Error message when parsing files and mandatory fields are missing. #155

Closed
kestewart opened this issue Dec 19, 2020 · 10 comments
Labels
parser Issues related to the parser layer

Comments

@kestewart
Contributor

Using the tools.spdx.dev and feeding in file:

SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT-SAGPM
DocumentName: Software Assurance Guardian Point Man (SAG-PM)
DocumentNamespace: http://softwareassuranceguardian.com/
Creator: Person: Dick Brooks ([email protected]
Creator: Tool: PyInstaller 3.6
Created: 2020-09-08T19:44:17Z

Package: SAG-PM

PackageName:aiodns
SPDXID: SPDXRef-aiodns-2.0.0
PackageSupplier: Person:Saúl Ibarra Corretgé
PackageVersion: 2.0.0
PackageChecksum: SHA-256: aaa5ac584f40fe778013df0aa6544bf157799bd3f608364b451840ed2c8688de
PackageDownloadLocation: purl+pkg:pypi/[email protected]
FilesAnalyzed: false

PackageName:altgraph
SPDXID: SPDXRef-altgraph-0.17
PackageSupplier: Person:Ronald Oussoren
PackageVersion: 0.17
PackageChecksum: SHA-256: c623e5f3408ca61d4016f23a681b9adb100802ca3e3da5e718915a9e4052cebe
PackageLicenseConcluded: MIT
PackageDownloadLocation: purl+pkg:pypi/[email protected]
FilesAnalyzed: false

The error message, “Only one PackageName allowed, extra at line: 21”, is confusing and misleading, as I think the problem is missing mandatory fields. But please confirm if this is indeed the case.

@rjb4standards

Kate, I have confirmed your speculation, adding the missing fields got me past this error. Perhaps an error like "Missing required fields {missing fields}" would be more helpful. Thanks for your help.

@goneall
Member

goneall commented Dec 20, 2020

Moving this over to the new version of the SPDX tools which is now used in the online tools.

@goneall goneall transferred this issue from spdx/tools Dec 20, 2020
@goneall
Member

goneall commented Dec 20, 2020

I'm not able to reproduce the same error.

When I run validate using the above file text, I get an invalid document error due to the SPDX Document Ref.

The SPDXID: SPDXRef-DOCUMENT-SAGPM needs to be replaced with SPDXID: SPDXRef-DOCUMENT per the spec.

When I fix that, I get a different error:

[image: screenshot of the error]

Looking at the document, line 10 contains Package: SAG-PM which is not a valid keyword.

When I remove the invalid package, I get the following error:

Analysis exception processing SPDX file: Invalid checksum algorithm: SHA-256: aaa5ac584f40fe778013df0aa6544bf157799bd3f608364b451840ed2c8688de at line number 14

SHA-256 needs to be replaced with SHA256.

Fixing this, I get the error Analysis exception processing SPDX file: Invalid download location pattern purl+pkg:pypi/[email protected]. Must match the pattern ^(NONE|NOASSERTION|(((git|hg|svn|bzr)\+)?(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/|ssh:\/\/|git:\/\/|svn:\/\/|sftp:\/\/|ftp:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*))|(git\+git@[a-zA-Z0-9\.]+:[a-zA-Z0-9]+)|(bzr\+lp:[a-zA-Z0-9\.]+))$

Removing the download location, I got the following message:

This SPDX Document is not valid due to:
	Package at line 17 invalid: Missing required copyright text for altgraph in altgraph
	Package at line 17 invalid: Missing required download location for package altgraph
	Package at line 17 invalid: Missing required declared license for package altgraph
	Package at line 10 invalid: Missing required concluded license for aiodns in aiodns
	Package at line 10 invalid: Missing required copyright text for aiodns in aiodns
	Package at line 10 invalid: Missing required download location for package aiodns
	Package at line 10 invalid: Missing required declared license for package aiodns

BTW - I did find a separate issue parsing external Ref's while investigating this, issue spdx/spdx-java-tagvalue-store#3
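
Added example, not part of the thread and not code from the SPDX tools: a small Python check over tag-value text that reports the problems walked through in the comment above (document SPDXID, hyphenated checksum algorithm, missing package fields) with line numbers, naming all of a package's missing fields in one message. The `lint` function, the `REQUIRED` list (taken from the validator output quoted above) and the sample are assumptions of this example; multi-line `<text>` values are not handled.

```python
import re

# Package tags the validator output in this thread reports as required.
REQUIRED = ("PackageDownloadLocation", "PackageLicenseConcluded",
            "PackageLicenseDeclared", "PackageCopyrightText")
# Checksum algorithm names as SPDX 2.2 spells them (no hyphen).
ALGOS = {"SHA1", "SHA224", "SHA256", "SHA384", "SHA512", "MD2", "MD4", "MD5", "MD6"}
TAG = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def lint(text):
    """Return sorted (line, message) findings for a tag-value document."""
    findings, pkg = [], None
    def finish(p):
        # One message per package, naming every missing required tag.
        missing = [t for t in REQUIRED if p and t not in p["tags"]]
        if missing:
            findings.append((p["line"], f"{p['name']}: missing required fields "
                             + ", ".join(missing)))

    for no, raw in enumerate(text.splitlines(), 1):
        m = TAG.match(raw.strip())
        if not m:
            continue
        tag, value = m.groups()
        if tag == "PackageName":
            finish(pkg)  # report the previous package before starting a new one
            pkg = {"name": value, "line": no, "tags": set()}
        elif pkg:
            pkg["tags"].add(tag)
        elif tag == "SPDXID" and value != "SPDXRef-DOCUMENT":
            findings.append((no, f"document SPDXID must be SPDXRef-DOCUMENT, got {value}"))
        algo = value.split(":")[0].strip()
        if tag == "PackageChecksum" and algo not in ALGOS:
            findings.append((no, f"invalid checksum algorithm {algo}"))
    finish(pkg)
    return sorted(findings)

# Constructed sample, trimmed from the file in this issue (download locations omitted).
SAMPLE = """SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT-SAGPM
PackageName:aiodns
SPDXID: SPDXRef-aiodns-2.0.0
PackageChecksum: SHA-256: aaa5ac584f40fe778013df0aa6544bf157799bd3f608364b451840ed2c8688de
PackageName:altgraph
PackageLicenseConcluded: MIT
"""

for line, msg in lint(SAMPLE):
    print(f"line {line}: {msg}")
```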

@rjb4standards
Copy link

Thanks, Gary. I'll tackle these issues. Is there an online, web spdx verifier I can use to check for errors?

@goneall
Member

goneall commented Dec 20, 2020

@rjb4standards Yes - https://tools.spdx.org/app/validate/

I thought that was the origin of these errors.

Are you using the command line tool at https://github.com/spdx/tools?

If so, you can try a more up to date command line tool at https://github.com/spdx/tools-java

@goneall
Member

goneall commented Dec 20, 2020

@rjb4standards Were these errors found using the Python parser? If so, you can ignore all my comments above on the error handling and I'll transfer this over to the Python tools repo.

@rjb4standards

Gary, the Python parser is reporting these errors, but the online validator, my new best friend, reports no errors.
PackageName:spdx-tools
SPDXID: SPDXRef-spdx-tools-0.6.1
PackageSupplier: Person:Ahmed H. Ismail
PackageVersion: 0.6.1
PackageChecksum: SHA256: 45fa09d43534772ca63bff2dccf1fbde88e1fc9b9515fc7a34ae50540d7ad29c

@goneall
Member

goneall commented Dec 20, 2020

Moving this issue to the Python tools repo

@goneall goneall transferred this issue from spdx/spdx-java-tagvalue-store Dec 20, 2020
@meretp
Collaborator

meretp commented Oct 17, 2022

This issue seems to be related to #185. Feeding the python parser with the file from above with the mentioned fixes leads to the error:

PackageChecksum must be a single line of text, line: 15
PackageChecksum must be a single line of text, line: 23
Errors while parsing:  True

@meretp meretp added the parser Issues related to the parser layer label Oct 20, 2022
@meretp
Collaborator

meretp commented Jan 10, 2023

With the current release, the mentioned file can be parsed without errors, so I will close this issue.

@meretp meretp closed this as completed Jan 10, 2023