
tools-python and tools-java behave differently #68

Open
yakuri opened this issue Jan 23, 2025 · 3 comments

Comments

@yakuri

yakuri commented Jan 23, 2025

Greetings, I used the attached tag:value SBOM and found that VALIDATE was NG in tools-python and VALIDATE was OK in tools-java.
Which VALIDATE is correct?

test-sbom.spdx.txt

What is unique about this SBOM is the presence of “FilesAnalyzed: false” on line 28 in the Relationships block.

> java -jar tools-java-2.0.0-RC1-jar-with-dependencies.jar Verify test-sbom.spdx
This SPDX Document is valid.

> pip install spdx-tools==0.8.3
> pyspdxtools -i test-sbom.spdx
Generating LALR tables
ERROR:root:There have been issues while parsing the provided document:
Element Package is not the current element in scope, probably the expected tag to start the element (PackageName) is missing. Line: 28

Sincerely,

@armintaenzertng

Hi @yakuri, the SPDX spec states:

Annotations and relationships for the package may appear after the package information before any file information.

That is, your relationships should appear after any information about the package.
The FilesAnalyzed: false in line 28 is part of the package but appears after the relationships. Move it 3 lines up so that it appears before the relationships and all should be fine.

@yakuri
Author

yakuri commented Jan 24, 2025

Hi @armintaenzertng,

Thanks for your reply.
Am I correct in understanding that it is not correct to display “This SPDX Document is valid.” when verifying test-sbom.spdx.txt in tools-java?

@goneall
Member

goneall commented Jan 25, 2025

Moving this issue to the tag/value store repository.

@goneall goneall transferred this issue from spdx/tools-java Jan 25, 2025