SPDX output_format causes exception #172

Open
mcutshaw opened this issue Apr 8, 2024 · 4 comments
@mcutshaw
Collaborator

mcutshaw commented Apr 8, 2024

Describe the bug
With the Helics image, surfactant currently fails to generate an output in the SPDX format.

To Reproduce
Steps to reproduce the behavior:

  1. Install latest main of surfactant with pip install -e .
  2. Download and extract Helics tar.gz
  3. surfactant create-config Helics-3.5.0-Linux-x86_64
  4. surfactant generate Helics-3.5.json --output_format spdx helics_spdx.json
  2024-04-08 09:48:32.898 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/share
  2024-04-08 09:48:32.898 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/share/helics
  2024-04-08 09:48:32.898 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/share/helics/swig
  2024-04-08 09:48:32.898 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/share/man
  2024-04-08 09:48:32.898 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/share/man/man1
  2024-04-08 09:48:32.899 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/share/doc
  2024-04-08 09:48:32.899 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/share/doc/HELICS
  2024-04-08 09:48:32.899 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/include
  2024-04-08 09:48:32.900 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/include/fmt
  2024-04-08 09:48:32.900 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/include/helics
  2024-04-08 09:48:32.901 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/include/helics/cpp98
  2024-04-08 09:48:32.902 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/lib64
  2024-04-08 09:48:33.091 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/lib64/pkgconfig
  2024-04-08 09:48:33.091 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/lib64/cmake
  2024-04-08 09:48:33.091 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/lib64/cmake/fmt
  2024-04-08 09:48:33.092 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/lib64/cmake/HELICS
  2024-04-08 09:48:33.092 | INFO     | surfactant.cmd.generate:sbom:297 - Processing Helics-3.5.0-Linux-x86_64/bin
  2024-04-08 09:48:33.334 | INFO     | surfactant.relationships:parse_relationships:16 - Determining relationship 1/9
  2024-04-08 09:48:33.335 | INFO     | surfactant.relationships:parse_relationships:16 - Determining relationship 2/9
  2024-04-08 09:48:33.335 | INFO     | surfactant.relationships:parse_relationships:16 - Determining relationship 3/9
  2024-04-08 09:48:33.335 | INFO     | surfactant.relationships:parse_relationships:16 - Determining relationship 4/9
  2024-04-08 09:48:33.336 | INFO     | surfactant.relationships:parse_relationships:16 - Determining relationship 5/9
  2024-04-08 09:48:33.336 | INFO     | surfactant.relationships:parse_relationships:16 - Determining relationship 6/9
  2024-04-08 09:48:33.336 | INFO     | surfactant.relationships:parse_relationships:16 - Determining relationship 7/9
  2024-04-08 09:48:33.337 | INFO     | surfactant.relationships:parse_relationships:16 - Determining relationship 8/9
  2024-04-08 09:48:33.337 | INFO     | surfactant.relationships:parse_relationships:16 - Determining relationship 9/9
  [Relationship(spdx_element_id='SPDXRef-libhelics.so.3.5.0-DWvCD', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5.2.5-QAZnN', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-libhelics.so.3.5.0-DWvCD', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5-UiuaJ', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-libhelics.so.3.5.0-DWvCD', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so-tup09', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-libhelics.so.3-NBDI2', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5.2.5-QAZnN', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-libhelics.so.3-NBDI2', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5-UiuaJ', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-libhelics.so.3-NBDI2', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so-tup09', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-libhelics.so-QDfUu', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5.2.5-QAZnN', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-libhelics.so-QDfUu', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5-UiuaJ', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-libhelics.so-QDfUu', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so-tup09', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsconnector-jLJoz', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5.2.5-QAZnN', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsconnector-jLJoz', relationship_type=<RelationshipType.OTHER: 31>, 
related_spdx_element_id='SPDXRef-libzmq.so.5-UiuaJ', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsconnector-jLJoz', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so-tup09', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsrecorder-0DEd6', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5.2.5-QAZnN', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsrecorder-0DEd6', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5-UiuaJ', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsrecorder-0DEd6', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so-tup09', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsapp-r5MpF', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5.2.5-QAZnN', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsapp-r5MpF', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5-UiuaJ', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsapp-r5MpF', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so-tup09', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsplayer-9gcZB', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5.2.5-QAZnN', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsplayer-9gcZB', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5-UiuaJ', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsplayer-9gcZB', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so-tup09', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsbrokerserver-1xsOL', 
relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5.2.5-QAZnN', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsbrokerserver-1xsOL', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5-UiuaJ', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsbrokerserver-1xsOL', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so-tup09', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsbroker-3lCs6', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5.2.5-QAZnN', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsbroker-3lCs6', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so.5-UiuaJ', comment='Type: USES'), Relationship(spdx_element_id='SPDXRef-helicsbroker-3lCs6', relationship_type=<RelationshipType.OTHER: 31>, related_spdx_element_id='SPDXRef-libzmq.so-tup09', comment='Type: USES')]
  Document is not valid. The following errors were detected: [ValidationMessage(validation_message='there must be at least one relationship "SPDXRef-DOCUMENT DESCRIBES ..." or "... DESCRIBED_BY SPDXRef-DOCUMENT" when there is not only a single package present', context=ValidationContext(spdx_id='SPDXRef-DOCUMENT', parent_id=None, element_type=<SpdxElementType.DOCUMENT: 7>, full_element=None))]

Expected behavior
We should expect surfactant to be able to generate an SPDX BOM with the helics firmware.

System Information (please complete the following information):

  • Python 3.10.12

Additional context
This may outline the need for tests for different output formats.

@mcutshaw mcutshaw added the bug Something isn't working label Apr 8, 2024
@mcutshaw
Collaborator Author

mcutshaw commented Apr 8, 2024

Currently the SPDX document appears to contain no packages and 27 relationships for the Helics. Unfortunately I'm not terribly familiar with SPDX, and don't know if a package is required.

@nightlark
Collaborator

nightlark commented Apr 8, 2024

Interesting - I suspect the SPDX Python library released another update recently that changes their validation function.

SPDX wanting a package is a bit of a pain since often we don’t really know what “package” files belong to. I wonder if we can make it happy by adding a SPDXRef-DOCUMENT DESCRIBES or DESCRIBED_BY using NOASSERTION instead of creating a fake package with no real information.

@nightlark nightlark added this to the v0 milestone Apr 8, 2024
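
The rule quoted in the validator message, and the NOASSERTION workaround floated in nightlark's comment above, sketched on a plain SPDX 2.3 JSON document as an added example (not Surfactant's or the SPDX Python library's code). The helper names, the sample document and the reading of "only a single package" as one package with no files or snippets are assumptions; whether the library's validator accepts a NOASSERTION target is not confirmed on this page.

```python
import copy

DOCUMENT_ID = "SPDXRef-DOCUMENT"

def only_single_package(doc):
    # Assumed reading of "only a single package": one package, no files/snippets.
    return (len(doc.get("packages", [])) == 1
            and not doc.get("files") and not doc.get("snippets"))

def has_document_describes(doc):
    # Either direction named in the validator message satisfies the rule.
    for rel in doc.get("relationships", []):
        kind = rel.get("relationshipType")
        if kind == "DESCRIBES" and rel.get("spdxElementId") == DOCUMENT_ID:
            return True
        if kind == "DESCRIBED_BY" and rel.get("relatedSpdxElement") == DOCUMENT_ID:
            return True
    return False

def violates_describes_rule(doc):
    return not only_single_package(doc) and not has_document_describes(doc)

def with_noassertion_describes(doc):
    # Return a copy; add the relationship only when the rule would fail.
    fixed = copy.deepcopy(doc)
    if violates_describes_rule(fixed):
        fixed.setdefault("relationships", []).append({
            "spdxElementId": DOCUMENT_ID,
            "relationshipType": "DESCRIBES",
            "relatedSpdxElement": "NOASSERTION",
        })
    return fixed

# Constructed sample shaped like the failing output: files, no packages,
# and only OTHER ("Type: USES") relationships between them.
SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": DOCUMENT_ID,
    "files": [{"SPDXID": "SPDXRef-libhelics.so-QDfUu"},
              {"SPDXID": "SPDXRef-libzmq.so-tup09"}],
    "relationships": [{"spdxElementId": "SPDXRef-libhelics.so-QDfUu",
                       "relationshipType": "OTHER",
                       "relatedSpdxElement": "SPDXRef-libzmq.so-tup09",
                       "comment": "Type: USES"}],
}

if __name__ == "__main__":
    print("before:", violates_describes_rule(SAMPLE))
    print("after: ", violates_describes_rule(with_noassertion_describes(SAMPLE)))
```
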
@gliese1337

I just encountered this when testing Surfactant on my own project.

[]
Document is not valid. The following errors were detected: [ValidationMessage(validation_message='there must be at least one relationship "SPDXRef-DOCUMENT DESCRIBES ..." or "... DESCRIBED_BY SPDXRef-DOCUMENT" when there is not only a single package present', context=ValidationContext(spdx_id='SPDXRef-DOCUMENT', parent_id=None, element_type=<SpdxElementType.DOCUMENT: 7>, full_element=None))]

CycloneDX output works fine.

@nightlark
Collaborator

I'll see if the NOASSERTION method described above works; otherwise, is there any default information you'd expect a "fake" SPDX package to contain that's just meant to make the SPDX library validator happy?
