Fix an issue with SpdxPackage._verify() #71
Merged
goneall merged 1 commit on Jun 12, 2026
Conversation
The specification for SPDX v2.3 seems to not require that for each `SpdxPackage` all files which in reality correspond to that package have to be included as `SpdxFile` in case files have been analyzed, namely `filesAnalyzed` is set to `true` [1]. This allows the freedom for the creator of an SPDX document to only selectively include certain files. For example, a tool may analyze all files of a package for license texts, but choose to only selectively include certain files containing license texts as `SpdxFile` entries in the SPDX document, for example to reduce the size of the SPDX document a bit, or to omit information which is less relevant in the given context. This implies that it should also be valid to not include any files for a package at all, even though its files have been analyzed. However, `_verify()` complains if `filesAnalyzed && files.size() == 0`, which seems incorrect. Drop that check to align with the spec.

[1] https://spdx.github.io/spdx-spec/v2.3/package-information/#78-files-analyzed-field

Signed-off-by: Frank Viernau <frank.viernau@gmail.com>
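As an added illustration (not code from this PR or from the SPDX library it targets), here is a small Python model of the package-level checks that depend on `filesAnalyzed`, with the dropped `filesAnalyzed && files.size() == 0` rule kept beside the retained ones so the behavioural difference can be exercised. The `Package` class, its field names, the sample values and the verification-code rule as modelled here are my own simplification of sections 7.8 and 7.9 of the spec, not the library's API.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Package:
    """Minimal stand-in for SpdxPackage (constructed for this example, not the library's class)."""
    name: str
    files_analyzed: bool = True              # spec: an omitted filesAnalyzed means true
    verification_code: Optional[str] = None  # packageVerificationCode, tied to filesAnalyzed
    files: List[str] = field(default_factory=list)  # SpdxFile entries included in the document


def verify_after(pkg: Package) -> List[str]:
    """Checks as I read the spec: the verification code is mandatory when
    filesAnalyzed is true and must be omitted when it is false.

    Deliberately absent: any complaint about filesAnalyzed=True with an empty
    file list. A document may analyze every file yet include none of them.
    """
    errors: List[str] = []
    if pkg.files_analyzed and pkg.verification_code is None:
        errors.append(f"{pkg.name}: filesAnalyzed is true, so packageVerificationCode is mandatory")
    if not pkg.files_analyzed and pkg.verification_code is not None:
        errors.append(f"{pkg.name}: filesAnalyzed is false, so packageVerificationCode must be omitted")
    return errors


def verify_before(pkg: Package) -> List[str]:
    """Same checks plus the pre-PR rule that the description argues is incorrect."""
    errors = verify_after(pkg)
    if pkg.files_analyzed and len(pkg.files) == 0:
        errors.append(f"{pkg.name}: filesAnalyzed is true but no files are listed")
    return errors


# Constructed sample: a scanner analyzed every file for license texts but chose
# to include none of them as SpdxFile entries (the use case from the description).
SLIM_PACKAGE = Package(
    name="libexample",
    files_analyzed=True,
    verification_code="0123456789abcdef0123456789abcdef01234567",  # constructed placeholder
    files=[],
)

if __name__ == "__main__":
    print("before:", verify_before(SLIM_PACKAGE))  # one spurious error
    print("after: ", verify_after(SLIM_PACKAGE))   # []
```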
4a4c472 to 09f6b3b
goneall (Member) approved these changes on Jun 12, 2026

In reviewing the spec, I tend to agree that it is valid for there to be no files and filesAnalyzed being true.