
Security profile not implemented in SPDX 3.0.1 verifier? #184

Closed
anthonyharrison opened this issue Jan 28, 2025 · 5 comments

Comments

@anthonyharrison

Trying to validate an SPDX 3.0 document, using the 2.0.0.RC1 version, which contains security elements.

Get WARNING - WARNING: No match for #/$defs/security_VexVulnAssessmentRelationship

[main] ERROR org.spdx.v3jsonldstore.JsonLDDeserializer - Missing type for core object

{
  "type": "VexUnderInvestigationVulnAssessmentRelationship",
  "spdxId": "urn:spdx.dev:vex-underInvestigation-0",
  "relationshipType": "underInvestigationFor",
  "from": "urn:spdx.dev:vuln-CVE-2023-12345",
  "to": ["urn:product-ACME-1.0"],
  "security_assessedElement": "urn:generic-pyyaml-6.0.1",
  "suppliedBy": ["urn:spdx.dev:agent-fred-flintstone"],
  "completeness": "complete"
}

The element includes a type! According to the spec this looks like a valid element.

Tried the online validator and got the same error. Tried the command line to see if there was any more useful information, but nothing extra.

@anthonyharrison (Author)

UPDATE: from looking at the generated JSON schema (surely this isn't the way to find out what should be in a document), it appears that the type should be security_VexUnderInvestigationVulnAssessmentRelationship, although there is nothing in the SPDX 3 spec that gives this information...

This then results in hundreds of warnings which are just errors(?) from the JSON deserialiser. Surely there needs to be a MUCH better way of highlighting where the issue is...

@goneall (Member)

goneall commented Jan 28, 2025

@anthonyharrison - are you using the latest from Master or the last released version "2.0.0-RC1"?

#178 may have fixed this issue - but we haven't spun a new release containing the fix.

@anthonyharrison (Author)

anthonyharrison commented Jan 28, 2025

@goneall I am using the 2.0.0-RC1.

I have made further progress..... adding a "creationInfo" entry to the VEX entry removed all of the errors :-) although I couldn't find anything which says that this is required in the Spec.

By also adding entries for each software package into the document, the document fully validates. Presumably it shouldn't be necessary to do this, as a reference to an SBOM (which contains the software package information) should be sufficient.

@goneall (Member)

goneall commented Jan 28, 2025

> @goneall I am using the 2.0.0-RC1.
>
> I have made further progress..... adding a "creationInfo" entry to the VEX entry removed all of the errors :-) although I couldn't find anything which says that this is required in the Spec.

Good to hear.

> By also adding entries for each software package into the document, the document fully validates. Presumably it shouldn't be necessary to do this, as a reference to an SBOM (which contains the software package information) should be sufficient.

Good feedback on the spec.

creationInfo should be marked as required for any subclass of Element which includes VEX entries.

BTW - The warnings will go away in the next release.
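The two root causes surfaced in this thread (a security-profile class name serialised without its `security_` namespace prefix, and an Element missing the `creationInfo` the model requires) are easy to report per element before handing the document to the deserialiser. The following pre-flight checker is an added example written for this page; it is not part of the spdx-java-tools project or its validator. It assumes the SPDX 3.0.1 JSON-LD layout (`@context`, `@graph`, one shared `CreationInfo` node referenced by `@id`), knows only a partial, hand-picked list of security-profile class names, and treats any object carrying an `spdxId` as an Element subclass. The sample document is constructed from the VEX element posted above; the third check lists references to spdxIds that the document never defines, which is what forced the package entries to be added.

```python
"""Pre-flight checker for SPDX 3.0.1 JSON-LD documents.

Added example for this issue thread, not code from spdx-java-tools. It reports,
per element, the problems discussed above instead of a flood of deserializer
warnings: an unprefixed security-profile type, a missing creationInfo, and
references to elements the document does not define.
"""
import copy
import json

# Partial list of SPDX 3.0.1 security-profile class names (assumption: the
# checker knows only these; extend it from the generated JSON schema).
SECURITY_CLASSES = {
    "Vulnerability",
    "VexVulnAssessmentRelationship",
    "VexAffectedVulnAssessmentRelationship",
    "VexNotAffectedVulnAssessmentRelationship",
    "VexFixedVulnAssessmentRelationship",
    "VexUnderInvestigationVulnAssessmentRelationship",
}

# Properties whose values point at other elements by spdxId (assumption: the
# subset that matters for a VEX document like the one in this issue).
REFERENCE_FIELDS = ("from", "to", "security_assessedElement", "suppliedBy")

# Constructed sample: the VEX element as posted in this issue, plus a shared
# CreationInfo node. The context URL is assumed for 3.0.1.
SAMPLE_DOC = json.loads("""
{
  "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
  "@graph": [
    {"type": "CreationInfo", "@id": "_:creationinfo",
     "specVersion": "3.0.1", "created": "2025-01-28T00:00:00Z",
     "createdBy": ["urn:spdx.dev:agent-fred-flintstone"]},
    {"type": "VexUnderInvestigationVulnAssessmentRelationship",
     "spdxId": "urn:spdx.dev:vex-underInvestigation-0",
     "relationshipType": "underInvestigationFor",
     "from": "urn:spdx.dev:vuln-CVE-2023-12345",
     "to": ["urn:product-ACME-1.0"],
     "security_assessedElement": "urn:generic-pyyaml-6.0.1",
     "suppliedBy": ["urn:spdx.dev:agent-fred-flintstone"],
     "completeness": "complete"}
  ]
}
""")


def lint_element(index, element):
    """Return (location, message) findings for one @graph entry."""
    findings = []
    where = element.get("spdxId", f"@graph[{index}]")
    etype = element.get("type")
    if etype is None:
        findings.append((where, "missing 'type'"))
    elif etype in SECURITY_CLASSES:
        findings.append((where, f"type '{etype}' must be serialised as 'security_{etype}'"))
    # Assumption: every object with an spdxId is an Element and needs creationInfo.
    if "spdxId" in element and "creationInfo" not in element:
        findings.append((where, "Element is missing required 'creationInfo'"))
    return findings


def lint_document(doc):
    """Collect findings for every entry in @graph, keyed by spdxId or position."""
    findings = []
    for i, element in enumerate(doc.get("@graph", [])):
        findings.extend(lint_element(i, element))
    return findings


def dangling_references(doc):
    """spdxIds referenced by REFERENCE_FIELDS but not defined in this document."""
    graph = doc.get("@graph", [])
    defined = {e["spdxId"] for e in graph if "spdxId" in e}
    referenced = set()
    for element in graph:
        for field in REFERENCE_FIELDS:
            value = element.get(field)
            if value is not None:
                referenced.update(value if isinstance(value, list) else [value])
    return sorted(referenced - defined)


def fix_document(doc, creation_info_id):
    """Return a copy with security types prefixed and creationInfo pointed at
    the given CreationInfo node id; the input document is left untouched."""
    fixed = copy.deepcopy(doc)
    for element in fixed.get("@graph", []):
        if element.get("type") in SECURITY_CLASSES:
            element["type"] = "security_" + element["type"]
        if "spdxId" in element and "creationInfo" not in element:
            element["creationInfo"] = creation_info_id
    return fixed


if __name__ == "__main__":
    for where, msg in lint_document(SAMPLE_DOC):
        print(f"{where}: {msg}")
    for ref in dangling_references(SAMPLE_DOC):
        print(f"unresolved reference: {ref}")
    print(json.dumps(fix_document(SAMPLE_DOC, "_:creationinfo")["@graph"][1], indent=2))
```

Run as a script it prints the two findings against `urn:spdx.dev:vex-underInvestigation-0`, the four spdxIds the sample never defines, and the repaired element. Unresolved references are reported separately from the two hard findings because, as the thread notes, whether an external SBOM reference should satisfy them is a spec question rather than a document defect.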

@goneall (Member)

goneall commented Feb 2, 2025

@anthonyharrison I just released the RC2 version of the tools which should fix the warnings.

I'll go ahead and close this issue. If you run into any further issues, please feel free to open a new issue.

@goneall goneall closed this as completed Feb 2, 2025