Merge pull request #1134 from bact/use-spdx3-validate

Add spdx3-validate to examples validation workflow

Author: goneall

.github/workflows/validate_examples.yml

@@ -21,7 +21,7 @@ jobs:
           cache: "pip"
       - name: Install Python dependencies
         run: |
-          python3 -m pip install check-jsonschema==0.29.4 pyshacl==0.29.0
+          python3 -m pip install check-jsonschema==0.31.0 pyshacl==0.29.1 spdx3-validate==0.0.5
       - name: Install dependencies
         run: |
           sudo apt install -y gawk

bin/check-examples.sh

@@ -4,54 +4,84 @@
 # documentation
 #
 # SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: Copyright 2024 The SPDX Contributors
 
 set -e
 
 THIS_DIR="$(dirname "$0")"
+MD_DIR=docs/annexes
+JSON_DIR=examples/jsonld
+
 SPDX_VERSION="3.0.1"
 SCHEMA_URL="https://spdx.org/schema/${SPDX_VERSION}/spdx-json-schema.json"
 RDF_URL="https://spdx.org/rdf/${SPDX_VERSION}/spdx-model.ttl"
 CONTEXT_URL="https://spdx.org/rdf/${SPDX_VERSION}/spdx-context.jsonld"
 
+# print validation setup
+echo "Checking examples in"
+echo "Snippets         : $MD_DIR"
+echo "Files            : $JSON_DIR"
+echo "SPDX version     : $SPDX_VERSION"
+echo "Schema           : $SCHEMA_URL"
+echo "Schema resolved  : $(curl -I "$SCHEMA_URL" 2>/dev/null | grep -i "location:" | awk '{print $2}')"
+echo "RDF              : $RDF_URL"
+echo "RDF resolved     : $(curl -I "$RDF_URL" 2>/dev/null | grep -i "location:" | awk '{print $2}')"
+echo "Context          : $CONTEXT_URL"
+echo "Context resolved : $(curl -I "$CONTEXT_URL" 2>/dev/null | grep -i "location:" | awk '{print $2}')"
+echo "$(check-jsonschema --version)"
+echo -n "$(pyshacl --version)"
+echo "spdx3-validate version: $(spdx3-validate --version)"
+echo ""
+
 check_schema() {
+    echo "Checking schema (check-jsonschema): $1"
     check-jsonschema \
-        -v \
+        --verbose \
         --schemafile $SCHEMA_URL \
         "$1"
 }
 
 check_model() {
+    echo "Checking model (pyschacl): $1"
     pyshacl \
-        -s $RDF_URL \
-        -e $RDF_URL \
+        --shacl $RDF_URL \
+        --ont-graph $RDF_URL \
         "$1"
 }
 
+check_spdx() {
+    echo "SPDX 3 Validating (spdx3-validate): $1"
+    spdx3-validate --json $1
+}
+
 # Check examples in JSON files in examples/jsonld/
-if [ "$(ls $THIS_DIR/../examples/jsonld/*.json 2>/dev/null)" ]; then
-    for f in $THIS_DIR/../examples/jsonld/*.json; do
-        echo "Checking $f"
+if [ "$(ls $THIS_DIR/../$JSON_DIR/*.json 2>/dev/null)" ]; then
+    for f in $THIS_DIR/../$JSON_DIR/*.json; do
         check_schema $f
+        echo ""
         check_model $f
+        echo ""
+        check_spdx $f
+        echo ""
     done
 fi
 
-TEMP=$(mktemp -d)
-
 # Check examples in inline code snippets in Markdown files in docs/annexes/
-for f in $THIS_DIR/../docs/annexes/*.md; do
+TEMP=$(mktemp -d)
+for f in $THIS_DIR/../$MD_DIR/*.md; do
     if ! grep -q '^```json' $f; then
         continue
     fi
-    echo "Checking $f"
+    echo "Extract snippets from $f"
     DEST=$TEMP/$(basename $f)
     mkdir -p $DEST
 
     # Read inline code snippets and save them in separate, numbered files.
     cat $f | awk -v DEST="$DEST" 'BEGIN{flag=0} /^```json/, $0=="```" { if (/^---$/){flag++} else if ($0 !~ /^```.*/ ) print $0 > DEST "/doc-" flag ".spdx.json"}'
 
     # Combine all JSON code snippets into a single file, with SPDX context and creation info.
-    echo "[" > $DEST/combined.json
+    COMBINED_JSON = $DEST/__combined.jso
+    echo "[" > $COMBINED_JSON
 
     for doc in $DEST/*.spdx.json; do
         if ! grep -q '@context' $doc; then
@@ -81,11 +111,15 @@ HEREDOC
 HEREDOC
         fi
         check_schema $doc
-        cat $doc >> $DEST/combined.json
-        echo "," >> $DEST/combined.json
+        echo ""
+        cat $doc >> $COMBINED_JSON
+        echo "," >> $COMBINED_JSON
     done
 
-    echo "{}]" >> $DEST/combined.json
+    echo "{}]" >> $COMBINED_JSON
 
-    check_model $DEST/combined.json
+    check_model $COMBINED_JSON
+    echo ""
+    check_spdx $COMBINED_JSON
+    echo ""
 done

examples/jsonld/package_sbom.json

@@ -61,7 +61,7 @@
             "spdxId": "http://spdx.example.com/Package1",
             "creationInfo": "_:creationinfo",
             "name": "my-package",
-            "software_packageVersion": "1.0",
+            "software_packageVersion": "1.0.0",
             "software_downloadLocation": "http://dl.example.com/my-package_1.0.0.tar",
             "builtTime": "2024-03-06T00:00:00Z",
             "originatedBy": [