Add checking of SPDX ID fields (#58)

Malcolmnixon · web-flow · commit 689f8e46164e · 2025-07-05T19:56:23.000-04:00
* Add checking of SPDX ID fields

* Minor improvement to regular expression.
diff --git a/src/DemaConsulting.SpdxModel/SpdxElement.cs b/src/DemaConsulting.SpdxModel/SpdxElement.cs
@@ -18,13 +18,23 @@
 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 // SOFTWARE.
 
+using System.Text.RegularExpressions;
+
 namespace DemaConsulting.SpdxModel;
 
 /// <summary>
 /// SPDX Element base class
 /// </summary>
 public abstract class SpdxElement
 {
+    /// <summary>
+    /// Regular expression for checking element IDs of the form "SPDXRef-name"
+    /// </summary>
+    protected static readonly Regex SpdxRefRegex = new(
+        "^SPDXRef-[a-zA-Z0-9,-]+$",
+        RegexOptions.None,
+        TimeSpan.FromMilliseconds(100));
+
     /// <summary>
     /// No Assertion value
     /// </summary>
diff --git a/src/DemaConsulting.SpdxModel/SpdxFile.cs b/src/DemaConsulting.SpdxModel/SpdxFile.cs
@@ -194,7 +194,7 @@ public void Validate(List<string> issues)
             issues.Add($"File {FileName} Invalid File Name Field");
 
         // Validate File SPDX Identifier Field
-        if (!Id.StartsWith("SPDXRef-"))
+        if (!SpdxRefRegex.IsMatch(Id))
             issues.Add($"File {FileName} Invalid SPDX Identifier Field");
 
         // Validate Checksums
diff --git a/src/DemaConsulting.SpdxModel/SpdxPackage.cs b/src/DemaConsulting.SpdxModel/SpdxPackage.cs
@@ -393,6 +393,10 @@ public void Validate(List<string> issues, SpdxDocument? doc, bool ntia = false)
         if (Name.Length == 0)
             issues.Add("Package Invalid Package Name Field");
 
+        // SPDX NTIA Unique Identifier Check
+        if (!SpdxRefRegex.IsMatch(Id))
+            issues.Add($"Package {Name} Invalid SPDX Identifier Field");
+
         // Validate Package Download Location Field
         if (DownloadLocation.Length == 0)
             issues.Add($"Package {Name} Invalid Package Download Location Field");
@@ -434,10 +438,6 @@ public void Validate(List<string> issues, SpdxDocument? doc, bool ntia = false)
         if (ntia && string.IsNullOrEmpty(Version))
             issues.Add($"NTIA: Package {Name} Missing Version");
 
-        // SPDX NTIA Unique Identifier Check
-        if (ntia && string.IsNullOrEmpty(Id))
-            issues.Add($"NTIA: Package {Name} Missing Unique Identifier");
-
         // Release Date field
         if (!SpdxHelpers.IsValidSpdxDateTime(ReleaseDate))
             issues.Add($"Package {Name} Invalid Release Date Field");
diff --git a/src/DemaConsulting.SpdxModel/SpdxSnippet.cs b/src/DemaConsulting.SpdxModel/SpdxSnippet.cs
@@ -192,7 +192,7 @@ public static SpdxSnippet[] Enhance(SpdxSnippet[] array, SpdxSnippet[] others)
     public void Validate(List<string> issues)
     {
         // Validate Snippet SPDX Identifier Field
-        if (!Id.StartsWith("SPDXRef-"))
+        if (!SpdxRefRegex.IsMatch(Id))
             issues.Add("Snippet Invalid SPDX Identifier Field");
 
         // Validate Snippet From File Field
diff --git a/test/DemaConsulting.SpdxModel.Tests/SpdxFileTests.cs b/test/DemaConsulting.SpdxModel.Tests/SpdxFileTests.cs
@@ -27,11 +27,12 @@ namespace DemaConsulting.SpdxModel.Tests;
 public class SpdxFileTests
 {
     /// <summary>
-    /// Tests the <see cref="SpdxFile.Same"/> comparer.
+    ///     Tests the <see cref="SpdxFile.Same"/> comparer compares files correctly.
     /// </summary>
     [TestMethod]
-    public void FileSameComparer()
+    public void SpdxFile_SameComparer_ComparesCorrectly()
     {
+        // Arrange: Create several SpdxFile instances with different IDs, names, and checksums
         var f1 = new SpdxFile
         {
             FileName = "./file1.txt",
@@ -44,7 +45,6 @@ public void FileSameComparer()
                 }
             ]
         };
-
         var f2 = new SpdxFile
         {
             Id = "SPDXRef-File1",
@@ -64,7 +64,6 @@ public void FileSameComparer()
             ],
             Comment = "File 1"
         };
-
         var f3 = new SpdxFile
         {
             FileName = "./file2.txt",
@@ -78,29 +77,30 @@ public void FileSameComparer()
             ]
         };
 
-        // Assert files compare to themselves
+        // Assert: Verify files compare to themselves
         Assert.IsTrue(SpdxFile.Same.Equals(f1, f1));
         Assert.IsTrue(SpdxFile.Same.Equals(f2, f2));
         Assert.IsTrue(SpdxFile.Same.Equals(f3, f3));
 
-        // Assert files compare correctly
+        // Assert: Verify files compare correctly
         Assert.IsTrue(SpdxFile.Same.Equals(f1, f2));
         Assert.IsTrue(SpdxFile.Same.Equals(f2, f1));
         Assert.IsFalse(SpdxFile.Same.Equals(f1, f3));
         Assert.IsFalse(SpdxFile.Same.Equals(f3, f1));
         Assert.IsFalse(SpdxFile.Same.Equals(f2, f3));
         Assert.IsFalse(SpdxFile.Same.Equals(f3, f2));
 
-        // Assert same files have identical hashes
+        // Assert: Verify same files have identical hashes
         Assert.AreEqual(SpdxFile.Same.GetHashCode(f1), SpdxFile.Same.GetHashCode(f2));
     }
 
     /// <summary>
-    /// Tests the <see cref="SpdxFile.DeepCopy"/> method.
+    ///     Tests the <see cref="SpdxFile.DeepCopy"/> method successfully creates a deep copy.
     /// </summary>
     [TestMethod]
-    public void DeepCopy()
+    public void SpdxFile_DeepCopy_CreatesEqualButDistinctInstance()
     {
+        // Arrange: Create an SpdxFile instance with checksums and comments
         var f1 = new SpdxFile
         {
             Id = "SPDXRef-File1",
@@ -121,27 +121,28 @@ public void DeepCopy()
             Comment = "File 1"
         };
 
-        // Make deep copy
+        // Act: Create a deep copy of the SpdxFile instance
         var f2 = f1.DeepCopy();
 
-        // Assert both objects are equal
+        // Assert: Verify deep-copy is equal to original
         Assert.AreEqual(f1, f2, SpdxFile.Same);
         Assert.AreEqual(f1.Id, f2.Id);
         Assert.AreEqual(f1.FileName, f2.FileName);
         CollectionAssert.AreEquivalent(f1.Checksums, f2.Checksums, SpdxChecksum.Same);
         Assert.AreEqual(f1.Comment, f2.Comment);
 
-        // Assert separate instances
+        // Assert: Verify deep-copy has distinct instances
         Assert.IsFalse(ReferenceEquals(f1, f2));
         Assert.IsFalse(ReferenceEquals(f1.Checksums, f2.Checksums));
     }
 
     /// <summary>
-    /// Tests the <see cref="SpdxFile.Enhance(SpdxFile[], SpdxFile[])"/> method.
+    /// Tests the <see cref="SpdxFile.Enhance(SpdxFile[], SpdxFile[])"/> method correctly adds or updates information
     /// </summary>
     [TestMethod]
-    public void Enhance()
+    public void SpdxFile_Enhance_AddsOrUpdatesInformationCorrectly()
     {
+        // Arrange: Create an array of SpdxFile objects with one file
         var files = new[]
         {
             new SpdxFile
@@ -158,6 +159,7 @@ public void Enhance()
             }
         };
 
+        // Act: Enhance the files with additional information
         files = SpdxFile.Enhance(
             files,
             [
@@ -194,6 +196,7 @@ public void Enhance()
                 }
             ]);
 
+        // Assert: Verify the files array has been enhanced correctly
         Assert.AreEqual(2, files.Length);
         Assert.AreEqual("SPDXRef-File1", files[0].Id);
         Assert.AreEqual("./file1.txt", files[0].FileName);
@@ -210,7 +213,37 @@ public void Enhance()
     }
 
     /// <summary>
-    /// Tests the <see cref="SpdxFileTypeExtensions.FromText(string)"/> method.
+    ///     Tests that an invalid file ID fails validation.
+    /// </summary>
+    [TestMethod]
+    public void SpdxFile_Validate_ReportsInvalidFileId()
+    {
+        // Arrange: Create an SpdxFile instance with an invalid ID format
+        var spdxFile = new SpdxFile
+        {
+            Id = "Invalid_ID",
+            FileName = "./file1.txt",
+            Checksums =
+            [
+                new SpdxChecksum
+                {
+                    Algorithm = SpdxChecksumAlgorithm.Sha1,
+                    Value = "85ed0817af83a24ad8da68c2b5094de69833983c"
+                }
+            ]
+        };
+
+        // Act: Perform validation on the SpdxFile instance.
+        var issues = new List<string>();
+        spdxFile.Validate(issues);
+
+        // Assert: Verify that the validation fails and the error message includes the invalid ID.
+        Assert.IsTrue(
+            issues.Any(issue => issue.Contains("File ./file1.txt Invalid SPDX Identifier Field")));
+    }
+
+    /// <summary>
+    ///     Tests the <see cref="SpdxFileTypeExtensions.FromText(string)"/> method with valid inputs.
     /// </summary>
     [TestMethod]
     public void SpdxFileTypeExtensions_FromText_Valid()
@@ -231,7 +264,7 @@ public void SpdxFileTypeExtensions_FromText_Valid()
     }
 
     /// <summary>
-    /// Tests the <see cref="SpdxFileTypeExtensions.FromText(string)"/> method.
+    ///     Tests the <see cref="SpdxFileTypeExtensions.FromText(string)"/> method with invalid input.
     /// </summary>
     [TestMethod]
     public void SpdxFileTypeExtensions_FromText_Invalid()
@@ -241,7 +274,7 @@ public void SpdxFileTypeExtensions_FromText_Invalid()
     }
 
     /// <summary>
-    /// Tests the <see cref="SpdxFileTypeExtensions.ToText"/> method.
+    ///     Tests the <see cref="SpdxFileTypeExtensions.ToText"/> method with valid inputs
     /// </summary>
     [TestMethod]
     public void SpdxFileTypeExtensions_ToText_Valid()
@@ -260,7 +293,7 @@ public void SpdxFileTypeExtensions_ToText_Valid()
     }
 
     /// <summary>
-    /// Tests the <see cref="SpdxFileTypeExtensions.ToText"/> method.
+    ///     Tests the <see cref="SpdxFileTypeExtensions.ToText"/> method with invalid input.
     /// </summary>
     [TestMethod]
     public void SpdxFileTypeExtensions_ToText_Invalid()
diff --git a/test/DemaConsulting.SpdxModel.Tests/SpdxPackageTests.cs b/test/DemaConsulting.SpdxModel.Tests/SpdxPackageTests.cs
@@ -21,61 +21,61 @@
 namespace DemaConsulting.SpdxModel.Tests;
 
 /// <summary>
-/// Tests for the <see cref="SpdxPackage"/> class.
+///     Tests for the <see cref="SpdxPackage"/> class.
 /// </summary>
 [TestClass]
 public class SpdxPackageTests
 {
     /// <summary>
-    /// Tests the <see cref="SpdxPackage.Same"/> comparer.
+    ///     Tests the <see cref="SpdxPackage.Same"/> comparer compares packages correctly.
     /// </summary>
     [TestMethod]
-    public void PackageSameComparer()
+    public void SpdxPackage_SameComparer_ComparesCorrectly()
     {
+        // Arrange: Create several SpdxPackage instances with different IDs, names, and versions
         var p1 = new SpdxPackage
         {
             Id = "SPDXRef-Package1",
             Name = "DemaConsulting.SpdxModel",
             Version = "0.0.0"
         };
-
         var p2 = new SpdxPackage
         {
             Id = "SPDXRef-Package-SpdxModel",
             Name = "DemaConsulting.SpdxModel",
             Version = "0.0.0"
         };
-
         var p3 = new SpdxPackage
         {
             Id = "SPDXRef-Package1",
             Name = "SomePackage",
             Version = "1.2.3"
         };
 
-        // Assert packages compare to themselves
+        // Assert: Verify packages compare to themselves
         Assert.IsTrue(SpdxPackage.Same.Equals(p1, p1));
         Assert.IsTrue(SpdxPackage.Same.Equals(p2, p2));
         Assert.IsTrue(SpdxPackage.Same.Equals(p3, p3));
 
-        // Assert packages compare correctly
+        // Assert: Verify packages compare correctly
         Assert.IsTrue(SpdxPackage.Same.Equals(p1, p2));
         Assert.IsTrue(SpdxPackage.Same.Equals(p2, p1));
         Assert.IsFalse(SpdxPackage.Same.Equals(p1, p3));
         Assert.IsFalse(SpdxPackage.Same.Equals(p3, p1));
         Assert.IsFalse(SpdxPackage.Same.Equals(p2, p3));
         Assert.IsFalse(SpdxPackage.Same.Equals(p3, p2));
 
-        // Assert same packages have identical hashes
+        // Assert: Verify same packages have identical hashes
         Assert.AreEqual(SpdxPackage.Same.GetHashCode(p1), SpdxPackage.Same.GetHashCode(p2));
     }
 
     /// <summary>
-    /// Tests the <see cref="SpdxPackage.DeepCopy"/> method.
+    ///     Tests the <see cref="SpdxPackage.DeepCopy"/> method successfully creates a deep copy.
     /// </summary>
     [TestMethod]
-    public void DeepCopy()
+    public void SpdxPackage_DeepCopy_CreatesEqualButDistinctInstance()
     {
+        // Arrange: Create a SpdxPackage with various properties
         var p1 = new SpdxPackage
         {
             Id = "SPDXRef-Package1",
@@ -110,9 +110,10 @@ public void DeepCopy()
             ]
         };
 
+        // Act: Create a deep copy of the SpdxPackage
         var p2 = p1.DeepCopy();
 
-        // Assert both objects are equal
+        // Assert: Verify deep-copy is equal to original
         Assert.AreEqual(p1, p2, SpdxPackage.Same);
         Assert.AreEqual(p1.Id, p2.Id);
         Assert.AreEqual(p1.Name, p2.Name);
@@ -124,7 +125,7 @@ public void DeepCopy()
         CollectionAssert.AreEquivalent(p1.AttributionText, p2.AttributionText);
         CollectionAssert.AreEquivalent(p1.Annotations, p2.Annotations, SpdxAnnotation.Same);
 
-        // Assert separate instances
+        // Assert: Verify deep-copy has distinct instances
         Assert.IsFalse(ReferenceEquals(p1, p2));
         Assert.IsFalse(ReferenceEquals(p1.HasFiles, p2.HasFiles));
         Assert.IsFalse(ReferenceEquals(p1.Checksums, p2.Checksums));
@@ -135,11 +136,12 @@ public void DeepCopy()
     }
 
     /// <summary>
-    /// Tests the <see cref="SpdxPackage.Enhance(SpdxPackage[], SpdxPackage[])"/> method.
+    ///     Tests the <see cref="SpdxPackage.Enhance(SpdxPackage[], SpdxPackage[])"/> method correctly adds or updates packages.
     /// </summary>
     [TestMethod]
-    public void Enhance()
+    public void SpdxPackage_Enhance_AddsOrUpdatesPackagesCorrectly()
     {
+        // Arrange: Set up the initial packages and the packages to enhance with.
         var packages = new[]
         {
             new SpdxPackage
@@ -150,6 +152,7 @@ public void Enhance()
             }
         };
 
+        // Act: Call the Enhance method to add or update packages.
         packages = SpdxPackage.Enhance(
             packages,
             [
@@ -167,6 +170,7 @@ public void Enhance()
                 }
             ]);
 
+        // Assert: Verify the resulting packages are as expected.
         Assert.AreEqual(2, packages.Length);
         Assert.AreEqual("SPDXRef-Package1", packages[0].Id);
         Assert.AreEqual("DemaConsulting.SpdxModel", packages[0].Name);
@@ -175,4 +179,27 @@ public void Enhance()
         Assert.AreEqual("SomePackage", packages[1].Name);
         Assert.AreEqual("1.2.3", packages[1].Version);
     }
+
+    /// <summary>
+    ///     Tests that an invalid package ID fails validation.
+    /// </summary>
+    [TestMethod]
+    public void SpdxPackage_Validate_ReportsInvalidPackageIds()
+    {
+        // Arrange: Construct a SpdxPackage with an invalid ID format
+        var package = new SpdxPackage
+        {
+            Id = "Invalid_Id",
+            Name = "TestPackage",
+            Version = "1.0.0"
+        };
+
+        // Act: Validate the package
+        var issues = new List<string>();
+        package.Validate(issues, null, true);
+
+        // Assert: Verify the invalid ID is reported
+        Assert.IsTrue(
+            issues.Any(i => i.StartsWith("Package TestPackage Invalid SPDX Identifier Field")));
+    }
 }
diff --git a/test/DemaConsulting.SpdxModel.Tests/SpdxSnippetTests.cs b/test/DemaConsulting.SpdxModel.Tests/SpdxSnippetTests.cs

Original file line number	Diff line number	Diff line change
`@@ -192,7 +192,7 @@ public static SpdxSnippet[] Enhance(SpdxSnippet[] array, SpdxSnippet[] others)`
`192`	`192`	`public void Validate(List<string> issues)`
`193`	`193`	`{`
`194`	`194`	`// Validate Snippet SPDX Identifier Field`
`195`		`- if (!Id.StartsWith("SPDXRef-"))`
	`195`	`+ if (!SpdxRefRegex.IsMatch(Id))`
`196`	`196`	`issues.Add("Snippet Invalid SPDX Identifier Field");`
`197`	`197`
`198`	`198`	`// Validate Snippet From File Field`