feat(spdx): Tolerate invalid SPDX expressions when writing reports

Instead of failing hard and not generating a report, log errors for
invalid SPDX expressions coming from detected licenses. This allows to
post-process the report later on with third-party tools like [1].

The behavior when reading SPDX reports is unchanged, and validation
exceptions are propagated as issues like before.

Resolves #10320.

[1]: https://tools.spdx.org/app/validate/

Signed-off-by: Sebastian Schuberth <[email protected]>

Author: sschuberth

plugins/package-managers/spdx/src/main/kotlin/utils/SpdxDocumentCache.kt

@@ -48,6 +48,11 @@ internal class SpdxDocumentCache {
         documentCache.getOrPut(file) {
             logger.info { "Loading SpdxDocument from '$file'." }
 
-            runCatching { SpdxModelMapper.read(file) }
+            runCatching {
+                SpdxModelMapper.read<SpdxDocument>(file).apply {
+                    packages.forEach { it.validate() }
+                    files.forEach { it.validate() }
+                }
+            }
         }
 }

plugins/reporters/spdx/src/funTest/kotlin/SpdxDocumentReporterFunTest.kt

@@ -396,7 +396,7 @@ private val ortResult = OrtResult(
                 summary = ScanSummary.EMPTY.copy(
                     licenseFindings = setOf(
                         LicenseFinding(
-                            license = "GPL-3.0-only",
+                            license = "GPL-2.0-only WITH NOASSERTION",
                             location = TextLocation("LICENSE", 1)
                         )
                     ),

plugins/reporters/spdx/src/funTest/resources/spdx-document-reporter-expected-output.spdx.json

@@ -135,7 +135,7 @@
     "filesAnalyzed" : false,
     "homepage" : "NONE",
     "licenseConcluded" : "NOASSERTION",
-    "licenseDeclared" : "GPL-3.0-only",
+    "licenseDeclared" : "GPL-2.0-only WITH NOASSERTION",
     "name" : "seventh-package",
     "versionInfo" : "0.0.1"
   }, {
@@ -156,8 +156,8 @@
     "hasFiles" : [ "SPDXRef-File-2", "SPDXRef-File-3" ],
     "homepage" : "NONE",
     "licenseConcluded" : "NOASSERTION",
-    "licenseDeclared" : "GPL-3.0-only",
-    "licenseInfoFromFiles" : [ "GPL-3.0-only" ],
+    "licenseDeclared" : "GPL-2.0-only WITH NOASSERTION",
+    "licenseInfoFromFiles" : [ "GPL-2.0-only WITH NOASSERTION" ],
     "name" : "seventh-package",
     "packageVerificationCode" : {
       "packageVerificationCodeValue" : "e14acc46fad3a38a1ef2830067619812b51cb4bc"
@@ -215,7 +215,7 @@
     "copyrightText" : "NONE",
     "fileName" : "LICENSE",
     "licenseConcluded" : "NOASSERTION",
-    "licenseInfoInFiles" : [ "GPL-3.0-only" ]
+    "licenseInfoInFiles" : [ "GPL-2.0-only WITH NOASSERTION" ]
   }, {
     "SPDXID" : "SPDXRef-File-3",
     "checksums" : [ {

plugins/reporters/spdx/src/funTest/resources/spdx-document-reporter-expected-output.spdx.yml

@@ -150,7 +150,7 @@ packages:
   filesAnalyzed: false
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "GPL-3.0-only"
+  licenseDeclared: "GPL-2.0-only WITH NOASSERTION"
   name: "seventh-package"
   versionInfo: "0.0.1"
 - SPDXID: "SPDXRef-Package-Maven-seventh-package-group-seventh-package-0.0.1-source-artifact"
@@ -170,9 +170,9 @@ packages:
   - "SPDXRef-File-3"
   homepage: "NONE"
   licenseConcluded: "NOASSERTION"
-  licenseDeclared: "GPL-3.0-only"
+  licenseDeclared: "GPL-2.0-only WITH NOASSERTION"
   licenseInfoFromFiles:
-  - "GPL-3.0-only"
+  - "GPL-2.0-only WITH NOASSERTION"
   name: "seventh-package"
   packageVerificationCode:
     packageVerificationCodeValue: "e14acc46fad3a38a1ef2830067619812b51cb4bc"
@@ -226,7 +226,7 @@ files:
   fileName: "LICENSE"
   licenseConcluded: "NOASSERTION"
   licenseInfoInFiles:
-  - "GPL-3.0-only"
+  - "GPL-2.0-only WITH NOASSERTION"
 - SPDXID: "SPDXRef-File-3"
   checksums:
   - algorithm: "SHA1"

plugins/reporters/spdx/src/main/kotlin/Extensions.kt

@@ -23,6 +23,8 @@ package org.ossreviewtoolkit.plugins.reporters.spdx
 
 import java.util.concurrent.atomic.AtomicInteger
 
+import org.apache.logging.log4j.kotlin.logger
+
 import org.ossreviewtoolkit.model.ArtifactProvenance
 import org.ossreviewtoolkit.model.Hash
 import org.ossreviewtoolkit.model.Identifier
@@ -197,7 +199,13 @@ internal fun Package.toSpdxPackage(
         packageVerificationCode = packageVerificationCode,
         supplier = authors.takeUnless { it.isEmpty() }?.joinToString(prefix = "${SpdxConstants.PERSON} "),
         versionInfo = id.version
-    )
+    ).also { spdxPackage ->
+        runCatching {
+            spdxPackage.validate()
+        }.onFailure {
+            logger.error { "Validation failed for '${spdxPackage.spdxId}': ${it.message}" }
+        }
+    }
 }
 
 private fun OrtResult.getVcsScanResult(id: Identifier): ScanResult? =
@@ -290,7 +298,13 @@ internal fun OrtResult.getSpdxFiles(
             licenseConcluded = SpdxConstants.NOASSERTION,
             licenseInfoInFiles = fileFindings.licenses.map { it.toString() }.ifEmpty { listOf(SpdxConstants.NONE) },
             copyrightText = fileFindings.copyrights.sorted().joinToString("\n").ifBlank { SpdxConstants.NONE }
-        )
+        ).also { spdxFile ->
+            runCatching {
+                spdxFile.validate()
+            }.onFailure {
+                logger.error { "Validation failed for '${spdxFile.spdxId}': ${it.message}" }
+            }
+        }
     }
 
 /**

utils/spdx-document/src/main/kotlin/model/SpdxFile.kt

@@ -169,10 +169,6 @@ data class SpdxFile(
         VIDEO
     }
 
-    init {
-        validate()
-    }
-
     fun validate(): SpdxFile =
         apply {
             require(spdxId.startsWith(REF_PREFIX)) {

utils/spdx-document/src/main/kotlin/model/SpdxPackage.kt

@@ -190,10 +190,6 @@ data class SpdxPackage(
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
     val versionInfo: String = ""
 ) {
-    init {
-        validate()
-    }
-
     fun validate(): SpdxPackage =
         apply {
             require(spdxId.startsWith(SpdxConstants.REF_PREFIX)) {