fix(spdx): Do not hard-code "SpdxDocumentFile" as the package type

sschuberth · sschuberth · commit f68d73705cb5 · 2026-03-03T16:03:09.000+01:00
Only the project type should be "SpdxDocumentFile". The package type
should be deduced from the PURL, if any, as `SpdxPackage` itself has no
dedicated field for the package's type.

This helps to maintain the package type e.g. if an SPDX document is used
to describe Maven packages.

Signed-off-by: Sebastian Schuberth &lt;sebastian@doubleopen.org&gt;
diff --git a/plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/spdx-project-cyclic-expected-output.yml b/plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/spdx-project-cyclic-expected-output.yml
@@ -29,7 +29,7 @@ project:
         - id: "SpdxDocumentFile::xyz:0.1.0"
     - id: "SpdxDocumentFile::zlib:1.2.11"
       linkage: "STATIC"
-    - id: "SpdxDocumentFile:OpenSSL Development Team:openssl:1.1.1g"
+    - id: "a-name:OpenSSL Development Team:openssl:1.1.1g"
   - name: "test"
     dependencies:
     - id: "SpdxDocumentFile::curl:7.70.0"
@@ -160,7 +160,7 @@ packages:
     url: "<REPLACE_URL_PROCESSED>"
     revision: "<REPLACE_REVISION>"
     path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/zlib"
-- id: "SpdxDocumentFile:OpenSSL Development Team:openssl:1.1.1g"
+- id: "a-name:OpenSSL Development Team:openssl:1.1.1g"
   purl: "pkg:a-name/openssl@1.1.1g"
   cpe: "cpe:2.3:a:a-name:openssl:1.1.1g:*:*:*:*:*:*:*"
   authors:
diff --git a/plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/spdx-project-xyz-expected-output.yml b/plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/spdx-project-xyz-expected-output.yml
@@ -24,7 +24,7 @@ project:
     dependencies:
     - id: "SpdxDocumentFile::zlib:1.2.11"
       linkage: "STATIC"
-    - id: "SpdxDocumentFile:OpenSSL Development Team:openssl:1.1.1g"
+    - id: "a-name:OpenSSL Development Team:openssl:1.1.1g"
   - name: "test"
     dependencies:
     - id: "SpdxDocumentFile::curl:7.70.0"
@@ -95,7 +95,7 @@ packages:
     url: "<REPLACE_URL_PROCESSED>"
     revision: "<REPLACE_REVISION>"
     path: "plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/libs/zlib"
-- id: "SpdxDocumentFile:OpenSSL Development Team:openssl:1.1.1g"
+- id: "a-name:OpenSSL Development Team:openssl:1.1.1g"
   purl: "pkg:a-name/openssl@1.1.1g"
   cpe: "cpe:2.3:a:a-name:openssl:1.1.1g:*:*:*:*:*:*:*"
   authors:
diff --git a/plugins/package-managers/spdx/src/funTest/kotlin/SpdxDocumentFileFunTest.kt b/plugins/package-managers/spdx/src/funTest/kotlin/SpdxDocumentFileFunTest.kt
@@ -77,7 +77,7 @@ class SpdxDocumentFileFunTest : WordSpec({
             val curlId = Identifier("SpdxDocumentFile::curl:7.70.0")
 
             val opensslPackageFile = projectDir / "libs" / "openssl" / "package.spdx.yml"
-            val opensslId = Identifier("SpdxDocumentFile:OpenSSL Development Team:openssl:1.1.1g")
+            val opensslId = Identifier("a-name:OpenSSL Development Team:openssl:1.1.1g")
 
             val zlibPackageFile = projectDir / "libs" / "zlib" / "package.spdx.yml"
             val zlibId = Identifier("SpdxDocumentFile::zlib:1.2.11")
@@ -165,7 +165,7 @@ class SpdxDocumentFileFunTest : WordSpec({
 
         "retrieve transitive dependencies" {
             val idCurl = Identifier("SpdxDocumentFile::curl:7.70.0")
-            val idOpenSsl = Identifier("SpdxDocumentFile:OpenSSL Development Team:openssl:1.1.1g")
+            val idOpenSsl = Identifier("a-name:OpenSSL Development Team:openssl:1.1.1g")
             val idZlib = Identifier("SpdxDocumentFile::zlib:1.2.11")
             val idMyLib = Identifier("SpdxDocumentFile::my-lib:8.88.8")
 
@@ -203,7 +203,7 @@ class SpdxDocumentFileFunTest : WordSpec({
 
         "retrieve nested DEPENDS_ON dependencies" {
             val idCurl = Identifier("SpdxDocumentFile::curl:7.70.0")
-            val idOpenSsl = Identifier("SpdxDocumentFile:OpenSSL Development Team:openssl:1.1.1g")
+            val idOpenSsl = Identifier("a-name:OpenSSL Development Team:openssl:1.1.1g")
             val idZlib = Identifier("SpdxDocumentFile::zlib:1.2.11")
 
             val projectFile = projectDir / "DEPENDS_ON-packages" / "project-xyz.spdx.yml"
@@ -309,7 +309,7 @@ class SpdxDocumentFileFunTest : WordSpec({
             packageIds should containExactlyInAnyOrder(
                 Identifier("SpdxDocumentFile::curl:7.70.0"),
                 Identifier("SpdxDocumentFile::my-lib:8.88.8"),
-                Identifier("SpdxDocumentFile:OpenSSL Development Team:openssl:1.1.1g")
+                Identifier("a-name:OpenSSL Development Team:openssl:1.1.1g")
             )
         }
 
diff --git a/plugins/package-managers/spdx/src/main/kotlin/SpdxDocumentFile.kt b/plugins/package-managers/spdx/src/main/kotlin/SpdxDocumentFile.kt
@@ -70,6 +70,7 @@ import org.ossreviewtoolkit.utils.spdxdocument.model.SpdxPackage
 import org.ossreviewtoolkit.utils.spdxdocument.model.SpdxRelationship
 
 private const val PROJECT_TYPE = "SpdxDocumentFile"
+private const val PACKAGE_TYPE = "SpdxDocumentFile"
 
 private const val DEFAULT_SCOPE_NAME = "default"
 
@@ -279,9 +280,9 @@ class SpdxDocumentFile(override val descriptor: PluginDescriptor = SpdxDocumentF
     /**
      * Create an [Identifier] out of this [SpdxPackage].
      */
-    private fun SpdxPackage.toIdentifier() =
+    private fun SpdxPackage.toIdentifier(type: String) =
         Identifier(
-            type = projectType,
+            type = type,
             namespace = listOfNotNull(supplier, originator).firstOrNull()
                 ?.withoutPrefix(SpdxConstants.ORGANIZATION).orEmpty().sanitize(),
             name = name.sanitize(),
@@ -306,10 +307,11 @@ class SpdxDocumentFile(override val descriptor: PluginDescriptor = SpdxDocumentF
         val isBinaryArtifact = generatedFromRelations.any { it.spdxElementId == spdxId }
             && generatedFromRelations.none { it.relatedSpdxElement == spdxId }
 
-        val id = toIdentifier()
-        val artifact = getRemoteArtifact()
+        val purlReference = locateExternalReference(SpdxExternalReference.Type.Purl)
+        val id = toIdentifier(purlReference?.toPackageUrl()?.type ?: PACKAGE_TYPE)
 
-        val purl = locateExternalReference(SpdxExternalReference.Type.Purl)
+        val artifact = getRemoteArtifact()
+        val purl = purlReference
             ?: artifact
                 ?.let { if (it.hash.algorithm in HashAlgorithm.VERIFIABLE) it else it.copy(hash = Hash.NONE) }
                 ?.let { id.toPurl(ArtifactProvenance(it)) }
@@ -560,7 +562,7 @@ class SpdxDocumentFile(override val descriptor: PluginDescriptor = SpdxDocumentF
         )
 
         val project = Project(
-            id = projectPackage.toIdentifier(),
+            id = projectPackage.toIdentifier(projectType),
             cpe = projectPackage.locateCpe(),
             definitionFilePath = VersionControlSystem.getPathInfo(definitionFile).path,
             authors = projectPackage.originator.wrapPresentInSet(),
