I've been writing some python tooling that consumes SPDX documents from various sources.
Some of which use https://github.com/swinslow/cmake-spdx which unfortunately has the open issue swinslow/cmake-spdx#8 that it generates documents with SHA256 hashes for ExternalDocumentRef due to confusion in the spec and the regex at
|
external_doc_ref_regex = re.compile(r"(.*)(\s*SHA1:\s*[a-f0-9]{40})") |
only handles SHA1.
"That's invalid, WONTFIX" is a fair resolution, but searching ExternalDocumentRef and SHA256 didn't find an existing issue so I thought it worth raising.
It may be as simple as extending the regex to the full set supported, but I can't predict if I'll have time to attempt a fix myself and it'd be helpful to know whether the fix would be accepted.
I've been writing some python tooling that consumes SPDX documents from various sources.
Some of which use https://github.com/swinslow/cmake-spdx which unfortunately has the open issue swinslow/cmake-spdx#8 that it generates documents with SHA256 hashes for ExternalDocumentRef due to confusion in the spec and the regex at
tools-python/src/spdx_tools/spdx/parser/tagvalue/parser.py
Line 288 in b7f9a3d
"That's invalid, WONTFIX" is a fair resolution, but searching ExternalDocumentRef and SHA256 didn't find an existing issue so I thought it worth raising.
It may be as simple as extending the regex to the full set supported, but I can't predict if I'll have time to attempt a fix myself and it'd be helpful to know whether the fix would be accepted.