StringIndexOutOfBoundsException is raised when serializing SPDX 3.0 SBOM with MultiFormatStore

[tiegz]

I'm using the Spdx3Example to try to build and serialize an SPDX 3.0 SBOM, but I'm running into an issue where the MultiFormatStore assumes that the objectUri of the document has a "#". I think I read somewhere that the "#" was removed in spdx IDs in 3.0, but I'm not sure if I'm just doing something incorrectly here.

The error that's being raised is:

java.lang.StringIndexOutOfBoundsException: begin 0, end -1, length 11
        at java.base/java.lang.String.checkBoundsBeginEnd(String.java:4606)
        at java.base/java.lang.String.substring(String.java:2709)
        at org.spdx.jacksonstore.MultiFormatStore.serialize(MultiFormatStore.java:184)
        at org.example.Spdx30SbomGenerator.createSbomFromScratch(Spdx30SbomGenerator.java:90)
        at org.example.Spdx30SbomGeneratorTest.testSerializeSbom(Spdx30SbomGeneratorTest.java:35)

And the PoC code is here:

package org.example;

import java.io.ByteArrayOutputStream;
import java.io.IOException;

import org.spdx.core.IModelCopyManager;
import org.spdx.core.InvalidSPDXAnalysisException;
import org.spdx.jacksonstore.MultiFormatStore;
import org.spdx.library.ModelCopyManager;
import org.spdx.library.SpdxModelFactory;
import org.spdx.library.model.v3_0_1.SpdxModelClassFactoryV3;
import org.spdx.library.model.v3_0_1.core.CreationInfo;
import org.spdx.library.model.v3_0_1.software.Sbom;
import org.spdx.library.model.v3_0_1.software.SpdxPackage;
import org.spdx.storage.simple.InMemSpdxStore;

public class Spdx30SbomGenerator {

        public static String serialize(Sbom sbom) {
                return "";
        }

        public static Sbom createSbomFromScratch() throws InvalidSPDXAnalysisException {
                SpdxModelFactory.init();
                MultiFormatStore modelStore = new MultiFormatStore(new InMemSpdxStore(),
                                org.spdx.jacksonstore.MultiFormatStore.Format.JSON_PRETTY);

                IModelCopyManager copyManager = new ModelCopyManager();
                String prefix = "https://org.spdx.spdxdata/899b1918-f72a-4755-9215-6262b3c346df/";
                CreationInfo creationInfo = SpdxModelClassFactoryV3.createCreationInfo(
                                modelStore, prefix + "Agent/AgentName", "Created By Name",
                                copyManager);
                Sbom sbom = creationInfo.createSbom(prefix + "sbom/mysbom")
                                .setName("My SBOM")
                                .build();
                SpdxPackage pkg = sbom.createSpdxPackage(prefix + "package/mypackage")
                                .setName("Package Name")
                                .build();
                sbom.getElements().add(pkg);
                sbom.getRootElements().add(pkg);

                var spdxDocument = sbom.createSpdxDocument("Asdf/foobar").build();

                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                try {
                        modelStore.serialize(byteArrayOutputStream, spdxDocument);
                } catch (InvalidSPDXAnalysisException | IOException e) {
                        System.out.println("ERROR: " + e.toString());
                }

                return sbom;
        }
}

[goneall]

Thanks @tiegz for reporting the issue.

The spdx-java-jackson-store only supports SPDX 2.X formats.

To serialize SPDX 3 - please use the spdx-java-v3jsonld-store.

In looking at the README, I noticed this wasn't documented anywhere - I just added PR #104 to note this in the README.

The spec version should also be checked in the serialize method to produce a better error message. Note: This may also be an issue for the RDF, spreadsheet and tag/value stores since they also only support SPDX spec version 2.X.

Let's leave this issue open to track adding the check for the version.

[tiegz]

Thanks @goneall , when I replace MultiFormatStore with JsonLDStore I am able to serialize it 👍🏻