SPDX documents don't validate for empty licenses

[nishakm]

Describe the bug
SPDX documents no longer are validated using this tool: http://13.57.134.254/app/validate/

To Reproduce
Steps to reproduce the behavior:

1. tern -l report -m spdxtagvalue -i golang:1.12.7 -f golang_1.12.7_spdx.txt
2. Upload document to the site and click validate
3. See error

Error in terminal

Unable to parse the file: File /var/www/spdxtools/spdx-online-tools/src/app/media/AnonymousUser/1567173789/golang_1.12.7_spdx.txt is not a recognized RDF/XML or tag/value format. While verifying for Tag/Value format: Error converting tag/value to RDF/XML format: Expecting a definition of a file, package, license information, or document property at License: GPLv2+ line number 564. While verifying for RDF/XML format: [line: 1, col: 1 ] Content is not allowed in prolog.

Expected behavior
This document should validate

Environment you are running Tern on

$ tern --version
Tern at commit 864a00ed00ee3fa1d768399a7c1cba6878859f94
   python version = 3.7.3 (default, Apr  3 2019, 19:16:38)

[swinslow]

Hi @nishakm @rnjudge, I will take a look at this in the next couple of days (away from my computer today) to see if I can reproduce too, and to add thoughts on the tag-value formatting.

[rnjudge]

@nishakm @swinslow For what it's worth, it doesn't validate output going all the way back to tern-0.4.0. I tried with spdxtagvalue output from the latest commit, tern-0.5.4 and tern-0.4.0 and got the same error for all 3 output files. So I would be curious if something changed on the spdx side of the validate app as well. Do either of you know the last time it was confirmed that Tern's spdxtagvalue output file was able to be validated? Something about the following line in all 3 cases is the root of the failure:

License: GPLv2+

[nishakm]

This is the original document that finally passed validation: https://github.com/vmware/tern/pull/270/files

It still passes validation, so I think something regressed in the format. Maybe run tern on the same image and do a diff on the output file and this one.

[nishakm]

@swinslow So the issue we found was that if there are no licenses found, then no license identifier list is generated. This is especially true with debian based images where there is no license metadata. How do we write valid SPDX documents when we can't find any and all of the mandatory tags?

[rnjudge]

The consensus from the SPDX call on 9/3 is that if there is no license metadata the report should use NOASSERTION, i.e.

LicenseID: NOASSERTION

[rnjudge]

@swinslow I opened a PR according to your suggestion in the SPDX call which fixes the original issue we were seeing related to missing license metadata. However, we still see an issue with validation for debian-based image reports. The issue now is related to how debian can sometimes version their packages with an epoch that uses a colon to separate the epoc from the upstream version/debian release. You can read more about it here but to summarize, their versioning looks like this:
[epoch:]upstream_version[-debian_revision].

In most cases, the epoch is omitted but in the case where it is present the colon that follows confuses the SPDX tag:value validation. The error we see from the validator is:
No external document ref found for SPDX ID SPDXRef-bsdutils.1:2.33.1-0.1. While verifying for RDF/XML format: [line: 1, col: 1 ] Content is not allowed in prolog

which we believe is coming from epoch:upstreamversion-debianrelease version format of bsdutils.

Any thoughts on how we should handle this? I don't see anything about this specific style of package versioning in the 2.1 spec. For Tern's use case, we could always trim the epoch but this particular case seems like something that might be helpful for others to see in the spec as well.