Remove unnecessary parser errors which disallow syft SBOMs by sfoslund · Pull Request #917 · microsoft/sbom-tool
This PR removes 2 SPDX 2.2 parser exceptions which are currently enforcing rules which are not explicitly required for SPDX 2.2 SBOMs. These errors have not been a problem thus far because the SBOMs generated by this tool (currently the only type of SBOM we parse with the parser package) do not violate these assumptions. However, when we start parsing SBOMs generated by syft, we need to allow for more variance. These changes include:
- Do not error when a file entry is missing a SHA256 hash. SHA256 is not required for 2.2 SBOMs.
- Do not error when a package entry's LicenseInfoFromFiles property is empty, which is also not required for 2.2 SBOMs. It appears that we previously made a change to allow this property to be empty in our own generation logic but never made the corresponding change to accept SBOMs without this property.
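An added example, not code from this PR or from sbom-tool (which is written in C#; Python is used here so it runs stand-alone): a minimal SPDX 2.2 JSON check that applies the two relaxed rules above while still rejecting a file entry without the SHA1 checksum the spec does mandate. The SBOM fragment and the `require_sha256` switch that reproduces the stricter pre-change behaviour are constructed for this illustration.

```python
import json

# Constructed SPDX 2.2 JSON fragment (not taken from the PR): one file carrying only
# the mandatory SHA1 checksum, and one package whose licenseInfoFromFiles is empty.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "files": [
        {"fileName": "./bin/app", "SPDXID": "SPDXRef-File-app",
         "checksums": [{"algorithm": "SHA1",
                        "checksumValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}]},
    ],
    "packages": [
        {"name": "demo-lib", "SPDXID": "SPDXRef-Package-demo", "versionInfo": "1.0.0",
         "downloadLocation": "NOASSERTION", "licenseInfoFromFiles": []},
    ],
})

# Same document with the file's checksum list removed entirely: still invalid SPDX 2.2.
SAMPLE_NO_SHA1 = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "files": [{"fileName": "./bin/app", "SPDXID": "SPDXRef-File-app", "checksums": []}],
    "packages": [],
})


def validate_spdx22(doc_text: str, require_sha256: bool = False) -> list:
    """Return the list of validation problems; an empty list means the SBOM is accepted.

    require_sha256=True reproduces the stricter behaviour the PR removes, for comparison.
    """
    doc = json.loads(doc_text)
    problems = []
    for f in doc.get("files", []):
        algos = {c.get("algorithm") for c in f.get("checksums", [])}
        # SPDX 2.2 mandates one SHA1 per file; SHA256 and others are optional.
        if "SHA1" not in algos:
            problems.append(f"{f.get('SPDXID')}: missing mandatory SHA1 checksum")
        if require_sha256 and "SHA256" not in algos:
            problems.append(f"{f.get('SPDXID')}: missing SHA256 checksum")
    for p in doc.get("packages", []):
        # An empty or absent licenseInfoFromFiles is tolerated; only a wrong type is an error.
        lif = p.get("licenseInfoFromFiles", [])
        if not isinstance(lif, list):
            problems.append(f"{p.get('SPDXID')}: licenseInfoFromFiles must be a list")
    return problems
```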