SPDX 3 Validation Tool

November 25, 2024 ยท View on GitHub

Validates SPDX 3 documents

While standalone tools like pyshacl and check-jsonschema can be used to validate SPDX 3 documents, there are a few context-aware checks that can be useful. This includes:

  1. Ignored SHACL errors for missing spdxIds if they are defined in an ExternalMap
  2. Validation that any spdxId defined in an ExternalMap are not present in the document
  3. SHACL Validation of merged documents (in this way, if you reference an spdxId from an ExternalMap and then pass the document that provides that spdxId, the type can be validated)
  4. (Hopefully) More useful JSON schema error output

Installation

spdx3-validate can be installed using pip:

python3 -m pip install spdx3-validate

Developing

Developing on spdx3-validate is best done using a virtual environment. You can configure one and install spdx3-validate in editable mode with all necessary development dependencies by running:

python3 -m venv .venv
. .venv/bin/activate
pip install -e ".[dev]"

TODO

  • Option to automatically download dependencies based on locationHint
  • Offline validation?