feat: upgrade to spdx-jackson-java 2.x lib (#426)

ruromero · web-flow · commit 72d3a4816ef4 · 2025-06-11T10:46:54.000+02:00
Signed-off-by: Ruben Romero Montes &lt;rromerom@redhat.com&gt;
diff --git a/pom.xml b/pom.xml
@@ -50,7 +50,7 @@
     <!-- Dependencies -->
     <exhort-api.version>1.0.5</exhort-api.version>
     <sentry.version>7.8.0</sentry.version>
-    <spdx.version>1.1.9.1</spdx.version>
+    <spdx.version>2.0.2</spdx.version>
     <htmlunit.version>4.11.1</htmlunit.version>
     <wiremock.version>3.4.2</wiremock.version>
     <cvss-calculator.version>1.4.2</cvss-calculator.version>
diff --git a/src/main/java/com/redhat/exhort/config/exception/SbomValidationException.java b/src/main/java/com/redhat/exhort/config/exception/SbomValidationException.java
@@ -23,4 +23,8 @@ public abstract class SbomValidationException extends ClientDetailedException {
   public SbomValidationException(String message, String detail) {
     super(message, detail);
   }
+
+  public SbomValidationException(String message, Exception e) {
+    super(message, e);
+  }
 }
diff --git a/src/main/java/com/redhat/exhort/config/exception/SpdxValidationException.java b/src/main/java/com/redhat/exhort/config/exception/SpdxValidationException.java
@@ -31,6 +31,6 @@ public SpdxValidationException(String expectedVersion, List<String> errors) {
   }
 
   public SpdxValidationException(String message, Exception e) {
-    this(message + ": " + e.getMessage());
+    super(message + ": " + e.getMessage(), e);
   }
 }
diff --git a/src/main/java/com/redhat/exhort/integration/backend/sbom/spdx/SpdxParser.java b/src/main/java/com/redhat/exhort/integration/backend/sbom/spdx/SpdxParser.java
@@ -27,11 +27,11 @@
 import java.util.Set;
 import java.util.stream.Collectors;
 
+import org.spdx.core.InvalidSPDXAnalysisException;
 import org.spdx.jacksonstore.MultiFormatStore;
 import org.spdx.jacksonstore.MultiFormatStore.Format;
-import org.spdx.library.InvalidSPDXAnalysisException;
-import org.spdx.library.model.SpdxPackage;
-import org.spdx.library.model.enumerations.RelationshipType;
+import org.spdx.library.model.v2.SpdxPackage;
+import org.spdx.library.model.v2.enumerations.RelationshipType;
 import org.spdx.storage.simple.InMemSpdxStore;
 
 import com.redhat.exhort.api.PackageRef;
@@ -44,7 +44,6 @@ public class SpdxParser extends SbomParser {
 
   @Override
   protected DependencyTree buildTree(InputStream input) {
-
     var inputStore = new MultiFormatStore(new InMemSpdxStore(), Format.JSON_PRETTY);
     var wrapper = new SpdxWrapper(inputStore, input);
     var deps = buildDeps(wrapper);
@@ -117,19 +116,19 @@ private void createPackageLinks(
                       packages.stream().anyMatch(pkg -> pkg.getId().equals(relatedId));
 
                   switch (RelationshipDirection.fromRelationshipType(rel.getRelationshipType())) {
-                    case FORWARD:
+                    case FORWARD -> {
                       if (shouldIndexRelated) {
                         addLink(links, pkgId, relatedId);
                       } else {
                         addLink(links, pkgId, null);
                       }
-                      break;
-                    case BACKWARDS:
+                    }
+                    case BACKWARDS -> {
                       if (shouldIndexRelated) {
                         addLink(links, relatedId, pkgId);
                       }
-                      break;
-                    case IGNORED:
+                    }
+                    default -> {}
                   }
                 } catch (InvalidSPDXAnalysisException e) {
                   throw new SpdxValidationException(
diff --git a/src/main/java/com/redhat/exhort/integration/backend/sbom/spdx/SpdxWrapper.java b/src/main/java/com/redhat/exhort/integration/backend/sbom/spdx/SpdxWrapper.java
@@ -24,13 +24,14 @@
 import java.util.Optional;
 import java.util.stream.Collectors;
 
+import org.spdx.core.InvalidSPDXAnalysisException;
+import org.spdx.core.TypedValue;
 import org.spdx.jacksonstore.MultiFormatStore;
-import org.spdx.library.InvalidSPDXAnalysisException;
-import org.spdx.library.SpdxConstants;
-import org.spdx.library.model.ExternalRef;
-import org.spdx.library.model.SpdxDocument;
-import org.spdx.library.model.SpdxPackage;
-import org.spdx.library.model.TypedValue;
+import org.spdx.library.SpdxModelFactory;
+import org.spdx.library.model.v2.ExternalRef;
+import org.spdx.library.model.v2.SpdxConstantsCompatV2;
+import org.spdx.library.model.v2.SpdxDocument;
+import org.spdx.library.model.v2.SpdxPackage;
 
 import com.redhat.exhort.api.PackageRef;
 import com.redhat.exhort.config.exception.SpdxValidationException;
@@ -41,16 +42,23 @@ public class SpdxWrapper {
 
   private MultiFormatStore inputStore;
   private SpdxDocument doc;
-  private String uri;
+  private String docUri;
   private Collection<SpdxPackage> packages;
 
+  static {
+    SpdxModelFactory.init();
+  }
+
   public SpdxWrapper(MultiFormatStore inputStore, InputStream input)
       throws SpdxValidationException {
     this.inputStore = inputStore;
     try {
       this.inputStore.deSerialize(input, false);
-      this.uri = inputStore.getDocumentUris().get(0);
-      this.doc = new SpdxDocument(inputStore, uri, null, false);
+      var uris = inputStore.getDocumentUris();
+      if (uris != null && !uris.isEmpty()) {
+        this.docUri = uris.iterator().next();
+      }
+      this.doc = new SpdxDocument(inputStore, docUri, null, false);
 
       var version = doc.getSpecVersion();
       var verify = doc.verify(version);
@@ -111,9 +119,17 @@ public Collection<SpdxPackage> getPackages() {
     return this.packages;
   }
 
+  public SpdxPackage getPackageByUri(String uri) {
+    try {
+      return new SpdxPackage(inputStore, docUri, uri.substring(docUri.length() + 1), null, false);
+    } catch (InvalidSPDXAnalysisException e) {
+      throw new SpdxValidationException("Unable to create SpdxPackage for URI: " + uri, e);
+    }
+  }
+
   public SpdxPackage getPackageById(String id) {
     try {
-      return new SpdxPackage(inputStore, uri, id, null, false);
+      return new SpdxPackage(inputStore, docUri, id, null, false);
     } catch (InvalidSPDXAnalysisException e) {
       throw new SpdxValidationException("Unable to create SpdxPackage for id: " + id, e);
     }
@@ -122,9 +138,9 @@ public SpdxPackage getPackageById(String id) {
   private Collection<SpdxPackage> parsePackages() throws InvalidSPDXAnalysisException {
     var docName = doc.getName();
     return inputStore
-        .getAllItems(uri, SpdxConstants.CLASS_SPDX_PACKAGE)
-        .map(TypedValue::getId)
-        .map(this::getPackageById)
+        .getAllItems(docUri, SpdxConstantsCompatV2.CLASS_SPDX_PACKAGE)
+        .map(TypedValue::getObjectUri)
+        .map(this::getPackageByUri)
         .filter(this::hasPurl)
         .filter(p -> !packageHasName(p, docName))
         .collect(Collectors.toList());
diff --git a/src/test/java/com/redhat/exhort/integration/backend/sbom/SpdxWrapperTest.java b/src/test/java/com/redhat/exhort/integration/backend/sbom/SpdxWrapperTest.java
@@ -26,10 +26,10 @@
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.ValueSource;
+import org.spdx.core.InvalidSPDXAnalysisException;
 import org.spdx.jacksonstore.MultiFormatStore;
 import org.spdx.jacksonstore.MultiFormatStore.Format;
-import org.spdx.library.InvalidSPDXAnalysisException;
-import org.spdx.library.Version;
+import org.spdx.library.model.v2.Version;
 import org.spdx.storage.simple.InMemSpdxStore;
 
 import com.redhat.exhort.config.exception.SpdxValidationException;
@@ -55,11 +55,15 @@ void testVersions(String version) throws InvalidSPDXAnalysisException, IOExcepti
 
   @Test
   void testInvalidDocument() {
-    assertThrows(
-        SpdxValidationException.class,
-        () ->
-            new SpdxWrapper(
-                inputStore,
-                this.getClass().getClassLoader().getResourceAsStream("cyclonedx/empty-sbom.json")));
+    var err =
+        assertThrows(
+            SpdxValidationException.class,
+            () ->
+                new SpdxWrapper(
+                    inputStore,
+                    this.getClass()
+                        .getClassLoader()
+                        .getResourceAsStream("cyclonedx/empty-sbom.json")));
+    assertNotNull(err.getMessage());
   }
 }
diff --git a/src/test/resources/spdx/reverse-sbom.json b/src/test/resources/spdx/reverse-sbom.json
diff --git a/src/test/resources/spdx/shared-deps-sbom.json b/src/test/resources/spdx/shared-deps-sbom.json
diff --git a/src/test/resources/spdx/versions/SPDX-2.2.json b/src/test/resources/spdx/versions/SPDX-2.2.json

Original file line number	Diff line number	Diff line change
`@@ -23,4 +23,8 @@ public abstract class SbomValidationException extends ClientDetailedException {`
`23`	`23`	`public SbomValidationException(String message, String detail) {`
`24`	`24`	`super(message, detail);`
`25`	`25`	`}`
	`26`	`+`
	`27`	`+ public SbomValidationException(String message, Exception e) {`
	`28`	`+ super(message, e);`
	`29`	`+ }`
`26`	`30`	`}`
Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,6 @@ public SpdxValidationException(String expectedVersion, List<String> errors) {`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`public SpdxValidationException(String message, Exception e) {`
`34`		`- this(message + ": " + e.getMessage());`
	`34`	`+ super(message + ": " + e.getMessage(), e);`
`35`	`35`	`}`
`36`	`36`	`}`