Validate Custom JSON-LD Context #263

@augelu-tng

According to the Serialization Information section in the SPDX 3.0.1 spec, serializing NamespaceMaps within the @context field for JSON-LD serializations is valid.

When serializing a physical SpdxDocument, any property of the logical element that can be natively represented within the chosen serialization format (e.g., @context prefixes in JSON-LD instead of the namespaceMap) may utilize these native mechanisms. All remaining properties shall be serialized within the SpdxDocument element itself.
[...]
Additional namespace mappings may be defined within a separate object within the context.

The Java SPDX tools, however, do not currently support this.
Take for example the following document: sbom-output.spdx.json

export SPDX_TOOLS_VERSION=2.0.2
curl -sLO "https://github.com/spdx/tools-java/releases/download/v${SPDX_TOOLS_VERSION}/tools-java-${SPDX_TOOLS_VERSION}.zip"
unzip -j "tools-java-${SPDX_TOOLS_VERSION}.zip" "tools-java-${SPDX_TOOLS_VERSION}-jar-with-dependencies.jar"
java -jar "tools-java-${SPDX_TOOLS_VERSION}-jar-with-dependencies.jar" Verify "sbom-output.spdx.json"

The java tools fail with

This SPDX Document is not valid due to:
        $.@context: must be the constant value 'https://spdx.org/rdf/3.0.1/spdx-context.jsonld'

even though the document should be valid.

An easy way to fix this would be to expand the custom context before processing the SPDX document.
See for example expand-custom-context.sh

./expand-custom-context.sh sbom-output.spdx.json

This small script expands the custom context and outputs expanded-sbom-output.spdx.json which successfully gets validated by the java tools.

java -jar "tools-java-${SPDX_TOOLS_VERSION}-jar-with-dependencies.jar" Verify "expanded-sbom-output.spdx.json"
This SPDX Document is valid.

It would be helpful if this behavior could be supported directly by the java-tools.
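
The pre-processing step the issue describes can be sketched as follows. This is an added example, not the `expand-custom-context.sh` script referenced above (its contents are not shown on this page) and not tools-java code. It assumes the custom context holds only simple prefix-to-namespace strings, that `IRI_KEYS` is a partial, illustrative list of IRI-valued properties, and it uses a constructed sample document.

```python
SPDX_CONTEXT = "https://spdx.org/rdf/3.0.1/spdx-context.jsonld"
# Assumption: a partial list of IRI-valued SPDX 3 properties; extend it for your documents.
IRI_KEYS = {"spdxId", "@id", "creationInfo", "createdBy", "from", "to", "element", "rootElement"}

def context_prefixes(ctx):
    """Return the prefix -> namespace map of an array-form @context ({} for the plain string)."""
    if ctx == SPDX_CONTEXT:
        return {}
    if not isinstance(ctx, list) or SPDX_CONTEXT not in ctx:
        raise ValueError("@context does not reference the SPDX 3.0.1 context")
    prefixes = {}
    for entry in ctx:
        if entry == SPDX_CONTEXT:
            continue
        if not isinstance(entry, dict):
            raise ValueError(f"unsupported @context entry: {entry!r}")
        for term, iri in entry.items():
            # Keywords and full term definitions could change how values are read: refuse them.
            if term.startswith("@") or not isinstance(iri, str):
                raise ValueError(f"unsupported context term: {term!r}")
            prefixes[term] = iri
    return prefixes

def expand_iri(value, prefixes):
    prefix, sep, suffix = value.partition(":")
    # A suffix starting with "//" marks an absolute IRI, which is never split as prefix:suffix.
    if sep and prefix in prefixes and not suffix.startswith("//"):
        return prefixes[prefix] + suffix
    return value

def _walk(node, prefixes, is_iri=False):
    if isinstance(node, dict):
        return {k: _walk(v, prefixes, k in IRI_KEYS) for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, prefixes, is_iri) for v in node]
    if is_iri and isinstance(node, str):
        return expand_iri(node, prefixes)
    return node

def expand_custom_context(doc):
    prefixes = context_prefixes(doc["@context"])
    body = {k: v for k, v in doc.items() if k != "@context"}
    return {"@context": SPDX_CONTEXT, **_walk(body, prefixes)}

# Constructed sample document (not the sbom-output.spdx.json attached to the issue).
SAMPLE = {"@context": [SPDX_CONTEXT, {"ex": "https://example.com/sbom/"}], "@graph": [
    {"type": "software_Package", "spdxId": "ex:pkg-1", "name": "ex:not-an-iri"},
    {"type": "Relationship", "spdxId": "ex:rel-1", "from": "ex:pkg-1",
     "to": ["ex:pkg-2", "_:b0", "https://other.example/x"]}]}
```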

Labels: enhancement (New feature or request)