Copyright Validation Results
⏭️ Skipped (Excluded) Files
✅ All files have valid copyright headers!
Pull request overview
Adds an SPDX JSON SBOM document to the repository to describe third-party dependencies and associated licensing information for the MarkLogic Java Client.
Changes:
- Introduces a new sbom.spdx.json file containing SPDX 2.3 document metadata, extracted license texts, and a list of dependency packages.
| @@ -0,0 +1,491 @@ | |||
| { | |||
| "SPDXID" : "SPDXRef-DOCUMENT", | |||
| "spdxVersion" : "2.3", | |||
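Review bot: the header region is the start of a new 491-line generated file (per the @@ -0,0 +1,491 @@ header), so the missing dataLicense is unlikely to be the only required-field problem; please add an SPDX validation step to CI (the spdx/tools-python pyspdxtools CLI, for example) so that required fields and identifier syntax are checked every time the file is regenerated instead of relying on review to catch them, and so a later generator bump cannot silently reintroduce them.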
The SPDX 2.3 JSON document is missing the required top-level dataLicense field (typically "CC0-1.0"). Many SPDX validators/tools will reject the document without it, so please add dataLicense alongside spdxVersion/SPDXID/creationInfo.
| "spdxVersion" : "2.3", | |
| "spdxVersion" : "2.3", | |
| "dataLicense" : "CC0-1.0", |
| }, | ||
| "name" : "MarkLogic-DevExp-javaapi.java client-8.1.0.0", | ||
| "documentName" : "java client-8.1.0.spdx", | ||
| "documentNamespace" : "https://www.progress.com/spdx/MarkLogic/DevExp/javaapi/java client-8.1.0.0-69f00983-1344-342a-b62a-db32c5399683", |
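Review bot: the same embedded space also appears in name ("MarkLogic-DevExp-javaapi.java client-8.1.0.0"), so fixing only documentNamespace leaves a second identifier that tooling will have to escape; a space-free name such as MarkLogic-DevExp-javaapi.java-client-8.1.0.0 keeps the two consistent. When the URI is corrected, keep the UUID suffix: documentNamespace must be unique per generated document, and trimming it to the product path would make every regenerated SBOM collide with the previous one.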
documentNamespace contains spaces (.../java client-8.1.0.0-...), which makes it an invalid URI. SPDX requires documentNamespace to be a valid, unique URI, so the space should be removed or URL-encoded to avoid consumers failing to parse/validate the SBOM.
| "documentNamespace" : "https://www.progress.com/spdx/MarkLogic/DevExp/javaapi/java client-8.1.0.0-69f00983-1344-342a-b62a-db32c5399683", | |
| "documentNamespace" : "https://www.progress.com/spdx/MarkLogic/DevExp/javaapi/java%20client-8.1.0.0-69f00983-1344-342a-b62a-db32c5399683", |
| "creators" : [ "Tool: SBOMinator-1.1.0.617", "Organization: Progress Software Corporation" ] | ||
| }, | ||
| "name" : "MarkLogic-DevExp-javaapi.java client-8.1.0.0", | ||
| "documentName" : "java client-8.1.0.spdx", |
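Review bot: the version recorded in documentName ("java client-8.1.0.spdx") disagrees with the one in name ("...8.1.0.0"), so whichever field survives, please derive it from the same source as name so the two cannot drift; a consumer that keys on one field will otherwise associate this SBOM with a different release than a consumer that keys on the other.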
documentName is not part of the standard SPDX JSON 2.3 document properties (the document name is represented by the top-level name). Keeping documentName may cause schema validation failures in strict SPDX tooling; consider removing it or renaming it to a supported field if it’s needed for internal consumers.
| "documentName" : "java client-8.1.0.spdx", |
| "packages" : [ { | ||
| "SPDXID" : "SPDXRef-C1:com.fasterxml.jackson.core:jackson-annotations:2.21", | ||
| "name" : "jackson-annotations", | ||
| "versionInfo" : "2.21", |
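Review bot: agreed that the colons have to go; concretely, this entry could become SPDXID "SPDXRef-Package-com.fasterxml.jackson.core-jackson-annotations-2.21" with an externalRefs entry of referenceCategory "PACKAGE-MANAGER", referenceType "purl", referenceLocator "pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.21". The purl is what vulnerability scanners match on, so as written the SBOM names the dependency but cannot be used to flag a known-vulnerable Jackson release.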
All package SPDXID values include : characters (e.g. SPDXRef-C1:com.fasterxml...). SPDX element IDs are expected to match the SPDXRef-... identifier pattern and typically should not contain colons; this can break references/relationships and validation. Please normalize these IDs (e.g., replace : with -/_) and put Maven coordinates in a dedicated field such as externalRefs (purl) if needed.