spdx / spdx-to-osv

Produce an Open Source Vulnerability JSON file based on information in an SPDX document

License: Apache License 2.0

Java 100.00%

spdx-to-osv's Introduction

spdx-to-osv

Produce an Open Source Vulnerability JSON file based on information in an SPDX document

Usage

java -jar spdx-to-osv-with-dependencies.jar -I SpdxFile.spdx -O OSVOutput.json

where SpdxFile.spdx is an SPDX file in one of the following file extensions:

  • .json - JSON SPDX format
  • .yaml - YAML SPDX format
  • .spdx - Tag/Value SPDX format
  • .rdf.xml, .rdf - RDF/XML SPDX format
  • .xlsx, .xls - Spreadsheet SPDX format

Optional parameters:

  • -a,--all Include vulnerabilities for all packages in the SPDX file. Default is to only include vulnerabilities related to the element described by the document.
  • -f,--inputFormat <arg> Input file format - RDFXML, JSON, XLS, XLSX, YAML, or TAG

The utility produces an output file OSVOutput.json in the OSV JSON format

How it Works

The utility uses the OSV API to query the OSV database using the following information, where available:

  • Package name and version
  • CVE ExternalRef
  • Github download location if it includes a hash or version tag

Only vulnerabilities related to the SPDX element described by the document will be reported unless the --all option is used in which case vulnerabilities for all packages in the document will be provided.

spdx-to-osv's People

Contributors: esnible, goneall, lumjjb

spdx-to-osv's Issues

Idea: print the cause of exceptions in spdxToOsv()

It is quite frustrating to see output like:

Error converting SPDX file to OSV.
Error reading the SPDX input file

I rebuilt, adding to Main.java

            if (Objects.nonNull(ex.getCause())) {
                System.err.println(ex.getCause());
            }

and could then see that the error was "Output file OSVOutput.json already exists."

Release version 0.1.2

  • Review all PR's and Issues
  • Fix issue #24
  • Fix issue #23
  • Pass unit tests
  • Run mvn org.owasp:dependency-check-maven:check
  • Update version
  • Run mvn deploy
  • Release to Maven on Sonatype
  • Create Github release
  • Bump version to snapshot

Errors poorly handled when server returns status 400

The error returned is:

java.io.IOException: Server returned HTTP response code: 400 for URL: https://api.osv.dev/v1/query

Since 400 is a malformed request, the specific response code could be checked and a more meaningful error such as "Invalid request sent to OSV" could be displayed.

The response code should be checked for each of the queryVulnerabilities methods in OsvApi.

Github PackageURL's with tags do not work

Package URLs of type github with a tag specified after the @ generate a 400 response from the OSV server.

This is due to the string after the @ being interpreted as a commit hash and a commit query request is sent.

This could be fixed by pattern matching the string after the @ to a valid commit hash.

Example:

pkg:github/spdx/[email protected]
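The query construction the README describes under How it Works, together with the hash-versus-tag distinction this issue asks for, as an added Python example (not the project's Java code): it reads a constructed SPDX 2.2 JSON document, derives OSV /v1/query bodies for the described element (or every package, like -a), and treats the string after @ as a commit only when it is a full 40-hex git object id. The SPDX document, package names and CVE id are constructed placeholders; that OSV accepts a name-only package query without an ecosystem is an assumption.

```python
import json
import re

# Constructed SPDX 2.2 JSON document (sample input, not a real SBOM); the CVE id is a placeholder.
SPDX_DOC = json.loads("""{
  "SPDXID": "SPDXRef-DOCUMENT",
  "documentDescribes": ["SPDXRef-app"],
  "packages": [
    {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.2.3",
     "downloadLocation": "git+https://github.com/example/app@0123456789abcdef0123456789abcdef01234567",
     "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "advisory",
                       "referenceLocator": "https://example.invalid/CVE-0000-00000"}]},
    {"SPDXID": "SPDXRef-lib", "name": "example-lib", "versionInfo": "v2.0.0",
     "downloadLocation": "git+https://github.com/example/lib@v2.0.0"}
  ]}""")

FULL_COMMIT = re.compile(r"[0-9a-f]{40}")  # a full git SHA-1 object id
GITHUB_LOC = re.compile(r"^git\+https://github\.com/([^/@]+)/([^/@]+?)(?:\.git)?@([^/@]+)$")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

def is_commit_hash(ref: str) -> bool:
    return FULL_COMMIT.fullmatch(ref.lower()) is not None  # tags like v1.0.0 never match

def github_query(download_location: str):
    # GitHub location with @<ref>: commit query for a hash, purl+version query for a tag.
    m = GITHUB_LOC.match(download_location)
    if not m:
        return None
    owner, repo, ref = m.groups()
    if is_commit_hash(ref):
        return {"commit": ref.lower()}
    return {"package": {"purl": f"pkg:github/{owner}/{repo}"}, "version": ref}

def osv_queries(doc: dict, include_all: bool = False) -> tuple:
    # Returns (OSV /v1/query bodies, CVE ids) for the described element only, unless include_all.
    wanted = set(doc.get("documentDescribes", []))
    queries, cves = [], []
    for pkg in doc.get("packages", []):
        if not include_all and pkg["SPDXID"] not in wanted:
            continue
        if pkg.get("name") and pkg.get("versionInfo"):
            # Assumption: OSV accepts a package name without an ecosystem here.
            queries.append({"package": {"name": pkg["name"]}, "version": pkg["versionInfo"]})
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceCategory") == "SECURITY":
                cves += CVE_ID.findall(ref.get("referenceLocator", ""))
        gh = github_query(pkg.get("downloadLocation", ""))
        if gh:
            queries.append(gh)
    return queries, cves
```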

Error with tensorflow

@goneall, thanks for releasing a new version. I have tested it with TensorFlow but I faced this error:

SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
Error converting SPDX file to OSV.
I/O error converting SPDX to OSV
java.io.IOException: Server returned HTTP response code: 504 for URL: https://api.osv.dev/v1/query
usage: spdx-to-osv
 -a,--all                 Include vulnerabilities for all packages in the
                          SPDX file. Default is to only include
                          vulnerabilities related to the element described
                          by the document.
 -f,--inputFormat <arg>   Input file format - RDFXML, JSON, XLS, XLSX,
                          YAML, or TAG
 -I,--input <arg>         Input SPDX file in one of the supported formats
                          (json, yaml, tag/value, xls, xlsx, rdf/xml)
 -O,--output <arg>        output file name.  File will be in the OSV JSON
                          format

vcpkg.spdx.json.zip

I have attached the spdx to help you debug.

Can we get a mode that ignores licensing?

I am getting an error when I run the tool on an SBOM:
org.spdx.library.InvalidSPDXAnalysisException: Error parsing JSON field for ID SPDXRef-Xerces-c-28-2.8.0-1.0.0.32.i686.rpm: Invalid license expression. Expecting more operands. License expression: 'Apache Software License'

I do not plan on ever completing licensing information for this SBOM and the tool does not seem to do anything with licensing information, so I'd like to ignore it if possible.

Empty vulnerability report after spdx-to-osv scan

Description

When using the spdx-to-osv tool to scan a spdx file for vulnerabilities the end result is an empty vulnerability report (report only contains '[]'). No errors are thrown by the tool and the exit code is 0. I'm pretty sure the report should show vulnerabilities since when I run npm install in this project I am given this warning:

npm install
audited 1092 packages in 3.495s

92 packages are looking for funding
  run `npm fund` for details

found 13 vulnerabilities (2 low, 2 moderate, 7 high, 2 critical)
  run `npm audit fix` to fix them, or `npm audit` for details

When choosing 1 vulnerability at random to cross reference with the osv db

npm audit


I can find this vulnerability on the osv DB: https://osv.dev/vulnerability/GHSA-76p3-8jx3-jpfq

I have attached my spdx file and the resulting output file

The spdx file was created using the bom tool found here: https://github.com/kubernetes-sigs/bom

Steps to Reproduce

  1. Install spdx-to-osv.jar files
  2. Run the following command

java -jar spdx-to-osv/target/spdx-to-osv-0.1.1-SNAPSHOT-jar-with-dependencies.jar -a --input sbom-demo.spdx --output sbom-demo-vuln.json

  3. Wait for the command to complete (takes some time)

Expected Results

The sbom-demo-vuln.json file shows the same/similar information in json format as the npm audit command

Actual Results

The sbom-demo-vuln.json file is empty

Workaround

None

Environment Info

  • Tried using the pre-build released JAR file 0.1.0, along with building the latest main branch and using the resulting SNAPSHOT jar file
  • Tried on both Java 11 and Java 8

Attachments
sbom-demo.spdx.zip
sbom-demo-vuln.json.zip

Error parsing timestamp

Error parsing timestamp:

Error converting SPDX file to OSV.
com.sourceauditor.spdx_to_osv.SpdxToOsvException: Error reading the SPDX input file
	at com.sourceauditor.spdx_to_osv.Main.spdxToOsv(Main.java:472)
	at com.sourceauditor.spdx_to_osv.Main.spdxToOsv(Main.java:245)
	at com.sourceauditor.spdx_to_osv.Main.main(Main.java:174)
Caused by: org.spdx.library.InvalidSPDXAnalysisException: Invalid date format: Text '2021-16-06T13:41:24Z' could not be parsed at index 0
	at org.spdx.library.model.SpdxCreatorInformation.setCreated(SpdxCreatorInformation.java:137)
	at org.spdx.tag.BuildDocument.buildDocumentProperties(BuildDocument.java:637)
	at org.spdx.tag.BuildDocument.buildDocument(BuildDocument.java:422)
	at org.spdx.tag.HandBuiltParser.data(HandBuiltParser.java:100)
	at org.spdx.tagvaluestore.TagValueStore.deSerialize(TagValueStore.java:88)
	at com.sourceauditor.spdx_to_osv.Main.spdxToOsv(Main.java:469)
	... 2 more

Small input file (from curl -L https://sbom.k8s.io/v1.21.2/source)

SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: kubernetes-v1.21.2
DocumentNamespace: https://k8s.io/sbom/source/v1.21.2
Creator: Tool: k8s.io/release/pkg/spdx
Created: 2021-16-06T13:41:24Z

Could not find enum constants for SHA3-256 property algorithm

Inspired by Brandon Lum and Oliver Chang writing for the Google Security Blog I tried to use this project.

I only had CycloneDX SBOMs, not SPDX SBOMs, so I converted:

curl --location https://github.com/DependencyTrack/dependency-track/releases/download/4.1.0/bom.json > /tmp/bom.json
/usr/local/Cellar/openjdk/18.0.2.1/libexec/openjdk.jdk/Contents/Home/bin/java -jar ~/src/spdx/cdx2spdx/target/cdx2spdx-0.0.2-SNAPSHOT-jar-with-dependencies.jar /tmp/bom.json /tmp/spdx-bom.json
java -jar ./target/spdx-to-osv-0.1.0-SNAPSHOT-jar-with-dependencies.jar -I /tmp/spdx-bom.json -O /tmp/OSVOutput.json

The error message is

Error reading the SPDX input file
org.spdx.library.InvalidSPDXAnalysisException: Error parsing JSON field for ID SPDXRef-pkg-maven-org.glassfish.hk2-osgi-resource-locator-1.0.3-type-jar: Could not find enum constants for SHA3-256 property algorithm

Logging no longer working

Running the commandline gives the following error message:

SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.

This is likely related to the recent updates to the SPDX Java library version.

The update to the tools includes a new Jena version which required an update to the slf4j logging facility.

Empty conversion

I have tried to convert this vcpkg.spdx.zip to OSV JSON, but it generated an empty file.

Used command:

java -jar spdx-to-osv-0.1.0-jar-with-dependencies.jar -I vcpkg.spdx.json -O OSV.json

Please note that this file is generated from VCPKG using --x-json option.
