Handling of extension property field
According to the SPDX AIPackage specification an optional property field is extension. This field is of type Extension.
Extension is an abstract class so it can't be instantiated. Concrete sub-classes are CdxPropertiesExtension and CdxPropertyEntry. When I try to add such a property, the validator fails.
```json
{
  "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
  "@graph": [
    {
      "type": "Organization",
      "spdxId": "SPDXRef-MyOrganization:-73f9a129-5eea-4de8-b38b-96832cc72d57",
      "name": "MyOrganization",
      "creationInfo": "_:creationinfo"
    },
    {
      "type": "CreationInfo",
      "@id": "_:creationinfo",
      "specVersion": "3.0.1",
      "createdBy": [
        "SPDXRef-MyOrganization:-73f9a129-5eea-4de8-b38b-96832cc72d57"
      ],
      "createdUsing": [
        "Tool: An example tool v 1.0.0"
      ],
      "created": "2025-01-07T07:01:21Z"
    },
    {
      "type": "SpdxDocument",
      "spdxId": "SPDXRef-Document:-8b2134c3-1472-48c3-bbd9-53cdef129f09",
      "creationInfo": "_:creationinfo",
      "dataLicense": "SPDXRef-License:-DataLicenseCC1.0",
      "profileConformance": [
        "core",
        "software",
        "security",
        "simpleLicensing"
      ],
      "rootElement": [
        "BOM:ROOT"
      ]
    },
    {
      "type": "simplelicensing_LicenseExpression",
      "spdxId": "SPDXRef-License:-DataLicenseCC1.0",
      "name": "Data License CC 1.0",
      "description": "Refer to this element if another element's data license is CC 1.0",
      "creationInfo": "_:creationinfo",
      "simplelicensing_licenseExpression": "CC-BY-1.0"
    },
    {
      "type": "simplelicensing_LicenseExpression",
      "spdxId": "SPDXRef-License:-NoAssertion",
      "name": "NoAssertion",
      "description": "Refer to this element if another element's license can't be asserted.",
      "creationInfo": "_:creationinfo",
      "simplelicensing_licenseExpression": "NOASSERTION"
    },
    {
      "type": "software_Package",
      "spdxId": "SPDX-ID:-73fde02b-0fda-50b2-ad2e-a219f85c7ce4",
      "creationInfo": "_:creationinfo",
      "name": "An example software",
      "originatedBy": [
        "Organization: An example organization"
      ],
      "software_copyrightText": "NOASSERTION",
      "software_primaryPurpose": "application",
      "description": "This is an example software"
    },
    {
      "type" : "ai_AIPackage",
      "spdxId" : "SPDXRef-ID:-2437b0f5-df7c-4f25-8a35-15b9b54e8bca",
      "creationInfo": "_:creationinfo",
      "name" : "An example AI package",
      "software_packageVersion" : "1.0",
      "software_primaryPurpose" : "application",
      "software_downloadLocation" : "An example download location",
      "suppliedBy" : {
        "spdxId" : "SPDXRef-ID:-1728b0f5-df7c-4f25-8a35-15b9b54e8bca",
        "creationInfo": "_:creationinfo",
        "type" : "Organization"
      },
      "releaseTime" : "2025-03-25T12:00:00Z",
      "extension" : {
        "type" : "CdxPropertiesExtension",
        "cdxProperty" : [
          {
            "cdxPropName" : "Name",
            "cdxPropValue" : "Value"
          }
        ]
      }
    },
    {
      "type": "software_Sbom",
      "spdxId": "BOM:ROOT",
      "creationInfo": "_:creationinfo",
      "software_sbomType": [
        "analyzed"
      ],
      "rootElement": [
        "SPDX-ID:-73fde02b-0fda-50b2-ad2e-a219f85c7ce4"
      ],
      "element": [
        "SPDXRef-License:-DataLicenseCC1.0",
        "SPDXRef-License:-NoAssertion",
        "SPDX-ID:-73fde02b-0fda-50b2-ad2e-a219f85c7ce4",
        "SPDXRef-ID:-2437b0f5-df7c-4f25-8a35-15b9b54e8bca"
      ]
    }
  ]
}
```
I get the message that I'm missing a type for "core object". I tried removing the type property field from extension but to no avail.
I have also tried to change the type from CdxPropertiesExtension to extension_CdxPropertiesExtension. This generates a different error which claims there is no property descriptor for field cdxProperty. I am not sure if this is a bug in the validator or if I am adding an extension field in the wrong way. If you have an example of how to do this correctly, can you please provide it?
Full file: constructed.json
Thanks @IvicaDuspara for reporting the issue.
It looks like this issue is with the SPDX Java Library used by the online tools.
I'll transfer this issue to the library and see if I can diagnose the issue.
@IvicaDuspara I found 3 issues in the above attached JSON file that cause the parsing failures:
- Any non-core profile class or property needs to be prefixed with the lowercase profile name - e.g. replacing `"type" : "CdxPropertiesExtension",` with `"type" : "extension_CdxPropertiesExtension",`, it will parse without error.
- The type is missing for the `cdxPropertyEntry` class
- The extension property takes an array, not a single element value
Replacing the extension definition with the following will fix the issue:
```json
"extension" : [
  {
    "type" : "extension_CdxPropertiesExtension",
    "extension_cdxProperty" : [
      {
        "type" : "extension_CdxPropertyEntry",
        "extension_cdxPropName" : "Name",
        "extension_cdxPropValue" : "Value"
      }
    ]
  }
]
```
Attached is a working file:
The general issue of adding an extension not defined in the schema is much trickier since we don't have the model to deserialize the structure. Perhaps we create a separate issue to discuss the non-CdxPropertiesExtension extensions.
@IvicaDuspara Since this issue discusses two different issues - handling abstract Extensions and handling CdxPropertiesExtensions - I opened a separate issue to discuss the abstract Extensions - #308
I believe the CdxPropertiesExtensions is working as designed, so I'll go ahead and close this original issue. Let me know if you disagree or if I didn't capture all of the issue.
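
A pre-check for the three mistakes listed in the maintainer's reply (unprefixed names, a missing `type` on the nested entry, a single object instead of an array), as an added example that is not part of this thread or of the SPDX Java Library. The function names and the two sample documents (constructed, trimmed from the JSON above) are hypothetical, and the check assumes every key inside an extension object other than `type` belongs to the Extension profile.

```python
PREFIX = "extension_"  # lowercase profile name plus "_", per the reply above

def check_node(node, where):
    """Check one extension object, then recurse into nested objects."""
    if not isinstance(node, dict):
        return [f"{where}: expected an object"]
    msgs = []
    node_type = node.get("type")
    if node_type is None:
        msgs.append(f"{where}: missing type")
    elif not node_type.startswith(PREFIX):
        msgs.append(f"{where}: type {node_type!r} lacks the {PREFIX} prefix")
    for key, value in node.items():
        if key == "type":
            continue
        # Assumption: every other key here is an Extension-profile property.
        if not key.startswith(PREFIX):
            msgs.append(f"{where}: property {key!r} lacks the {PREFIX} prefix")
        children = value if isinstance(value, list) else [value]
        for child in children:
            if isinstance(child, dict):
                msgs += check_node(child, f"{where}.{key}")
    return msgs

def check_extensions(doc):
    """Return (spdxId, message) findings for every "extension" value in @graph."""
    findings = []
    for element in doc.get("@graph", []):
        if "extension" not in element:
            continue
        owner = element.get("spdxId", "<no spdxId>")
        exts = element["extension"]
        if not isinstance(exts, list):
            findings.append((owner, "extension: must be an array"))
            exts = [exts]  # keep checking the single object
        for ext in exts:
            findings += [(owner, m) for m in check_node(ext, "extension")]
    return findings

# Constructed samples, trimmed from the JSON in this thread.
BROKEN = {"@graph": [{"type": "ai_AIPackage", "spdxId": "SPDXRef-ID:-example",
    "extension": {"type": "CdxPropertiesExtension", "cdxProperty": [
        {"cdxPropName": "Name", "cdxPropValue": "Value"}]}}]}
FIXED = {"@graph": [{"type": "ai_AIPackage", "spdxId": "SPDXRef-ID:-example",
    "extension": [{"type": "extension_CdxPropertiesExtension",
        "extension_cdxProperty": [{"type": "extension_CdxPropertyEntry",
            "extension_cdxPropName": "Name", "extension_cdxPropValue": "Value"}]}]}]}
```

Running `check_extensions` on a document loaded with `json.load` before submitting it to the validator reports each problem against the owning element's `spdxId`.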