Add PURL and CPE into the SPDX examples file

[goneall]

Now that Package URL's and CPE references are supported, we should add those to the examples

[MarkusTe]

That would help us a lot ;-)
Even after some hours I still was unable to generate any SPDX BoM file containing CPE and PURL (for packages) that was understood by Dependency Track ...
Any valid example in any of the five formats would be a big help.

[MarkusTe]

Still not being successful in using PURL with SPDX.

Trying to convert this example into Tag format --> error message in the context of package mgrs.

Whatever I've tried within last weeks, I get problems with PURL, let it be Dependency Track, OSS Review Toolkit, SPDX converter, it leads to problems. I believe having examples would help all of us quite a bit.

[goneall]

@MarkusTe The error is due to issue 16 in the SPDX Java Jackson Store.

The spec isn't clear on if we should be using the Tag/Value format of PACKAGE-MANAGER or a more computer language friendly form of PACKAGE_MANAGER in the YAML and JSON versions.

It looks like ORT is using the dashes while the other SPDX tools are expecting the underscrore.

@tsteenbe @zvr any opinions on which of these formats should be used in JSON/YAML?

If the consensus is to use dashes, I can fix the Java code be compatible.

[zvr]

Why am I reminded of #58?

[goneall]

Good memory @zvr ! It is a bit of a pain to deal with dashes in a serialization format that doesn't support them.

Java, for examples, doesn't support dashes in enums.

[sschuberth]

It looks like ORT is using the dashes while the other SPDX tools are expecting the underscrore.

FYI, @tsteenbe fixed ORT to use underscores in oss-review-toolkit/ort#3867 some two weeks ago.

[goneall]

FYI, @tsteenbe fixed ORT to use underscores in oss-review-toolkit/ort#3867 some two weeks ago.

Based on this, I'll leave the Java implementation as is - it will be consistent with ORT

[goneall]

I just added a PR to add a purl example. Please review PR #509 and let me know if this works.

My apologies for the randomizing of the element order making the diffs rather useless - a side-effect of using tools to generate the examples.

[MarkusTe]

Assuming that the examples are accepted as correct, here my findings as expected

• The PR Add an external-ref of type purl to the example files. #509 TAG example contains "PACKAGE-MANAGER". This file is understood by Dependency Track 4.0.1 but the PURL is not imported. Issue is mentioned above.
• When converting the PR Add an external-ref of type purl to the example files. #509 YAML example to TAG, the result still contains "PACKAGE_MANAGER". This TAG file is not understood by Dependency Track 4.0.1; "Invalid External Ref category: PACKAGE_MANAGER". Issue is mentioned above.
• I cannot judge if the examples are correct.
  Thanks a lot for our effort @goneall .