Merge pull request #196 from spdx/issue195

Check for relative file names in file verify

Author: goneall

src/main/java/org/spdx/library/model/SpdxFile.java

@@ -269,6 +269,9 @@ protected List<String> _verify(Set<String> verifiedIds, String specVersion) {
 			Optional<String> myName = this.getName();
 			if (myName.isPresent()) {
 				fileName = myName.get();
+				if (fileName.startsWith("/")) {
+					retval.add("File name name must be relative - the name must not start with a '/'.  Found "+fileName);
+				}
 			} else {
 				retval.add("Missing required file name");
 			}

src/test/java/org/spdx/library/model/SpdxDocumentTest.java

@@ -125,7 +125,7 @@ protected void setUp() throws Exception {
 		RELATIONSHIP2 = gmo.createRelationship(RELATED_ELEMENT2, 
 				RelationshipType.DYNAMIC_LINK, "Relationship Comment2");
 		FILE1 = gmo.createSpdxFile(gmo.getModelStore().getNextId(IdType.SpdxId, gmo.getDocumentUri()),
-				"FileName1", LICENSE1, Arrays.asList(new ExtractedLicenseInfo[] {LICENSE2}), 
+				"./FileName1", LICENSE1, Arrays.asList(new ExtractedLicenseInfo[] {LICENSE2}), 
 				"File Copyright1", CHECKSUM1)
 				.setComment("FileComment 1")
 				.setLicenseComments("License Comment1")
@@ -135,7 +135,7 @@ protected void setUp() throws Exception {
 				.build();
 
 		FILE2 = gmo.createSpdxFile(gmo.getModelStore().getNextId(IdType.SpdxId, gmo.getDocumentUri()),
-				"FileName2", LICENSE2, Arrays.asList(new ExtractedLicenseInfo[] {LICENSE3}), 
+				"./FileName2", LICENSE2, Arrays.asList(new ExtractedLicenseInfo[] {LICENSE3}), 
 				"File Copyright2", CHECKSUM2)
 				.setComment("FileComment 2")
 				.setLicenseComments("License Comment2")
@@ -145,7 +145,7 @@ protected void setUp() throws Exception {
 				.build();
 
 		FILE3 = gmo.createSpdxFile(gmo.getModelStore().getNextId(IdType.SpdxId, gmo.getDocumentUri()),
-				"FileName3", LICENSE3, Arrays.asList(new ExtractedLicenseInfo[] {LICENSE1}), 
+				"./FileName3", LICENSE3, Arrays.asList(new ExtractedLicenseInfo[] {LICENSE1}), 
 				"File Copyright2", CHECKSUM1)
 				.setComment("FileComment 3")
 				.setLicenseComments("License Comment3")

src/test/java/org/spdx/library/model/SpdxFileTest.java

@@ -111,7 +111,7 @@ public void testVerify() throws InvalidSPDXAnalysisException {
 		List<String> contributors = Arrays.asList(new String[] {"Contrib1", "Contrib2"});
 
 		SpdxFile fileDep1 = gmo.createSpdxFile(gmo.getModelStore().getNextId(IdType.SpdxId, gmo.getDocumentUri()),
-				"fileDep1", COMPLEX_LICENSE, seenLic, "Copyright1", SHA1)
+				"./fileDep1", COMPLEX_LICENSE, seenLic, "Copyright1", SHA1)
 				.setLicenseComments("License Comments1")
 				.setComment("Comment1")
 				.setNoticeText("Notice Text")
@@ -123,15 +123,15 @@ public void testVerify() throws InvalidSPDXAnalysisException {
 		assertEquals(0, verify.size());
 
 		SpdxFile fileDep2 =gmo.createSpdxFile(gmo.getModelStore().getNextId(IdType.SpdxId, gmo.getDocumentUri()),
-				"fileDep2", COMPLEX_LICENSE, seenLic, "Copyright2", SHA1)
+				"./fileDep2", COMPLEX_LICENSE, seenLic, "Copyright2", SHA1)
 				.setComment("Comment2")
 				.addAnnotation(ANNOTATION3)
 				.setLicenseComments("License Comments2")
 				.addFileType(FileType.BINARY)
 				.build();
 
 		String fileNotice = "File Notice";
-		String name = "fileName";
+		String name = "./fileName";
 		String comment = "file comments";
 		String copyright = "Copyrights";
 		String licenseComment = "License comments";
@@ -155,7 +155,7 @@ public void testVerify23Fields() throws InvalidSPDXAnalysisException {
 
 
 		SpdxFile file = gmo.createSpdxFile(gmo.getModelStore().getNextId(IdType.SpdxId, gmo.getDocumentUri()),
-				"name", null, Arrays.asList(new AnyLicenseInfo[] {}), null, SHA1)
+				"./name", null, Arrays.asList(new AnyLicenseInfo[] {}), null, SHA1)
 				.build();
 		assertEquals(0, file.verify().size());
 		assertTrue(file.verify(Version.TWO_POINT_ZERO_VERSION).size() > 0);
@@ -489,4 +489,22 @@ public void testDependency() throws InvalidSPDXAnalysisException {
 		assertEquals(1, result.size());
 		assertTrue(result.contains(dep));
 	}
+	
+	public void testVerifyNonLocalFileName() throws InvalidSPDXAnalysisException {
+		SpdxFile file = gmo.createSpdxFile(gmo.getModelStore().getNextId(IdType.SpdxId, gmo.getDocumentUri()),
+				"/filename", COMPLEX_LICENSE, Arrays.asList(CONJUNCTIVE_LICENSES), SpdxConstants.NOASSERTION_VALUE, SHA1)
+				.build();
+		List<String> result = file.verify();
+		assertEquals(1, result.size());
+		SpdxFile file2 = gmo.createSpdxFile(gmo.getModelStore().getNextId(IdType.SpdxId, gmo.getDocumentUri()),
+				"./filename", COMPLEX_LICENSE, Arrays.asList(CONJUNCTIVE_LICENSES), SpdxConstants.NOASSERTION_VALUE, SHA1)
+				.build();
+		result = file2.verify();
+		assertTrue(result.isEmpty());
+		SpdxFile file3 = gmo.createSpdxFile(gmo.getModelStore().getNextId(IdType.SpdxId, gmo.getDocumentUri()),
+				"filename", COMPLEX_LICENSE, Arrays.asList(CONJUNCTIVE_LICENSES), SpdxConstants.NOASSERTION_VALUE, SHA1)
+				.build();
+		result = file3.verify();
+		assertTrue(result.isEmpty());
+	}
 }

src/test/java/org/spdx/library/model/SpdxPackageTest.java

@@ -141,7 +141,7 @@ protected void setUp() throws Exception {
 		LICENSE3 = new ExtractedLicenseInfo("LicenseRef-3", "License Text 3");
 
 		FILE1 = gmo.createSpdxFile(gmo.getModelStore().getNextId(IdType.SpdxId, gmo.getDocumentUri()), 
-				"FileName1", LICENSE1, Arrays.asList(new AnyLicenseInfo[] {LICENSE2}), 
+				"./FileName1", LICENSE1, Arrays.asList(new AnyLicenseInfo[] {LICENSE2}), 
 				COPYRIGHT_TEXT1, CHECKSUM1)
 				.setComment("File Comment1")
 				.setLicenseComments(LICENSE_COMMENT1)
@@ -151,7 +151,7 @@ protected void setUp() throws Exception {
 				.build();
 
 		FILE2 = gmo.createSpdxFile(gmo.getModelStore().getNextId(IdType.SpdxId, gmo.getDocumentUri()), 
-				"FileName2", LICENSE2, Arrays.asList(new AnyLicenseInfo[] {LICENSE1, LICENSE2}), 
+				"./FileName2", LICENSE2, Arrays.asList(new AnyLicenseInfo[] {LICENSE1, LICENSE2}), 
 				COPYRIGHT_TEXT2, CHECKSUM4)
 				.setComment("File Comment2")
 				.setLicenseComments(LICENSE_COMMENT2)

src/test/java/org/spdx/library/model/SpdxSnippetTest.java

@@ -142,11 +142,11 @@ protected void setUp() throws Exception {
 		}));
 
 		FROM_FILE1 = gmo.createSpdxFile(gmo.getModelStore().getNextId(IdType.SpdxId, gmo.getDocumentUri()),
-				"fromFile1", COMPLEX_LICENSE, Arrays.asList(NON_STD_LICENSES), SpdxConstants.NOASSERTION_VALUE, 
+				"./fromFile1", COMPLEX_LICENSE, Arrays.asList(NON_STD_LICENSES), SpdxConstants.NOASSERTION_VALUE, 
 				gmo.createChecksum(ChecksumAlgorithm.SHA1, "1123456789abcdef0123456789abcdef01234567")).build();
 
 		FROM_FILE2 = gmo.createSpdxFile(gmo.getModelStore().getNextId(IdType.SpdxId, gmo.getDocumentUri()),
-				"fromFile2", STANDARD_LICENSES[0], Arrays.asList(STANDARD_LICENSES), SpdxConstants.NOASSERTION_VALUE, 
+				"./fromFile2", STANDARD_LICENSES[0], Arrays.asList(STANDARD_LICENSES), SpdxConstants.NOASSERTION_VALUE, 
 				gmo.createChecksum(ChecksumAlgorithm.SHA1, "5555556789abcdef0123456789abcdef01234567")).build();
 
 		BOP_POINTER1_1 = gmo.createByteOffsetPointer(FROM_FILE1, OFFSET1_1);