Conversion from CycloneDX to SPDX creates invalid SPDX

[vargenau]

SPDX JSON file: https://raw.githubusercontent.com/OpenChain-Project/Telco-WG/refs/heads/main/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/openchain-telco-sbom-validator-0.1.6.spdx.json

cyclonedx --version
0.28.2+37262579cb974d91c949f394ba5811a5f8e11202

Convert from SPDX to CycloneDX:

cyclonedx convert --input-file openchain-telco-sbom-validator-0.3.1.spdx.json --input-format spdxjson --output-file openchain-telco-sbom-validator-cyclonedx-0.3.1.cdx.json --output-format json

Result is valid CycloneDX 1.6:

cyclonedx validate --input-file openchain-telco-sbom-validator-cyclonedx-0.3.1.cdx.json
BOM validated successfully.

Converting back to SPDX:

cyclonedx convert --input-file openchain-telco-sbom-validator-cyclonedx-0.3.1.cdx.json --input-format json --output-file openchain-telco-sbom-validator-cyclonedx-0.3.1.cdx-to-spdx.spdx.json --output-format spdxjson

Result is invalid SPDX:

pyspdxtools -i openchain-telco-sbom-validator-cyclonedx-0.3.1.cdx-to-spdx.spdx.json
ERROR:root:The document is invalid. The following issues have been found:
license_info_from_files must be None if files_analyzed is False, but is: [NOASSERTION]
license_info_from_files must be None if files_analyzed is False, but is: [NOASSERTION]
license_info_from_files must be None if files_analyzed is False, but is: [NOASSERTION]
license_info_from_files must be None if files_analyzed is False, but is: [NOASSERTION]
license_info_from_files must be None if files_analyzed is False, but is: [NOASSERTION]
license_info_from_files must be None if files_analyzed is False, but is: [NOASSERTION]
license_info_from_files must be None if files_analyzed is False, but is: [NOASSERTION]
there must be at least one relationship "SPDXRef-DOCUMENT DESCRIBES ..." or "... DESCRIBED_BY SPDXRef-DOCUMENT" when there is not only a single package present

What we lost in the conversion:

        "creators": [
            "Organization: Nokia",
            "Tool: Nokia Compliance Tool - 1.0"
        ],

becomes

        "creators": [
            "Tool: Nokia Compliance Tool - 1.0"
        ],

We lose supplier and originator:

            "originator": "Organization: Nokia",
            "supplier": "Organization: https://pypi.org",

becomes

            "originator": "NOASSERTION",
            "supplier": "NOASSERTION",

There is a useless

            "licenseInfoFromFiles": [
                "NOASSERTION"
            ],

that renders the code invalid.

Also, all relationships are lost, which also renders the code invalid.

[andreas-hilti]

@vargenau I'm not so familiar with the SPDX to CDX conversion, but a couple of comments from my side:

• with release 0.29, I no longer see these issues "license_info_from_files must be None if files_analyzed is False, but is: [NOASSERTION]"; note that there was a large PR to support SPDX 2.3.
• with respect to "there must be at least one relationship "SPDXRef-DOCUMENT DESCRIBES ..." or "... DESCRIBED_BY SPDXRef-DOCUMENT" when there is not only a single package present": I think the main component in the SPDX file (i.e. the one that is pointed to by DESCRIBES) should not be added to components but rather to metadata/component. Similarly, when then converting back to SPDX, the metadata/component should then be pointed to by a DESCRIBES relationship.
• with respect to: "Also, all relationships are lost, which also renders the code invalid." As pointed out to the readme, the implementation is pending for conversion of relationships and pull-requests are welcome. I guess this also raises the question whether there is a one-to-one match of the relationship types in the two formats.
• originator and supplier: They are still lost, but it no longer shows "NOASSERTION".