SPDX 2.2 JSON documents are validated using the 2.3 schema

[puerco]

It seems the verification code is using the 2.3 (or maybe just the latest?) json schema to validate documents regardless of the version in them. I noticed this while adjusting changes in the external references when migrating some tools to 2.3.

As an example, a 2.2 document using the 2.3 category label PACKAGE-MANAGER (with the dash instead of the underscore) like this is reported as valid:

      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceLocator": "pkg:oci/index@sha256:8101cc07b2a1b5ca4736130f602b3e03808d18706d931123aee866ad43b1b2d7",
          "referenceType": "purl"
        }
      ]

java -jar tools-java-1.1.0-jar-with-dependencies.jar Verify test.spdx.json 
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
This SPDX Document is valid.

I'm attaching the example SBOM to reproduce the problem: test.spdx.json.gz

[goneall]

@puerco - Thanks for pointing this out. You are correct, it is only using the latest schema for validation. Although there is code within the underlying Java library to look for differences between 2.2 and 2.3 when validating, the JSON schema validation is done in a different library - spdx-java-jackson-store.

I'll move this issue over to that repo to use version specific schemas when validating.

[goneall]

Looks like the validation is in the tools-java verify function - moving the issue back ...

[goneall]

Resolved with #75