From 3690f979b3ea776e9701bc71d496410576953422 Mon Sep 17 00:00:00 2001
From: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Date: Wed, 21 Dec 2022 15:56:03 -0500
Subject: [PATCH] feat: update spdx format model to produce valid spdx json
 documents (#1418)

---
 .../common/spdxhelpers/relationship_type.go   |   5 ++
 .../common/spdxhelpers/to_format_model.go     |  29 +++++++++-
 .../TestSPDXJSONDirectoryEncoder.golden       |  13 +++--
 .../snapshot/TestSPDXJSONImageEncoder.golden  |  13 +++--
 .../snapshot/TestSPDXRelationshipOrder.golden |  51 +++++++++++++++---
 .../stereoscope-fixture-image-simple.golden   | Bin 15360 -> 15360 bytes
 .../snapshot/TestSPDXJSONSPDXIDs.golden       |  10 ++--
 .../snapshot/TestSPDXRelationshipOrder.golden |  13 +++--
 .../TestSPDXTagValueDirectoryEncoder.golden   |  10 ++--
 .../TestSPDXTagValueImageEncoder.golden       |  10 ++--
 .../stereoscope-fixture-image-simple.golden   | Bin 15360 -> 15360 bytes
 test/cli/spdx_tooling_validation_test.go      |  33 +++++++++++-
 12 files changed, 159 insertions(+), 28 deletions(-)

diff --git a/syft/formats/common/spdxhelpers/relationship_type.go b/syft/formats/common/spdxhelpers/relationship_type.go
index 564dd32ec..a3234c873 100644
--- a/syft/formats/common/spdxhelpers/relationship_type.go
+++ b/syft/formats/common/spdxhelpers/relationship_type.go
@@ -8,6 +8,11 @@ const (
 	// Example: The package 'WildFly' is described by SPDX document WildFly.spdx.
 	DescribedByRelationship RelationshipType = "DESCRIBED_BY"
 
+	// Describes is to be used when SPDXRef-DOCUMENT describes SPDXRef-A.
+	// Example: An SPDX document WildFly.spdx describes package ‘WildFly’.
+	// Note this is a logical relationship to help organize related items within an SPDX document that is mandatory if more than one package or set of files (not in a package) is present.
+	DescribesRelationship RelationshipType = "DESCRIBES"
+
 	// ContainsRelationship is to be used when SPDXRef-A contains SPDXRef-B.
 	// Example: An ARCHIVE file bar.tgz contains a SOURCE file foo.c.
 	ContainsRelationship RelationshipType = "CONTAINS"
diff --git a/syft/formats/common/spdxhelpers/to_format_model.go b/syft/formats/common/spdxhelpers/to_format_model.go
index 798bd1a27..655c9cce6 100644
--- a/syft/formats/common/spdxhelpers/to_format_model.go
+++ b/syft/formats/common/spdxhelpers/to_format_model.go
@@ -33,6 +33,24 @@ const (
 //nolint:funlen
 func ToFormatModel(s sbom.SBOM) *spdx.Document {
 	name, namespace := DocumentNameAndNamespace(s.Source)
+	relationships := toRelationships(s.RelationshipsSorted())
+
+	// for valid SPDX we need a document describes relationship
+	// TODO: remove this placeholder after deciding on correct behavior
+	// for the primary package purpose field:
+	// https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field
+	documentDescribesRelationship := &spdx.Relationship{
+		RefA: common.DocElementID{
+			ElementRefID: "DOCUMENT",
+		},
+		Relationship: string(DescribesRelationship),
+		RefB: common.DocElementID{
+			ElementRefID: "DOCUMENT",
+		},
+		RelationshipComment: "",
+	}
+
+	relationships = append(relationships, documentDescribesRelationship)
 
 	return &spdx.Document{
 		// 6.1: SPDX Version; should be in the format "SPDX-x.x"
@@ -107,7 +125,7 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
 		},
 		Packages:      toPackages(s.Artifacts.PackageCatalog, s),
 		Files:         toFiles(s),
-		Relationships: toRelationships(s.RelationshipsSorted()),
+		Relationships: relationships,
 	}
 }
 
@@ -407,6 +425,15 @@ func toFiles(s sbom.SBOM) (results []*spdx.File) {
 			digests = digestsForLocation
 		}
 
+		// if we don't have any metadata or digests for this location
+		// then the file is most likely a symlink or non-regular file
+		// for now we include a 0 sha1 digest as requested by the spdx spec
+		// TODO: update location code in core SBOM so that we can map complex links
+		// back to their real file digest location.
+		if len(digests) == 0 {
+			digests = append(digests, file.Digest{Algorithm: "sha1", Value: "0000000000000000000000000000000000000000"})
+		}
+
 		// TODO: add file classifications (?) and content as a snippet
 
 		var comment string
diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
index bbe863815..59bdc67c9 100644
--- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
+++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
@@ -3,14 +3,14 @@
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "/some/path",
- "documentNamespace": "https://anchore.com/syft/dir/some/path-4bf54cdd-0a0f-4560-bf4f-39cac2ef7a5b",
+ "documentNamespace": "https://anchore.com/syft/dir/some/path-116e86ba-a976-48ed-909d-9278807ee7fe",
  "creationInfo": {
-  "licenseListVersion": "3.18",
+  "licenseListVersion": "3.19",
   "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-v0.42.0-bogus"
   ],
-  "created": "2022-11-19T13:46:57Z",
+  "created": "2022-12-21T03:39:05Z",
   "comment": ""
  },
  "packages": [
@@ -62,5 +62,12 @@
     }
    ]
   }
+ ],
+ "relationships": [
+  {
+   "spdxElementId": "SPDXRef-DOCUMENT",
+   "relatedSpdxElement": "SPDXRef-DOCUMENT",
+   "relationshipType": "DESCRIBES"
+  }
  ]
 }
diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
index 5462bcdf1..8e9ca38cc 100644
--- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
+++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
@@ -3,14 +3,14 @@
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "user-image-input",
- "documentNamespace": "https://anchore.com/syft/image/user-image-input-102ca7dc-3d1e-46d2-b130-28968831ebcc",
+ "documentNamespace": "https://anchore.com/syft/image/user-image-input-006b9b96-66f1-4de3-897f-6583b4358c87",
  "creationInfo": {
-  "licenseListVersion": "3.18",
+  "licenseListVersion": "3.19",
   "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-v0.42.0-bogus"
   ],
-  "created": "2022-11-19T13:46:57Z",
+  "created": "2022-12-21T03:39:05Z",
   "comment": ""
  },
  "packages": [
@@ -62,5 +62,12 @@
     }
    ]
   }
+ ],
+ "relationships": [
+  {
+   "spdxElementId": "SPDXRef-DOCUMENT",
+   "relatedSpdxElement": "SPDXRef-DOCUMENT",
+   "relationshipType": "DESCRIBES"
+  }
  ]
 }
diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
index 451f76e9b..e88d0f5e6 100644
--- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
+++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
@@ -3,14 +3,14 @@
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "user-image-input",
- "documentNamespace": "https://anchore.com/syft/image/user-image-input-ace88a38-4633-4bff-8fa3-8ae929dab37d",
+ "documentNamespace": "https://anchore.com/syft/image/user-image-input-552a9cfc-49ee-4706-81cb-723fd7146b4f",
  "creationInfo": {
   "licenseListVersion": "3.19",
   "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-v0.42.0-bogus"
   ],
-  "created": "2022-12-14T18:21:40Z",
+  "created": "2022-12-21T03:39:05Z",
   "comment": ""
  },
  "packages": [
@@ -70,7 +70,12 @@
    "fileTypes": [
     "OTHER"
    ],
-   "checksums": [],
+   "checksums": [
+    {
+     "algorithm": "SHA1",
+     "checksumValue": "0000000000000000000000000000000000000000"
+    }
+   ],
    "licenseConcluded": "NOASSERTION",
    "copyrightText": ""
   },
@@ -80,7 +85,12 @@
    "fileTypes": [
     "OTHER"
    ],
-   "checksums": [],
+   "checksums": [
+    {
+     "algorithm": "SHA1",
+     "checksumValue": "0000000000000000000000000000000000000000"
+    }
+   ],
    "licenseConcluded": "NOASSERTION",
    "copyrightText": ""
   },
@@ -90,7 +100,12 @@
    "fileTypes": [
     "OTHER"
    ],
-   "checksums": [],
+   "checksums": [
+    {
+     "algorithm": "SHA1",
+     "checksumValue": "0000000000000000000000000000000000000000"
+    }
+   ],
    "licenseConcluded": "NOASSERTION",
    "copyrightText": ""
   },
@@ -100,7 +115,12 @@
    "fileTypes": [
     "OTHER"
    ],
-   "checksums": [],
+   "checksums": [
+    {
+     "algorithm": "SHA1",
+     "checksumValue": "0000000000000000000000000000000000000000"
+    }
+   ],
    "licenseConcluded": "NOASSERTION",
    "copyrightText": ""
   },
@@ -110,7 +130,12 @@
    "fileTypes": [
     "OTHER"
    ],
-   "checksums": [],
+   "checksums": [
+    {
+     "algorithm": "SHA1",
+     "checksumValue": "0000000000000000000000000000000000000000"
+    }
+   ],
    "licenseConcluded": "NOASSERTION",
    "copyrightText": ""
   },
@@ -120,7 +145,12 @@
    "fileTypes": [
     "OTHER"
    ],
-   "checksums": [],
+   "checksums": [
+    {
+     "algorithm": "SHA1",
+     "checksumValue": "0000000000000000000000000000000000000000"
+    }
+   ],
    "licenseConcluded": "NOASSERTION",
    "copyrightText": ""
   }
@@ -155,6 +185,11 @@
    "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6",
    "relatedSpdxElement": "SPDXRef-f9e49132a4b96ccd",
    "relationshipType": "CONTAINS"
+  },
+  {
+   "spdxElementId": "SPDXRef-DOCUMENT",
+   "relatedSpdxElement": "SPDXRef-DOCUMENT",
+   "relationshipType": "DESCRIBES"
   }
  ]
 }
diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/formats/spdxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
index aca6612022dd7bc15ae55b156bb7897f9e4c54ef..b9ddf6e33390ab196d24a941bdda1dc969b30a0e 100644
GIT binary patch
literal 15360
zcmeHOZExE)5ccQ&3QzkQ+a$#|8Q6!eDbNDNQnXnItSAb;CR%ODkmMpkkpI4u>^QNz
zR!d|nDMrD7#kV8%9PfNQJ&u_WL{sC4wG4YAF?W_&oG8wCEIH;@I^mcSRx68*XAI#)
zS|o9zEfbSL`-Koig0TTwUAy0P?Eur5Au0rp;{hTFBRm+gcG2B?EXzt2u%xb%b|0>*
zyq?C#UG@L|#oKqUPJaL1azUGjQ@X47n=&95@8}=nSPX`pb@IJM-L(DB^^eEBpnQXN
z_<mvtbhiJ$%RFm&rWX6hjC|$)g+RgnTVUNw^Hr4EXc~3h2GLQpP=(7Xkj1&iGSL`Q
z8Ea{&j}s=iCCFM$b<zYIQs5+!iW)`)_Xd-g80x4*36mhp6i!vHUKl}yj4&Aye2U^}
zOr|s*$0XrNENJ{!-8IiDm1eH^1b03?i>6o6%e<^IHFq!`dK~9-=x|&9qjbfp<yloJ
zbN;TfX%<brnw9P-+SKJsc$nQvSHRG9<!N=fxj$LBY+FuKI>`(yV%`5m_9dET%h~KG
zdOn9|Tiw2ztF!e&-{-UC+?6*if9A#KG&?&^*Q<SzRmJ5ZPiv4@V^6Z*mg#IG>b25t
zwjO@nAoKL`_z=B$cKY(y$+9dav)riJq||9Py;I&4ZyTDbRS|BZj}HNK0z2crh^oSz
zr<F6+vZz(2=9W_slLO|_EX|e|(e+-8vPU6Z4SzCIm#!GsG4waD7XMGbj{mX1H2D8-
z0=mbBGM_u2&fJKMtBY!ng71iG(LaLo-YWhlScsSm5XJ(I3nBi$gW;iWSGph8zoPK#
zUH*Kid4k-4KtLcM5D<7;2y{KH9VGvY1;=s7|Msy{I_v)+`Cr5t<o|ogOose#AKNU<
z@k9~mZ2#T!zlamO^Zo}hcqJ6<zlS}u&i{7Z26ZBKle5K%KqG|VbBfTk`GidE_cFDQ
zm_Y2R_ygttDB;2WdocgOCjW;YGyliG%KwG<uMh1H2Gx054(lY~@LZLfG+;k-hgkvw
z0fB%(K;ZEZ;MOHxGj6$|3S+FDb|^N|BdQXml_81q8XKn(V^#|bd{Cn$H%<vgv>A6l
z|6xLR&wm8LYrt^+>tS15Mc*Jb+_GsJ-pZbM8e5!}nu4)KVW~+gn^R;f^9LfADldS8
z^Wmyx7?D6R<FSy<F?2P<Ck-Q`XUE4)^fPM0-{E9C93K8M)HT88b6V90+<ZP?F`RBH
z$2K>gT~UWm<1Z+>K5ARYHgoA;7t*|kzq624`JM{_M$DZv<xy1RdF6qnaurpVi<-L9
zur^9~D4Tl!DYek{Au7)mVSGxE7D$K$*jOx<fSactYhY-_6!=<<Y34i^4ilD0FQwrW
zJ0UFwrk8<s3sTpTD0j?&BVkw}&#(j<a3X>KrLZwZg1@1)1d9wZf_kg5$BsxsiS)4r
zwt4jN`iCRb^kB35oMNuB)Vs3!FMj-?^S1Fn7z57#?bYx<aPa>Rh5KIPz;`}h^CqLc
z!~$UbZ`~q4Rc9-oQn|wArO6j=<kO3qIX6mc%Hya^=Zl$}N`^Q$3?nJEwFLZtP%?2z
z;^1#13Gy6TY2pO&-Xx5HXEK&M3;~KG#4ug6|6bP|v}U^frL*8U_Q#C_NA~fjd+DXG
z&IRbIOyPGlb>*SvY_orI``@723)J?{d9eROsbfp-RaCZEXdN|lHqt#X%&)JXrUh-m
P843Y`fIvXthe6;Ux}S+Y

literal 15360
zcmeHOZBOGk5bo#u6}{Y7+S-m^E8PcfS!q{V9j9GxPdbE<<Jgd+O{yeafe`=w#%(FI
z9ONKvVYRM`8o!P0XEKxV<bjGL6-HQ*Vj);6IT1L)BtcprlTbu-nyAD&Bbl{?F=?!_
z8nYNlj5ODSPV)yLiUeaFH2<vs`q~brF{QEKgg`%nU=^J%YZl$U$F!<-2}^1#X?=5T
z<?U!ZZL9yU?>~R}c=-EM%S9L=PU*VdZ_9vOyrzE~6Vd6m*2z<gx^4Tx^^f~ILHQQ#
z@cYIPXl?)hR7Kvfrw04SjI8^Aj5!MS-vH}Iny;fQjfPR%+aTJDCc3nF4YCwhj>;Gd
z?6lx9jbly{k{E3f(h3PKG{JGos1zzqgh-KaOk-}WAX-ZavP@}pZT-R^6d*lJdPp8&
zHbi7dSzk&JqDV~s_Fap-)>&@LQ@C>3Sv0(kJ``1*>#>FL(Bq&OLx;QapOr1=E&Fw?
z&H0x)&GKmI^r*6X(Xy_X!e-VhZ3#mcl}Gi}^7?RM^Hn*s(qV335sUus^Ka2GpN>X*
z(YrD1ZGQQ2tj`t;{aTEsV_V&}{8f|}S$=kqEmr$Jugj}Rk$I5kV-NG+rrBsI>XT0F
zXfga|hRoZ?<2d?b|LDW7gK1R`MupL%L6v0r@LqXYyla?M&5LjuoxB9l0o)nSMO2sO
zJgcp#r=?e!9;cjwm;x}5Mp-_+jBYk!lsgpC*6;@-ePzqOkD(v^H28n|F#abP(cu3d
z1$2WARWY_M8`&P|*O&DM1>Y0ZpnnACJs<xQ$~ecAbP&dZhWP&;g4?^C>%QxsqVV*t
ze%{_pL2^JKAP^7;2)rc(+8)-nlK;hmGamB4ySPtU>whcxUnFpd|97GOPRRf61m-t8
zNo)IWpZ`Ui;I;QZh*9wWJ9#tlgTMb-<bT`V20jtH%-LckP!D1F9w9WGeM6@9sZ8xF
zCJ@^yemnU;O#S=+VE@~HY%KGC_%-u?{6YSYh4^p#%7+>1^Q`LnBw+VkSIacuPNoi%
z1Ox&C0fB(PD<a^Cfmq8?6B{mK%p8&eb8I|M!*P--!{QXkpPWi*I1&_bBpug^5o?%K
z{r2ZSOz4C2U+nXLA^zL`jd2}4LTb2U)694)8{%oKa9TVCV}-)vNh`}!WFzwjBA2=-
zfrE2=-875<kvRs+(CipGpW!rtk<tFa!7Tde&BEXAU^N`>{?bi6!R8{X{Q<WakLL`h
z+sb}gm<wC_@Tva|MK^nm3t3?<{pUhv@8Rz)WL|#eLVyu-?@YNDl|@lIV5wY3_0_~v
zS7xk@3O1Ey&Yfl{v>iv)xh9Mct>MyvFVHF$7RRwPj>i_PG)Ys6QIaa@oKAtYD=ARG
z3E?7zW~{Wah;su{7m^rGX`Cp`3Aa?@*a{F!m{Km$DCNijy_`^O6~zYl<|$Sf{uDD*
zS&58_PHw(CLe2I~cB3<lb)Gp})&IwjzjWdz{s&|6JuWz!@joyL{{N+TKW7~H&UXvm
zWVDf30IdJBofJp<Z0=KPTiT*B#l-epcIlaOz06Y{dsQ}`jO<V{?=u)iQi6XWf;yq4
zvPuD4lq%#nw1PVj#5toF6G)hpTPz*2gcz21_TMMZL7PptxpWrnV{_a%aAYSxJx47&
z>sx}Zstlf^nXR@pX_NiKzZI?9Kj*>zx2291xz|zEV4*&0Xl<k$V3^<ByiE&Qfin~W
M0s(=5z;}bdzmznGHUIzs

diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
index 988de2374..c017916c2 100644
--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
@@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: foobar/baz
-DocumentNamespace: https://anchore.com/syft/dir/foobar/baz-62bc0aae-2b37-4c86-ab79-63c6fc4198ed
-LicenseListVersion: 3.18
+DocumentNamespace: https://anchore.com/syft/dir/foobar/baz-478e410d-7fad-472c-b4e9-a4068ef28160
+LicenseListVersion: 3.19
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-11-19T13:48:30Z
+Created: 2022-12-21T03:39:05Z
 
 ##### Package: @at-sign
 
@@ -41,3 +41,7 @@ PackageLicenseConcluded: NONE
 PackageLicenseDeclared: NONE
 PackageCopyrightText: NOASSERTION
 
+##### Relationships
+
+Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DOCUMENT
+
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
index d87fee378..94cd399de 100644
--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
@@ -2,42 +2,48 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: user-image-input
-DocumentNamespace: https://anchore.com/syft/image/user-image-input-cc20e416-9c74-401c-b4aa-245556bada5e
-LicenseListVersion: 3.18
+DocumentNamespace: https://anchore.com/syft/image/user-image-input-73433e8c-364f-42b6-b5b7-9a4da8799868
+LicenseListVersion: 3.19
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-11-19T13:48:30Z
+Created: 2022-12-21T03:39:05Z
 
 ##### Unpackaged files
 
 FileName: /f1
 SPDXID: SPDXRef-5265a4dde3edbf7c
 FileType: OTHER
+FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
 
 FileName: /z1/f5
 SPDXID: SPDXRef-839d99ee67d9d174
 FileType: OTHER
+FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
 
 FileName: /a1/f6
 SPDXID: SPDXRef-9c2f7510199b17f6
 FileType: OTHER
+FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
 
 FileName: /d2/f4
 SPDXID: SPDXRef-c641caa71518099f
 FileType: OTHER
+FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
 
 FileName: /d1/f3
 SPDXID: SPDXRef-c6f5b29dca12661f
 FileType: OTHER
+FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
 
 FileName: /f2
 SPDXID: SPDXRef-f9e49132a4b96ccd
 FileType: OTHER
+FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
 
 ##### Package: package-2
@@ -76,4 +82,5 @@ Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef
 Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-c641caa71518099f
 Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-c6f5b29dca12661f
 Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-f9e49132a4b96ccd
+Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DOCUMENT
 
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
index 119e225ef..7bd71f05f 100644
--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
@@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: /some/path
-DocumentNamespace: https://anchore.com/syft/dir/some/path-7a4b2140-6669-4a28-80dd-5c8e795c5da0
-LicenseListVersion: 3.18
+DocumentNamespace: https://anchore.com/syft/dir/some/path-1d303762-46d2-47b5-9c81-defa91387275
+LicenseListVersion: 3.19
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-11-19T13:48:30Z
+Created: 2022-12-21T03:39:05Z
 
 ##### Package: package-2
 
@@ -36,3 +36,7 @@ PackageCopyrightText: NOASSERTION
 ExternalRef: SECURITY cpe23Type cpe:2.3:*:some:package:2:*:*:*:*:*:*:*
 ExternalRef: PACKAGE-MANAGER purl a-purl-2
 
+##### Relationships
+
+Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DOCUMENT
+
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
index 3d62f6ccc..df1cb1467 100644
--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
@@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: user-image-input
-DocumentNamespace: https://anchore.com/syft/image/user-image-input-baff7ada-85cb-403e-90d7-05b0c6d79490
-LicenseListVersion: 3.18
+DocumentNamespace: https://anchore.com/syft/image/user-image-input-559af225-63af-4bc0-94fb-bce94913bcfa
+LicenseListVersion: 3.19
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-11-19T13:48:30Z
+Created: 2022-12-21T03:39:05Z
 
 ##### Package: package-2
 
@@ -36,3 +36,7 @@ PackageCopyrightText: NOASSERTION
 ExternalRef: SECURITY cpe23Type cpe:2.3:*:some:package:1:*:*:*:*:*:*:*
 ExternalRef: PACKAGE-MANAGER purl a-purl-1
 
+##### Relationships
+
+Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DOCUMENT
+
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
index 0a4b4d25667754eaccaf5fe1dabb4e5a5b16005e..b9ddf6e33390ab196d24a941bdda1dc969b30a0e 100644
GIT binary patch
literal 15360
zcmeHOZExE)5ccQ&3QzkQ+a$#|8Q6!eDbNDNQnXnItSAb;CR%ODkmMpkkpI4u>^QNz
zR!d|nDMrD7#kV8%9PfNQJ&u_WL{sC4wG4YAF?W_&oG8wCEIH;@I^mcSRx68*XAI#)
zS|o9zEfbSL`-Koig0TTwUAy0P?Eur5Au0rp;{hTFBRm+gcG2B?EXzt2u%xb%b|0>*
zyq?C#UG@L|#oKqUPJaL1azUGjQ@X47n=&95@8}=nSPX`pb@IJM-L(DB^^eEBpnQXN
z_<mvtbhiJ$%RFm&rWX6hjC|$)g+RgnTVUNw^Hr4EXc~3h2GLQpP=(7Xkj1&iGSL`Q
z8Ea{&j}s=iCCFM$b<zYIQs5+!iW)`)_Xd-g80x4*36mhp6i!vHUKl}yj4&Aye2U^}
zOr|s*$0XrNENJ{!-8IiDm1eH^1b03?i>6o6%e<^IHFq!`dK~9-=x|&9qjbfp<yloJ
zbN;TfX%<brnw9P-+SKJsc$nQvSHRG9<!N=fxj$LBY+FuKI>`(yV%`5m_9dET%h~KG
zdOn9|Tiw2ztF!e&-{-UC+?6*if9A#KG&?&^*Q<SzRmJ5ZPiv4@V^6Z*mg#IG>b25t
zwjO@nAoKL`_z=B$cKY(y$+9dav)riJq||9Py;I&4ZyTDbRS|BZj}HNK0z2crh^oSz
zr<F6+vZz(2=9W_slLO|_EX|e|(e+-8vPU6Z4SzCIm#!GsG4waD7XMGbj{mX1H2D8-
z0=mbBGM_u2&fJKMtBY!ng71iG(LaLo-YWhlScsSm5XJ(I3nBi$gW;iWSGph8zoPK#
zUH*Kid4k-4KtLcM5D<7;2y{KH9VGvY1;=s7|Msy{I_v)+`Cr5t<o|ogOose#AKNU<
z@k9~mZ2#T!zlamO^Zo}hcqJ6<zlS}u&i{7Z26ZBKle5K%KqG|VbBfTk`GidE_cFDQ
zm_Y2R_ygttDB;2WdocgOCjW;YGyliG%KwG<uMh1H2Gx054(lY~@LZLfG+;k-hgkvw
z0fB%(K;ZEZ;MOHxGj6$|3S+FDb|^N|BdQXml_81q8XKn(V^#|bd{Cn$H%<vgv>A6l
z|6xLR&wm8LYrt^+>tS15Mc*Jb+_GsJ-pZbM8e5!}nu4)KVW~+gn^R;f^9LfADldS8
z^Wmyx7?D6R<FSy<F?2P<Ck-Q`XUE4)^fPM0-{E9C93K8M)HT88b6V90+<ZP?F`RBH
z$2K>gT~UWm<1Z+>K5ARYHgoA;7t*|kzq624`JM{_M$DZv<xy1RdF6qnaurpVi<-L9
zur^9~D4Tl!DYek{Au7)mVSGxE7D$K$*jOx<fSactYhY-_6!=<<Y34i^4ilD0FQwrW
zJ0UFwrk8<s3sTpTD0j?&BVkw}&#(j<a3X>KrLZwZg1@1)1d9wZf_kg5$BsxsiS)4r
zwt4jN`iCRb^kB35oMNuB)Vs3!FMj-?^S1Fn7z57#?bYx<aPa>Rh5KIPz;`}h^CqLc
z!~$UbZ`~q4Rc9-oQn|wArO6j=<kO3qIX6mc%Hya^=Zl$}N`^Q$3?nJEwFLZtP%?2z
z;^1#13Gy6TY2pO&-Xx5HXEK&M3;~KG#4ug6|6bP|v}U^frL*8U_Q#C_NA~fjd+DXG
z&IRbIOyPGlb>*SvY_orI``@723)J?{d9eROsbfp-RaCZEXdN|lHqt#X%&)JXrUh-m
P843Y`fIvXthe6;Ux}S+Y

literal 15360
zcmeHOZExE)5YFfQ3QzkQ+kB^JU>~xkKnoO0(Pka6peQK5BwB3AkmRC4kpI4u?Krl(
zL`@_c$wtGl`FcD)r<3k@Cy5P`Tr=aC@SgZ2HYUbI3u`Q6PFw4}v;qpyELBXolU90<
zluLN5(D0!7gAju?_yJmcw*Twa1I#GGk{}__0U}5udC=p{q}z{}m6a}lrM8r|H`kWl
zp61K8^8fVu!^gKLzdyt-!Uze*w&i|X2ju9M{IO*Gpx0U^4>5Jy_dl0E9_$6>TeQRf
zGee-Y{{LO(S;L+h^dEDwegDT?ilF}uuy)dY9i=uJMQtyG=rEe<!etfEa++G|onzWa
zYDFxxL>@DZywiePNf;F(A;#H+Vaqhpv4-b9^N2V{jR#t$aJq6eV+0Y>M{%F<Q!GY=
zj8Hs?6{dm_8UIxe&9h3UnJd0P$*1Sh=sJ3nmsO@G4(7v%<9q@G?&^P(u2}RORh2du
zA1j+?(a7s@=?<e+TRwx$Y&W_BrY;*#tE*M{Wa_d_I`i5|W`K$1_}AIjXq3&y<HP9H
z1opNlzMbgvC8MA6@oeJC+nzu3;xf(7kJBZ$ud}MSn&xQ@@?!2u_S-BSuSmVqi5oAc
z-^`JD{&<{4?~hL3{5qVK#c-S(Jsy@xnvK@#tLk0HylGK|V)XebfDYlxcr2p2Fc)d%
zOf@TNk?DyQ49Mhwc{EP5*|+GX6Q$fEk+zCI9P2Ar3~C$t-cQ5*pM7ut6HZ9D|KAH}
zhaF`;aXuZpJ{eTsstyUSk!p}X0)G$ee}V~z9|V2^#*)$?|1}7AR$R!wS3gDJ>0SQ3
zvxNfTfIvVXAP^9ERtO~Apv3DqF<v4gxmCm^E=jx;+6y5S5|#@mytW(}DxLI-S|1ap
z1xutFbm0FJhPTiEI1cB3d$~@oqkEj1J8ydKw|3;GZTPgc3%23H)=uk>d;S+`S>*-z
z;Ahtj)1;u3B1-7|z+kb$mjq@;N5{v#xe0`8^S3u#nZt|vFTJF8urJdJST*@%vN++m
zZ5-I#T)LtrF!+k1o5LnXHcu}8m65p}zQ)L+{zyi^BVKb#52GT_D-T}kbyQtVYu9z|
zwUw|bn|l8xwa|AKl^2?DF#^T6*d&}Qs%$J12o4bip&n_G<`i+2BvdkDh!vb-CKz=D
zei68m9%*8M>MbQMm6FDLrDG~ERX7%es>FIHCE*Cla5jW2a#l&prNaorTHL|yg;A`c
z&o?j5q27zucDG2|!@3>C|9Bn$3Gu(~<a{5c*7Dy?{7*ngFvS1v6IzGuA^z7Pm@kl2
zYyEF;|06-Zv;P?l_Wxe4re*xE?PXA#$1BSnD~b9D!}k=S(fk`Cbq_`A)@=2C+q-QA
zzoYmMg*346{NKYJVAJ8<&4SJGAMsuMhXwiXMi^UED>y}&pMdl(bh!!xZ4C<5fIvVX
zAP^Av&ml0;S?XO`{YV_=she+l{&P;(a={`0AM!tN$p3jN+>e?Ev6ENJyveAOSRi<U
zAKWxQ)#r<tLgfmVmnNUOzE8i^nRETLPI>H?>0~-~qnJbPr{NgIabhiz%u5|Br<8-&
zMihb=q%cf5NxV0Tb9gbt!0RYD_Q(-pcv5Hoy{mK3=F4^G&cHsp%Z-CT#^;|NC6|2-
zE<jdg3URd5mAhKAN&m^+yFv9^G`0Q<5%hmo;@F^j9hD6lT1O3AD`^KA<~KLbQ-e0(
P43&UDKp-ISVi5QTZ?c|t

diff --git a/test/cli/spdx_tooling_validation_test.go b/test/cli/spdx_tooling_validation_test.go
index 00c9afedd..eef290dee 100644
--- a/test/cli/spdx_tooling_validation_test.go
+++ b/test/cli/spdx_tooling_validation_test.go
@@ -6,6 +6,7 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/require"
@@ -26,6 +27,29 @@ func TestSpdxValidationTooling(t *testing.T) {
 			images:   []string{"alpine:latest", "photon:3.0", "debian:latest"},
 			env: map[string]string{
 				"SYFT_FILE_METADATA_CATALOGER_ENABLED": "true",
+				"SYFT_FILE_CONTENTS_CATALOGER_ENABLED": "true",
+				"SYFT_FILE_METADATA_DIGESTS":           "sha1",
+			},
+			setup: func(t *testing.T) {
+				cwd, err := os.Getwd()
+				require.NoError(t, err)
+				fixturesPath := filepath.Join(cwd, "test-fixtures", "image-java-spdx-tools")
+				buildCmd := exec.Command("make", "build")
+				buildCmd.Dir = fixturesPath
+				err = buildCmd.Run()
+				require.NoError(t, err)
+			},
+			assertions: []traitAssertion{
+				assertSuccessfulReturnCode,
+			},
+		},
+		{
+			name:     "spdx validation tooling json",
+			syftArgs: []string{"packages", "-o", "spdx-json"},
+			images:   []string{"alpine:latest", "photon:3.0", "debian:latest"},
+			env: map[string]string{
+				"SYFT_FILE_METADATA_CATALOGER_ENABLED": "true",
+				"SYFT_FILE_CONTENTS_CATALOGER_ENABLED": "true",
 				"SYFT_FILE_METADATA_DIGESTS":           "sha1",
 			},
 			setup: func(t *testing.T) {
@@ -61,8 +85,15 @@ func TestSpdxValidationTooling(t *testing.T) {
 				f, err := os.CreateTemp(t.TempDir(), "temp")
 				require.NoError(t, err)
 
+				var suffix string
+				if strings.Contains(test.name, "json") {
+					suffix = ".json"
+				} else {
+					suffix = ".spdx"
+				}
+
 				// spdx tooling only takes a file with suffix spdx
-				rename := path.Join(path.Dir(f.Name()), fmt.Sprintf("%s.spdx", path.Base(f.Name())))
+				rename := path.Join(path.Dir(f.Name()), fmt.Sprintf("%s.%s", path.Base(f.Name()), suffix))
 				err = os.Rename(f.Name(), rename)
 				require.NoError(t, err)