
Converting SPDX json with primaryPackagePurpose OPERATING-SYSTEM fails #419

@jtklahti

Description


Hello,
I was trying to convert an SPDX JSON file generated by Trivy (Harbor scanner) to CycloneDX format using cyclonedx-cli, but it resulted in an error related to the "primaryPackagePurpose" field having the value "OPERATING-SYSTEM". Replacing "OPERATING-SYSTEM" with "OPERATING_SYSTEM" in the SPDX JSON file allowed me to convert the file successfully.

OS version: macOS 26.2 on an M1 system.
CycloneDX CLI version: 0.29.2

I expected cyclonedx-cli to convert the SPDX JSON to CycloneDX JSON without errors, but it failed with an error. I used nginx:1.29.4 just as an example image.

The SPDX spec says that "OPERATING-SYSTEM" is among the allowed values.

This issue could probably be fixed easily in the file PrimaryPackagePurposeType.cs by adding "OPERATING-SYSTEM" as a valid enum value. The same kind of issue was fixed here for issue #267.

How to reproduce:

# create spdx-json with Trivy scanner
docker run -it --rm -v /var/run/docker.sock:/var/run/docker.sock -v "$(pwd):/data" aquasec/trivy:0.69.1 image --format spdx-json --output /data/spdx-sbom.json nginx:1.29.4
# output omitted
cyclonedx convert --input-format spdxjson --input-file spdx-sbom.json --output-format json --output-file cyclonedx-sbom.json
# results in an error
Unhandled exception: System.Text.Json.JsonException: The JSON value could not be converted to System.Nullable`1[CycloneDX.Spdx.Models.v2_3.PrimaryPackagePurposeType]. Path: $.packages[152].primaryPackagePurpose | LineNumber: 0 | BytePositionInLine: 261540.
   at System.Text.Json.ThrowHelper.ThrowJsonException(String message)
   at System.Text.Json.Serialization.Converters.EnumConverter`1.ReadEnumUsingNamingPolicy(String enumString)
   at System.Text.Json.Serialization.Converters.EnumConverter`1.Read(Utf8JsonReader& reader, Type typeToConvert, JsonSerializerOptions options)
   ...

# this kind of "package" seems to be the problem
jq '.packages[] | select(.primaryPackagePurpose=="OPERATING-SYSTEM")' spdx-sbom.json
{
  "name": "debian",
  "primaryPackagePurpose": "OPERATING-SYSTEM",
  ... # rest omitted

# temporary fix with sed
sed 's/OPERATING-SYSTEM/OPERATING_SYSTEM/g' spdx-sbom.json > spdx-sbom-fixed.json
# now converting worked, output omitted.
cyclonedx convert --input-format spdxjson --input-file spdx-sbom-fixed.json --output-format json --output-file cyclonedx-sbom.json

ls -la cyclonedx-sbom.json
-rw-r--r--  1 xyz  staff  384286 Feb  5 15:17 cyclonedx-sbom.json

Thank you in advance!
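A field-scoped version of the sed workaround from the report above, added here as an example; it is not part of this issue, of Trivy or of cyclonedx-cli. The global `sed` rewrites every occurrence of the string, including any package name or comment that happens to contain it; this script parses the SPDX JSON, rewrites only the `primaryPackagePurpose` field of each entry in `packages`, leaves values that are not in the SPDX 2.3 list untouched (so a genuinely malformed SBOM still fails loudly downstream) and reports what it changed. The sample SPDX document, the package names and the `normalize_purposes` / `package_field` / `naive_sed_equivalent` names are constructed for the example.

```python
import json
from typing import List, Tuple

# primaryPackagePurpose values allowed by SPDX 2.3. OPERATING-SYSTEM is the only
# one written with a hyphen, which is what the .NET enum converter in the
# report above rejects; the underscore form is the one it accepts.
SPDX_PURPOSES = frozenset({
    "APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "OPERATING-SYSTEM",
    "DEVICE", "FIRMWARE", "SOURCE", "ARCHIVE", "FILE", "INSTALL", "OTHER",
})


def normalize_purposes(spdx_text: str) -> Tuple[str, int, List[Tuple[str, str]]]:
    """Rewrite hyphenated primaryPackagePurpose values to underscore form.

    Only the primaryPackagePurpose field of each entry in "packages" is touched;
    names, comments and other free text are left alone. Values outside the
    SPDX 2.3 list are reported rather than rewritten.
    Returns (normalized JSON text, number of fields changed, unknown values).
    """
    doc = json.loads(spdx_text)
    changed = 0
    unknown: List[Tuple[str, str]] = []
    for pkg in doc.get("packages", []):
        purpose = pkg.get("primaryPackagePurpose")
        if purpose is None:
            continue
        if purpose not in SPDX_PURPOSES:
            unknown.append((pkg.get("name", "<unnamed>"), purpose))
            continue
        fixed = purpose.replace("-", "_")
        if fixed != purpose:
            pkg["primaryPackagePurpose"] = fixed
            changed += 1
    return json.dumps(doc, indent=2), changed, unknown


def package_field(spdx_text: str, name: str, field: str):
    """Look up one field of the package called `name` (None if absent)."""
    for pkg in json.loads(spdx_text).get("packages", []):
        if pkg.get("name") == name:
            return pkg.get(field)
    return None


def naive_sed_equivalent(spdx_text: str) -> str:
    """What `sed 's/OPERATING-SYSTEM/OPERATING_SYSTEM/g'` does: every occurrence."""
    return spdx_text.replace("OPERATING-SYSTEM", "OPERATING_SYSTEM")


# Constructed minimal SPDX 2.3 document standing in for the Trivy output. The
# comment on "libfoo" deliberately contains the literal OPERATING-SYSTEM so the
# difference between the global sed and the field-scoped rewrite is visible,
# and "weird" carries a value that is not valid SPDX at all.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "nginx:1.29.4",
    "packages": [
        {"name": "debian", "SPDXID": "SPDXRef-os",
         "primaryPackagePurpose": "OPERATING-SYSTEM"},
        {"name": "nginx", "SPDXID": "SPDXRef-app",
         "primaryPackagePurpose": "APPLICATION"},
        {"name": "libfoo", "SPDXID": "SPDXRef-lib",
         "primaryPackagePurpose": "LIBRARY",
         "comment": "built against OPERATING-SYSTEM headers"},
        {"name": "weird", "SPDXID": "SPDXRef-x",
         "primaryPackagePurpose": "BOGUS-VALUE"},
    ],
})


if __name__ == "__main__":
    out, n, bad = normalize_purposes(SAMPLE_SPDX)
    print(f"rewrote {n} field(s); values left alone as unknown: {bad}")
    print("debian purpose (scoped) ->", package_field(out, "debian", "primaryPackagePurpose"))
    print("libfoo comment (scoped) ->", package_field(out, "libfoo", "comment"))
    print("libfoo comment (sed)    ->",
          package_field(naive_sed_equivalent(SAMPLE_SPDX), "libfoo", "comment"))
```

To use it on a real file, read `spdx-sbom.json`, pass its text to `normalize_purposes`, write the returned JSON to `spdx-sbom-fixed.json` and then run the `cyclonedx convert` command from the report; a non-empty unknown list is worth a look before converting, since it means the SBOM carries a purpose value that neither SPDX nor the CLI's enum knows.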
