SPDX RDF Format conversion of Spec 1.2 to 2.3


I have an SPDX file in spec version 1.2 and want to convert it to spec 2.3. The SPDX online tools (https://github.com/spdx/tools-python/blob/main/README.md) and the python tools offer conversion examples between different formats like RDF and JSON and the conversion from 2.3 to 3.0.

I've also found hints that there was a conversion tool for 1.2 to 2.x but I wasn't able to find examples or information on this.

I tried to use the Python implementation to parse a 1.2 spec RDF file, but it fails with `spdx_tools.spdx.parser.error.SPDXParsingError: ["Error while parsing CreationInfo: ['No creators provided.']"]`, although the creators are obviously defined.

The SPDX RDF/XML file looks as follows:

<?xml version="1.0" encoding="utf-8"?>
<rdf:RDF
  xmlns:spdx="http://spdx.org/rdf/terms#"
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:doap="http://usefulinc.com/ns/doap#"
  xmlns:ptr="http://www.w3.org/2009/pointers#"
  xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#">
  <spdx:SpdxDocument rdf:about="http://www.spdx.org/tools#SPDXRef-DOCUMENT">
    <specVersion>SPDX-1.2</specVersion>
    <dataLicense rdf:resource="http://spdx.org/licenses/CC0-1.0"/>
    <rdfs:comment>
        This document was created using SPDX 1.2 using licenses from the web site.
    </rdfs:comment>
    <spdx:creationInfo>
        <spdx:CreationInfo>
            <creator>Person: Me</creator>
            <creator>Organization: Company</creator>
            <creator>Tool: XYZ </creator>
            <created>2024-01-27T18:30:22Z</created>
            <rdfs:comment>SBOM SPDX1.2 Template</rdfs:comment>
        </spdx:CreationInfo>
    </spdx:creationInfo>
    <spdx:describesPackage>
        <spdx:Package>
            <spdx:name>First_Package</spdx:name>
            <spdx:versionInfo>01.01.01</spdx:versionInfo>
            <spdx:supplier> Me</spdx:supplier>
            <spdx:downloadLocation> DirectDelivery </spdx:downloadLocation>
        
            <packageVerificationCode> 
                <PackageVerificationCode> 
                    <packageVerificationCodeValue>7fe30480b4798198be295f083f1022c983bcd34d</packageVerificationCodeValue> 
                </PackageVerificationCode> 
            </packageVerificationCode> 
        
            <sourceInfo>cpe:2.3:a:Me:SW CP:01.01.01:*:*:*:*:*:*:*</sourceInfo>
            <licenseConcluded rdf:resource="http://spdx.org/licenses/LGPL-2.0" />
            <licenseInfoFromFiles rdf:resource="http://spdx.org/licenses/GPL-2.0" />
            <licenseDeclared rdf:resource="http://spdx.org/licenses/LGPL-2.0" />
            <copyrightText>
                Copyright 2024 Me
            </copyrightText>
        </spdx:Package>
      </spdx:describesPackage>
      <spdx:referencesFile></spdx:referencesFile>
    </spdx:SpdxDocument>
</rdf:RDF>

Thanks to the hints from Thomas and some additional analysis, I was able to parse the following file with spdx-tools 0.7.1 and then with the current 0.8.2:

<?xml version="1.0" encoding="utf-8"?>
<rdf:RDF
  xmlns:spdx="http://spdx.org/rdf/terms#"
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:doap="http://usefulinc.com/ns/doap#"
  xmlns:ptr="http://www.w3.org/2009/pointers#"
  xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#">
  <spdx:SpdxDocument rdf:about="http://www.spdx.org/tools#SPDXRef-DOCUMENT">
    <spdx:specVersion>SPDX-1.2</spdx:specVersion>
    <spdx:name>SPDX-Tools-Test</spdx:name>
    <spdx:dataLicense rdf:resource="http://spdx.org/licenses/CC0-1.0"/>
    <rdfs:comment>
        This document was created using SPDX 1.2 using licenses from the web site.
    </rdfs:comment>
    <spdx:creationInfo>
        <spdx:CreationInfo>
            <spdx:creator>Person: Me</spdx:creator>
            <spdx:creator>Organization: Company</spdx:creator>
            <spdx:creator>Tool: XYZ</spdx:creator>
            <spdx:created>2024-01-27T18:30:22Z</spdx:created>
            <rdfs:comment>SBOM SPDX1.2 Template</rdfs:comment>
        </spdx:CreationInfo>
    </spdx:creationInfo>
    <spdx:describesPackage>
        <spdx:Package rdf:about="http://www.spdx.org/tools#SPDXRef-Package">
            <spdx:name>First_Package</spdx:name>
            <spdx:versionInfo>01.01.01</spdx:versionInfo>
            <spdx:supplier>Person: Me</spdx:supplier>
            <spdx:downloadLocation>spdx#noassertion</spdx:downloadLocation>
            <spdx:packageVerificationCode> 
                <spdx:PackageVerificationCode> 
                    <spdx:packageVerificationCodeValue>7fe30480b4798198be295f083f1022c983bcd34d</spdx:packageVerificationCodeValue> 
                </spdx:PackageVerificationCode> 
            </spdx:packageVerificationCode> 
        
            <spdx:sourceInfo>cpe:2.3:a:Me:SW CP:01.01.01:*:*:*:*:*:*:*</spdx:sourceInfo>
            <spdx:licenseConcluded rdf:resource="http://spdx.org/licenses/LGPL-2.0" />
            <spdx:licenseInfoFromFiles rdf:resource="http://spdx.org/licenses/GPL-2.0" />
            <spdx:licenseDeclared rdf:resource="http://spdx.org/licenses/LGPL-2.0" />
            <spdx:copyrightText>
                Copyright 2024 Me
            </spdx:copyrightText>
        </spdx:Package>
      </spdx:describesPackage>
      <spdx:referencesFile>
        <spdx:File rdf:about="http://www.spdx.org/tools#SPDXRef-File">
            <spdx:fileName>
                ./First_Package/file.c
            </spdx:fileName>
            <spdx:checksum>
                <spdx:Checksum>
                   <spdx:algorithm rdf:resource="http://spdx.org/rdf/terms#checksumAlgorithm_sha1"/>
                   <spdx:checksumValue>c2b4e1c67a2d28fced849ee1bb76e7391b93f125</spdx:checksumValue>
                 </spdx:Checksum>
            </spdx:checksum>
        </spdx:File>
      </spdx:referencesFile>
    </spdx:SpdxDocument>
</rdf:RDF>

Nevertheless, the SPDX 1.2 standard does not specify a "name" for SpdxDocument:

(Screenshot of the SPDX 1.2 specification: https://i.stack.imgur.com/jPpu3.png)

The next step is to create an SPDX 2.3 file from this data model.

Answer by Thomas:

The RDF file is missing namespace prefixes for a number of terms, including creator, which should be spdx:creator.

Answer to your question: your SPDX doesn't conform to the SPDX standard. You need to prefix the creator field with the spdx namespace.

Other terms that are missing prefixes:

  • created (this is a required field, so you'll hit a validation error here)
  • specVersion
  • specLicense
  • packageVerificationCode
  • PackageVerificationCode
  • packageVerificationCodeValue
  • sourceInfo
  • licenseConcluded
  • licenseInfoFromFiles
  • licenseDeclared
  • copyrightText

I believe SPDX also requires a document name, to be valid SPDX. So I think you'll also fail that validation rule. When in doubt, the SPDX specification will tell you what fields are required, or you can use the validator and fix each snag as it comes up.
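The parser error in the question ("No creators provided") and the missing-prefix list in the answer are the same defect seen from two sides: an element written without a namespace prefix lives in no namespace, so a namespace-aware parser never sees it as an SPDX term and the field is silently absent. The following stdlib-only Python script is an added example, not code from the question, the answer or the spdx-tools project. It lists the un-namespaced terms in an RDF/XML document, re-tags them into the spdx namespace the way the second file in the question does by hand (assuming every bare term was meant as an spdx: term), and then reports which required creation-info fields are still missing. The embedded document is a constructed, abbreviated copy of the first file above; the function names are my own.

```python
"""Find SPDX terms that lack the spdx: namespace in an RDF/XML document and
report required fields a namespace-aware parser would consider missing.
Standard library only; this is not the spdx-tools parser."""
import xml.etree.ElementTree as ET

SPDX_NS = "http://spdx.org/rdf/terms#"

# Constructed sample: an abbreviated copy of the asker's first file, in which
# specVersion, creator and created carry no namespace prefix.
BROKEN_RDF = """<?xml version="1.0" encoding="utf-8"?>
<rdf:RDF xmlns:spdx="http://spdx.org/rdf/terms#"
         xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#">
  <spdx:SpdxDocument rdf:about="http://www.spdx.org/tools#SPDXRef-DOCUMENT">
    <specVersion>SPDX-1.2</specVersion>
    <spdx:creationInfo>
      <spdx:CreationInfo>
        <creator>Person: Me</creator>
        <creator>Tool: XYZ </creator>
        <created>2024-01-27T18:30:22Z</created>
      </spdx:CreationInfo>
    </spdx:creationInfo>
  </spdx:SpdxDocument>
</rdf:RDF>
"""


def parse(xml_text):
    """Parse text into an element tree (bytes so the XML declaration is honoured)."""
    return ET.fromstring(xml_text.encode("utf-8"))


def serialize(root):
    """Serialize a tree back to text (namespaced tags keep their namespace)."""
    return ET.tostring(root, encoding="unicode")


def unprefixed_terms(xml_text):
    """Sorted names of elements that carry no XML namespace.
    ElementTree stores namespaced tags as '{uri}local'; a tag that does not
    start with '{' was written without a prefix and is in no namespace."""
    root = parse(xml_text)
    return sorted({el.tag for el in root.iter() if not el.tag.startswith("{")})


def move_to_spdx_namespace(xml_text):
    """Re-tag every un-namespaced element into the SPDX namespace and return
    the tree. Assumption (hypothetical fix): bare terms were meant as spdx: terms."""
    root = parse(xml_text)
    for el in root.iter():
        if not el.tag.startswith("{"):
            el.tag = "{%s}%s" % (SPDX_NS, el.tag)
    return root


def creators(root):
    """Creator strings under CreationInfo, whitespace-stripped
    (the original file contains 'Tool: XYZ ' with a trailing blank)."""
    path = ".//{%s}CreationInfo/{%s}creator" % (SPDX_NS, SPDX_NS)
    return [el.text.strip() for el in root.findall(path) if el.text]


def missing_required(root):
    """Required fields the parser would reject: at least one creator,
    a created timestamp, and a document name."""
    missing = []
    if not creators(root):
        missing.append("creator")
    if root.find(".//{%s}CreationInfo/{%s}created" % (SPDX_NS, SPDX_NS)) is None:
        missing.append("created")
    doc = root.find("{%s}SpdxDocument" % SPDX_NS)
    if doc is None or doc.find("{%s}name" % SPDX_NS) is None:
        missing.append("name")
    return missing


if __name__ == "__main__":
    print("unprefixed terms:", unprefixed_terms(BROKEN_RDF))
    print("missing before fix:", missing_required(parse(BROKEN_RDF)))
    fixed = move_to_spdx_namespace(BROKEN_RDF)
    print("creators after fix:", creators(fixed))
    print("missing after fix:", missing_required(fixed))
```

On the original file the report before the fix is `creator`, `created` and `name`; after re-namespacing only `name` remains, which matches the answer's separate point about the document name. For an SBOM this matters beyond parser errors: fields dropped this way (creators, checksums, verification codes) disappear from the provenance record without any complaint from a lenient consumer, so running a check like this before trusting a converted document is worthwhile.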