Reported by: @mvandere (follow-up to #30, after #35 merged)
When running the generated SPDX-JSON through https://tools.spdx.org/app/validate/, the validator emits the following warnings:
```
Relationship error: Reference locator contains spaces in workshop4
Invalid date format 2026-05-18T14:27:39.895+10:00.
Does not match the pattern ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$.
```
These are two separate but related defects in the SPDX writer's output:
1) Invalid creation timestamp format
SPDX 2.x requires `Created` to be UTC with the `Z` suffix and no fractional seconds:
```
^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$
```
The writer currently emits the local-time form (`+10:00` shown in the report is mvandere's AEST). Switch the formatter to ISO-8601 UTC, e.g. `FormatDateTime('yyyy-mm-dd''T''hh:nn:ss''Z''', TTimeZone.Local.ToUniversalTime(Now))`.
2) Spaces in external-reference locator
SPDX disallows whitespace inside `referenceLocator` strings; the validator pointed at one in the "workshop4" component (likely a value containing a space such as a publisher name or PURL fragment).
Audit the writer for any field that emits a value through to `referenceLocator` without URL-encoding or trimming. If the field is supposed to be a PURL or URI, percent-encode the value; otherwise reject/strip whitespace at the writer boundary.
Acceptance criteria
- Generated SPDX-JSON passes https://tools.spdx.org/app/validate/ for typical projects.
- Regression tests in `DX.Comply.Tests.Spdx.Writer.pas`:
- asserts the `Created` field matches the UTC regex above
- asserts no `referenceLocator` contains a space character
- Behavior for CycloneDX writers stays unchanged (CycloneDX accepts offset-based timestamps).
Related
Reported by: @mvandere (follow-up to #30, after #35 merged)
When running the generated SPDX-JSON through https://tools.spdx.org/app/validate/, the validator emits the following warnings:
```
Relationship error: Reference locator contains spaces in workshop4
Invalid date format 2026-05-18T14:27:39.895+10:00.
Does not match the pattern ^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$.
```
These are two separate but related defects in the SPDX writer's output:
1) Invalid creation timestamp format
SPDX 2.x requires `Created` to be UTC with the `Z` suffix and no fractional seconds:
```
^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$
```
The writer currently emits the local-time form (`+10:00` shown in the report is mvandere's AEST). Switch the formatter to ISO-8601 UTC, e.g. `FormatDateTime('yyyy-mm-dd''T''hh:nn:ss''Z''', TTimeZone.Local.ToUniversalTime(Now))`.
2) Spaces in external-reference locator
SPDX disallows whitespace inside `referenceLocator` strings; the validator pointed at one in the "workshop4" component (likely a value containing a space such as a publisher name or PURL fragment).
Audit the writer for any field that emits a value through to `referenceLocator` without URL-encoding or trimming. If the field is supposed to be a PURL or URI, percent-encode the value; otherwise reject/strip whitespace at the writer boundary.
Acceptance criteria
Related