From d89ab6584d3df6b7eb1d1394559e9d967d6db6ae Mon Sep 17 00:00:00 2001 From: Meret Behrens Date: Wed, 7 Dec 2022 15:33:30 +0100 Subject: [PATCH 1/4] adapt code to new spdx-tools release With the new release, the checksum class has been renamed, the license class has been moved to its own file, and files are now only allowed at document level. Signed-off-by: Meret Behrens
---
 requirements.txt | 2 +- setup-mini.cfg | 4 ++-- setup.cfg | 2 +- src/formattedcode/output_spdx.py | 21 +++++++++++-------- .../data/spdx/license_known/expected.tv | 3 +-- .../spdx/license_known/expected_with_text.tv | 3 +-- .../data/spdx/simple/expected.tv | 3 +-- .../formattedcode/data/spdx/tree/expected.tv | 3 +-- .../data/templated/tree/expected.tv | 3 +-- 9 files changed, 21 insertions(+), 23 deletions(-)
diff --git a/requirements.txt b/requirements.txt
index d97edea593f..883600070b2 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -64,7 +64,7 @@ requests==2.28.1
 saneyaml==0.6.0
 six==1.16.0
 soupsieve==2.3.2.post1
-spdx-tools==0.7.0a3
+spdx-tools==0.7.0rc0
 text-unidecode==1.3
 toml==0.10.2
 typecode==30.0.0
diff --git a/setup-mini.cfg b/setup-mini.cfg
index bd303cab23d..e843dbb63e8 100644
--- a/setup-mini.cfg
+++ b/setup-mini.cfg
@@ -80,7 +80,7 @@ install_requires =
 gemfileparser2 >= 0.9.0
 html5lib
 importlib_metadata
- intbitset >= 3.0.2
+ intbitset >= 3.0.2
 jaraco.functools
 javaproperties >= 0.5
 jinja2 >= 2.7.0
@@ -105,7 +105,7 @@ install_requires =
 pymaven_patch >= 0.2.8
 requests >= 2.7.0
 saneyaml >= 0.6.0
- spdx_tools == 0.7.0a3
+ spdx_tools == 0.7.0rc0, ==0.7.*
 text_unidecode >= 1.0
 toml >= 0.10.0
 urlpy
diff --git a/setup.cfg b/setup.cfg
index eadd3bd31f6..a1c435ed53a 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -105,7 +105,7 @@ install_requires =
 pymaven_patch >= 0.2.8
 requests >= 2.7.0
 saneyaml >= 0.6.0
- spdx_tools == 0.7.0a3
+ spdx_tools == 0.7.0rc0, ==0.7.*
 text_unidecode >= 1.0
 toml >= 0.10.0
 urlpy
diff --git a/src/formattedcode/output_spdx.py b/src/formattedcode/output_spdx.py
index 73b4b2a69ac..bd34c317a56 100644
--- a/src/formattedcode/output_spdx.py
+++ b/src/formattedcode/output_spdx.py
@@ -12,13 +12,15 @@ from io import BytesIO
 from io import StringIO
-from spdx.checksum import Algorithm
+from spdx.checksum import Checksum, ChecksumAlgorithm
 from spdx.creationinfo import Tool
 from spdx.document import ExtractedLicense
 from spdx.document import Document
-from spdx.document import License
+from spdx.license import License
 from spdx.file import File
 from spdx.package import Package
+from spdx.relationship import Relationship
+from spdx.utils import calc_verif_code
 from spdx.utils import NoAssert
 from spdx.utils import SPDXNone
 from spdx.version import Version
@@ -280,9 +282,8 @@ def write_spdx(
 name = './' + file_data.get('path')
 file_entry = File(
 spdx_id=f'SPDXRef-{sid}',
- name=name,
- chk_sum=Algorithm('SHA1', file_data.get('sha1') or '')
- )
+ name=name)
+ file_entry.set_checksum(Checksum(ChecksumAlgorithm.SHA1, file_data.get('sha1') or ''))
 file_license_detections = file_data.get('license_detections')
 license_matches = get_matches_from_detection_mappings(file_license_detections)
@@ -357,9 +358,11 @@ def write_spdx(
 else:
 file_entry.copyright = SPDXNone()
- package.add_file(file_entry)
+ doc.add_file(file_entry)
+ relationship = Relationship(package.spdx_id + " CONTAINS " + file_entry.spdx_id)
+ doc.add_relationship(relationship)
- if len(package.files) == 0:
+ if len(doc.files) == 0:
 if as_tagvalue:
 msg = "# No results for package '{}'.\n".format(package.name)
 else:
@@ -392,7 +395,7 @@ def write_spdx(
 # statements for the package.
 package.cr_text = '\n'.join(sorted(package.cr_text)) + '\n'
- package.verif_code = doc.package.calc_verif_code()
+ package.verif_code = calc_verif_code(doc.files)
 package.license_declared = NoAssert()
 package.conc_lics = NoAssert()
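Review bot: `file_data.get('sha1') or ''` in the new `set_checksum` call still records an empty SHA1 when the scan data has no checksum for a file, so the document can carry a `FileChecksum` that identifies nothing. That empty value presumably also feeds `calc_verif_code(doc.files)` in the later hunk, which would leave the package verification code unusable for integrity checks by SBOM consumers. Set the checksum only when a digest is present, `sha1 = file_data.get('sha1')` then `if sha1: file_entry.set_checksum(Checksum(ChecksumAlgorithm.SHA1, sha1))`, or raise if the writer requires one; whether spdx-tools accepts a file without a checksum is not visible here. The body of write_spdx starts and ends outside the hunk.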
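Review bot: `calc_verif_code(doc.files)` computes the package verification code over every file in the document, where the removed call used the package's own file list. The two are equivalent only while write_spdx emits a single package and every file gets a CONTAINS relationship to it, which appears to be the case from the earlier hunk but is not enforced anywhere visible. A comment above the call would keep that assumption in view, e.g. `# doc.files is the package content: one package per document, every file CONTAINED by it`. The enclosing function continues outside the hunk.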
@@ -404,7 +407,7 @@ def write_spdx(
 # one case we do need to deal with bytes and decode before writing (rdf) and
 # in the other case we deal with text all the way.
- if package.files:
+ if doc.files:
 if as_tagvalue:
 from spdx.writers.tagvalue import write_document # NOQA
diff --git a/tests/formattedcode/data/spdx/license_known/expected.tv b/tests/formattedcode/data/spdx/license_known/expected.tv
index 9357ce6f057..fa4d0afd572 100644
--- a/tests/formattedcode/data/spdx/license_known/expected.tv
+++ b/tests/formattedcode/data/spdx/license_known/expected.tv
@@ -35,5 +35,4 @@ SPDXID: SPDXRef-3
 FileChecksum: SHA1: 172444e7c137eb5cd3cae530aca0879c90f7fada
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: CC0-1.0
-FileCopyrightText: NONE
-# Extracted Licenses
\ No newline at end of file
+FileCopyrightText: NONE
\ No newline at end of file
diff --git a/tests/formattedcode/data/spdx/license_known/expected_with_text.tv b/tests/formattedcode/data/spdx/license_known/expected_with_text.tv
index 9357ce6f057..fa4d0afd572 100644
--- a/tests/formattedcode/data/spdx/license_known/expected_with_text.tv
+++ b/tests/formattedcode/data/spdx/license_known/expected_with_text.tv
@@ -35,5 +35,4 @@ SPDXID: SPDXRef-3
 FileChecksum: SHA1: 172444e7c137eb5cd3cae530aca0879c90f7fada
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: CC0-1.0
-FileCopyrightText: NONE
-# Extracted Licenses
\ No newline at end of file
+FileCopyrightText: NONE
\ No newline at end of file
diff --git a/tests/formattedcode/data/spdx/simple/expected.tv b/tests/formattedcode/data/spdx/simple/expected.tv
index 43edf4777ad..8c6a74c0851 100644
--- a/tests/formattedcode/data/spdx/simple/expected.tv
+++ b/tests/formattedcode/data/spdx/simple/expected.tv
@@ -27,5 +27,4 @@ SPDXID: SPDXRef-1
 FileChecksum: SHA1: b8a793cce3c3a4cd3a4646ddbe86edd542ed0cd8
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: NONE
-FileCopyrightText: NONE
-# Extracted Licenses
\ No newline at end of file
+FileCopyrightText: NONE
\ No newline at end of file
diff --git a/tests/formattedcode/data/spdx/tree/expected.tv b/tests/formattedcode/data/spdx/tree/expected.tv
index 42430f27e06..9cf44357934 100644
--- a/tests/formattedcode/data/spdx/tree/expected.tv
+++ b/tests/formattedcode/data/spdx/tree/expected.tv
@@ -77,5 +77,4 @@ FileChecksum: SHA1: 58748872d25374160692f1ed7075d0fe80a544b1
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: NONE
 FileCopyrightText: Copyright (c) 2000 ACME, Inc.
-
-# Extracted Licenses
\ No newline at end of file
+
\ No newline at end of file
diff --git a/tests/formattedcode/data/templated/tree/expected.tv b/tests/formattedcode/data/templated/tree/expected.tv
index 0f89fe3edee..0ff1511d78d 100644
--- a/tests/formattedcode/data/templated/tree/expected.tv
+++ b/tests/formattedcode/data/templated/tree/expected.tv
@@ -65,5 +65,4 @@ FileChecksum: SHA1: 58748872d25374160692f1ed7075d0fe80a544b1
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: NONE
 FileCopyrightText: Copyright (c) 2000 ACME, Inc.
-
-# Extracted Licenses
\ No newline at end of file
+
\ No newline at end of file
From a000d7c998fbe1a6aa4ed74d402fc7debb5882ae Mon Sep 17 00:00:00 2001 From: Meret Behrens Date: Wed, 28 Dec 2022 10:35:03 +0100 Subject: [PATCH 2/4] exclude license list version from comparison of tv-files Signed-off-by: Meret Behrens
---
 tests/formattedcode/test_output_spdx.py | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tests/formattedcode/test_output_spdx.py b/tests/formattedcode/test_output_spdx.py
index 8fd58752242..3eee6a70aa9 100644
--- a/tests/formattedcode/test_output_spdx.py
+++ b/tests/formattedcode/test_output_spdx.py
@@ -149,6 +149,8 @@ def load_and_clean_tv(location):
 line = line.strip()
 if not line:
 continue
+ if line.startswith('LicenseListVersion'):
+ continue
 if line.startswith(('Creator: ', 'Created: ',)):
 continue
 if line.startswith(dns):
From 5c7c4a816418ef5fdf73578fcb482a4cf569c78c Mon Sep 17 00:00:00 2001
From: Meret Behrens Date: Tue, 17 Jan 2023 10:31:35 +0100 Subject: [PATCH 3/4] fixup! adapt code to new spdx-tools release Signed-off-by: Meret Behrens
---
 src/formattedcode/output_spdx.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/formattedcode/output_spdx.py b/src/formattedcode/output_spdx.py
index bd34c317a56..fddfa065afe 100644
--- a/src/formattedcode/output_spdx.py
+++ b/src/formattedcode/output_spdx.py
@@ -12,7 +12,8 @@ from io import BytesIO
 from io import StringIO
-from spdx.checksum import Checksum, ChecksumAlgorithm
+from spdx.checksum import Checksum
+from spdx.checksum import ChecksumAlgorithm
 from spdx.creationinfo import Tool
 from spdx.document import ExtractedLicense
 from spdx.document import Document
@@ -359,10 +360,10 @@ def write_spdx(
 file_entry.copyright = SPDXNone()
 doc.add_file(file_entry)
- relationship = Relationship(package.spdx_id + " CONTAINS " + file_entry.spdx_id)
+ relationship = Relationship(f'{package.spdx_id} CONTAINS {file_entry.spdx_id}')
 doc.add_relationship(relationship)
- if len(doc.files) == 0:
+ if not doc.files:
 if as_tagvalue:
 msg = "# No results for package '{}'.\n".format(package.name)
 else:
From 4677510a130b240ab92defea17dbea3db67876e0 Mon Sep 17 00:00:00 2001 From: Philippe Ombredanne Date: Wed, 18 Jan 2023 01:21:33 +0100 Subject: [PATCH 4/4] Pin spdx_tools Signed-off-by: Philippe Ombredanne
---
 setup-mini.cfg | 2 +- setup.cfg | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/setup-mini.cfg b/setup-mini.cfg
index e843dbb63e8..98a2053c903 100644
--- a/setup-mini.cfg
+++ b/setup-mini.cfg
@@ -105,7 +105,7 @@ install_requires =
 pymaven_patch >= 0.2.8
 requests >= 2.7.0
 saneyaml >= 0.6.0
- spdx_tools == 0.7.0rc0, ==0.7.*
+ spdx_tools == 0.7.0rc0
 text_unidecode >= 1.0
 toml >= 0.10.0
 urlpy
diff --git a/setup.cfg b/setup.cfg
index a1c435ed53a..3e313903f9a 100644
--- a/setup.cfg
+++ b/setup.cfg
@@ -105,7 +105,7 @@ install_requires =
 pymaven_patch >= 0.2.8
 requests >= 2.7.0
 saneyaml >= 0.6.0
- spdx_tools == 0.7.0rc0, ==0.7.*
+ spdx_tools == 0.7.0rc0
 text_unidecode >= 1.0
 toml >= 0.10.0
 urlpy