From a3679d3be00921f13a1fbdc83a632332eccf92ac Mon Sep 17 00:00:00 2001 From: Meret Behrens Date: Fri, 28 Oct 2022 08:14:15 +0200 Subject: [PATCH] [issue-184] squashed review commits - correct checksum in json example - add JSONExample2.2 from spec but exclude in tests since 2.2 is not yet completely supported - add files only once if they appear in multiple packages - parse only spdxid in documentDescribes, delete commented out code - delete unused XMLWriter and JsonYamlWriter class, updated xml test results - rework create_document_describes method - delete surrounding document in json/yaml test - rename licenseinfoinfiles method according to variable - rename chk_sum/ check_sum to chksum/checksum - delete duplicated relationships from json/yaml/xml Signed-off-by: Meret Behrens --- data/SPDXJsonExample.json | 29 +- data/SPDXXmlExample.xml | 15 - data/SPDXYamlExample.yaml | 10 - examples/write_tv.py | 6 +- spdx/cli_tools/parser.py | 6 +- spdx/file.py | 16 +- spdx/package.py | 18 +- spdx/parsers/jsonyamlxml.py | 31 +- spdx/parsers/rdfbuilders.py | 4 +- spdx/parsers/tagvaluebuilders.py | 4 +- spdx/writers/jsonyamlxml.py | 33 +- spdx/writers/rdf.py | 6 +- spdx/writers/tagvalue.py | 6 +- spdx/writers/xml.py | 15 +- .../doc_write/json-simple-multi-package.json | 15 - .../doc_write/xml-simple-multi-package.xml | 14 +- tests/data/doc_write/xml-simple-plus.xml | 4 +- tests/data/doc_write/xml-simple.xml | 4 +- .../doc_write/yaml-simple-multi-package.yaml | 9 - tests/data/formats/SPDXJsonExample.json | 25 +- tests/data/formats/SPDXJsonExample2.2.json | 509 ++++++++++-------- tests/data/formats/SPDXXmlExample.xml | 15 - tests/data/formats/SPDXYamlExample.yaml | 10 - tests/test_document.py | 12 +- tests/test_package.py | 2 +- tests/test_parse_anything.py | 3 +- tests/test_write_anything.py | 2 +- tests/utils_test.py | 20 +- 28 files changed, 369 insertions(+), 474 deletions(-) diff --git a/data/SPDXJsonExample.json b/data/SPDXJsonExample.json index 6252ba838..49b5a13bb 100644 --- a/data/SPDXJsonExample.json +++ b/data/SPDXJsonExample.json @@ -42,7 +42,7 @@ "checksums": [ { "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" } ], "versionInfo": "Version 0.9.2", @@ -71,7 +71,7 @@ "checksums": [ { "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" } ], "fileTypes": [ @@ -89,7 +89,7 @@ "checksums": [ { "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" } ], "fileTypes": [ @@ -112,7 +112,7 @@ { "checksum": { "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" }, "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301", "externalDocumentId": "DocumentRef-spdx-tool-2.1" @@ -128,23 +128,6 @@ "annotator": "Person: Jim Reviewer" } ], - "relationships": [ - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "CONTAINS" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-File", - "relationshipType": "DESCRIBES" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "DESCRIBES" - } - ], "dataLicense": "CC0-1.0", "reviewers": [ { @@ -160,11 +143,11 @@ ], "hasExtractedLicensingInfos": [ { - "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ", + "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:\n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.\nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.\nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ", "licenseId": "LicenseRef-2" }, { - "extractedText": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", + "extractedText": "The CyberNeko Software License, Version 1.0\n\n\n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment:\n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior\n written permission. For written permission, please contact\n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,\nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", "comment": "This is tye CyperNeko License", "licenseId": "LicenseRef-3", "name": "CyberNeko License", diff --git a/data/SPDXXmlExample.xml b/data/SPDXXmlExample.xml index 256433411..fceac1a76 100644 --- a/data/SPDXXmlExample.xml +++ b/data/SPDXXmlExample.xml @@ -237,19 +237,4 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. SPDXRef-Snippet SPDXRef-DoapSource - - SPDXRef-DOCUMENT - SPDXRef-File - DESCRIBES - - - SPDXRef-DOCUMENT - SPDXRef-Package - DESCRIBES - - - SPDXRef-DOCUMENT - SPDXRef-Package - CONTAINS - diff --git a/data/SPDXYamlExample.yaml b/data/SPDXYamlExample.yaml index 9fa7cacc4..404be57e5 100644 --- a/data/SPDXYamlExample.yaml +++ b/data/SPDXYamlExample.yaml @@ -170,16 +170,6 @@ Document: SPDXID: SPDXRef-DOCUMENT name: Sample_Document-V2.1 documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 - relationships: - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-Package" - relationshipType: "DESCRIBES" - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-Package" - relationshipType: "CONTAINS" - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-File" - relationshipType: "DESCRIBES" reviewers: - comment: Another example reviewer. reviewDate: '2011-03-13T00:00:00Z' diff --git a/examples/write_tv.py b/examples/write_tv.py index cf907c2c0..3ed332e6e 100755 --- a/examples/write_tv.py +++ b/examples/write_tv.py @@ -34,7 +34,7 @@ testfile1.type = FileType.BINARY testfile1.spdx_id = "TestFilet#SPDXRef-FILE" testfile1.comment = "This is a test file." - testfile1.chk_sum = Algorithm("SHA1", "c537c5d99eca5333f23491d47ededd083fefb7ad") + testfile1.chksum = Algorithm("SHA1", "c537c5d99eca5333f23491d47ededd083fefb7ad") testfile1.conc_lics = License.from_identifier("BSD-2-Clause") testfile1.add_lics(License.from_identifier("BSD-2-Clause")) testfile1.copyright = SPDXNone() @@ -46,7 +46,7 @@ testfile2.type = FileType.SOURCE testfile2.spdx_id = "TestFile2#SPDXRef-FILE" testfile2.comment = "This is a test file." - testfile2.chk_sum = Algorithm("SHA1", "bb154f28d1cf0646ae21bb0bec6c669a2b90e113") + testfile2.chksum = Algorithm("SHA1", "bb154f28d1cf0646ae21bb0bec6c669a2b90e113") testfile2.conc_lics = License.from_identifier("Apache-2.0") testfile2.add_lics(License.from_identifier("Apache-2.0")) testfile2.copyright = NoAssert() @@ -58,7 +58,7 @@ package.file_name = "twt.jar" package.spdx_id = 'TestPackage#SPDXRef-PACKAGE' package.download_location = "http://www.tagwritetest.test/download" - package.check_sum = Algorithm("SHA1", "c537c5d99eca5333f23491d47ededd083fefb7ad") + package.checksum = Algorithm("SHA1", "c537c5d99eca5333f23491d47ededd083fefb7ad") package.homepage = SPDXNone() package.verif_code = "4e3211c67a2d28fced849ee1bb76e7391b93feba" license_set = LicenseConjunction( diff --git a/spdx/cli_tools/parser.py b/spdx/cli_tools/parser.py index 182ca2db0..2be6d995f 100755 --- a/spdx/cli_tools/parser.py +++ b/spdx/cli_tools/parser.py @@ -50,8 +50,8 @@ def main(file, force): "Package Download Location: {0}".format(doc.package.download_location) ) print("Package Homepage: {0}".format(doc.package.homepage)) - if doc.package.check_sum: - print("Package Checksum: {0}".format(doc.package.check_sum.value)) + if doc.package.checksum: + print("Package Checksum: {0}".format(doc.package.checksum.value)) print("Package Attribution Text: {0}".format(doc.package.attribution_text)) print("Package verification code: {0}".format(doc.package.verif_code)) print( @@ -77,7 +77,7 @@ def main(file, force): for f in doc.files: print("\tFile name: {0}".format(f.name)) print("\tFile type: {0}".format(VALUES[f.type])) - print("\tFile Checksum: {0}".format(f.chk_sum.value)) + print("\tFile Checksum: {0}".format(f.chksum.value)) print("\tFile license concluded: {0}".format(f.conc_lics)) print( "\tFile license info in file: {0}".format( diff --git a/spdx/file.py b/spdx/file.py index c960a83fe..df3ac8871 100644 --- a/spdx/file.py +++ b/spdx/file.py @@ -42,7 +42,7 @@ class File(object): - comment: File comment str, Optional zero or one. - type: one of FileType.SOURCE, FileType.BINARY, FileType.ARCHIVE and FileType.OTHER, optional zero or one. - - chk_sum: SHA1, Mandatory one. + - chksum: SHA1, Mandatory one. - conc_lics: Mandatory one. document.License or utils.NoAssert or utils.SPDXNone. - licenses_in_file: list of licenses found in file, mandatory one or more. document.License or utils.SPDXNone or utils.NoAssert. @@ -58,12 +58,12 @@ class File(object): -attribution_text: optional string. """ - def __init__(self, name, spdx_id=None, chk_sum=None): + def __init__(self, name, spdx_id=None, chksum=None): self.name = name self.spdx_id = spdx_id self.comment = None self.type = None - self.checksums = [None] + self.checksums = [chksum] self.conc_lics = None self.licenses_in_file = [] self.license_comment = None @@ -83,15 +83,15 @@ def __lt__(self, other): return self.name < other.name @property - def chk_sum(self): + def chksum(self): """ Backwards compatibility, return first checksum. """ # NOTE Package.check_sum but File.chk_sum return self.checksums[0] - @chk_sum.setter - def chk_sum(self, value): + @chksum.setter + def chksum(self, value): self.checksums[0] = value def add_lics(self, lics): @@ -190,12 +190,12 @@ def validate_type(self, messages): return messages def validate_checksum(self, messages): - if not isinstance(self.chk_sum, checksum.Algorithm): + if not isinstance(self.chksum, checksum.Algorithm): messages.append( "File checksum must be instance of spdx.checksum.Algorithm" ) else: - if not self.chk_sum.identifier == "SHA1": + if not self.chksum.identifier == "SHA1": messages.append("File checksum algorithm must be SHA1") return messages diff --git a/spdx/package.py b/spdx/package.py index 944826357..f04f1278c 100644 --- a/spdx/package.py +++ b/spdx/package.py @@ -106,15 +106,15 @@ def are_files_analyzed(self): # return self.files_analyzed or self.files_analyzed is None @property - def check_sum(self): + def checksum(self): """ Backwards compatibility, return first checksum. """ # NOTE Package.check_sum but File.chk_sum return self.checksums[0] - @check_sum.setter - def check_sum(self, value): + @checksum.setter + def checksum(self, value): self.checksums[0] = value def add_file(self, fil): @@ -283,12 +283,12 @@ def validate_str_fields(self, fields, optional, messages): return messages def validate_checksum(self, messages): - if self.check_sum is not None: - if not isinstance(self.check_sum, checksum.Algorithm): + if self.checksum is not None: + if not isinstance(self.checksum, checksum.Algorithm): messages.append( "Package checksum must be instance of spdx.checksum.Algorithm" ) - elif not self.check_sum.identifier == "SHA1": + elif not self.checksum.identifier == "SHA1": messages.append( "First checksum in package must be SHA1." ) @@ -300,10 +300,10 @@ def calc_verif_code(self): for file_entry in self.files: if ( - isinstance(file_entry.chk_sum, checksum.Algorithm) - and file_entry.chk_sum.identifier == "SHA1" + isinstance(file_entry.chksum, checksum.Algorithm) + and file_entry.chksum.identifier == "SHA1" ): - sha1 = file_entry.chk_sum.value + sha1 = file_entry.chksum.value else: sha1 = file_entry.calc_chksum() hashes.append(sha1) diff --git a/spdx/parsers/jsonyamlxml.py b/spdx/parsers/jsonyamlxml.py index c1e8f081c..2f5ca93b7 100644 --- a/spdx/parsers/jsonyamlxml.py +++ b/spdx/parsers/jsonyamlxml.py @@ -741,7 +741,7 @@ def parse_file(self, file): self.parse_file_id(file.get("SPDXID")) self.parse_file_types(file.get("fileTypes")) self.parse_file_concluded_license(file.get("licenseConcluded")) - self.parse_file_license_info_from_files(file.get("licenseInfoInFiles")) + self.parse_file_license_info_in_files(file.get("licenseInfoInFiles")) self.parse_file_license_comments(file.get("licenseComments")) self.parse_file_copyright_text(file.get("copyrightText")) self.parse_file_artifacts(file.get("artifactOf")) @@ -836,7 +836,7 @@ def parse_file_concluded_license(self, concluded_license): else: self.value_error("FILE_SINGLE_LICS", concluded_license) - def parse_file_license_info_from_files(self, license_info_from_files): + def parse_file_license_info_in_files(self, license_info_from_files): """ Parse File license information from files - license_info_from_files: Python list of licenses information from files (str/unicode) @@ -1502,7 +1502,6 @@ def flatten_document(document): files_by_id = {} if "files" in document: for f in document.get("files"): - # XXX must downstream rely on "sha1" property? for checksum in f["checksums"]: if checksum["algorithm"] == "SHA1" or "sha1" in checksum["algorithm"]: f["sha1"] = checksum["checksumValue"] @@ -1515,7 +1514,6 @@ def flatten_document(document): package["files"] = [{ "File": files_by_id[spdxid.split("#")[-1]]} for spdxid in package["hasFiles"] ] - # XXX must downstream rely on "sha1" property? for checksum in package.get("checksums", []): if checksum["algorithm"] == "SHA1" or "sha1" in checksum["algorithm"]: package["sha1"] = checksum["checksumValue"] @@ -1676,30 +1674,15 @@ def parse_doc_comment(self, doc_comment): def parse_doc_described_objects(self, doc_described_objects): """ - Parse Document documentDescribes (Files and Packages dicts) - - doc_described_objects: Python list of dicts as in FileParser.parse_file or PackageParser.parse_package + Parse Document documentDescribes (SPDXIDs) + - doc_described_objects: Python list of strings """ if isinstance(doc_described_objects, list): - packages = filter( - lambda described: isinstance(described, dict) - and described.get("Package") is not None, - doc_described_objects, - ) - files = filter( - lambda described: isinstance(described, dict) - and described.get("File") is not None, - doc_described_objects, - ) - relationships = filter( + described_spdxids = filter( lambda described: isinstance(described, str), doc_described_objects ) - # At the moment, only single-package documents are supported, so just the last package will be stored. - for package in packages: - self.parse_package(package.get("Package")) - for file in files: - self.parse_file(file.get("File")) - for relationship in relationships: - self.parse_relationship(self.document.spdx_id, "DESCRIBES", relationship) + for spdxid in described_spdxids: + self.parse_relationship(self.document.spdx_id, "DESCRIBES", spdxid) return True else: diff --git a/spdx/parsers/rdfbuilders.py b/spdx/parsers/rdfbuilders.py index 3affb7329..1a9966350 100644 --- a/spdx/parsers/rdfbuilders.py +++ b/spdx/parsers/rdfbuilders.py @@ -195,7 +195,7 @@ def set_pkg_chk_sum(self, doc, chk_sum): self.assert_package_exists() if not self.package_chk_sum_set: self.package_chk_sum_set = True - doc.packages[-1].check_sum = checksum.Algorithm("SHA1", chk_sum) + doc.packages[-1].checksum = checksum.Algorithm("SHA1", chk_sum) else: raise CardinalityError("Package::CheckSum") @@ -391,7 +391,7 @@ def set_file_chksum(self, doc, chk_sum): if self.has_package(doc) and self.has_file(doc): if not self.file_chksum_set: self.file_chksum_set = True - self.file(doc).chk_sum = checksum.Algorithm("SHA1", chk_sum) + self.file(doc).chksum = checksum.Algorithm("SHA1", chk_sum) return True else: raise CardinalityError("File::CheckSum") diff --git a/spdx/parsers/tagvaluebuilders.py b/spdx/parsers/tagvaluebuilders.py index 9c194fe29..46b3b4675 100644 --- a/spdx/parsers/tagvaluebuilders.py +++ b/spdx/parsers/tagvaluebuilders.py @@ -780,7 +780,7 @@ def set_pkg_chk_sum(self, doc, chk_sum): self.assert_package_exists() if not self.package_chk_sum_set: self.package_chk_sum_set = True - doc.packages[-1].check_sum = checksum_from_sha1(chk_sum) + doc.packages[-1].checksum = checksum_from_sha1(chk_sum) return True else: raise CardinalityError("Package::CheckSum") @@ -1130,7 +1130,7 @@ def set_file_chksum(self, doc, chksum): if self.has_package(doc) and self.has_file(doc): if not self.file_chksum_set: self.file_chksum_set = True - self.file(doc).chk_sum = checksum_from_sha1(chksum) + self.file(doc).chksum = checksum_from_sha1(chksum) return True else: raise CardinalityError("File::CheckSum") diff --git a/spdx/writers/jsonyamlxml.py b/spdx/writers/jsonyamlxml.py index d8a8b3519..dec9beb68 100644 --- a/spdx/writers/jsonyamlxml.py +++ b/spdx/writers/jsonyamlxml.py @@ -147,7 +147,7 @@ def create_package_info(self, package): if package.has_optional_field("originator"): package_object["originator"] = package.originator.to_value() - if package.has_optional_field("check_sum"): + if package.has_optional_field("checksum"): package_object["checksums"] = [self.checksum(checksum) for checksum in package.checksums if checksum] if package.has_optional_field("description"): @@ -204,15 +204,12 @@ def create_file_info(self, file): file_object["fileName"] = file.name file_object["SPDXID"] = self.spdx_id(file.spdx_id) - file_object["checksums"] = [self.checksum(file.chk_sum)] + file_object["checksums"] = [self.checksum(file.chksum)] file_object["licenseConcluded"] = self.license(file.conc_lics) file_object["licenseInfoInFiles"] = list( map(self.license, file.licenses_in_file) ) file_object["copyrightText"] = file.copyright.__str__() - # assert file.chk_sum.identifier == "SHA1", "First checksum must be SHA1" - # file_object["sha1"] = file.chk_sum.value - if file.has_optional_field("comment"): file_object["comment"] = file.comment @@ -474,17 +471,18 @@ def create_ext_document_references(self): def create_document_describes(self): """ - Create list of SPDXID that have a + Create a list of SPDXIDs that the document describes according to DESCRIBES-relationship. """ - described_relationships = [] + document_describes = [] remove_rel = [] for relationship in self.document.relationships: if relationship.relationshiptype == "DESCRIBES": - described_relationships.append(relationship.relatedspdxelement) + document_describes.append(relationship.relatedspdxelement) if not relationship.has_comment: - remove_rel.append(relationship.relatedspdxelement) - self.document.relationships = [rel for rel in self.document.relationships if rel.relatedspdxelement not in remove_rel] - return described_relationships + remove_rel.append(relationship) + for relationship in remove_rel: + self.document.relationships.remove(relationship) + return document_describes def create_document(self): @@ -497,16 +495,15 @@ def create_document(self): self.document_object["SPDXID"] = self.spdx_id(self.document.spdx_id) self.document_object["name"] = self.document.name - described_relationships = self.create_document_describes() - if described_relationships: - self.document_object["documentDescribes"] = described_relationships + document_describes = self.create_document_describes() + self.document_object["documentDescribes"] = document_describes package_objects = [] file_objects = [] for package in self.document.packages: package_info_object, files_in_package = self.create_package_info(package) package_objects.append(package_info_object) - file_objects.extend(files_in_package) + file_objects.extend(file for file in files_in_package if file not in file_objects) self.document_object["packages"] = package_objects self.document_object["files"] = file_objects @@ -537,9 +534,3 @@ def create_document(self): return self.document_object - -class JsonYamlWriter(Writer): - - def create_document(self): - document_object = super().create_document() - return document_object diff --git a/spdx/writers/rdf.py b/spdx/writers/rdf.py index fcbdcb36d..7f3002490 100644 --- a/spdx/writers/rdf.py +++ b/spdx/writers/rdf.py @@ -264,7 +264,7 @@ def create_file_node(self, doc_file): ( file_node, self.spdx_namespace.checksum, - self.create_checksum_node(doc_file.chk_sum), + self.create_checksum_node(doc_file.chksum), ) ) @@ -754,8 +754,8 @@ def handle_pkg_optional_fields(self, package: Package, package_node): package, package_node, self.spdx_namespace.filesAnalyzed, "files_analyzed" ) - if package.has_optional_field("check_sum"): - checksum_node = self.create_checksum_node(package.check_sum) + if package.has_optional_field("checksum"): + checksum_node = self.create_checksum_node(package.checksum) self.graph.add((package_node, self.spdx_namespace.checksum, checksum_node)) if package.has_optional_field("homepage"): diff --git a/spdx/writers/tagvalue.py b/spdx/writers/tagvalue.py index 5f14ef191..d74b15f2d 100644 --- a/spdx/writers/tagvalue.py +++ b/spdx/writers/tagvalue.py @@ -115,7 +115,7 @@ def write_file(spdx_file, out): write_value("SPDXID", spdx_file.spdx_id, out) if spdx_file.has_optional_field("type"): write_file_type(spdx_file.type, out) - write_value("FileChecksum", spdx_file.chk_sum.to_tv(), out) + write_value("FileChecksum", spdx_file.chksum.to_tv(), out) if isinstance( spdx_file.conc_lics, (document.LicenseConjunction, document.LicenseDisjunction) ): @@ -223,8 +223,8 @@ def write_package(package, out): if package.has_optional_field("originator"): write_value("PackageOriginator", package.originator, out) - if package.has_optional_field("check_sum"): - write_value("PackageChecksum", package.check_sum.to_tv(), out) + if package.has_optional_field("checksum"): + write_value("PackageChecksum", package.checksum.to_tv(), out) if package.has_optional_field("verif_code"): write_value("PackageVerificationCode", format_verif_code(package), out) diff --git a/spdx/writers/xml.py b/spdx/writers/xml.py index 684f7ea7d..14bbd4b99 100644 --- a/spdx/writers/xml.py +++ b/spdx/writers/xml.py @@ -16,19 +16,6 @@ from spdx.parsers.loggers import ErrorMessages -class XMLWriter(Writer): - def checksum(self, checksum_field): - """ - Return a dictionary representation of a spdx.checksum.Algorithm object - """ - checksum_object = dict() - checksum_object["algorithm"] = ( - "checksumAlgorithm_" + checksum_field.identifier.lower() - ) - checksum_object["checksumValue"] = checksum_field.value - return checksum_object - - def write_document(document, out, validate=True): if validate: @@ -37,7 +24,7 @@ def write_document(document, out, validate=True): if messages: raise InvalidDocumentError(messages) - writer = XMLWriter(document) + writer = Writer(document) document_object = {"Document": writer.create_document()} xmltodict.unparse(document_object, out, encoding="utf-8", pretty=True) diff --git a/tests/data/doc_write/json-simple-multi-package.json b/tests/data/doc_write/json-simple-multi-package.json index 794e3c33d..61e221c7e 100644 --- a/tests/data/doc_write/json-simple-multi-package.json +++ b/tests/data/doc_write/json-simple-multi-package.json @@ -59,21 +59,6 @@ } ], "files": [ - { - "fileName": "./some/path/tofile", - "SPDXID": "SPDXRef-File", - "checksums": [ - { - "algorithm": "SHA1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseConcluded": "NOASSERTION", - "licenseInfoInFiles": [ - "LGPL-2.1-or-later" - ], - "copyrightText": "NOASSERTION" - }, { "fileName": "./some/path/tofile", "SPDXID": "SPDXRef-File", diff --git a/tests/data/doc_write/xml-simple-multi-package.xml b/tests/data/doc_write/xml-simple-multi-package.xml index 70f2e7a68..4b7e6e85c 100644 --- a/tests/data/doc_write/xml-simple-multi-package.xml +++ b/tests/data/doc_write/xml-simple-multi-package.xml @@ -49,23 +49,11 @@ ./some/path/tofile SPDXRef-File - checksumAlgorithm_sha1 + SHA1 SOME-SHA1 NOASSERTION LGPL-2.1-or-later NOASSERTION - - ./some/path/tofile - SPDXRef-File - - checksumAlgorithm_sha1 - SOME-SHA1 - - NOASSERTION - LGPL-2.1-or-later - NOASSERTION - - \ No newline at end of file diff --git a/tests/data/doc_write/xml-simple-plus.xml b/tests/data/doc_write/xml-simple-plus.xml index 44cf607d9..f3b2bec73 100644 --- a/tests/data/doc_write/xml-simple-plus.xml +++ b/tests/data/doc_write/xml-simple-plus.xml @@ -17,7 +17,7 @@ SOME-SHA1 - checksumAlgorithm_sha1 + SHA1 NOASSERTION NOASSERTION @@ -31,7 +31,7 @@ SPDXRef-File SOME-SHA1 - checksumAlgorithm_sha1 + SHA1 NOASSERTION NOASSERTION diff --git a/tests/data/doc_write/xml-simple.xml b/tests/data/doc_write/xml-simple.xml index 54d79c95c..9eaca485b 100644 --- a/tests/data/doc_write/xml-simple.xml +++ b/tests/data/doc_write/xml-simple.xml @@ -16,7 +16,7 @@ SOME-SHA1 - checksumAlgorithm_sha1 + SHA1 NOASSERTION NOASSERTION @@ -29,7 +29,7 @@ SPDXRef-File SOME-SHA1 - checksumAlgorithm_sha1 + SHA1 NOASSERTION NOASSERTION diff --git a/tests/data/doc_write/yaml-simple-multi-package.yaml b/tests/data/doc_write/yaml-simple-multi-package.yaml index e5a057833..a6d10db5c 100644 --- a/tests/data/doc_write/yaml-simple-multi-package.yaml +++ b/tests/data/doc_write/yaml-simple-multi-package.yaml @@ -43,15 +43,6 @@ documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0 name: Sample_Document-V2.1 spdxVersion: SPDX-2.1 files: - - SPDXID: SPDXRef-File - checksums: - - algorithm: SHA1 - checksumValue: SOME-SHA1 - copyrightText: NOASSERTION - licenseConcluded: NOASSERTION - licenseInfoInFiles: - - LGPL-2.1-or-later - fileName: ./some/path/tofile - SPDXID: SPDXRef-File checksums: - algorithm: SHA1 diff --git a/tests/data/formats/SPDXJsonExample.json b/tests/data/formats/SPDXJsonExample.json index 673f8f4f8..49b5a13bb 100644 --- a/tests/data/formats/SPDXJsonExample.json +++ b/tests/data/formats/SPDXJsonExample.json @@ -42,7 +42,7 @@ "checksums": [ { "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" } ], "versionInfo": "Version 0.9.2", @@ -71,7 +71,7 @@ "checksums": [ { "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" } ], "fileTypes": [ @@ -89,7 +89,7 @@ "checksums": [ { "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" } ], "fileTypes": [ @@ -112,7 +112,7 @@ { "checksum": { "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" }, "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301", "externalDocumentId": "DocumentRef-spdx-tool-2.1" @@ -128,23 +128,6 @@ "annotator": "Person: Jim Reviewer" } ], - "relationships": [ - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "CONTAINS" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-File", - "relationshipType": "DESCRIBES" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "DESCRIBES" - } - ], "dataLicense": "CC0-1.0", "reviewers": [ { diff --git a/tests/data/formats/SPDXJsonExample2.2.json b/tests/data/formats/SPDXJsonExample2.2.json index 33b6f93b7..2b8661f3c 100644 --- a/tests/data/formats/SPDXJsonExample2.2.json +++ b/tests/data/formats/SPDXJsonExample2.2.json @@ -1,231 +1,284 @@ { - "comment": "This is a sample spreadsheet", - "name": "Sample_Document-V2.1", - "documentDescribes": [ - "SPDXRef-Package" - ], - "creationInfo": { - "comment": "This is an example of an SPDX spreadsheet format", - "creators": [ - "Tool: SourceAuditor-V1.2", - "Person: Gary O'Neall", - "Organization: Source Auditor Inc." - ], - "licenseListVersion": "3.6", - "created": "2010-02-03T00:00:00Z" + "SPDXID" : "SPDXRef-DOCUMENT", + "spdxVersion" : "SPDX-2.2", + "creationInfo" : { + "comment" : "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.", + "created" : "2010-01-29T18:30:22Z", + "creators" : [ "Tool: LicenseFind-1.0", "Organization: ExampleCodeInspect ()", "Person: Jane Doe ()" ], + "licenseListVersion" : "3.9" + }, + "name" : "SPDX-Tools-v2.0", + "dataLicense" : "CC0-1.0", + "comment" : "This document was created using SPDX 2.0 using licenses from the web site.", + "externalDocumentRefs" : [ { + "externalDocumentId" : "DocumentRef-spdx-tool-1.2", + "checksum" : { + "algorithm" : "SHA1", + "checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2759" }, - "externalDocumentRefs": [ - { - "checksum": { - "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759", - "algorithm": "SHA1" - }, - "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301", - "externalDocumentId": "DocumentRef-spdx-tool-2.1" - } - ], - "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", - "annotations": [ - { - "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", - "annotationType": "REVIEW", - "SPDXID": "SPDXRef-45", - "annotationDate": "2012-06-13T00:00:00Z", - "annotator": "Person: Jim Reviewer" - } - ], - "relationships": [ - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "CONTAINS" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-File", - "relationshipType": "DESCRIBES" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement", - "relationshipType": "COPY_OF" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "DESCRIBES" - }, - { - "spdxElementId": "SPDXRef-Package", - "relatedSpdxElement": "SPDXRef-Saxon", - "relationshipType": "DYNAMIC_LINK" - }, - { - "spdxElementId": "SPDXRef-Package", - "relatedSpdxElement": "SPDXRef-JenaLib", - "relationshipType": "CONTAINS" - }, - { - "spdxElementId": "SPDXRef-CommonsLangSrc", - "relatedSpdxElement": "NOASSERTION", - "relationshipType": "GENERATED_FROM" - }, - { - "spdxElementId": "SPDXRef-JenaLib", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "CONTAINS" - }, - { - "spdxElementId": "SPDXRef-File", - "relatedSpdxElement": "SPDXRef-fromDoap-0", - "relationshipType": "GENERATED_FROM" - } - ], - "dataLicense": "CC0-1.0", - "reviewers": [ - { - "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", - "reviewer": "Person: Joe Reviewer", - "reviewDate": "2010-02-10T00:00:00Z" - }, - { - "comment": "Another example reviewer.", - "reviewer": "Person: Suzanne Reviewer", - "reviewDate": "2011-03-13T00:00:00Z" - } - ], - "hasExtractedLicensingInfos": [ - { - "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ", - "licenseId": "LicenseRef-2" - }, - { - "extractedText": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", - "comment": "This is tye CyperNeko License", - "licenseId": "LicenseRef-3", - "name": "CyberNeko License", - "seeAlso": [ - "http://justasample.url.com", - "http://people.apache.org/~andyc/neko/LICENSE" - ] - }, - { - "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */ ", - "licenseId": "LicenseRef-4" - }, - { - "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */", - "licenseId": "LicenseRef-1" - } - ], - "spdxVersion": "SPDX-2.1", - "SPDXID": "SPDXRef-DOCUMENT", - "snippets": [ - { - "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later.", - "name": "from linux kernel", - "copyrightText": "Copyright 2008-2010 John Smith", - "licenseConcluded": "Apache-2.0", - "licenseInfoFromSnippet": [ - "Apache-2.0" - ], - "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.", - "SPDXID": "SPDXRef-Snippet", - "fileId": "SPDXRef-DoapSource" - } - ], - "packages": [ - { - "SPDXID": "SPDXRef-Package", - "originator": "Organization: SPDX", - "licenseInfoFromFiles": [ - "Apache-1.0", - "LicenseRef-3", - "MPL-1.1", - "LicenseRef-2", - "LicenseRef-4", - "Apache-2.0", - "LicenseRef-1" - ], - "name": "SPDX Translator", - "packageFileName": "spdxtranslator-1.0.zip", - "licenseComments": "The declared license information can be found in the NOTICE file at the root of the archive file", - "summary": "SPDX Translator utility", - "sourceInfo": "Version 1.0 of the SPDX Translator application", - "copyrightText": " Copyright 2010, 2011 Source Auditor Inc.", - "packageVerificationCode": { - "packageVerificationCodeValue": "4e3211c67a2d28fced849ee1bb76e7391b93feba", - "packageVerificationCodeExcludedFiles": [ - "SpdxTranslatorSpdx.rdf", - "SpdxTranslatorSpdx.txt" - ] - }, - "licenseConcluded": "(Apache-1.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-3 AND LicenseRef-4 AND Apache-2.0 AND LicenseRef-1)", - "supplier": "Organization: Linux Foundation", - "attributionTexts": [ - "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." - ], - "checksums": [ - { - "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "SHA1" - } - ], - "versionInfo": "Version 0.9.2", - "licenseDeclared": "(LicenseRef-4 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-1)", - "downloadLocation": "http://www.spdx.org/tools", - "description": "This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document.", - "hasFiles": [ - "SPDXRef-File1", - "SPDXRef-File2" - ] - } - ], - "files": [ - { - "comment": "This file belongs to Jena", - "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", - "artifactOf": [ - { - "name": "Jena", - "homePage": "http://www.openjena.org/", - "projectUri": "http://subversion.apache.org/doap.rdf" - } - ], - "licenseConcluded": "LicenseRef-1", - "licenseComments": "This license is used by Jena", - "checksums": [ - { - "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", - "algorithm": "SHA1" - } - ], - "fileTypes": [ - "fileType_archive" - ], - "SPDXID": "SPDXRef-File1", - "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar", - "licenseInfoInFiles": [ - "LicenseRef-1" - ] - }, - { - "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", - "licenseConcluded": "Apache-2.0", - "checksums": [ - { - "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "SHA1" - } - ], - "fileTypes": [ - "fileType_source" - ], - "SPDXID": "SPDXRef-File2", - "fileName": "src/org/spdx/parser/DOAPProject.java", - "licenseInfoInFiles": [ - "Apache-2.0" - ] - } - ] + "spdxDocument" : "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301" + } ], + "hasExtractedLicensingInfos" : [ { + "licenseId" : "LicenseRef-1", + "extractedText" : "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/" + }, { + "licenseId" : "LicenseRef-2", + "extractedText" : "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n� Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." + }, { + "licenseId" : "LicenseRef-4", + "extractedText" : "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/" + }, { + "licenseId" : "LicenseRef-Beerware-4.2", + "comment" : "The beerware license has a couple of other standard variants.", + "extractedText" : "\"THE BEER-WARE LICENSE\" (Revision 42):\nphk@FreeBSD.ORG wrote this file. As long as you retain this notice you\ncan do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp", + "name" : "Beer-Ware License (Version 42)", + "seeAlsos" : [ "http://people.freebsd.org/~phk/" ] + }, { + "licenseId" : "LicenseRef-3", + "comment" : "This is tye CyperNeko License", + "extractedText" : "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", + "name" : "CyberNeko License", + "seeAlsos" : [ "http://people.apache.org/~andyc/neko/LICENSE", "http://justasample.url.com" ] + } ], + "annotations" : [ { + "annotationDate" : "2010-01-29T18:30:22Z", + "annotationType" : "OTHER", + "annotator" : "Person: Jane Doe ()", + "comment" : "Document level annotation" + }, { + "annotationDate" : "2010-02-10T00:00:00Z", + "annotationType" : "REVIEW", + "annotator" : "Person: Joe Reviewer", + "comment" : "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses" + }, { + "annotationDate" : "2011-03-13T00:00:00Z", + "annotationType" : "REVIEW", + "annotator" : "Person: Suzanne Reviewer", + "comment" : "Another example reviewer." + } ], + "documentNamespace" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "documentDescribes" : [ "SPDXRef-File", "SPDXRef-Package" ], + "packages" : [ { + "SPDXID" : "SPDXRef-Package", + "annotations" : [ { + "annotationDate" : "2011-01-29T18:30:22Z", + "annotationType" : "OTHER", + "annotator" : "Person: Package Commenter", + "comment" : "Package level annotation" + } ], + "attributionTexts" : [ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ], + "checksums" : [ { + "algorithm" : "MD5", + "checksumValue" : "624c1abb3664f4b35547e7c73864ad24" + }, { + "algorithm" : "SHA1", + "checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c" + }, { + "algorithm" : "SHA256", + "checksumValue" : "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd" + } ], + "copyrightText" : "Copyright 2008-2010 John Smith", + "description" : "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.", + "downloadLocation" : "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz", + "externalRefs" : [ { + "referenceCategory" : "SECURITY", + "referenceLocator" : "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*", + "referenceType" : "cpe23Type" + }, { + "comment" : "This is the external ref for Acme", + "referenceCategory" : "OTHER", + "referenceLocator" : "acmecorp/acmenator/4.1.3-alpha", + "referenceType" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge" + } ], + "filesAnalyzed" : true, + "hasFiles" : [ "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource" ], + "homepage" : "http://ftp.gnu.org/gnu/glibc", + "licenseComments" : "The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change.", + "licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-3)", + "licenseDeclared" : "(LGPL-2.0-only AND LicenseRef-3)", + "licenseInfoFromFiles" : [ "GPL-2.0-only", "LicenseRef-2", "LicenseRef-1" ], + "name" : "glibc", + "originator" : "Organization: ExampleCodeInspect (contact@example.com)", + "packageFileName" : "glibc-2.11.1.tar.gz", + "packageVerificationCode" : { + "packageVerificationCodeExcludedFiles" : [ "./package.spdx" ], + "packageVerificationCodeValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + "sourceInfo" : "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.", + "summary" : "GNU C library.", + "supplier" : "Person: Jane Doe (jane.doe@example.com)", + "versionInfo" : "2.11.1" + }, { + "SPDXID" : "SPDXRef-fromDoap-1", + "copyrightText" : "NOASSERTION", + "downloadLocation" : "NOASSERTION", + "filesAnalyzed" : false, + "homepage" : "http://commons.apache.org/proper/commons-lang/", + "licenseConcluded" : "NOASSERTION", + "licenseDeclared" : "NOASSERTION", + "name" : "Apache Commons Lang" + }, { + "SPDXID" : "SPDXRef-fromDoap-0", + "copyrightText" : "NOASSERTION", + "downloadLocation" : "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz", + "externalRefs" : [ { + "referenceCategory" : "PACKAGE_MANAGER", + "referenceLocator" : "pkg:maven/org.apache.jena/apache-jena@3.12.0", + "referenceType" : "purl" + } ], + "filesAnalyzed" : false, + "homepage" : "http://www.openjena.org/", + "licenseConcluded" : "NOASSERTION", + "licenseDeclared" : "NOASSERTION", + "name" : "Jena", + "versionInfo" : "3.12.0" + }, { + "SPDXID" : "SPDXRef-Saxon", + "checksums" : [ { + "algorithm" : "SHA1", + "checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c" + } ], + "copyrightText" : "Copyright Saxonica Ltd", + "description" : "The Saxon package is a collection of tools for processing XML documents.", + "downloadLocation" : "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download", + "filesAnalyzed" : false, + "homepage" : "http://saxon.sourceforge.net/", + "licenseComments" : "Other versions available for a commercial license", + "licenseConcluded" : "MPL-1.0", + "licenseDeclared" : "MPL-1.0", + "name" : "Saxon", + "packageFileName" : "saxonB-8.8.zip", + "versionInfo" : "8.8" + } ], + "files" : [ { + "SPDXID" : "SPDXRef-DoapSource", + "checksums" : [ { + "algorithm" : "SHA1", + "checksumValue" : "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12" + } ], + "copyrightText" : "Copyright 2010, 2011 Source Auditor Inc.", + "fileContributors" : [ "Protecode Inc.", "SPDX Technical Team Members", "Open Logic Inc.", "Source Auditor Inc.", "Black Duck Software In.c" ], + "fileName" : "./src/org/spdx/parser/DOAPProject.java", + "fileTypes" : [ "SOURCE" ], + "licenseConcluded" : "Apache-2.0", + "licenseInfoInFiles" : [ "Apache-2.0" ] + }, { + "SPDXID" : "SPDXRef-CommonsLangSrc", + "checksums" : [ { + "algorithm" : "SHA1", + "checksumValue" : "c2b4e1c67a2d28fced849ee1bb76e7391b93f125" + } ], + "comment" : "This file is used by Jena", + "copyrightText" : "Copyright 2001-2011 The Apache Software Foundation", + "fileContributors" : [ "Apache Software Foundation" ], + "fileName" : "./lib-source/commons-lang3-3.1-sources.jar", + "fileTypes" : [ "ARCHIVE" ], + "licenseConcluded" : "Apache-2.0", + "licenseInfoInFiles" : [ "Apache-2.0" ], + "noticeText" : "Apache Commons Lang\nCopyright 2001-2011 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software from the Spring Framework,\nunder the Apache License 2.0 (see: StringUtils.containsWhitespace())" + }, { + "SPDXID" : "SPDXRef-JenaLib", + "checksums" : [ { + "algorithm" : "SHA1", + "checksumValue" : "3ab4e1c67a2d28fced849ee1bb76e7391b93f125" + } ], + "comment" : "This file belongs to Jena", + "copyrightText" : "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", + "fileContributors" : [ "Apache Software Foundation", "Hewlett Packard Inc." ], + "fileName" : "./lib-source/jena-2.6.3-sources.jar", + "fileTypes" : [ "ARCHIVE" ], + "licenseComments" : "This license is used by Jena", + "licenseConcluded" : "LicenseRef-1", + "licenseInfoInFiles" : [ "LicenseRef-1" ] + }, { + "SPDXID" : "SPDXRef-File", + "annotations" : [ { + "annotationDate" : "2011-01-29T18:30:22Z", + "annotationType" : "OTHER", + "annotator" : "Person: File Commenter", + "comment" : "File level annotation" + } ], + "checksums" : [ { + "algorithm" : "SHA1", + "checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, { + "algorithm" : "MD5", + "checksumValue" : "624c1abb3664f4b35547e7c73864ad24" + } ], + "comment" : "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory.", + "copyrightText" : "Copyright 2008-2010 John Smith", + "fileContributors" : [ "The Regents of the University of California", "Modified by Paul Mundt lethal@linux-sh.org", "IBM Corporation" ], + "fileName" : "./package/foo.c", + "fileTypes" : [ "SOURCE" ], + "licenseComments" : "The concluded license was taken from the package level that the file was included in.", + "licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-2)", + "licenseInfoInFiles" : [ "GPL-2.0-only", "LicenseRef-2" ], + "noticeText" : "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the �Software�), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED �AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." + } ], + "snippets" : [ { + "SPDXID" : "SPDXRef-Snippet", + "comment" : "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0.", + "copyrightText" : "Copyright 2008-2010 John Smith", + "licenseComments" : "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.", + "licenseConcluded" : "GPL-2.0-only", + "licenseInfoInSnippets" : [ "GPL-2.0-only" ], + "name" : "from linux kernel", + "ranges" : [ { + "endPointer" : { + "offset" : 420, + "reference" : "SPDXRef-DoapSource" + }, + "startPointer" : { + "offset" : 310, + "reference" : "SPDXRef-DoapSource" + } + }, { + "endPointer" : { + "lineNumber" : 23, + "reference" : "SPDXRef-DoapSource" + }, + "startPointer" : { + "lineNumber" : 5, + "reference" : "SPDXRef-DoapSource" + } + } ], + "snippetFromFile" : "SPDXRef-DoapSource" + } ], + "relationships" : [ { + "spdxElementId" : "SPDXRef-DOCUMENT", + "relatedSpdxElement" : "SPDXRef-Package", + "relationshipType" : "CONTAINS" + }, { + "spdxElementId" : "SPDXRef-DOCUMENT", + "relatedSpdxElement" : "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement", + "relationshipType" : "COPY_OF" + }, { + "spdxElementId" : "SPDXRef-DOCUMENT", + "relatedSpdxElement" : "SPDXRef-File", + "relationshipType" : "DESCRIBES" + }, { + "spdxElementId" : "SPDXRef-DOCUMENT", + "relatedSpdxElement" : "SPDXRef-Package", + "relationshipType" : "DESCRIBES" + }, { + "spdxElementId" : "SPDXRef-Package", + "relatedSpdxElement" : "SPDXRef-JenaLib", + "relationshipType" : "CONTAINS" + }, { + "spdxElementId" : "SPDXRef-Package", + "relatedSpdxElement" : "SPDXRef-Saxon", + "relationshipType" : "DYNAMIC_LINK" + }, { + "spdxElementId" : "SPDXRef-CommonsLangSrc", + "relatedSpdxElement" : "NOASSERTION", + "relationshipType" : "GENERATED_FROM" + }, { + "spdxElementId" : "SPDXRef-JenaLib", + "relatedSpdxElement" : "SPDXRef-Package", + "relationshipType" : "CONTAINS" + }, { + "spdxElementId" : "SPDXRef-File", + "relatedSpdxElement" : "SPDXRef-fromDoap-0", + "relationshipType" : "GENERATED_FROM" + } ] } \ No newline at end of file diff --git a/tests/data/formats/SPDXXmlExample.xml b/tests/data/formats/SPDXXmlExample.xml index 256433411..fceac1a76 100644 --- a/tests/data/formats/SPDXXmlExample.xml +++ b/tests/data/formats/SPDXXmlExample.xml @@ -237,19 +237,4 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. SPDXRef-Snippet SPDXRef-DoapSource - - SPDXRef-DOCUMENT - SPDXRef-File - DESCRIBES - - - SPDXRef-DOCUMENT - SPDXRef-Package - DESCRIBES - - - SPDXRef-DOCUMENT - SPDXRef-Package - CONTAINS - diff --git a/tests/data/formats/SPDXYamlExample.yaml b/tests/data/formats/SPDXYamlExample.yaml index cc660bced..1aa3e5716 100644 --- a/tests/data/formats/SPDXYamlExample.yaml +++ b/tests/data/formats/SPDXYamlExample.yaml @@ -170,16 +170,6 @@ Document: SPDXID: SPDXRef-DOCUMENT name: Sample_Document-V2.1 documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 - relationships: - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-Package" - relationshipType: "DESCRIBES" - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-Package" - relationshipType: "CONTAINS" - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-File" - relationshipType: "DESCRIBES" reviewers: - comment: Another example reviewer. reviewDate: '2011-03-13T00:00:00Z' diff --git a/tests/test_document.py b/tests/test_document.py index 0047eecba..0ffc7443a 100644 --- a/tests/test_document.py +++ b/tests/test_document.py @@ -78,11 +78,11 @@ def test_document_validate_failures_returns_informative_messages(self): 'Sample_Document-V2.1', spdx_id='SPDXRef-DOCUMENT', namespace='https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301') pack = doc.package = Package('some/path', NoAssert()) - pack.check_sum = 'SOME-SHA1' + pack.checksum = 'SOME-SHA1' file1 = File('./some/path/tofile') file1.name = './some/path/tofile' file1.spdx_id = 'SPDXRef-File' - file1.chk_sum = Algorithm('SHA1', 'SOME-SHA1') + file1.chksum = Algorithm('SHA1', 'SOME-SHA1') lic1 = License.from_identifier('LGPL-2.1-only') file1.add_lics(lic1) pack.add_lics_from_file(lic1) @@ -120,7 +120,7 @@ def test_document_is_valid_when_using_or_later_licenses(self): file1 = File('./some/path/tofile') file1.name = './some/path/tofile' file1.spdx_id = 'SPDXRef-File' - file1.chk_sum = Algorithm('SHA1', 'SOME-SHA1') + file1.chksum = Algorithm('SHA1', 'SOME-SHA1') file1.conc_lics = NoAssert() file1.copyright = NoAssert() @@ -173,14 +173,14 @@ def _get_lgpl_doc(self, or_later=False): package.spdx_id = 'SPDXRef-Package' package.cr_text = 'Some copyrught' package.verif_code = 'SOME code' - package.check_sum = Algorithm('SHA1', 'SOME-SHA1') + package.checksum = Algorithm('SHA1', 'SOME-SHA1') package.license_declared = NoAssert() package.conc_lics = NoAssert() file1 = File('./some/path/tofile') file1.name = './some/path/tofile' file1.spdx_id = 'SPDXRef-File' - file1.chk_sum = Algorithm('SHA1', 'SOME-SHA1') + file1.chksum = Algorithm('SHA1', 'SOME-SHA1') file1.conc_lics = NoAssert() file1.copyright = NoAssert() @@ -231,7 +231,7 @@ def _get_lgpl_multi_package_doc(self, or_later=False): file1 = File('./some/path/tofile') file1.name = './some/path/tofile' file1.spdx_id = 'SPDXRef-File' - file1.chk_sum = Algorithm('SHA1', 'SOME-SHA1') + file1.chksum = Algorithm('SHA1', 'SOME-SHA1') file1.conc_lics = NoAssert() file1.copyright = NoAssert() diff --git a/tests/test_package.py b/tests/test_package.py index c9076969e..0c8529734 100644 --- a/tests/test_package.py +++ b/tests/test_package.py @@ -24,7 +24,7 @@ def test_calc_verif_code(self): def test_package_with_non_sha1_check_sum(self): package = Package() - package.check_sum = Algorithm("SHA256", '') + package.checksum = Algorithm("SHA256", '') # Make sure that validation still works despite the checksum not being SHA1 messages = [] diff --git a/tests/test_parse_anything.py b/tests/test_parse_anything.py index 7692e5744..7b8679081 100644 --- a/tests/test_parse_anything.py +++ b/tests/test_parse_anything.py @@ -16,7 +16,8 @@ dirname = os.path.join(os.path.dirname(__file__), "data", "formats") -test_files = [os.path.join(dirname, fn) for fn in os.listdir(dirname)] +test_files = [os.path.join(dirname, fn) for fn in os.listdir(dirname) if "2.2" not in fn] +# exclude json2.2 file since spec-2.2 is not fully supported yet @pytest.mark.parametrize("test_file", test_files) diff --git a/tests/test_write_anything.py b/tests/test_write_anything.py index bbf9d8d34..3fbee2974 100644 --- a/tests/test_write_anything.py +++ b/tests/test_write_anything.py @@ -44,7 +44,7 @@ @pytest.mark.parametrize("in_file", test_files, ids=lambda x: os.path.basename(x)) def test_write_anything(in_file, out_format, tmpdir): in_basename = os.path.basename(in_file) - if in_basename == "SPDXSBOMExample.spdx.yml" or in_basename == "SPDXSBOMExample.tag": + if in_basename == "SPDXSBOMExample.spdx.yml" or in_basename == "SPDXSBOMExample.tag" or in_basename == "SPDXJsonExample2.2.json": # conversion of spdx2.2 is not yet done return doc, error = parse_anything.parse_file(in_file) diff --git a/tests/utils_test.py b/tests/utils_test.py index 7941b690e..3d2c9630a 100644 --- a/tests/utils_test.py +++ b/tests/utils_test.py @@ -176,10 +176,10 @@ def load_and_clean_json(location): """ with io.open(location, encoding='utf-8') as l: content = l.read() - data = {'Document': json.loads(content)} + data = json.loads(content) - if 'creationInfo' in data['Document']: - del(data['Document']['creationInfo']) + if 'creationInfo' in data: + del(data['creationInfo']) return sort_nested(data) @@ -206,10 +206,10 @@ def load_and_clean_yaml(location): """ with io.open(location, encoding='utf-8') as l: content = l.read() - data = {'Document': yaml.safe_load(content)} + data = yaml.safe_load(content) - if 'creationInfo' in data['Document']: - del(data['Document']['creationInfo']) + if 'creationInfo' in data: + del(data['creationInfo']) return sort_nested(data) @@ -360,7 +360,7 @@ def package_to_dict(cls, package): ('licenseDeclared', cls.license_to_dict(package.license_declared)), ('copyrightText', package.cr_text), ('licenseComment', package.license_comment), - ('checksum', cls.checksum_to_dict(package.check_sum)), + ('checksum', cls.checksum_to_dict(package.checksum)), ('files', cls.files_to_list(sorted(package.files))), ('licenseInfoFromFiles', [cls.license_to_dict(lic) for lic in lics_from_files]), ('verificationCode', OrderedDict([ @@ -377,7 +377,7 @@ def files_to_list(cls, files): files_list = [] for file in files: - lics_from_files = sorted(file.licenses_in_file, key=lambda lic: lic.identifier) + lics_in_files = sorted(file.licenses_in_file, key=lambda lic: lic.identifier) contributors = sorted(file.contributors, key=lambda c: c.name) file_dict = OrderedDict([ ('id', file.spdx_id), @@ -388,8 +388,8 @@ def files_to_list(cls, files): ('copyrightText', file.copyright), ('licenseComment', file.license_comment), ('notice', file.notice), - ('checksum', cls.checksum_to_dict(file.chk_sum)), - ('licenseInfoInFiles', [cls.license_to_dict(lic) for lic in lics_from_files]), + ('checksum', cls.checksum_to_dict(file.chksum)), + ('licenseInfoInFiles', [cls.license_to_dict(lic) for lic in lics_in_files]), ('contributors', [cls.entity_to_dict(contributor) for contributor in contributors]), ('dependencies', sorted(file.dependencies)), ('artifactOfProjectName', file.artifact_of_project_name),