From b58db203b3e01cd79d3f354cd54a7dd3f513dbf9 Mon Sep 17 00:00:00 2001 From: Daniel Holth Date: Wed, 10 Nov 2021 15:57:32 -0500 Subject: [PATCH 01/10] support spdx 2.2 compliant json Signed-off-by: Daniel Holth --- spdx/creationinfo.py | 4 +- spdx/file.py | 14 +- spdx/package.py | 14 +- spdx/parsers/jsonyamlxml.py | 35 ++- spdx/writers/json.py | 4 +- spdx/writers/jsonyamlxml.py | 55 ++++- spdx/writers/rdf.py | 3 +- spdx/writers/xml.py | 15 +- spdx/writers/yaml.py | 4 +- tests/data/doc_write/json-simple-plus.json | 13 +- .../data/doc_write/json-simple-plus.new.json | 59 +++++ tests/data/doc_write/json-simple.json | 13 +- tests/data/doc_write/json-simple.new.json | 59 +++++ .../data/doc_write/yaml-simple-plus.new.yaml | 38 +++ tests/data/doc_write/yaml-simple-plus.yaml | 13 +- tests/data/doc_write/yaml-simple.new.yaml | 38 +++ tests/data/doc_write/yaml-simple.yaml | 13 +- tests/data/formats/SPDXJsonExample2.2.json | 231 ++++++++++++++++++ tests/test_document.py | 8 +- tests/test_write_anything.py | 6 +- tests/utils_test.py | 4 +- 21 files changed, 607 insertions(+), 36 deletions(-) create mode 100644 tests/data/doc_write/json-simple-plus.new.json create mode 100644 tests/data/doc_write/json-simple.new.json create mode 100644 tests/data/doc_write/yaml-simple-plus.new.yaml create mode 100644 tests/data/doc_write/yaml-simple.new.yaml create mode 100644 tests/data/formats/SPDXJsonExample2.2.json diff --git a/spdx/creationinfo.py b/spdx/creationinfo.py index 1545a8ab7..54a99e9d3 100644 --- a/spdx/creationinfo.py +++ b/spdx/creationinfo.py @@ -44,7 +44,7 @@ class Organization(Creator): - email: Org's email address. Optional. Type: str. """ - def __init__(self, name, email): + def __init__(self, name, email=None): super(Organization, self).__init__(name) self.email = email @@ -80,7 +80,7 @@ class Person(Creator): - email: person's email address. Optional. Type: str. """ - def __init__(self, name, email): + def __init__(self, name, email=None): super(Person, self).__init__(name) self.email = email diff --git a/spdx/file.py b/spdx/file.py index d619509ce..c960a83fe 100644 --- a/spdx/file.py +++ b/spdx/file.py @@ -63,7 +63,7 @@ def __init__(self, name, spdx_id=None, chk_sum=None): self.spdx_id = spdx_id self.comment = None self.type = None - self.chk_sum = chk_sum + self.checksums = [None] self.conc_lics = None self.licenses_in_file = [] self.license_comment = None @@ -82,6 +82,18 @@ def __eq__(self, other): def __lt__(self, other): return self.name < other.name + @property + def chk_sum(self): + """ + Backwards compatibility, return first checksum. + """ + # NOTE Package.check_sum but File.chk_sum + return self.checksums[0] + + @chk_sum.setter + def chk_sum(self, value): + self.checksums[0] = value + def add_lics(self, lics): self.licenses_in_file.append(lics) diff --git a/spdx/package.py b/spdx/package.py index e2533d5f1..f881a01ab 100644 --- a/spdx/package.py +++ b/spdx/package.py @@ -84,7 +84,7 @@ def __init__( self.files_analyzed = None self.homepage = None self.verif_code = None - self.check_sum = None + self.checksums = [None] self.source_info = None self.conc_lics = None self.license_declared = None @@ -105,6 +105,18 @@ def are_files_analyzed(self): # as default None Value is False, previous line is simplification of # return self.files_analyzed or self.files_analyzed is None + @property + def check_sum(self): + """ + Backwards compatibility, return first checksum. + """ + # NOTE Package.check_sum but File.chk_sum + return self.checksums[0] + + @check_sum.setter + def check_sum(self, value): + self.checksums[0] = value + def add_file(self, fil): self.files.append(fil) diff --git a/spdx/parsers/jsonyamlxml.py b/spdx/parsers/jsonyamlxml.py index 8942823f4..a684e27f9 100644 --- a/spdx/parsers/jsonyamlxml.py +++ b/spdx/parsers/jsonyamlxml.py @@ -1495,6 +1495,39 @@ def parse_pkg_chksum(self, pkg_chksum): self.value_error("PKG_CHECKSUM", pkg_chksum) +def unflatten_document(document): + """ + Inverse of spdx.writers.jsonyamlxml.flatten_document + """ + files_by_id = {} + if "files" in document: + for f in document.pop("files"): + f["name"] = f.pop("fileName") + # XXX must downstream rely on "sha1" property? + for checksum in f["checksums"]: + if checksum["algorithm"] == "SHA1": + f["sha1"] = checksum["checksumValue"] + break + if "licenseInfoInFiles" in f: + f["licenseInfoFromFiles"] = f.pop("licenseInfoInFiles") + files_by_id[f["SPDXID"]] = f + + packages = document.pop("packages") + for package in packages: + if "hasFiles" in package: + package["files"] = [{ + "File": files_by_id[spdxid]} for spdxid in package["hasFiles"] + ] + # XXX must downstream rely on "sha1" property? + for checksum in package.get("checksums", []): + if checksum["algorithm"] == "SHA1": + package["sha1"] = checksum["checksumValue"] + break + + document["documentDescribes"] = [{ "Package": package} for package in packages ] + + return document + class Parser( CreationInfoParser, ExternalDocumentRefsParser, @@ -1512,7 +1545,7 @@ def __init__(self, builder, logger): def json_yaml_set_document(self, data): # we could verify that the spdxVersion >= 2.2, but we try to be resilient in parsing if data.get("spdxVersion"): - self.document_object = data + self.document_object = unflatten_document(data) return self.document_object = data.get("Document") diff --git a/spdx/writers/json.py b/spdx/writers/json.py index 0177cd104..a587a650b 100644 --- a/spdx/writers/json.py +++ b/spdx/writers/json.py @@ -12,7 +12,7 @@ import json from spdx.writers.tagvalue import InvalidDocumentError -from spdx.writers.jsonyamlxml import Writer +from spdx.writers.jsonyamlxml import JsonYamlWriter from spdx.parsers.loggers import ErrorMessages @@ -24,6 +24,6 @@ def write_document(document, out, validate=True): if messages: raise InvalidDocumentError(messages) - writer = Writer(document) + writer = JsonYamlWriter(document) document_object = writer.create_document() json.dump(document_object, out, indent=4) diff --git a/spdx/writers/jsonyamlxml.py b/spdx/writers/jsonyamlxml.py index 60e9afadc..4cc3bde25 100644 --- a/spdx/writers/jsonyamlxml.py +++ b/spdx/writers/jsonyamlxml.py @@ -47,7 +47,7 @@ def checksum(self, checksum_field): """ checksum_object = dict() checksum_object["algorithm"] = ( - "checksumAlgorithm_" + checksum_field.identifier.lower() + checksum_field.identifier.upper() ) checksum_object["checksumValue"] = checksum_field.value return checksum_object @@ -142,13 +142,14 @@ def create_package_info(self, package): package_object["packageFileName"] = package.file_name if package.has_optional_field("supplier"): - package_object["supplier"] = package.supplier.__str__() + package_object["supplier"] = package.supplier.to_value() if package.has_optional_field("originator"): - package_object["originator"] = package.originator.__str__() + package_object["originator"] = package.originator.to_value() if package.has_optional_field("check_sum"): - package_object["checksums"] = [self.checksum(package.check_sum)] + package_object["checksums"] = [self.checksum(checksum) for checksum in package.checksums if checksum] + assert package.check_sum.identifier == "SHA1", "First checksum must be SHA1" package_object["sha1"] = package.check_sum.value if package.has_optional_field("description"): @@ -201,12 +202,14 @@ def create_file_info(self, package): file_object["name"] = file.name file_object["SPDXID"] = self.spdx_id(file.spdx_id) - file_object["checksums"] = [self.checksum(file.chk_sum)] + file_object["checksums"] = [self.checksum(checksum) for checksum in file.checksums if checksum] file_object["licenseConcluded"] = self.license(file.conc_lics) file_object["licenseInfoFromFiles"] = list( map(self.license, file.licenses_in_file) ) file_object["copyrightText"] = file.copyright.__str__() + + assert file.chk_sum.identifier == "SHA1", "First checksum must be SHA1" file_object["sha1"] = file.chk_sum.value if file.has_optional_field("comment"): @@ -511,3 +514,45 @@ def create_document(self): self.document_object["relationships"] = self.create_relationship_info() return {"Document": self.document_object} + + +def flatten_document(document_object): + """ + Move nested Package -> Files to top level to conform with schema. + """ + + document = document_object["Document"] + + # replace documentDescribes with SPDXID references + package_objects = document["documentDescribes"] + + document["documentDescribes"] = [package["Package"]["SPDXID"] for package in package_objects] + + document["packages"] = [package["Package"] for package in package_objects] + + file_objects = [] + + for package_info_object in document.get("packages", []): + if not "files" in package_info_object: + continue + if "sha1" in package_info_object: + del package_info_object["sha1"] + package_info_object["hasFiles"] = [file_object["File"]["SPDXID"] for file_object in package_info_object["files"]] + file_objects.extend(file_object["File"] for file_object in package_info_object.pop("files")) + + for file_object in file_objects: + file_object["fileName"] = file_object.pop("name") + if "licenseInfoFromFiles" in file_object: + file_object["licenseInfoInFiles"] = file_object.pop("licenseInfoFromFiles") + del file_object["sha1"] + + document["files"] = file_objects + + return document + + +class JsonYamlWriter(Writer): + + def create_document(self): + document_object = super().create_document() + return flatten_document(document_object) diff --git a/spdx/writers/rdf.py b/spdx/writers/rdf.py index 3b167fcc7..fcbdcb36d 100644 --- a/spdx/writers/rdf.py +++ b/spdx/writers/rdf.py @@ -22,6 +22,7 @@ from spdx import document from spdx import config from spdx import utils +from spdx.package import Package from spdx.parsers.loggers import ErrorMessages from spdx.writers.tagvalue import InvalidDocumentError @@ -709,7 +710,7 @@ def handle_package_literal_optional(self, package, package_node, predicate, fiel triple = (package_node, predicate, value_node) self.graph.add(triple) - def handle_pkg_optional_fields(self, package, package_node): + def handle_pkg_optional_fields(self, package: Package, package_node): """ Write package optional fields. """ diff --git a/spdx/writers/xml.py b/spdx/writers/xml.py index 43e28f8cf..9e4cb9b09 100644 --- a/spdx/writers/xml.py +++ b/spdx/writers/xml.py @@ -16,6 +16,19 @@ from spdx.parsers.loggers import ErrorMessages +class XMLWriter(Writer): + def checksum(self, checksum_field): + """ + Return a dictionary representation of a spdx.checksum.Algorithm object + """ + checksum_object = dict() + checksum_object["algorithm"] = ( + "checksumAlgorithm_" + checksum_field.identifier.lower() + ) + checksum_object["checksumValue"] = checksum_field.value + return checksum_object + + def write_document(document, out, validate=True): if validate: @@ -24,7 +37,7 @@ def write_document(document, out, validate=True): if messages: raise InvalidDocumentError(messages) - writer = Writer(document) + writer = XMLWriter(document) document_object = {"SpdxDocument": writer.create_document()} xmltodict.unparse(document_object, out, encoding="utf-8", pretty=True) diff --git a/spdx/writers/yaml.py b/spdx/writers/yaml.py index 24600d8a7..6fd0135e6 100644 --- a/spdx/writers/yaml.py +++ b/spdx/writers/yaml.py @@ -12,7 +12,7 @@ import yaml from spdx.writers.tagvalue import InvalidDocumentError -from spdx.writers.jsonyamlxml import Writer +from spdx.writers.jsonyamlxml import JsonYamlWriter from spdx.parsers.loggers import ErrorMessages @@ -24,7 +24,7 @@ def write_document(document, out, validate=True): if messages: raise InvalidDocumentError(messages) - writer = Writer(document) + writer = JsonYamlWriter(document) document_object = writer.create_document() yaml.safe_dump(document_object, out, indent=2, explicit_start=True) diff --git a/tests/data/doc_write/json-simple-plus.json b/tests/data/doc_write/json-simple-plus.json index 11e0929e4..d034ecf50 100644 --- a/tests/data/doc_write/json-simple-plus.json +++ b/tests/data/doc_write/json-simple-plus.json @@ -5,10 +5,17 @@ "name": "Sample_Document-V2.1", "SPDXID": "SPDXRef-DOCUMENT", "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "creationInfo": { + "creators": [ + "Organization: SPDX" + ], + "created": "2021-11-15T00:00:00Z", + "licenseListVersion": "3.6" + }, "documentDescribes": [ { "Package": { - "SPDXID": "SPDXRef-Package", + "SPDXID": "SPDXRef-Package", "name": "some/path", "downloadLocation": "NOASSERTION", "copyrightText": "Some copyrught", @@ -17,7 +24,7 @@ }, "checksums": [ { - "algorithm": "checksumAlgorithm_sha1", + "algorithm": "SHA1", "checksumValue": "SOME-SHA1" } ], @@ -30,7 +37,7 @@ "SPDXID": "SPDXRef-File", "checksums": [ { - "algorithm": "checksumAlgorithm_sha1", + "algorithm": "SHA1", "checksumValue": "SOME-SHA1" } ], diff --git a/tests/data/doc_write/json-simple-plus.new.json b/tests/data/doc_write/json-simple-plus.new.json new file mode 100644 index 000000000..a67c6e324 --- /dev/null +++ b/tests/data/doc_write/json-simple-plus.new.json @@ -0,0 +1,59 @@ +{ + "spdxVersion": "SPDX-2.1", + "dataLicense": "CC0-1.0", + "name": "Sample_Document-V2.1", + "SPDXID": "SPDXRef-DOCUMENT", + "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "creationInfo": { + "creators": [ + "Organization: SPDX" + ], + "created": "2021-11-15T00:00:00Z", + "licenseListVersion": "3.6" + }, + "documentDescribes": [ + "SPDXRef-Package" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package", + "name": "some/path", + "downloadLocation": "NOASSERTION", + "copyrightText": "Some copyrught", + "packageVerificationCode": { + "packageVerificationCodeValue": "SOME code" + }, + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "SOME-SHA1" + } + ], + "licenseDeclared": "NOASSERTION", + "licenseConcluded": "NOASSERTION", + "licenseInfoFromFiles": [ + "LGPL-2.1-or-later" + ], + "hasFiles": [ + "SPDXRef-File" + ] + } + ], + "files": [ + { + "SPDXID": "SPDXRef-File", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "SOME-SHA1" + } + ], + "licenseConcluded": "NOASSERTION", + "copyrightText": "NOASSERTION", + "fileName": "./some/path/tofile", + "licenseInfoInFiles": [ + "LGPL-2.1-or-later" + ] + } + ] +} \ No newline at end of file diff --git a/tests/data/doc_write/json-simple.json b/tests/data/doc_write/json-simple.json index 246a0cacb..619821b40 100644 --- a/tests/data/doc_write/json-simple.json +++ b/tests/data/doc_write/json-simple.json @@ -5,10 +5,17 @@ "name": "Sample_Document-V2.1", "SPDXID": "SPDXRef-DOCUMENT", "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "creationInfo": { + "creators": [ + "Organization: SPDX" + ], + "created": "2021-11-15T00:00:00Z", + "licenseListVersion": "3.6" + }, "documentDescribes": [ { "Package": { - "SPDXID": "SPDXRef-Package", + "SPDXID": "SPDXRef-Package", "name": "some/path", "downloadLocation": "NOASSERTION", "copyrightText": "Some copyrught", @@ -17,7 +24,7 @@ }, "checksums": [ { - "algorithm": "checksumAlgorithm_sha1", + "algorithm": "SHA1", "checksumValue": "SOME-SHA1" } ], @@ -30,7 +37,7 @@ "SPDXID": "SPDXRef-File", "checksums": [ { - "algorithm": "checksumAlgorithm_sha1", + "algorithm": "SHA1", "checksumValue": "SOME-SHA1" } ], diff --git a/tests/data/doc_write/json-simple.new.json b/tests/data/doc_write/json-simple.new.json new file mode 100644 index 000000000..187895621 --- /dev/null +++ b/tests/data/doc_write/json-simple.new.json @@ -0,0 +1,59 @@ +{ + "spdxVersion": "SPDX-2.1", + "dataLicense": "CC0-1.0", + "name": "Sample_Document-V2.1", + "SPDXID": "SPDXRef-DOCUMENT", + "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "creationInfo": { + "creators": [ + "Organization: SPDX" + ], + "created": "2021-11-15T00:00:00Z", + "licenseListVersion": "3.6" + }, + "documentDescribes": [ + "SPDXRef-Package" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package", + "name": "some/path", + "downloadLocation": "NOASSERTION", + "copyrightText": "Some copyrught", + "packageVerificationCode": { + "packageVerificationCodeValue": "SOME code" + }, + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "SOME-SHA1" + } + ], + "licenseDeclared": "NOASSERTION", + "licenseConcluded": "NOASSERTION", + "licenseInfoFromFiles": [ + "LGPL-2.1-only" + ], + "hasFiles": [ + "SPDXRef-File" + ] + } + ], + "files": [ + { + "SPDXID": "SPDXRef-File", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "SOME-SHA1" + } + ], + "licenseConcluded": "NOASSERTION", + "copyrightText": "NOASSERTION", + "fileName": "./some/path/tofile", + "licenseInfoInFiles": [ + "LGPL-2.1-only" + ] + } + ] +} \ No newline at end of file diff --git a/tests/data/doc_write/yaml-simple-plus.new.yaml b/tests/data/doc_write/yaml-simple-plus.new.yaml new file mode 100644 index 000000000..1c20a50c4 --- /dev/null +++ b/tests/data/doc_write/yaml-simple-plus.new.yaml @@ -0,0 +1,38 @@ +SPDXID: SPDXRef-DOCUMENT +creationInfo: + created: '2021-11-15T00:00:00Z' + creators: + - 'Organization: SPDX' + licenseListVersion: '3.6' +dataLicense: CC0-1.0 +documentDescribes: +- SPDXRef-Package +documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 +files: +- SPDXID: SPDXRef-File + checksums: + - algorithm: SHA1 + checksumValue: SOME-SHA1 + copyrightText: NOASSERTION + fileName: ./some/path/tofile + licenseConcluded: NOASSERTION + licenseInfoInFiles: + - LGPL-2.1-or-later +name: Sample_Document-V2.1 +packages: +- SPDXID: SPDXRef-Package + checksums: + - algorithm: SHA1 + checksumValue: SOME-SHA1 + copyrightText: Some copyrught + downloadLocation: NOASSERTION + hasFiles: + - SPDXRef-File + licenseConcluded: NOASSERTION + licenseDeclared: NOASSERTION + licenseInfoFromFiles: + - LGPL-2.1-or-later + name: some/path + packageVerificationCode: + packageVerificationCodeValue: SOME code +spdxVersion: SPDX-2.1 diff --git a/tests/data/doc_write/yaml-simple-plus.yaml b/tests/data/doc_write/yaml-simple-plus.yaml index 9858c8167..2a58e6d40 100644 --- a/tests/data/doc_write/yaml-simple-plus.yaml +++ b/tests/data/doc_write/yaml-simple-plus.yaml @@ -5,6 +5,13 @@ Document: name: "Sample_Document-V2.1" SPDXID: "SPDXRef-DOCUMENT" documentNamespace: "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301" + creationInfo: { + "creators": [ + "Organization: SPDX" + ], + "created": "2021-11-15T00:00:00Z", + "licenseListVersion": "3.6" + } documentDescribes: - Package: SPDXID: "SPDXRef-Package" @@ -14,7 +21,7 @@ Document: packageVerificationCode: packageVerificationCodeValue: "SOME code" checksums: - - algorithm: "checksumAlgorithm_sha1" + - algorithm: "SHA1" checksumValue: "SOME-SHA1" licenseDeclared: "NOASSERTION" licenseConcluded: "NOASSERTION" @@ -22,8 +29,8 @@ Document: - File: name: "./some/path/tofile" SPDXID: "SPDXRef-File" - checksums: - - algorithm: "checksumAlgorithm_sha1" + checksums: + - algorithm: "SHA1" checksumValue: "SOME-SHA1" licenseConcluded: "NOASSERTION" copyrightText: "NOASSERTION" diff --git a/tests/data/doc_write/yaml-simple.new.yaml b/tests/data/doc_write/yaml-simple.new.yaml new file mode 100644 index 000000000..9cbdc783c --- /dev/null +++ b/tests/data/doc_write/yaml-simple.new.yaml @@ -0,0 +1,38 @@ +SPDXID: SPDXRef-DOCUMENT +creationInfo: + created: '2021-11-15T00:00:00Z' + creators: + - 'Organization: SPDX' + licenseListVersion: '3.6' +dataLicense: CC0-1.0 +documentDescribes: +- SPDXRef-Package +documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 +files: +- SPDXID: SPDXRef-File + checksums: + - algorithm: SHA1 + checksumValue: SOME-SHA1 + copyrightText: NOASSERTION + fileName: ./some/path/tofile + licenseConcluded: NOASSERTION + licenseInfoInFiles: + - LGPL-2.1-only +name: Sample_Document-V2.1 +packages: +- SPDXID: SPDXRef-Package + checksums: + - algorithm: SHA1 + checksumValue: SOME-SHA1 + copyrightText: Some copyrught + downloadLocation: NOASSERTION + hasFiles: + - SPDXRef-File + licenseConcluded: NOASSERTION + licenseDeclared: NOASSERTION + licenseInfoFromFiles: + - LGPL-2.1-only + name: some/path + packageVerificationCode: + packageVerificationCodeValue: SOME code +spdxVersion: SPDX-2.1 diff --git a/tests/data/doc_write/yaml-simple.yaml b/tests/data/doc_write/yaml-simple.yaml index b4946b70f..449a2cc15 100644 --- a/tests/data/doc_write/yaml-simple.yaml +++ b/tests/data/doc_write/yaml-simple.yaml @@ -5,6 +5,13 @@ Document: name: "Sample_Document-V2.1" SPDXID: "SPDXRef-DOCUMENT" documentNamespace: "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301" + creationInfo: { + "creators": [ + "Organization: SPDX" + ], + "created": "2021-11-15T00:00:00Z", + "licenseListVersion": "3.6" + } documentDescribes: - Package: SPDXID: "SPDXRef-Package" @@ -14,7 +21,7 @@ Document: packageVerificationCode: packageVerificationCodeValue: "SOME code" checksums: - - algorithm: "checksumAlgorithm_sha1" + - algorithm: "SHA1" checksumValue: "SOME-SHA1" licenseDeclared: "NOASSERTION" licenseConcluded: "NOASSERTION" @@ -22,8 +29,8 @@ Document: - File: name: "./some/path/tofile" SPDXID: "SPDXRef-File" - checksums: - - algorithm: "checksumAlgorithm_sha1" + checksums: + - algorithm: "SHA1" checksumValue: "SOME-SHA1" licenseConcluded: "NOASSERTION" copyrightText: "NOASSERTION" diff --git a/tests/data/formats/SPDXJsonExample2.2.json b/tests/data/formats/SPDXJsonExample2.2.json new file mode 100644 index 000000000..33b6f93b7 --- /dev/null +++ b/tests/data/formats/SPDXJsonExample2.2.json @@ -0,0 +1,231 @@ +{ + "comment": "This is a sample spreadsheet", + "name": "Sample_Document-V2.1", + "documentDescribes": [ + "SPDXRef-Package" + ], + "creationInfo": { + "comment": "This is an example of an SPDX spreadsheet format", + "creators": [ + "Tool: SourceAuditor-V1.2", + "Person: Gary O'Neall", + "Organization: Source Auditor Inc." + ], + "licenseListVersion": "3.6", + "created": "2010-02-03T00:00:00Z" + }, + "externalDocumentRefs": [ + { + "checksum": { + "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759", + "algorithm": "SHA1" + }, + "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301", + "externalDocumentId": "DocumentRef-spdx-tool-2.1" + } + ], + "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "annotations": [ + { + "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", + "annotationType": "REVIEW", + "SPDXID": "SPDXRef-45", + "annotationDate": "2012-06-13T00:00:00Z", + "annotator": "Person: Jim Reviewer" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-Package", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-File", + "relationshipType": "DESCRIBES" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement", + "relationshipType": "COPY_OF" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-Package", + "relationshipType": "DESCRIBES" + }, + { + "spdxElementId": "SPDXRef-Package", + "relatedSpdxElement": "SPDXRef-Saxon", + "relationshipType": "DYNAMIC_LINK" + }, + { + "spdxElementId": "SPDXRef-Package", + "relatedSpdxElement": "SPDXRef-JenaLib", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-CommonsLangSrc", + "relatedSpdxElement": "NOASSERTION", + "relationshipType": "GENERATED_FROM" + }, + { + "spdxElementId": "SPDXRef-JenaLib", + "relatedSpdxElement": "SPDXRef-Package", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-File", + "relatedSpdxElement": "SPDXRef-fromDoap-0", + "relationshipType": "GENERATED_FROM" + } + ], + "dataLicense": "CC0-1.0", + "reviewers": [ + { + "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", + "reviewer": "Person: Joe Reviewer", + "reviewDate": "2010-02-10T00:00:00Z" + }, + { + "comment": "Another example reviewer.", + "reviewer": "Person: Suzanne Reviewer", + "reviewDate": "2011-03-13T00:00:00Z" + } + ], + "hasExtractedLicensingInfos": [ + { + "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ", + "licenseId": "LicenseRef-2" + }, + { + "extractedText": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", + "comment": "This is tye CyperNeko License", + "licenseId": "LicenseRef-3", + "name": "CyberNeko License", + "seeAlso": [ + "http://justasample.url.com", + "http://people.apache.org/~andyc/neko/LICENSE" + ] + }, + { + "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */ ", + "licenseId": "LicenseRef-4" + }, + { + "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */", + "licenseId": "LicenseRef-1" + } + ], + "spdxVersion": "SPDX-2.1", + "SPDXID": "SPDXRef-DOCUMENT", + "snippets": [ + { + "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later.", + "name": "from linux kernel", + "copyrightText": "Copyright 2008-2010 John Smith", + "licenseConcluded": "Apache-2.0", + "licenseInfoFromSnippet": [ + "Apache-2.0" + ], + "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.", + "SPDXID": "SPDXRef-Snippet", + "fileId": "SPDXRef-DoapSource" + } + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package", + "originator": "Organization: SPDX", + "licenseInfoFromFiles": [ + "Apache-1.0", + "LicenseRef-3", + "MPL-1.1", + "LicenseRef-2", + "LicenseRef-4", + "Apache-2.0", + "LicenseRef-1" + ], + "name": "SPDX Translator", + "packageFileName": "spdxtranslator-1.0.zip", + "licenseComments": "The declared license information can be found in the NOTICE file at the root of the archive file", + "summary": "SPDX Translator utility", + "sourceInfo": "Version 1.0 of the SPDX Translator application", + "copyrightText": " Copyright 2010, 2011 Source Auditor Inc.", + "packageVerificationCode": { + "packageVerificationCodeValue": "4e3211c67a2d28fced849ee1bb76e7391b93feba", + "packageVerificationCodeExcludedFiles": [ + "SpdxTranslatorSpdx.rdf", + "SpdxTranslatorSpdx.txt" + ] + }, + "licenseConcluded": "(Apache-1.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-3 AND LicenseRef-4 AND Apache-2.0 AND LicenseRef-1)", + "supplier": "Organization: Linux Foundation", + "attributionTexts": [ + "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." + ], + "checksums": [ + { + "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", + "algorithm": "SHA1" + } + ], + "versionInfo": "Version 0.9.2", + "licenseDeclared": "(LicenseRef-4 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-1)", + "downloadLocation": "http://www.spdx.org/tools", + "description": "This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document.", + "hasFiles": [ + "SPDXRef-File1", + "SPDXRef-File2" + ] + } + ], + "files": [ + { + "comment": "This file belongs to Jena", + "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", + "artifactOf": [ + { + "name": "Jena", + "homePage": "http://www.openjena.org/", + "projectUri": "http://subversion.apache.org/doap.rdf" + } + ], + "licenseConcluded": "LicenseRef-1", + "licenseComments": "This license is used by Jena", + "checksums": [ + { + "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", + "algorithm": "SHA1" + } + ], + "fileTypes": [ + "fileType_archive" + ], + "SPDXID": "SPDXRef-File1", + "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar", + "licenseInfoInFiles": [ + "LicenseRef-1" + ] + }, + { + "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", + "licenseConcluded": "Apache-2.0", + "checksums": [ + { + "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", + "algorithm": "SHA1" + } + ], + "fileTypes": [ + "fileType_source" + ], + "SPDXID": "SPDXRef-File2", + "fileName": "src/org/spdx/parser/DOAPProject.java", + "licenseInfoInFiles": [ + "Apache-2.0" + ] + } + ] +} \ No newline at end of file diff --git a/tests/test_document.py b/tests/test_document.py index f6518485b..d2f699dde 100644 --- a/tests/test_document.py +++ b/tests/test_document.py @@ -344,7 +344,7 @@ def test_write_document_json_with_validate(self): write_document(doc, output, validate=True) expected_file = utils_test.get_test_loc( - 'doc_write/json-simple.json', + 'doc_write/json-simple.new.json', test_data_dir=utils_test.test_data_dir) utils_test.check_json_scan(expected_file, result_file, regen=False) @@ -364,7 +364,7 @@ def test_write_document_json_with_or_later_with_validate(self): write_document(doc, output, validate=True) expected_file = utils_test.get_test_loc( - 'doc_write/json-simple-plus.json', + 'doc_write/json-simple-plus.new.json', test_data_dir=utils_test.test_data_dir) utils_test.check_json_scan(expected_file, result_file, regen=False) @@ -406,7 +406,7 @@ def test_write_document_yaml_with_validate(self): write_document(doc, output, validate=True) expected_file = utils_test.get_test_loc( - 'doc_write/yaml-simple.yaml', + 'doc_write/yaml-simple.new.yaml', test_data_dir=utils_test.test_data_dir) utils_test.check_yaml_scan(expected_file, result_file, regen=False) @@ -426,7 +426,7 @@ def test_write_document_yaml_with_or_later_with_validate(self): write_document(doc, output, validate=True) expected_file = utils_test.get_test_loc( - 'doc_write/yaml-simple-plus.yaml', + 'doc_write/yaml-simple-plus.new.yaml', test_data_dir=utils_test.test_data_dir) utils_test.check_yaml_scan(expected_file, result_file, regen=False) diff --git a/tests/test_write_anything.py b/tests/test_write_anything.py index b961abb38..bbf9d8d34 100644 --- a/tests/test_write_anything.py +++ b/tests/test_write_anything.py @@ -35,7 +35,9 @@ "SPDXRdfExample.rdf-yaml", "SPDXRdfExample.rdf-xml", "SPDXRdfExample.rdf-json", - "SPDXRdfExample.rdf-tag" + "SPDXRdfExample.rdf-tag", + "SPDXJsonExample2.2.json-rdf", + "SPDXJsonExample2.2.json-tag", } @pytest.mark.parametrize("out_format", ['rdf', 'yaml', 'xml', 'json', 'tag']) @@ -56,7 +58,7 @@ def test_write_anything(in_file, out_format, tmpdir): doc2, error2 = parse_anything.parse_file(out_fn) result2 = utils_test.TestParserUtils.to_dict(doc2) assert not error2 - + test = in_basename + "-" + out_format if test not in UNSTABLE_CONVERSIONS: assert result==result2 diff --git a/tests/utils_test.py b/tests/utils_test.py index 8f79fb907..876b57000 100644 --- a/tests/utils_test.py +++ b/tests/utils_test.py @@ -176,7 +176,7 @@ def load_and_clean_json(location): """ with io.open(location, encoding='utf-8') as l: content = l.read() - data = json.loads(content) + data = {'Document': json.loads(content)} if 'creationInfo' in data['Document']: del(data['Document']['creationInfo']) @@ -206,7 +206,7 @@ def load_and_clean_yaml(location): """ with io.open(location, encoding='utf-8') as l: content = l.read() - data = yaml.safe_load(content) + data = {'Document': yaml.safe_load(content)} if 'creationInfo' in data['Document']: del(data['Document']['creationInfo']) From 8cf5b11826154f4f3c3f22dbdc85545120dace39 Mon Sep 17 00:00:00 2001 From: Meret Behrens Date: Tue, 18 Oct 2022 12:01:44 +0200 Subject: [PATCH 02/10] [issue-184] delete outdated testfiles Signed-off-by: Meret Behrens --- tests/data/doc_write/json-simple-plus.json | 110 +++++++++--------- .../data/doc_write/json-simple-plus.new.json | 59 ---------- tests/data/doc_write/json-simple.json | 110 +++++++++--------- tests/data/doc_write/json-simple.new.json | 59 ---------- .../data/doc_write/yaml-simple-plus.new.yaml | 38 ------ tests/data/doc_write/yaml-simple-plus.yaml | 80 ++++++------- tests/data/doc_write/yaml-simple.new.yaml | 38 ------ tests/data/doc_write/yaml-simple.yaml | 80 ++++++------- tests/test_document.py | 8 +- 9 files changed, 192 insertions(+), 390 deletions(-) delete mode 100644 tests/data/doc_write/json-simple-plus.new.json delete mode 100644 tests/data/doc_write/json-simple.new.json delete mode 100644 tests/data/doc_write/yaml-simple-plus.new.yaml delete mode 100644 tests/data/doc_write/yaml-simple.new.yaml diff --git a/tests/data/doc_write/json-simple-plus.json b/tests/data/doc_write/json-simple-plus.json index d034ecf50..a67c6e324 100644 --- a/tests/data/doc_write/json-simple-plus.json +++ b/tests/data/doc_write/json-simple-plus.json @@ -1,57 +1,59 @@ { - "Document": { - "spdxVersion": "SPDX-2.1", - "dataLicense": "CC0-1.0", - "name": "Sample_Document-V2.1", - "SPDXID": "SPDXRef-DOCUMENT", - "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", - "creationInfo": { - "creators": [ - "Organization: SPDX" + "spdxVersion": "SPDX-2.1", + "dataLicense": "CC0-1.0", + "name": "Sample_Document-V2.1", + "SPDXID": "SPDXRef-DOCUMENT", + "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "creationInfo": { + "creators": [ + "Organization: SPDX" + ], + "created": "2021-11-15T00:00:00Z", + "licenseListVersion": "3.6" + }, + "documentDescribes": [ + "SPDXRef-Package" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package", + "name": "some/path", + "downloadLocation": "NOASSERTION", + "copyrightText": "Some copyrught", + "packageVerificationCode": { + "packageVerificationCodeValue": "SOME code" + }, + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "SOME-SHA1" + } + ], + "licenseDeclared": "NOASSERTION", + "licenseConcluded": "NOASSERTION", + "licenseInfoFromFiles": [ + "LGPL-2.1-or-later" ], - "created": "2021-11-15T00:00:00Z", - "licenseListVersion": "3.6" - }, - "documentDescribes": [ - { - "Package": { - "SPDXID": "SPDXRef-Package", - "name": "some/path", - "downloadLocation": "NOASSERTION", - "copyrightText": "Some copyrught", - "packageVerificationCode": { - "packageVerificationCodeValue": "SOME code" - }, - "checksums": [ - { - "algorithm": "SHA1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseDeclared": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "files": [ - { - "File": { - "name": "./some/path/tofile", - "SPDXID": "SPDXRef-File", - "checksums": [ - { - "algorithm": "SHA1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseConcluded": "NOASSERTION", - "copyrightText": "NOASSERTION", - "licenseInfoFromFiles": ["LGPL-2.1-or-later"], - "sha1": "SOME-SHA1" - } - } - ], - "licenseInfoFromFiles": ["LGPL-2.1-or-later"], - "sha1": "SOME-SHA1" + "hasFiles": [ + "SPDXRef-File" + ] + } + ], + "files": [ + { + "SPDXID": "SPDXRef-File", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "SOME-SHA1" } - } - ] - } -} + ], + "licenseConcluded": "NOASSERTION", + "copyrightText": "NOASSERTION", + "fileName": "./some/path/tofile", + "licenseInfoInFiles": [ + "LGPL-2.1-or-later" + ] + } + ] +} \ No newline at end of file diff --git a/tests/data/doc_write/json-simple-plus.new.json b/tests/data/doc_write/json-simple-plus.new.json deleted file mode 100644 index a67c6e324..000000000 --- a/tests/data/doc_write/json-simple-plus.new.json +++ /dev/null @@ -1,59 +0,0 @@ -{ - "spdxVersion": "SPDX-2.1", - "dataLicense": "CC0-1.0", - "name": "Sample_Document-V2.1", - "SPDXID": "SPDXRef-DOCUMENT", - "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", - "creationInfo": { - "creators": [ - "Organization: SPDX" - ], - "created": "2021-11-15T00:00:00Z", - "licenseListVersion": "3.6" - }, - "documentDescribes": [ - "SPDXRef-Package" - ], - "packages": [ - { - "SPDXID": "SPDXRef-Package", - "name": "some/path", - "downloadLocation": "NOASSERTION", - "copyrightText": "Some copyrught", - "packageVerificationCode": { - "packageVerificationCodeValue": "SOME code" - }, - "checksums": [ - { - "algorithm": "SHA1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseDeclared": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseInfoFromFiles": [ - "LGPL-2.1-or-later" - ], - "hasFiles": [ - "SPDXRef-File" - ] - } - ], - "files": [ - { - "SPDXID": "SPDXRef-File", - "checksums": [ - { - "algorithm": "SHA1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseConcluded": "NOASSERTION", - "copyrightText": "NOASSERTION", - "fileName": "./some/path/tofile", - "licenseInfoInFiles": [ - "LGPL-2.1-or-later" - ] - } - ] -} \ No newline at end of file diff --git a/tests/data/doc_write/json-simple.json b/tests/data/doc_write/json-simple.json index 619821b40..187895621 100644 --- a/tests/data/doc_write/json-simple.json +++ b/tests/data/doc_write/json-simple.json @@ -1,57 +1,59 @@ { - "Document": { - "spdxVersion": "SPDX-2.1", - "dataLicense": "CC0-1.0", - "name": "Sample_Document-V2.1", - "SPDXID": "SPDXRef-DOCUMENT", - "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", - "creationInfo": { - "creators": [ - "Organization: SPDX" + "spdxVersion": "SPDX-2.1", + "dataLicense": "CC0-1.0", + "name": "Sample_Document-V2.1", + "SPDXID": "SPDXRef-DOCUMENT", + "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "creationInfo": { + "creators": [ + "Organization: SPDX" + ], + "created": "2021-11-15T00:00:00Z", + "licenseListVersion": "3.6" + }, + "documentDescribes": [ + "SPDXRef-Package" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package", + "name": "some/path", + "downloadLocation": "NOASSERTION", + "copyrightText": "Some copyrught", + "packageVerificationCode": { + "packageVerificationCodeValue": "SOME code" + }, + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "SOME-SHA1" + } + ], + "licenseDeclared": "NOASSERTION", + "licenseConcluded": "NOASSERTION", + "licenseInfoFromFiles": [ + "LGPL-2.1-only" ], - "created": "2021-11-15T00:00:00Z", - "licenseListVersion": "3.6" - }, - "documentDescribes": [ - { - "Package": { - "SPDXID": "SPDXRef-Package", - "name": "some/path", - "downloadLocation": "NOASSERTION", - "copyrightText": "Some copyrught", - "packageVerificationCode": { - "packageVerificationCodeValue": "SOME code" - }, - "checksums": [ - { - "algorithm": "SHA1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseDeclared": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "files": [ - { - "File": { - "name": "./some/path/tofile", - "SPDXID": "SPDXRef-File", - "checksums": [ - { - "algorithm": "SHA1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseConcluded": "NOASSERTION", - "copyrightText": "NOASSERTION", - "licenseInfoFromFiles": ["LGPL-2.1-only"], - "sha1": "SOME-SHA1" - } - } - ], - "licenseInfoFromFiles": ["LGPL-2.1-only"], - "sha1": "SOME-SHA1" + "hasFiles": [ + "SPDXRef-File" + ] + } + ], + "files": [ + { + "SPDXID": "SPDXRef-File", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "SOME-SHA1" } - } - ] - } -} + ], + "licenseConcluded": "NOASSERTION", + "copyrightText": "NOASSERTION", + "fileName": "./some/path/tofile", + "licenseInfoInFiles": [ + "LGPL-2.1-only" + ] + } + ] +} \ No newline at end of file diff --git a/tests/data/doc_write/json-simple.new.json b/tests/data/doc_write/json-simple.new.json deleted file mode 100644 index 187895621..000000000 --- a/tests/data/doc_write/json-simple.new.json +++ /dev/null @@ -1,59 +0,0 @@ -{ - "spdxVersion": "SPDX-2.1", - "dataLicense": "CC0-1.0", - "name": "Sample_Document-V2.1", - "SPDXID": "SPDXRef-DOCUMENT", - "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", - "creationInfo": { - "creators": [ - "Organization: SPDX" - ], - "created": "2021-11-15T00:00:00Z", - "licenseListVersion": "3.6" - }, - "documentDescribes": [ - "SPDXRef-Package" - ], - "packages": [ - { - "SPDXID": "SPDXRef-Package", - "name": "some/path", - "downloadLocation": "NOASSERTION", - "copyrightText": "Some copyrught", - "packageVerificationCode": { - "packageVerificationCodeValue": "SOME code" - }, - "checksums": [ - { - "algorithm": "SHA1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseDeclared": "NOASSERTION", - "licenseConcluded": "NOASSERTION", - "licenseInfoFromFiles": [ - "LGPL-2.1-only" - ], - "hasFiles": [ - "SPDXRef-File" - ] - } - ], - "files": [ - { - "SPDXID": "SPDXRef-File", - "checksums": [ - { - "algorithm": "SHA1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseConcluded": "NOASSERTION", - "copyrightText": "NOASSERTION", - "fileName": "./some/path/tofile", - "licenseInfoInFiles": [ - "LGPL-2.1-only" - ] - } - ] -} \ No newline at end of file diff --git a/tests/data/doc_write/yaml-simple-plus.new.yaml b/tests/data/doc_write/yaml-simple-plus.new.yaml deleted file mode 100644 index 1c20a50c4..000000000 --- a/tests/data/doc_write/yaml-simple-plus.new.yaml +++ /dev/null @@ -1,38 +0,0 @@ -SPDXID: SPDXRef-DOCUMENT -creationInfo: - created: '2021-11-15T00:00:00Z' - creators: - - 'Organization: SPDX' - licenseListVersion: '3.6' -dataLicense: CC0-1.0 -documentDescribes: -- SPDXRef-Package -documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 -files: -- SPDXID: SPDXRef-File - checksums: - - algorithm: SHA1 - checksumValue: SOME-SHA1 - copyrightText: NOASSERTION - fileName: ./some/path/tofile - licenseConcluded: NOASSERTION - licenseInfoInFiles: - - LGPL-2.1-or-later -name: Sample_Document-V2.1 -packages: -- SPDXID: SPDXRef-Package - checksums: - - algorithm: SHA1 - checksumValue: SOME-SHA1 - copyrightText: Some copyrught - downloadLocation: NOASSERTION - hasFiles: - - SPDXRef-File - licenseConcluded: NOASSERTION - licenseDeclared: NOASSERTION - licenseInfoFromFiles: - - LGPL-2.1-or-later - name: some/path - packageVerificationCode: - packageVerificationCodeValue: SOME code -spdxVersion: SPDX-2.1 diff --git a/tests/data/doc_write/yaml-simple-plus.yaml b/tests/data/doc_write/yaml-simple-plus.yaml index 2a58e6d40..1c20a50c4 100644 --- a/tests/data/doc_write/yaml-simple-plus.yaml +++ b/tests/data/doc_write/yaml-simple-plus.yaml @@ -1,42 +1,38 @@ ---- -Document: - spdxVersion: "SPDX-2.1" - dataLicense: "CC0-1.0" - name: "Sample_Document-V2.1" - SPDXID: "SPDXRef-DOCUMENT" - documentNamespace: "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301" - creationInfo: { - "creators": [ - "Organization: SPDX" - ], - "created": "2021-11-15T00:00:00Z", - "licenseListVersion": "3.6" - } - documentDescribes: - - Package: - SPDXID: "SPDXRef-Package" - name: "some/path" - downloadLocation: "NOASSERTION" - copyrightText: "Some copyrught" - packageVerificationCode: - packageVerificationCodeValue: "SOME code" - checksums: - - algorithm: "SHA1" - checksumValue: "SOME-SHA1" - licenseDeclared: "NOASSERTION" - licenseConcluded: "NOASSERTION" - files: - - File: - name: "./some/path/tofile" - SPDXID: "SPDXRef-File" - checksums: - - algorithm: "SHA1" - checksumValue: "SOME-SHA1" - licenseConcluded: "NOASSERTION" - copyrightText: "NOASSERTION" - licenseInfoFromFiles: - - "LGPL-2.1-or-later" - sha1: "SOME-SHA1" - licenseInfoFromFiles: - - "LGPL-2.1-or-later" - sha1: "SOME-SHA1" +SPDXID: SPDXRef-DOCUMENT +creationInfo: + created: '2021-11-15T00:00:00Z' + creators: + - 'Organization: SPDX' + licenseListVersion: '3.6' +dataLicense: CC0-1.0 +documentDescribes: +- SPDXRef-Package +documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 +files: +- SPDXID: SPDXRef-File + checksums: + - algorithm: SHA1 + checksumValue: SOME-SHA1 + copyrightText: NOASSERTION + fileName: ./some/path/tofile + licenseConcluded: NOASSERTION + licenseInfoInFiles: + - LGPL-2.1-or-later +name: Sample_Document-V2.1 +packages: +- SPDXID: SPDXRef-Package + checksums: + - algorithm: SHA1 + checksumValue: SOME-SHA1 + copyrightText: Some copyrught + downloadLocation: NOASSERTION + hasFiles: + - SPDXRef-File + licenseConcluded: NOASSERTION + licenseDeclared: NOASSERTION + licenseInfoFromFiles: + - LGPL-2.1-or-later + name: some/path + packageVerificationCode: + packageVerificationCodeValue: SOME code +spdxVersion: SPDX-2.1 diff --git a/tests/data/doc_write/yaml-simple.new.yaml b/tests/data/doc_write/yaml-simple.new.yaml deleted file mode 100644 index 9cbdc783c..000000000 --- a/tests/data/doc_write/yaml-simple.new.yaml +++ /dev/null @@ -1,38 +0,0 @@ -SPDXID: SPDXRef-DOCUMENT -creationInfo: - created: '2021-11-15T00:00:00Z' - creators: - - 'Organization: SPDX' - licenseListVersion: '3.6' -dataLicense: CC0-1.0 -documentDescribes: -- SPDXRef-Package -documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 -files: -- SPDXID: SPDXRef-File - checksums: - - algorithm: SHA1 - checksumValue: SOME-SHA1 - copyrightText: NOASSERTION - fileName: ./some/path/tofile - licenseConcluded: NOASSERTION - licenseInfoInFiles: - - LGPL-2.1-only -name: Sample_Document-V2.1 -packages: -- SPDXID: SPDXRef-Package - checksums: - - algorithm: SHA1 - checksumValue: SOME-SHA1 - copyrightText: Some copyrught - downloadLocation: NOASSERTION - hasFiles: - - SPDXRef-File - licenseConcluded: NOASSERTION - licenseDeclared: NOASSERTION - licenseInfoFromFiles: - - LGPL-2.1-only - name: some/path - packageVerificationCode: - packageVerificationCodeValue: SOME code -spdxVersion: SPDX-2.1 diff --git a/tests/data/doc_write/yaml-simple.yaml b/tests/data/doc_write/yaml-simple.yaml index 449a2cc15..9cbdc783c 100644 --- a/tests/data/doc_write/yaml-simple.yaml +++ b/tests/data/doc_write/yaml-simple.yaml @@ -1,42 +1,38 @@ ---- -Document: - spdxVersion: "SPDX-2.1" - dataLicense: "CC0-1.0" - name: "Sample_Document-V2.1" - SPDXID: "SPDXRef-DOCUMENT" - documentNamespace: "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301" - creationInfo: { - "creators": [ - "Organization: SPDX" - ], - "created": "2021-11-15T00:00:00Z", - "licenseListVersion": "3.6" - } - documentDescribes: - - Package: - SPDXID: "SPDXRef-Package" - name: "some/path" - downloadLocation: "NOASSERTION" - copyrightText: "Some copyrught" - packageVerificationCode: - packageVerificationCodeValue: "SOME code" - checksums: - - algorithm: "SHA1" - checksumValue: "SOME-SHA1" - licenseDeclared: "NOASSERTION" - licenseConcluded: "NOASSERTION" - files: - - File: - name: "./some/path/tofile" - SPDXID: "SPDXRef-File" - checksums: - - algorithm: "SHA1" - checksumValue: "SOME-SHA1" - licenseConcluded: "NOASSERTION" - copyrightText: "NOASSERTION" - licenseInfoFromFiles: - - "LGPL-2.1-only" - sha1: "SOME-SHA1" - licenseInfoFromFiles: - - "LGPL-2.1-only" - sha1: "SOME-SHA1" +SPDXID: SPDXRef-DOCUMENT +creationInfo: + created: '2021-11-15T00:00:00Z' + creators: + - 'Organization: SPDX' + licenseListVersion: '3.6' +dataLicense: CC0-1.0 +documentDescribes: +- SPDXRef-Package +documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 +files: +- SPDXID: SPDXRef-File + checksums: + - algorithm: SHA1 + checksumValue: SOME-SHA1 + copyrightText: NOASSERTION + fileName: ./some/path/tofile + licenseConcluded: NOASSERTION + licenseInfoInFiles: + - LGPL-2.1-only +name: Sample_Document-V2.1 +packages: +- SPDXID: SPDXRef-Package + checksums: + - algorithm: SHA1 + checksumValue: SOME-SHA1 + copyrightText: Some copyrught + downloadLocation: NOASSERTION + hasFiles: + - SPDXRef-File + licenseConcluded: NOASSERTION + licenseDeclared: NOASSERTION + licenseInfoFromFiles: + - LGPL-2.1-only + name: some/path + packageVerificationCode: + packageVerificationCodeValue: SOME code +spdxVersion: SPDX-2.1 diff --git a/tests/test_document.py b/tests/test_document.py index d2f699dde..f6518485b 100644 --- a/tests/test_document.py +++ b/tests/test_document.py @@ -344,7 +344,7 @@ def test_write_document_json_with_validate(self): write_document(doc, output, validate=True) expected_file = utils_test.get_test_loc( - 'doc_write/json-simple.new.json', + 'doc_write/json-simple.json', test_data_dir=utils_test.test_data_dir) utils_test.check_json_scan(expected_file, result_file, regen=False) @@ -364,7 +364,7 @@ def test_write_document_json_with_or_later_with_validate(self): write_document(doc, output, validate=True) expected_file = utils_test.get_test_loc( - 'doc_write/json-simple-plus.new.json', + 'doc_write/json-simple-plus.json', test_data_dir=utils_test.test_data_dir) utils_test.check_json_scan(expected_file, result_file, regen=False) @@ -406,7 +406,7 @@ def test_write_document_yaml_with_validate(self): write_document(doc, output, validate=True) expected_file = utils_test.get_test_loc( - 'doc_write/yaml-simple.new.yaml', + 'doc_write/yaml-simple.yaml', test_data_dir=utils_test.test_data_dir) utils_test.check_yaml_scan(expected_file, result_file, regen=False) @@ -426,7 +426,7 @@ def test_write_document_yaml_with_or_later_with_validate(self): write_document(doc, output, validate=True) expected_file = utils_test.get_test_loc( - 'doc_write/yaml-simple-plus.new.yaml', + 'doc_write/yaml-simple-plus.yaml', test_data_dir=utils_test.test_data_dir) utils_test.check_yaml_scan(expected_file, result_file, regen=False) From 6ce0cbaa24fc33aef41120fde500ea85e37faea4 Mon Sep 17 00:00:00 2001 From: Meret Behrens Date: Tue, 25 Oct 2022 12:30:22 +0200 Subject: [PATCH 03/10] [issue-184] delete surrounding document-Tag from XML leads to failing tests caused by jsonyamlxml writer since json and yaml expect surrounding document Signed-off-by: Meret Behrens --- data/SPDXXmlExample.xml | 2 - spdx/parsers/xmlparser.py | 2 +- spdx/writers/jsonyamlxml.py | 2 +- spdx/writers/xml.py | 2 +- .../doc_write/json-simple-multi-package.json | 184 +++++++++--------- .../doc_write/xml-simple-multi-package.xml | 154 ++++++++------- tests/data/doc_write/xml-simple-plus.xml | 4 +- tests/data/doc_write/xml-simple.xml | 6 +- .../doc_write/yaml-simple-multi-package.yaml | 116 ++++++----- tests/data/formats/SPDXXmlExample.xml | 2 - tests/utils_test.py | 4 +- 11 files changed, 232 insertions(+), 246 deletions(-) diff --git a/data/SPDXXmlExample.xml b/data/SPDXXmlExample.xml index 9707b9832..98ee4d544 100644 --- a/data/SPDXXmlExample.xml +++ b/data/SPDXXmlExample.xml @@ -1,5 +1,4 @@ - This is a sample spreadsheet Sample_Document-V2.1 @@ -261,4 +260,3 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. CONTAINS - \ No newline at end of file diff --git a/spdx/parsers/xmlparser.py b/spdx/parsers/xmlparser.py index 3fed3cdb7..3880c9985 100644 --- a/spdx/parsers/xmlparser.py +++ b/spdx/parsers/xmlparser.py @@ -50,7 +50,7 @@ def parse(self, file): file.read(), strip_whitespace=False, encoding="utf-8" ) fixed_object = self._set_in_list(parsed_xml, self.LIST_LIKE_FIELDS) - self.document_object = fixed_object.get("SpdxDocument").get("Document") + self.document_object = fixed_object.get("Document") return super(Parser, self).parse() def _set_in_list(self, data, keys): diff --git a/spdx/writers/jsonyamlxml.py b/spdx/writers/jsonyamlxml.py index 4cc3bde25..cc6fd9d0e 100644 --- a/spdx/writers/jsonyamlxml.py +++ b/spdx/writers/jsonyamlxml.py @@ -513,7 +513,7 @@ def create_document(self): if self.document.relationships: self.document_object["relationships"] = self.create_relationship_info() - return {"Document": self.document_object} + return self.document_object def flatten_document(document_object): diff --git a/spdx/writers/xml.py b/spdx/writers/xml.py index 9e4cb9b09..684f7ea7d 100644 --- a/spdx/writers/xml.py +++ b/spdx/writers/xml.py @@ -38,6 +38,6 @@ def write_document(document, out, validate=True): raise InvalidDocumentError(messages) writer = XMLWriter(document) - document_object = {"SpdxDocument": writer.create_document()} + document_object = {"Document": writer.create_document()} xmltodict.unparse(document_object, out, encoding="utf-8", pretty=True) diff --git a/tests/data/doc_write/json-simple-multi-package.json b/tests/data/doc_write/json-simple-multi-package.json index 9785bd3ab..6d0f72f9e 100644 --- a/tests/data/doc_write/json-simple-multi-package.json +++ b/tests/data/doc_write/json-simple-multi-package.json @@ -1,98 +1,96 @@ { - "Document": { - "spdxVersion": "SPDX-2.1", - "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", - "creationInfo": { - "creators": [ - "Tool: ScanCode" - ], - "created": "2021-10-21T17:09:37Z", - "licenseListVersion": "3.6" + "spdxVersion": "SPDX-2.1", + "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "creationInfo": { + "creators": [ + "Tool: ScanCode" + ], + "created": "2021-10-21T17:09:37Z", + "licenseListVersion": "3.6" + }, + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "Sample_Document-V2.1", + "documentDescribes": [ + { + "Package": { + "SPDXID": "SPDXRef-Package1", + "name": "some/path1", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "Some copyright" + } }, - "dataLicense": "CC0-1.0", - "SPDXID": "SPDXRef-DOCUMENT", - "name": "Sample_Document-V2.1", - "documentDescribes": [ - { - "Package": { - "SPDXID": "SPDXRef-Package1", - "name": "some/path1", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "Some copyright" - } - }, - { - "Package": { - "SPDXID": "SPDXRef-Package2", - "name": "some/path2", - "downloadLocation": "NOASSERTION", - "packageVerificationCode": { - "packageVerificationCodeValue": "SOME code" - }, - "licenseInfoFromFiles": [ - "LGPL-2.1-or-later" - ], - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "Some copyright", - "files": [ - { - "File": { - "name": "./some/path/tofile", - "SPDXID": "SPDXRef-File", - "checksums": [ - { - "algorithm": "checksumAlgorithm_sha1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseConcluded": "NOASSERTION", - "licenseInfoFromFiles": [ - "LGPL-2.1-or-later" - ], - "copyrightText": "NOASSERTION", - "sha1": "SOME-SHA1" - } + { + "Package": { + "SPDXID": "SPDXRef-Package2", + "name": "some/path2", + "downloadLocation": "NOASSERTION", + "packageVerificationCode": { + "packageVerificationCodeValue": "SOME code" + }, + "licenseInfoFromFiles": [ + "LGPL-2.1-or-later" + ], + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "Some copyright", + "files": [ + { + "File": { + "name": "./some/path/tofile", + "SPDXID": "SPDXRef-File", + "checksums": [ + { + "algorithm": "checksumAlgorithm_sha1", + "checksumValue": "SOME-SHA1" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoFromFiles": [ + "LGPL-2.1-or-later" + ], + "copyrightText": "NOASSERTION", + "sha1": "SOME-SHA1" } - ] - } - }, - { - "Package": { - "SPDXID": "SPDXRef-Package3", - "name": "some/path3", - "downloadLocation": "NOASSERTION", - "licenseInfoFromFiles": [ - "LGPL-2.1-or-later" - ], - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "Some copyright", - "files": [ - { - "File": { - "name": "./some/path/tofile", - "SPDXID": "SPDXRef-File", - "checksums": [ - { - "algorithm": "checksumAlgorithm_sha1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseConcluded": "NOASSERTION", - "licenseInfoFromFiles": [ - "LGPL-2.1-or-later" - ], - "copyrightText": "NOASSERTION", - "sha1": "SOME-SHA1" - } + } + ] + } + }, + { + "Package": { + "SPDXID": "SPDXRef-Package3", + "name": "some/path3", + "downloadLocation": "NOASSERTION", + "licenseInfoFromFiles": [ + "LGPL-2.1-or-later" + ], + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "Some copyright", + "files": [ + { + "File": { + "name": "./some/path/tofile", + "SPDXID": "SPDXRef-File", + "checksums": [ + { + "algorithm": "checksumAlgorithm_sha1", + "checksumValue": "SOME-SHA1" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoFromFiles": [ + "LGPL-2.1-or-later" + ], + "copyrightText": "NOASSERTION", + "sha1": "SOME-SHA1" } - ] - } + } + ] } - ] - } -} \ No newline at end of file + } + ] + } \ No newline at end of file diff --git a/tests/data/doc_write/xml-simple-multi-package.xml b/tests/data/doc_write/xml-simple-multi-package.xml index eadaba0fc..6e62a8e65 100644 --- a/tests/data/doc_write/xml-simple-multi-package.xml +++ b/tests/data/doc_write/xml-simple-multi-package.xml @@ -1,79 +1,77 @@ - - - SPDX-2.1 - https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 - - Tool: ScanCode - 2021-10-21T17:02:23Z - 3.6 - - CC0-1.0 - SPDXRef-DOCUMENT - Sample_Document-V2.1 - - - SPDXRef-Package1 - some/path1 - NOASSERTION - false - NOASSERTION - NOASSERTION - Some copyright - - - - - SPDXRef-Package2 - some/path2 - NOASSERTION - - SOME code - - LGPL-2.1-or-later - NOASSERTION - NOASSERTION - Some copyright - - - ./some/path/tofile - SPDXRef-File - - checksumAlgorithm_sha1 - SOME-SHA1 - - NOASSERTION - LGPL-2.1-or-later - NOASSERTION - SOME-SHA1 - - - - - - - SPDXRef-Package3 - some/path3 - NOASSERTION - LGPL-2.1-or-later - NOASSERTION - NOASSERTION - Some copyright - - - ./some/path/tofile - SPDXRef-File - - checksumAlgorithm_sha1 - SOME-SHA1 - - NOASSERTION - LGPL-2.1-or-later - NOASSERTION - SOME-SHA1 - - - - - - \ No newline at end of file + + SPDX-2.1 + https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 + + Tool: ScanCode + 2021-10-21T17:02:23Z + 3.6 + + CC0-1.0 + SPDXRef-DOCUMENT + Sample_Document-V2.1 + + + SPDXRef-Package1 + some/path1 + NOASSERTION + false + NOASSERTION + NOASSERTION + Some copyright + + + + + SPDXRef-Package2 + some/path2 + NOASSERTION + + SOME code + + LGPL-2.1-or-later + NOASSERTION + NOASSERTION + Some copyright + + + ./some/path/tofile + SPDXRef-File + + checksumAlgorithm_sha1 + SOME-SHA1 + + NOASSERTION + LGPL-2.1-or-later + NOASSERTION + SOME-SHA1 + + + + + + + SPDXRef-Package3 + some/path3 + NOASSERTION + LGPL-2.1-or-later + NOASSERTION + NOASSERTION + Some copyright + + + ./some/path/tofile + SPDXRef-File + + checksumAlgorithm_sha1 + SOME-SHA1 + + NOASSERTION + LGPL-2.1-or-later + NOASSERTION + SOME-SHA1 + + + + + \ No newline at end of file diff --git a/tests/data/doc_write/xml-simple-plus.xml b/tests/data/doc_write/xml-simple-plus.xml index b69c29f79..9be2ca994 100644 --- a/tests/data/doc_write/xml-simple-plus.xml +++ b/tests/data/doc_write/xml-simple-plus.xml @@ -1,5 +1,4 @@ - SPDX-2.1 CC0-1.0 @@ -39,5 +38,4 @@ SOME-SHA1 - - \ No newline at end of file + \ No newline at end of file diff --git a/tests/data/doc_write/xml-simple.xml b/tests/data/doc_write/xml-simple.xml index 2eb292fe8..15b8bdc90 100644 --- a/tests/data/doc_write/xml-simple.xml +++ b/tests/data/doc_write/xml-simple.xml @@ -1,6 +1,5 @@ - - + SPDX-2.1 CC0-1.0 Sample_Document-V2.1 @@ -39,5 +38,4 @@ SOME-SHA1 - - \ No newline at end of file + \ No newline at end of file diff --git a/tests/data/doc_write/yaml-simple-multi-package.yaml b/tests/data/doc_write/yaml-simple-multi-package.yaml index d7c4b134e..5f9ee90e7 100644 --- a/tests/data/doc_write/yaml-simple-multi-package.yaml +++ b/tests/data/doc_write/yaml-simple-multi-package.yaml @@ -1,65 +1,63 @@ ---- -Document: - SPDXID: SPDXRef-DOCUMENT - creationInfo: - created: '2021-10-21T16:46:56Z' - creators: - - 'Tool: ScanCode' - licenseListVersion: '3.6' - dataLicense: CC0-1.0 - documentDescribes: - - Package: - SPDXID: SPDXRef-Package1 - copyrightText: Some copyright - downloadLocation: NOASSERTION - filesAnalyzed: false +SPDXID: SPDXRef-DOCUMENT +creationInfo: +created: '2021-10-21T16:46:56Z' +creators: +- 'Tool: ScanCode' +licenseListVersion: '3.6' +dataLicense: CC0-1.0 +documentDescribes: +- Package: + SPDXID: SPDXRef-Package1 + copyrightText: Some copyright + downloadLocation: NOASSERTION + filesAnalyzed: false + licenseConcluded: NOASSERTION + licenseDeclared: NOASSERTION + name: some/path1 +- Package: + SPDXID: SPDXRef-Package2 + copyrightText: Some copyright + downloadLocation: NOASSERTION + files: + - File: + SPDXID: SPDXRef-File + checksums: + - algorithm: checksumAlgorithm_sha1 + checksumValue: SOME-SHA1 + copyrightText: NOASSERTION licenseConcluded: NOASSERTION - licenseDeclared: NOASSERTION - name: some/path1 - - Package: - SPDXID: SPDXRef-Package2 - copyrightText: Some copyright - downloadLocation: NOASSERTION - files: - - File: - SPDXID: SPDXRef-File - checksums: - - algorithm: checksumAlgorithm_sha1 - checksumValue: SOME-SHA1 - copyrightText: NOASSERTION - licenseConcluded: NOASSERTION - licenseInfoFromFiles: - - LGPL-2.1-or-later - name: ./some/path/tofile - sha1: SOME-SHA1 - licenseConcluded: NOASSERTION - licenseDeclared: NOASSERTION licenseInfoFromFiles: - LGPL-2.1-or-later - name: some/path2 - packageVerificationCode: - packageVerificationCodeValue: SOME code - - Package: - SPDXID: SPDXRef-Package3 - copyrightText: Some copyright - downloadLocation: NOASSERTION - files: - - File: - SPDXID: SPDXRef-File - checksums: - - algorithm: checksumAlgorithm_sha1 - checksumValue: SOME-SHA1 - copyrightText: NOASSERTION - licenseConcluded: NOASSERTION - licenseInfoFromFiles: - - LGPL-2.1-or-later - name: ./some/path/tofile - sha1: SOME-SHA1 + name: ./some/path/tofile + sha1: SOME-SHA1 + licenseConcluded: NOASSERTION + licenseDeclared: NOASSERTION + licenseInfoFromFiles: + - LGPL-2.1-or-later + name: some/path2 + packageVerificationCode: + packageVerificationCodeValue: SOME code +- Package: + SPDXID: SPDXRef-Package3 + copyrightText: Some copyright + downloadLocation: NOASSERTION + files: + - File: + SPDXID: SPDXRef-File + checksums: + - algorithm: checksumAlgorithm_sha1 + checksumValue: SOME-SHA1 + copyrightText: NOASSERTION licenseConcluded: NOASSERTION - licenseDeclared: NOASSERTION licenseInfoFromFiles: - LGPL-2.1-or-later - name: some/path3 - documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 - name: Sample_Document-V2.1 - spdxVersion: SPDX-2.1 + name: ./some/path/tofile + sha1: SOME-SHA1 + licenseConcluded: NOASSERTION + licenseDeclared: NOASSERTION + licenseInfoFromFiles: + - LGPL-2.1-or-later + name: some/path3 +documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 +name: Sample_Document-V2.1 +spdxVersion: SPDX-2.1 diff --git a/tests/data/formats/SPDXXmlExample.xml b/tests/data/formats/SPDXXmlExample.xml index 1c557b281..2f9d82750 100644 --- a/tests/data/formats/SPDXXmlExample.xml +++ b/tests/data/formats/SPDXXmlExample.xml @@ -1,5 +1,4 @@ - This is a sample spreadsheet Sample_Document-V2.1 @@ -261,4 +260,3 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. CONTAINS - \ No newline at end of file diff --git a/tests/utils_test.py b/tests/utils_test.py index 876b57000..dd9482a03 100644 --- a/tests/utils_test.py +++ b/tests/utils_test.py @@ -238,8 +238,8 @@ def load_and_clean_xml(location): content = l.read() data = xmltodict.parse(content, encoding='utf-8') - if 'creationInfo' in data['SpdxDocument']['Document']: - del(data['SpdxDocument']['Document']['creationInfo']) + if 'creationInfo' in data['Document']: + del(data['Document']['creationInfo']) return sort_nested(data) From c8ed87d1d90dd1dfc602fbcb0291fd6b1ce9a69e Mon Sep 17 00:00:00 2001 From: Meret Behrens Date: Tue, 25 Oct 2022 11:52:52 +0200 Subject: [PATCH 04/10] [issue-184] add describes relationship to write_tv test This leads to the failure of tests caused by the jsonyamlxml writer. Signed-off-by: Meret Behrens --- tests/data/doc_write/tv-simple-plus.tv | 2 ++ tests/data/doc_write/tv-simple.tv | 2 ++ tests/data/doc_write/xml-simple-plus.xml | 6 ++++++ tests/data/doc_write/xml-simple.xml | 5 +++++ tests/test_document.py | 10 ++++++++++ 5 files changed, 25 insertions(+) diff --git a/tests/data/doc_write/tv-simple-plus.tv b/tests/data/doc_write/tv-simple-plus.tv index b4c54b347..10bd317eb 100644 --- a/tests/data/doc_write/tv-simple-plus.tv +++ b/tests/data/doc_write/tv-simple-plus.tv @@ -5,6 +5,8 @@ DocumentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0 DocumentName: Sample_Document-V2.1 SPDXID: SPDXRef-DOCUMENT # Creation Info +# Relationships +Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package # Package PackageName: some/path SPDXID: SPDXRef-Package diff --git a/tests/data/doc_write/tv-simple.tv b/tests/data/doc_write/tv-simple.tv index 7a4383b45..3613e7fe9 100644 --- a/tests/data/doc_write/tv-simple.tv +++ b/tests/data/doc_write/tv-simple.tv @@ -5,6 +5,8 @@ DocumentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0 DocumentName: Sample_Document-V2.1 SPDXID: SPDXRef-DOCUMENT # Creation Info +# Relationships +Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package # Package PackageName: some/path SPDXID: SPDXRef-Package diff --git a/tests/data/doc_write/xml-simple-plus.xml b/tests/data/doc_write/xml-simple-plus.xml index 9be2ca994..6784858f8 100644 --- a/tests/data/doc_write/xml-simple-plus.xml +++ b/tests/data/doc_write/xml-simple-plus.xml @@ -38,4 +38,10 @@ SOME-SHA1 + + SPDXRef-DOCUMENT + SPDXRef-Package + DESCRIBES + + \ No newline at end of file diff --git a/tests/data/doc_write/xml-simple.xml b/tests/data/doc_write/xml-simple.xml index 15b8bdc90..187803886 100644 --- a/tests/data/doc_write/xml-simple.xml +++ b/tests/data/doc_write/xml-simple.xml @@ -38,4 +38,9 @@ SOME-SHA1 + + SPDXRef-DOCUMENT + SPDXRef-Package + DESCRIBES + \ No newline at end of file diff --git a/tests/test_document.py b/tests/test_document.py index f6518485b..0047eecba 100644 --- a/tests/test_document.py +++ b/tests/test_document.py @@ -22,6 +22,7 @@ from spdx.file import File from spdx.package import Package from spdx.parsers.loggers import ErrorMessages +from spdx.relationship import Relationship from spdx.utils import NoAssert from spdx.version import Version @@ -191,6 +192,8 @@ def _get_lgpl_doc(self, or_later=False): package.add_lics_from_file(lic1) package.add_file(file1) + relationship = doc.spdx_id + " " + "DESCRIBES" + " " + package.spdx_id + doc.add_relationships(Relationship(relationship)) return doc def _get_lgpl_multi_package_doc(self, or_later=False): @@ -246,6 +249,13 @@ def _get_lgpl_multi_package_doc(self, or_later=False): doc.add_package(package2) doc.add_package(package3) + relationship = doc.spdx_id + " " + "DESCRIBES" + " " + package1.spdx_id + doc.add_relationships(Relationship(relationship)) + relationship = doc.spdx_id + " " + "DESCRIBES" + " " + package2.spdx_id + doc.add_relationships(Relationship(relationship)) + relationship = doc.spdx_id + " " + "DESCRIBES" + " " + package3.spdx_id + doc.add_relationships(Relationship(relationship)) + return doc def test_write_document_rdf_with_validate(self): From 945e4e1988e38bb4c88d24b79843e6654115698a Mon Sep 17 00:00:00 2001 From: Meret Behrens Date: Tue, 25 Oct 2022 14:53:47 +0200 Subject: [PATCH 05/10] [issue-184] update jsonyamlxml parser and writer to validate against spec 2.2 Signed-off-by: Meret Behrens --- spdx/package.py | 4 + spdx/parsers/jsonyamlxml.py | 46 +++-- spdx/parsers/xmlparser.py | 4 + spdx/writers/json.py | 4 +- spdx/writers/jsonyamlxml.py | 151 +++++++-------- spdx/writers/yaml.py | 4 +- .../doc_write/json-simple-multi-package.json | 179 +++++++++--------- .../doc_write/xml-simple-multi-package.xml | 142 +++++++------- tests/data/doc_write/xml-simple-plus.xml | 28 ++- tests/data/doc_write/xml-simple.xml | 80 ++++---- .../doc_write/yaml-simple-multi-package.yaml | 108 +++++------ 11 files changed, 365 insertions(+), 385 deletions(-) diff --git a/spdx/package.py b/spdx/package.py index f881a01ab..944826357 100644 --- a/spdx/package.py +++ b/spdx/package.py @@ -288,6 +288,10 @@ def validate_checksum(self, messages): messages.append( "Package checksum must be instance of spdx.checksum.Algorithm" ) + elif not self.check_sum.identifier == "SHA1": + messages.append( + "First checksum in package must be SHA1." + ) return messages diff --git a/spdx/parsers/jsonyamlxml.py b/spdx/parsers/jsonyamlxml.py index a684e27f9..291aefbed 100644 --- a/spdx/parsers/jsonyamlxml.py +++ b/spdx/parsers/jsonyamlxml.py @@ -1495,36 +1495,34 @@ def parse_pkg_chksum(self, pkg_chksum): self.value_error("PKG_CHECKSUM", pkg_chksum) -def unflatten_document(document): +def flatten_document(document): """ - Inverse of spdx.writers.jsonyamlxml.flatten_document + Flatten document to match current data model. File objects are nested within packages according to hasFiles-tag. """ files_by_id = {} if "files" in document: - for f in document.pop("files"): + for f in document.get("files"): f["name"] = f.pop("fileName") # XXX must downstream rely on "sha1" property? for checksum in f["checksums"]: - if checksum["algorithm"] == "SHA1": + if checksum["algorithm"] == "SHA1" or "sha1" in checksum["algorithm"]: f["sha1"] = checksum["checksumValue"] break if "licenseInfoInFiles" in f: f["licenseInfoFromFiles"] = f.pop("licenseInfoInFiles") files_by_id[f["SPDXID"]] = f - - packages = document.pop("packages") - for package in packages: - if "hasFiles" in package: - package["files"] = [{ - "File": files_by_id[spdxid]} for spdxid in package["hasFiles"] - ] - # XXX must downstream rely on "sha1" property? - for checksum in package.get("checksums", []): - if checksum["algorithm"] == "SHA1": - package["sha1"] = checksum["checksumValue"] - break - - document["documentDescribes"] = [{ "Package": package} for package in packages ] + if "packages" in document: + packages = document.get("packages") + for package in packages: + if "hasFiles" in package: + package["files"] = [{ + "File": files_by_id[spdxid.split("#")[-1]]} for spdxid in package["hasFiles"] + ] + # XXX must downstream rely on "sha1" property? + for checksum in package.get("checksums", []): + if checksum["algorithm"] == "SHA1" or "sha1" in checksum["algorithm"]: + package["sha1"] = checksum["checksumValue"] + break return document @@ -1545,7 +1543,7 @@ def __init__(self, builder, logger): def json_yaml_set_document(self, data): # we could verify that the spdxVersion >= 2.2, but we try to be resilient in parsing if data.get("spdxVersion"): - self.document_object = unflatten_document(data) + self.document_object = data return self.document_object = data.get("Document") @@ -1555,6 +1553,7 @@ def parse(self): """ self.error = False self.document = document.Document() + self.document_object = flatten_document(self.document_object) if not isinstance(self.document_object, dict): self.logger.log("Empty or not valid SPDX Document") self.error = True @@ -1580,7 +1579,8 @@ def parse(self): self.parse_packages(self.document_object.get("packages")) - self.parse_doc_described_objects(self.document_object.get("documentDescribes")) + if self.document_object.get("documentDescribes"): + self.parse_doc_described_objects(self.document_object.get("documentDescribes")) validation_messages = ErrorMessages() # Report extra errors if self.error is False otherwise there will be @@ -1693,11 +1693,17 @@ def parse_doc_described_objects(self, doc_described_objects): and described.get("File") is not None, doc_described_objects, ) + relationships = filter( + lambda described: isinstance(described, str), doc_described_objects + ) # At the moment, only single-package documents are supported, so just the last package will be stored. for package in packages: self.parse_package(package.get("Package")) for file in files: self.parse_file(file.get("File")) + for relationship in relationships: + self.parse_relationship(self.document.spdx_id, "DESCRIBES", relationship) + return True else: self.value_error("DOC_DESCRIBES", doc_described_objects) diff --git a/spdx/parsers/xmlparser.py b/spdx/parsers/xmlparser.py index 3880c9985..ea9ea557f 100644 --- a/spdx/parsers/xmlparser.py +++ b/spdx/parsers/xmlparser.py @@ -37,12 +37,16 @@ def __init__(self, builder, logger): "reviewers", "fileTypes", "licenseInfoFromFiles", + "licenseInfoInFiles", "artifactOf", "fileContributors", "fileDependencies", "excludedFilesNames", "files", "documentDescribes", + "packages", + "checksums", + "hasFiles" } def parse(self, file): diff --git a/spdx/writers/json.py b/spdx/writers/json.py index a587a650b..0177cd104 100644 --- a/spdx/writers/json.py +++ b/spdx/writers/json.py @@ -12,7 +12,7 @@ import json from spdx.writers.tagvalue import InvalidDocumentError -from spdx.writers.jsonyamlxml import JsonYamlWriter +from spdx.writers.jsonyamlxml import Writer from spdx.parsers.loggers import ErrorMessages @@ -24,6 +24,6 @@ def write_document(document, out, validate=True): if messages: raise InvalidDocumentError(messages) - writer = JsonYamlWriter(document) + writer = Writer(document) document_object = writer.create_document() json.dump(document_object, out, indent=4) diff --git a/spdx/writers/jsonyamlxml.py b/spdx/writers/jsonyamlxml.py index cc6fd9d0e..d8a8b3519 100644 --- a/spdx/writers/jsonyamlxml.py +++ b/spdx/writers/jsonyamlxml.py @@ -149,8 +149,6 @@ def create_package_info(self, package): if package.has_optional_field("check_sum"): package_object["checksums"] = [self.checksum(checksum) for checksum in package.checksums if checksum] - assert package.check_sum.identifier == "SHA1", "First checksum must be SHA1" - package_object["sha1"] = package.check_sum.value if package.has_optional_field("description"): package_object["description"] = package.description @@ -161,7 +159,14 @@ def create_package_info(self, package): if package.has_optional_field("homepage"): package_object["homepage"] = package.homepage.__str__() - return package_object + files_in_package = [] + if package.has_optional_field("files"): + package_object["hasFiles"] = [] + for file in package.files: + package_object["hasFiles"].append(file.spdx_id) + files_in_package.append(self.create_file_info(file)) + + return package_object, files_in_package class FileWriter(BaseWriter): @@ -187,66 +192,61 @@ def create_artifact_info(self, file): return artifact_of_objects - def create_file_info(self, package): + def create_file_info(self, file): file_types = { 1: "fileType_source", 2: "fileType_binary", 3: "fileType_archive", 4: "fileType_other", } - file_objects = [] - files = package.files - for file in files: - file_object = dict() + file_object = dict() - file_object["name"] = file.name - file_object["SPDXID"] = self.spdx_id(file.spdx_id) - file_object["checksums"] = [self.checksum(checksum) for checksum in file.checksums if checksum] - file_object["licenseConcluded"] = self.license(file.conc_lics) - file_object["licenseInfoFromFiles"] = list( - map(self.license, file.licenses_in_file) - ) - file_object["copyrightText"] = file.copyright.__str__() + file_object["fileName"] = file.name + file_object["SPDXID"] = self.spdx_id(file.spdx_id) + file_object["checksums"] = [self.checksum(file.chk_sum)] + file_object["licenseConcluded"] = self.license(file.conc_lics) + file_object["licenseInfoInFiles"] = list( + map(self.license, file.licenses_in_file) + ) + file_object["copyrightText"] = file.copyright.__str__() + # assert file.chk_sum.identifier == "SHA1", "First checksum must be SHA1" + # file_object["sha1"] = file.chk_sum.value - assert file.chk_sum.identifier == "SHA1", "First checksum must be SHA1" - file_object["sha1"] = file.chk_sum.value - if file.has_optional_field("comment"): - file_object["comment"] = file.comment + if file.has_optional_field("comment"): + file_object["comment"] = file.comment - if file.has_optional_field("type"): - file_object["fileTypes"] = [file_types.get(file.type)] + if file.has_optional_field("type"): + file_object["fileTypes"] = [file_types.get(file.type)] - if file.has_optional_field("license_comment"): - file_object["licenseComments"] = file.license_comment + if file.has_optional_field("license_comment"): + file_object["licenseComments"] = file.license_comment - if file.has_optional_field("attribution_text"): - file_object["attributionTexts"] = [file.attribution_text] + if file.has_optional_field("attribution_text"): + file_object["attributionTexts"] = [file.attribution_text] - if file.has_optional_field("notice"): - file_object["noticeText"] = file.notice + if file.has_optional_field("notice"): + file_object["noticeText"] = file.notice - if file.contributors: - file_object["fileContributors"] = file.contributors.__str__() + if file.contributors: + file_object["fileContributors"] = file.contributors.__str__() - if file.dependencies: - file_object["fileDependencies"] = file.dependencies + if file.dependencies: + file_object["fileDependencies"] = file.dependencies - valid_artifacts = ( + valid_artifacts = ( file.artifact_of_project_name and len(file.artifact_of_project_name) == len(file.artifact_of_project_home) and len(file.artifact_of_project_home) == len(file.artifact_of_project_uri) - ) - - if valid_artifacts: - file_object["artifactOf"] = self.create_artifact_info(file) + ) - file_objects.append({"File": file_object}) + if valid_artifacts: + file_object["artifactOf"] = self.create_artifact_info(file) - return file_objects + return file_object class ReviewInfoWriter(BaseWriter): @@ -315,6 +315,10 @@ def create_relationship_info(self): relationship_objects = [] for relationship_term in self.document.relationships: + if relationship_term.relationshiptype == "DESCRIBES": + continue + if relationship_term.relationshiptype == "CONTAINS": + continue relationship_object = dict() relationship_object["spdxElementId"] = relationship_term.spdxelementid relationship_object[ @@ -468,6 +472,21 @@ def create_ext_document_references(self): return ext_document_reference_objects + def create_document_describes(self): + """ + Create list of SPDXID that have a + """ + described_relationships = [] + remove_rel = [] + for relationship in self.document.relationships: + if relationship.relationshiptype == "DESCRIBES": + described_relationships.append(relationship.relatedspdxelement) + if not relationship.has_comment: + remove_rel.append(relationship.relatedspdxelement) + self.document.relationships = [rel for rel in self.document.relationships if rel.relatedspdxelement not in remove_rel] + return described_relationships + + def create_document(self): self.document_object = dict() @@ -478,15 +497,18 @@ def create_document(self): self.document_object["SPDXID"] = self.spdx_id(self.document.spdx_id) self.document_object["name"] = self.document.name + described_relationships = self.create_document_describes() + if described_relationships: + self.document_object["documentDescribes"] = described_relationships + package_objects = [] + file_objects = [] for package in self.document.packages: - package_info_object = self.create_package_info(package) - # SPDX 2.2 says to omit if filesAnalyzed = False - if package.files: - package_info_object["files"] = self.create_file_info(package) - package_objects.append({"Package": package_info_object}) - - self.document_object["documentDescribes"] = package_objects + package_info_object, files_in_package = self.create_package_info(package) + package_objects.append(package_info_object) + file_objects.extend(files_in_package) + self.document_object["packages"] = package_objects + self.document_object["files"] = file_objects if self.document.has_comment: self.document_object["comment"] = self.document.comment @@ -516,43 +538,8 @@ def create_document(self): return self.document_object -def flatten_document(document_object): - """ - Move nested Package -> Files to top level to conform with schema. - """ - - document = document_object["Document"] - - # replace documentDescribes with SPDXID references - package_objects = document["documentDescribes"] - - document["documentDescribes"] = [package["Package"]["SPDXID"] for package in package_objects] - - document["packages"] = [package["Package"] for package in package_objects] - - file_objects = [] - - for package_info_object in document.get("packages", []): - if not "files" in package_info_object: - continue - if "sha1" in package_info_object: - del package_info_object["sha1"] - package_info_object["hasFiles"] = [file_object["File"]["SPDXID"] for file_object in package_info_object["files"]] - file_objects.extend(file_object["File"] for file_object in package_info_object.pop("files")) - - for file_object in file_objects: - file_object["fileName"] = file_object.pop("name") - if "licenseInfoFromFiles" in file_object: - file_object["licenseInfoInFiles"] = file_object.pop("licenseInfoFromFiles") - del file_object["sha1"] - - document["files"] = file_objects - - return document - - class JsonYamlWriter(Writer): def create_document(self): document_object = super().create_document() - return flatten_document(document_object) + return document_object diff --git a/spdx/writers/yaml.py b/spdx/writers/yaml.py index 6fd0135e6..24600d8a7 100644 --- a/spdx/writers/yaml.py +++ b/spdx/writers/yaml.py @@ -12,7 +12,7 @@ import yaml from spdx.writers.tagvalue import InvalidDocumentError -from spdx.writers.jsonyamlxml import JsonYamlWriter +from spdx.writers.jsonyamlxml import Writer from spdx.parsers.loggers import ErrorMessages @@ -24,7 +24,7 @@ def write_document(document, out, validate=True): if messages: raise InvalidDocumentError(messages) - writer = JsonYamlWriter(document) + writer = Writer(document) document_object = writer.create_document() yaml.safe_dump(document_object, out, indent=2, explicit_start=True) diff --git a/tests/data/doc_write/json-simple-multi-package.json b/tests/data/doc_write/json-simple-multi-package.json index 6d0f72f9e..794e3c33d 100644 --- a/tests/data/doc_write/json-simple-multi-package.json +++ b/tests/data/doc_write/json-simple-multi-package.json @@ -1,96 +1,93 @@ { - "spdxVersion": "SPDX-2.1", - "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", - "creationInfo": { - "creators": [ - "Tool: ScanCode" - ], - "created": "2021-10-21T17:09:37Z", - "licenseListVersion": "3.6" + "spdxVersion": "SPDX-2.1", + "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "creationInfo": { + "creators": [ + "Tool: ScanCode" + ], + "created": "2021-10-21T17:09:37Z", + "licenseListVersion": "3.6" + }, + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "Sample_Document-V2.1", + "documentDescribes": [ + "SPDXRef-Package1", + "SPDXRef-Package2", + "SPDXRef-Package3" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package1", + "name": "some/path1", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "Some copyright" }, - "dataLicense": "CC0-1.0", - "SPDXID": "SPDXRef-DOCUMENT", - "name": "Sample_Document-V2.1", - "documentDescribes": [ - { - "Package": { - "SPDXID": "SPDXRef-Package1", - "name": "some/path1", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "Some copyright" - } - }, + { + "SPDXID": "SPDXRef-Package2", + "name": "some/path2", + "downloadLocation": "NOASSERTION", + "packageVerificationCode": { + "packageVerificationCodeValue": "SOME code" + }, + "licenseInfoFromFiles": [ + "LGPL-2.1-or-later" + ], + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "Some copyright", + "hasFiles": [ + "SPDXRef-File" + ] + }, + { + "SPDXID": "SPDXRef-Package3", + "name": "some/path3", + "downloadLocation": "NOASSERTION", + "licenseInfoFromFiles": [ + "LGPL-2.1-or-later" + ], + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "Some copyright", + "hasFiles": [ + "SPDXRef-File" + ] + } + ], + "files": [ + { + "fileName": "./some/path/tofile", + "SPDXID": "SPDXRef-File", + "checksums": [ { - "Package": { - "SPDXID": "SPDXRef-Package2", - "name": "some/path2", - "downloadLocation": "NOASSERTION", - "packageVerificationCode": { - "packageVerificationCodeValue": "SOME code" - }, - "licenseInfoFromFiles": [ - "LGPL-2.1-or-later" - ], - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "Some copyright", - "files": [ - { - "File": { - "name": "./some/path/tofile", - "SPDXID": "SPDXRef-File", - "checksums": [ - { - "algorithm": "checksumAlgorithm_sha1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseConcluded": "NOASSERTION", - "licenseInfoFromFiles": [ - "LGPL-2.1-or-later" - ], - "copyrightText": "NOASSERTION", - "sha1": "SOME-SHA1" - } - } - ] - } - }, + "algorithm": "SHA1", + "checksumValue": "SOME-SHA1" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "LGPL-2.1-or-later" + ], + "copyrightText": "NOASSERTION" + }, + { + "fileName": "./some/path/tofile", + "SPDXID": "SPDXRef-File", + "checksums": [ { - "Package": { - "SPDXID": "SPDXRef-Package3", - "name": "some/path3", - "downloadLocation": "NOASSERTION", - "licenseInfoFromFiles": [ - "LGPL-2.1-or-later" - ], - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "Some copyright", - "files": [ - { - "File": { - "name": "./some/path/tofile", - "SPDXID": "SPDXRef-File", - "checksums": [ - { - "algorithm": "checksumAlgorithm_sha1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseConcluded": "NOASSERTION", - "licenseInfoFromFiles": [ - "LGPL-2.1-or-later" - ], - "copyrightText": "NOASSERTION", - "sha1": "SOME-SHA1" - } - } - ] - } + "algorithm": "SHA1", + "checksumValue": "SOME-SHA1" } - ] - } \ No newline at end of file + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "LGPL-2.1-or-later" + ], + "copyrightText": "NOASSERTION" + } + ] +} diff --git a/tests/data/doc_write/xml-simple-multi-package.xml b/tests/data/doc_write/xml-simple-multi-package.xml index 6e62a8e65..70f2e7a68 100644 --- a/tests/data/doc_write/xml-simple-multi-package.xml +++ b/tests/data/doc_write/xml-simple-multi-package.xml @@ -1,77 +1,71 @@ - SPDX-2.1 - https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 - - Tool: ScanCode - 2021-10-21T17:02:23Z - 3.6 - - CC0-1.0 - SPDXRef-DOCUMENT - Sample_Document-V2.1 - - - SPDXRef-Package1 - some/path1 - NOASSERTION - false - NOASSERTION - NOASSERTION - Some copyright - - - - - SPDXRef-Package2 - some/path2 - NOASSERTION - - SOME code - - LGPL-2.1-or-later - NOASSERTION - NOASSERTION - Some copyright - - - ./some/path/tofile - SPDXRef-File - - checksumAlgorithm_sha1 - SOME-SHA1 - - NOASSERTION - LGPL-2.1-or-later - NOASSERTION - SOME-SHA1 - - - - - - - SPDXRef-Package3 - some/path3 - NOASSERTION - LGPL-2.1-or-later - NOASSERTION - NOASSERTION - Some copyright - - - ./some/path/tofile - SPDXRef-File - - checksumAlgorithm_sha1 - SOME-SHA1 - - NOASSERTION - LGPL-2.1-or-later - NOASSERTION - SOME-SHA1 - - - - + SPDX-2.1 + https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 + + Tool: ScanCode + 2021-10-21T17:02:23Z + 3.6 + + CC0-1.0 + SPDXRef-DOCUMENT + Sample_Document-V2.1 + SPDXRef-Package1 + SPDXRef-Package2 + SPDXRef-Package3 + + SPDXRef-Package1 + some/path1 + NOASSERTION + false + NOASSERTION + NOASSERTION + Some copyright + + + SPDXRef-Package2 + some/path2 + NOASSERTION + + SOME code + + LGPL-2.1-or-later + NOASSERTION + NOASSERTION + Some copyright + SPDXRef-File + + + SPDXRef-Package3 + some/path3 + NOASSERTION + LGPL-2.1-or-later + NOASSERTION + NOASSERTION + Some copyright + SPDXRef-File + + + ./some/path/tofile + SPDXRef-File + + checksumAlgorithm_sha1 + SOME-SHA1 + + NOASSERTION + LGPL-2.1-or-later + NOASSERTION + + + ./some/path/tofile + SPDXRef-File + + checksumAlgorithm_sha1 + SOME-SHA1 + + NOASSERTION + LGPL-2.1-or-later + NOASSERTION + + \ No newline at end of file diff --git a/tests/data/doc_write/xml-simple-plus.xml b/tests/data/doc_write/xml-simple-plus.xml index 6784858f8..44cf607d9 100644 --- a/tests/data/doc_write/xml-simple-plus.xml +++ b/tests/data/doc_write/xml-simple-plus.xml @@ -1,12 +1,13 @@ + SPDX-2.1 CC0-1.0 Sample_Document-V2.1 SPDXRef-DOCUMENT https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 - - + SPDXRef-Package + SPDXRef-Package some/path NOASSERTION @@ -20,9 +21,13 @@ NOASSERTION NOASSERTION + LGPL-2.1-or-later + + SPDXRef-File + - - ./some/path/tofile + + ./some/path/tofile SPDXRef-File SOME-SHA1 @@ -30,18 +35,9 @@ NOASSERTION NOASSERTION - LGPL-2.1-or-later - SOME-SHA1 - + LGPL-2.1-or-later + - LGPL-2.1-or-later - SOME-SHA1 - - - - SPDXRef-DOCUMENT - SPDXRef-Package - DESCRIBES - + \ No newline at end of file diff --git a/tests/data/doc_write/xml-simple.xml b/tests/data/doc_write/xml-simple.xml index 187803886..54d79c95c 100644 --- a/tests/data/doc_write/xml-simple.xml +++ b/tests/data/doc_write/xml-simple.xml @@ -1,46 +1,38 @@ - SPDX-2.1 - CC0-1.0 - Sample_Document-V2.1 - SPDXRef-DOCUMENT - https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 - - - SPDXRef-Package - some/path - NOASSERTION - Some copyrught - - SOME code - - - SOME-SHA1 - checksumAlgorithm_sha1 - - NOASSERTION - NOASSERTION - - - ./some/path/tofile - SPDXRef-File - - SOME-SHA1 - checksumAlgorithm_sha1 - - NOASSERTION - NOASSERTION - LGPL-2.1-only - SOME-SHA1 - - - LGPL-2.1-only - SOME-SHA1 - - - - SPDXRef-DOCUMENT - SPDXRef-Package - DESCRIBES - - \ No newline at end of file + SPDX-2.1 + CC0-1.0 + Sample_Document-V2.1 + SPDXRef-DOCUMENT + https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 + SPDXRef-Package + + SPDXRef-Package + some/path + NOASSERTION + Some copyrught + + SOME code + + + SOME-SHA1 + checksumAlgorithm_sha1 + + NOASSERTION + NOASSERTION + + LGPL-2.1-only + SPDXRef-File + + + ./some/path/tofile + SPDXRef-File + + SOME-SHA1 + checksumAlgorithm_sha1 + + NOASSERTION + NOASSERTION + LGPL-2.1-only + + \ No newline at end of file diff --git a/tests/data/doc_write/yaml-simple-multi-package.yaml b/tests/data/doc_write/yaml-simple-multi-package.yaml index 5f9ee90e7..e5a057833 100644 --- a/tests/data/doc_write/yaml-simple-multi-package.yaml +++ b/tests/data/doc_write/yaml-simple-multi-package.yaml @@ -1,63 +1,63 @@ SPDXID: SPDXRef-DOCUMENT creationInfo: -created: '2021-10-21T16:46:56Z' -creators: -- 'Tool: ScanCode' -licenseListVersion: '3.6' + created: '2021-10-21T16:46:56Z' + creators: + - 'Tool: ScanCode' + licenseListVersion: '3.6' dataLicense: CC0-1.0 documentDescribes: -- Package: - SPDXID: SPDXRef-Package1 - copyrightText: Some copyright - downloadLocation: NOASSERTION - filesAnalyzed: false - licenseConcluded: NOASSERTION - licenseDeclared: NOASSERTION - name: some/path1 -- Package: - SPDXID: SPDXRef-Package2 - copyrightText: Some copyright - downloadLocation: NOASSERTION - files: - - File: - SPDXID: SPDXRef-File - checksums: - - algorithm: checksumAlgorithm_sha1 - checksumValue: SOME-SHA1 - copyrightText: NOASSERTION - licenseConcluded: NOASSERTION - licenseInfoFromFiles: + - SPDXRef-Package1 + - SPDXRef-Package2 + - SPDXRef-Package3 +packages: + - SPDXID: SPDXRef-Package1 + copyrightText: Some copyright + downloadLocation: NOASSERTION + filesAnalyzed: false + licenseConcluded: NOASSERTION + licenseDeclared: NOASSERTION + name: some/path1 + - SPDXID: SPDXRef-Package2 + copyrightText: Some copyright + downloadLocation: NOASSERTION + hasFiles: + - SPDXRef-File + licenseConcluded: NOASSERTION + licenseDeclared: NOASSERTION + licenseInfoFromFiles: - LGPL-2.1-or-later - name: ./some/path/tofile - sha1: SOME-SHA1 - licenseConcluded: NOASSERTION - licenseDeclared: NOASSERTION - licenseInfoFromFiles: - - LGPL-2.1-or-later - name: some/path2 - packageVerificationCode: - packageVerificationCodeValue: SOME code -- Package: - SPDXID: SPDXRef-Package3 - copyrightText: Some copyright - downloadLocation: NOASSERTION - files: - - File: - SPDXID: SPDXRef-File - checksums: - - algorithm: checksumAlgorithm_sha1 - checksumValue: SOME-SHA1 - copyrightText: NOASSERTION - licenseConcluded: NOASSERTION - licenseInfoFromFiles: + name: some/path2 + packageVerificationCode: + packageVerificationCodeValue: SOME code + - SPDXID: SPDXRef-Package3 + copyrightText: Some copyright + downloadLocation: NOASSERTION + hasFiles: + - SPDXRef-File + licenseConcluded: NOASSERTION + licenseDeclared: NOASSERTION + licenseInfoFromFiles: - LGPL-2.1-or-later - name: ./some/path/tofile - sha1: SOME-SHA1 - licenseConcluded: NOASSERTION - licenseDeclared: NOASSERTION - licenseInfoFromFiles: - - LGPL-2.1-or-later - name: some/path3 + name: some/path3 documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 name: Sample_Document-V2.1 spdxVersion: SPDX-2.1 +files: + - SPDXID: SPDXRef-File + checksums: + - algorithm: SHA1 + checksumValue: SOME-SHA1 + copyrightText: NOASSERTION + licenseConcluded: NOASSERTION + licenseInfoInFiles: + - LGPL-2.1-or-later + fileName: ./some/path/tofile + - SPDXID: SPDXRef-File + checksums: + - algorithm: SHA1 + checksumValue: SOME-SHA1 + copyrightText: NOASSERTION + licenseConcluded: NOASSERTION + licenseInfoInFiles: + - LGPL-2.1-or-later + fileName: ./some/path/tofile \ No newline at end of file From 8924acff1b6e2c12e26f8217345400e9ee583646 Mon Sep 17 00:00:00 2001 From: Meret Behrens Date: Wed, 26 Oct 2022 09:15:18 +0200 Subject: [PATCH 06/10] [issue-184] change LicenseFromFiles in files to LicenseInFiles according to spec Signed-off-by: Meret Behrens --- data/SPDXJsonExample.json | 4 ++-- data/SPDXXmlExample.xml | 4 ++-- data/SPDXYamlExample.yaml | 4 ++-- spdx/parsers/jsonyamlxml.py | 4 +--- tests/data/doc_parse/expected.json | 4 ++-- tests/data/doc_parse/spdx-expected.json | 4 ++-- tests/data/formats/SPDXJsonExample.json | 4 ++-- tests/data/formats/SPDXXmlExample.xml | 4 ++-- tests/data/formats/SPDXYamlExample.yaml | 4 ++-- tests/utils_test.py | 2 +- 10 files changed, 18 insertions(+), 20 deletions(-) diff --git a/data/SPDXJsonExample.json b/data/SPDXJsonExample.json index 6e456d602..8d9b55480 100644 --- a/data/SPDXJsonExample.json +++ b/data/SPDXJsonExample.json @@ -11,7 +11,7 @@ { "File": { "comment": "This file belongs to Jena", - "licenseInfoFromFiles": [ + "licenseInfoInFiles": [ "LicenseRef-1" ], "sha1": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", @@ -40,7 +40,7 @@ }, { "File": { - "licenseInfoFromFiles": [ + "licenseInfoInFiles": [ "Apache-2.0" ], "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", diff --git a/data/SPDXXmlExample.xml b/data/SPDXXmlExample.xml index 98ee4d544..bf3ee1bc0 100644 --- a/data/SPDXXmlExample.xml +++ b/data/SPDXXmlExample.xml @@ -9,7 +9,7 @@ The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually. - Apache-2.0 + Apache-2.0 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 src/org/spdx/parser/DOAPProject.java Copyright 2010, 2011 Source Auditor Inc. @@ -26,7 +26,7 @@ This file belongs to Jena - LicenseRef-1 + LicenseRef-1 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 Jenna-2.6.3/jena-2.6.3-sources.jar (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP diff --git a/data/SPDXYamlExample.yaml b/data/SPDXYamlExample.yaml index e8a42c8de..ffa1b4fac 100644 --- a/data/SPDXYamlExample.yaml +++ b/data/SPDXYamlExample.yaml @@ -51,7 +51,7 @@ Document: SPDXID: SPDXRef-File1 licenseComments: This license is used by Jena licenseConcluded: LicenseRef-1 - licenseInfoFromFiles: + licenseInfoInFiles: - LicenseRef-1 name: Jenna-2.6.3/jena-2.6.3-sources.jar sha1: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 @@ -64,7 +64,7 @@ Document: - fileType_source SPDXID: SPDXRef-File2 licenseConcluded: Apache-2.0 - licenseInfoFromFiles: + licenseInfoInFiles: - Apache-2.0 name: src/org/spdx/parser/DOAPProject.java sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 diff --git a/spdx/parsers/jsonyamlxml.py b/spdx/parsers/jsonyamlxml.py index 291aefbed..9447d685d 100644 --- a/spdx/parsers/jsonyamlxml.py +++ b/spdx/parsers/jsonyamlxml.py @@ -741,7 +741,7 @@ def parse_file(self, file): self.parse_file_id(file.get("SPDXID")) self.parse_file_types(file.get("fileTypes")) self.parse_file_concluded_license(file.get("licenseConcluded")) - self.parse_file_license_info_from_files(file.get("licenseInfoFromFiles")) + self.parse_file_license_info_from_files(file.get("licenseInfoInFiles")) self.parse_file_license_comments(file.get("licenseComments")) self.parse_file_copyright_text(file.get("copyrightText")) self.parse_file_artifacts(file.get("artifactOf")) @@ -1508,8 +1508,6 @@ def flatten_document(document): if checksum["algorithm"] == "SHA1" or "sha1" in checksum["algorithm"]: f["sha1"] = checksum["checksumValue"] break - if "licenseInfoInFiles" in f: - f["licenseInfoFromFiles"] = f.pop("licenseInfoInFiles") files_by_id[f["SPDXID"]] = f if "packages" in document: packages = document.get("packages") diff --git a/tests/data/doc_parse/expected.json b/tests/data/doc_parse/expected.json index 346de7167..e612356ca 100644 --- a/tests/data/doc_parse/expected.json +++ b/tests/data/doc_parse/expected.json @@ -119,7 +119,7 @@ "identifier": "SHA1", "value": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125" }, - "licenseInfoFromFiles": [ + "licenseInfoInFiles": [ { "type": "Single", "identifier": "LicenseRef-1", @@ -155,7 +155,7 @@ "identifier": "SHA1", "value": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12" }, - "licenseInfoFromFiles": [ + "licenseInfoInFiles": [ { "type": "Single", "identifier": "Apache-2.0", diff --git a/tests/data/doc_parse/spdx-expected.json b/tests/data/doc_parse/spdx-expected.json index 3514bfcc6..33a19ec74 100644 --- a/tests/data/doc_parse/spdx-expected.json +++ b/tests/data/doc_parse/spdx-expected.json @@ -119,7 +119,7 @@ "identifier": "SHA1", "value": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125" }, - "licenseInfoFromFiles": [ + "licenseInfoInFiles": [ { "type": "Single", "identifier": "LicenseRef-1", @@ -153,7 +153,7 @@ "identifier": "SHA1", "value": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12" }, - "licenseInfoFromFiles": [ + "licenseInfoInFiles": [ { "type": "Single", "identifier": "Apache-2.0", diff --git a/tests/data/formats/SPDXJsonExample.json b/tests/data/formats/SPDXJsonExample.json index 0dbce19a4..5e6acbc26 100644 --- a/tests/data/formats/SPDXJsonExample.json +++ b/tests/data/formats/SPDXJsonExample.json @@ -11,7 +11,7 @@ { "File": { "comment": "This file belongs to Jena", - "licenseInfoFromFiles": [ + "licenseInfoInFiles": [ "LicenseRef-1" ], "sha1": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", @@ -40,7 +40,7 @@ }, { "File": { - "licenseInfoFromFiles": [ + "licenseInfoInFiles": [ "Apache-2.0" ], "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", diff --git a/tests/data/formats/SPDXXmlExample.xml b/tests/data/formats/SPDXXmlExample.xml index 2f9d82750..6ef59388c 100644 --- a/tests/data/formats/SPDXXmlExample.xml +++ b/tests/data/formats/SPDXXmlExample.xml @@ -10,7 +10,7 @@ true - Apache-2.0 + Apache-2.0 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 src/org/spdx/parser/DOAPProject.java Copyright 2010, 2011 Source Auditor Inc. @@ -27,7 +27,7 @@ This file belongs to Jena - LicenseRef-1 + LicenseRef-1 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 Jenna-2.6.3/jena-2.6.3-sources.jar (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP diff --git a/tests/data/formats/SPDXYamlExample.yaml b/tests/data/formats/SPDXYamlExample.yaml index e8a42c8de..ffa1b4fac 100644 --- a/tests/data/formats/SPDXYamlExample.yaml +++ b/tests/data/formats/SPDXYamlExample.yaml @@ -51,7 +51,7 @@ Document: SPDXID: SPDXRef-File1 licenseComments: This license is used by Jena licenseConcluded: LicenseRef-1 - licenseInfoFromFiles: + licenseInfoInFiles: - LicenseRef-1 name: Jenna-2.6.3/jena-2.6.3-sources.jar sha1: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 @@ -64,7 +64,7 @@ Document: - fileType_source SPDXID: SPDXRef-File2 licenseConcluded: Apache-2.0 - licenseInfoFromFiles: + licenseInfoInFiles: - Apache-2.0 name: src/org/spdx/parser/DOAPProject.java sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 diff --git a/tests/utils_test.py b/tests/utils_test.py index dd9482a03..9c3076347 100644 --- a/tests/utils_test.py +++ b/tests/utils_test.py @@ -389,7 +389,7 @@ def files_to_list(cls, files): ('licenseComment', file.license_comment), ('notice', file.notice), ('checksum', cls.checksum_to_dict(file.chk_sum)), - ('licenseInfoFromFiles', [cls.license_to_dict(lic) for lic in lics_from_files]), + ('licenseInfoInFiles', [cls.license_to_dict(lic) for lic in lics_from_files]), ('contributors', [cls.entity_to_dict(contributor) for contributor in contributors]), ('dependencies', sorted(file.dependencies)), ('artifactOfProjectName', file.artifact_of_project_name), From ad131ea233bae409f0b2a66331b7d8d05876dd8e Mon Sep 17 00:00:00 2001 From: Meret Behrens Date: Wed, 26 Oct 2022 09:23:51 +0200 Subject: [PATCH 07/10] [issue-184] change name in files to fileName according to spec Signed-off-by: Meret Behrens --- data/SPDXJsonExample.json | 4 ++-- data/SPDXXmlExample.xml | 4 ++-- data/SPDXYamlExample.yaml | 4 ++-- spdx/parsers/jsonyamlxml.py | 3 +-- tests/data/doc_parse/expected.json | 4 ++-- tests/data/doc_parse/spdx-expected.json | 4 ++-- tests/data/formats/SPDXJsonExample.json | 4 ++-- tests/data/formats/SPDXXmlExample.xml | 4 ++-- tests/data/formats/SPDXYamlExample.yaml | 4 ++-- tests/utils_test.py | 2 +- 10 files changed, 18 insertions(+), 19 deletions(-) diff --git a/data/SPDXJsonExample.json b/data/SPDXJsonExample.json index 8d9b55480..86818c622 100644 --- a/data/SPDXJsonExample.json +++ b/data/SPDXJsonExample.json @@ -15,7 +15,7 @@ "LicenseRef-1" ], "sha1": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", - "name": "Jenna-2.6.3/jena-2.6.3-sources.jar", + "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar", "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", "artifactOf" : [ { @@ -44,7 +44,7 @@ "Apache-2.0" ], "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "name": "src/org/spdx/parser/DOAPProject.java", + "fileName": "src/org/spdx/parser/DOAPProject.java", "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", "licenseConcluded": "Apache-2.0", "checksums": [ diff --git a/data/SPDXXmlExample.xml b/data/SPDXXmlExample.xml index bf3ee1bc0..c17268c71 100644 --- a/data/SPDXXmlExample.xml +++ b/data/SPDXXmlExample.xml @@ -11,7 +11,7 @@ Apache-2.0 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - src/org/spdx/parser/DOAPProject.java + src/org/spdx/parser/DOAPProject.java Copyright 2010, 2011 Source Auditor Inc. Apache-2.0 @@ -28,7 +28,7 @@ This file belongs to Jena LicenseRef-1 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - Jenna-2.6.3/jena-2.6.3-sources.jar + Jenna-2.6.3/jena-2.6.3-sources.jar (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP Jena diff --git a/data/SPDXYamlExample.yaml b/data/SPDXYamlExample.yaml index ffa1b4fac..a07a54f3e 100644 --- a/data/SPDXYamlExample.yaml +++ b/data/SPDXYamlExample.yaml @@ -53,7 +53,7 @@ Document: licenseConcluded: LicenseRef-1 licenseInfoInFiles: - LicenseRef-1 - name: Jenna-2.6.3/jena-2.6.3-sources.jar + fileName: Jenna-2.6.3/jena-2.6.3-sources.jar sha1: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - File: checksums: @@ -66,7 +66,7 @@ Document: licenseConcluded: Apache-2.0 licenseInfoInFiles: - Apache-2.0 - name: src/org/spdx/parser/DOAPProject.java + fileName: src/org/spdx/parser/DOAPProject.java sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 licenseComments: The declared license information can be found in the NOTICE file at the root of the archive file diff --git a/spdx/parsers/jsonyamlxml.py b/spdx/parsers/jsonyamlxml.py index 9447d685d..c1e8f081c 100644 --- a/spdx/parsers/jsonyamlxml.py +++ b/spdx/parsers/jsonyamlxml.py @@ -737,7 +737,7 @@ def parse_file(self, file): - file: Python dict with File Information fields in it """ if isinstance(file, dict): - self.parse_file_name(file.get("name")) + self.parse_file_name(file.get("fileName")) self.parse_file_id(file.get("SPDXID")) self.parse_file_types(file.get("fileTypes")) self.parse_file_concluded_license(file.get("licenseConcluded")) @@ -1502,7 +1502,6 @@ def flatten_document(document): files_by_id = {} if "files" in document: for f in document.get("files"): - f["name"] = f.pop("fileName") # XXX must downstream rely on "sha1" property? for checksum in f["checksums"]: if checksum["algorithm"] == "SHA1" or "sha1" in checksum["algorithm"]: diff --git a/tests/data/doc_parse/expected.json b/tests/data/doc_parse/expected.json index e612356ca..163a9c2cb 100644 --- a/tests/data/doc_parse/expected.json +++ b/tests/data/doc_parse/expected.json @@ -104,7 +104,7 @@ "files": [ { "id": "SPDXRef-File1", - "name": "Jenna-2.6.3/jena-2.6.3-sources.jar", + "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar", "type": 3, "comment": "This file belongs to Jena", "licenseConcluded": { @@ -140,7 +140,7 @@ }, { "id": "SPDXRef-File2", - "name": "src/org/spdx/parser/DOAPProject.java", + "fileName": "src/org/spdx/parser/DOAPProject.java", "type": 1, "comment": null, "licenseConcluded": { diff --git a/tests/data/doc_parse/spdx-expected.json b/tests/data/doc_parse/spdx-expected.json index 33a19ec74..9ef23d0aa 100644 --- a/tests/data/doc_parse/spdx-expected.json +++ b/tests/data/doc_parse/spdx-expected.json @@ -104,7 +104,7 @@ "files": [ { "id": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#SPDXRef-File1", - "name": "Jenna-2.6.3/jena-2.6.3-sources.jar", + "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar", "type": 3, "comment": "This file belongs to Jena", "licenseConcluded": { @@ -138,7 +138,7 @@ }, { "id": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#SPDXRef-File2", - "name": "src/org/spdx/parser/DOAPProject.java", + "fileName": "src/org/spdx/parser/DOAPProject.java", "type": 1, "comment": null, "licenseConcluded": { diff --git a/tests/data/formats/SPDXJsonExample.json b/tests/data/formats/SPDXJsonExample.json index 5e6acbc26..5b8b67648 100644 --- a/tests/data/formats/SPDXJsonExample.json +++ b/tests/data/formats/SPDXJsonExample.json @@ -15,7 +15,7 @@ "LicenseRef-1" ], "sha1": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", - "name": "Jenna-2.6.3/jena-2.6.3-sources.jar", + "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar", "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", "artifactOf" : [ { @@ -44,7 +44,7 @@ "Apache-2.0" ], "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "name": "src/org/spdx/parser/DOAPProject.java", + "fileName": "src/org/spdx/parser/DOAPProject.java", "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", "licenseConcluded": "Apache-2.0", "checksums": [ diff --git a/tests/data/formats/SPDXXmlExample.xml b/tests/data/formats/SPDXXmlExample.xml index 6ef59388c..f96e4dc32 100644 --- a/tests/data/formats/SPDXXmlExample.xml +++ b/tests/data/formats/SPDXXmlExample.xml @@ -12,7 +12,7 @@ Apache-2.0 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - src/org/spdx/parser/DOAPProject.java + src/org/spdx/parser/DOAPProject.java Copyright 2010, 2011 Source Auditor Inc. Apache-2.0 @@ -29,7 +29,7 @@ This file belongs to Jena LicenseRef-1 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - Jenna-2.6.3/jena-2.6.3-sources.jar + Jenna-2.6.3/jena-2.6.3-sources.jar (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP Jena diff --git a/tests/data/formats/SPDXYamlExample.yaml b/tests/data/formats/SPDXYamlExample.yaml index ffa1b4fac..a07a54f3e 100644 --- a/tests/data/formats/SPDXYamlExample.yaml +++ b/tests/data/formats/SPDXYamlExample.yaml @@ -53,7 +53,7 @@ Document: licenseConcluded: LicenseRef-1 licenseInfoInFiles: - LicenseRef-1 - name: Jenna-2.6.3/jena-2.6.3-sources.jar + fileName: Jenna-2.6.3/jena-2.6.3-sources.jar sha1: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - File: checksums: @@ -66,7 +66,7 @@ Document: licenseConcluded: Apache-2.0 licenseInfoInFiles: - Apache-2.0 - name: src/org/spdx/parser/DOAPProject.java + fileName: src/org/spdx/parser/DOAPProject.java sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 licenseComments: The declared license information can be found in the NOTICE file at the root of the archive file diff --git a/tests/utils_test.py b/tests/utils_test.py index 9c3076347..7941b690e 100644 --- a/tests/utils_test.py +++ b/tests/utils_test.py @@ -381,7 +381,7 @@ def files_to_list(cls, files): contributors = sorted(file.contributors, key=lambda c: c.name) file_dict = OrderedDict([ ('id', file.spdx_id), - ('name', file.name), + ('fileName', file.name), ('type', file.type), ('comment', file.comment), ('licenseConcluded', cls.license_to_dict(file.conc_lics)), From cbd0b35a52c0259d9b91beb3d66d40d7fc466bef Mon Sep 17 00:00:00 2001 From: Meret Behrens Date: Wed, 26 Oct 2022 14:41:14 +0200 Subject: [PATCH 08/10] [issue-184] delete objects from documentDescribes in test-files to validate against spec Signed-off-by: Meret Behrens --- data/SPDXJsonExample.json | 395 +++++++++++----------- data/SPDXXmlExample.xml | 178 +++++----- data/SPDXYamlExample.yaml | 212 ++++++------ tests/data/doc_parse/expected.json | 4 +- tests/data/formats/SPDXJsonExample.json | 419 +++++++++++------------- tests/data/formats/SPDXXmlExample.xml | 182 +++++----- tests/data/formats/SPDXYamlExample.yaml | 240 +++++++------- 7 files changed, 806 insertions(+), 824 deletions(-) diff --git a/data/SPDXJsonExample.json b/data/SPDXJsonExample.json index 86818c622..e767ac2ca 100644 --- a/data/SPDXJsonExample.json +++ b/data/SPDXJsonExample.json @@ -1,199 +1,204 @@ { - "Document": { - "comment": "This is a sample spreadsheet", - "name": "Sample_Document-V2.1", - "documentDescribes": [ - { - "Package": { - "SPDXID": "SPDXRef-Package", - "originator": "Organization: SPDX", - "files": [ - { - "File": { - "comment": "This file belongs to Jena", - "licenseInfoInFiles": [ - "LicenseRef-1" - ], - "sha1": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", - "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar", - "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", - "artifactOf" : [ - { - "name" : "Jena", - "homePage" : "http://www.openjena.org/", - "projectUri" : "http://subversion.apache.org/doap.rdf" - } - ], - "licenseConcluded": "LicenseRef-1", - "licenseComments": "This license is used by Jena", - "checksums": [ - { - "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", - "algorithm": "checksumAlgorithm_sha1" - } - ], - "fileTypes": [ - "fileType_archive" - ], - "SPDXID": "SPDXRef-File1" - } - }, - { - "File": { - "licenseInfoInFiles": [ - "Apache-2.0" - ], - "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "fileName": "src/org/spdx/parser/DOAPProject.java", - "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", - "licenseConcluded": "Apache-2.0", - "checksums": [ - { - "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "checksumAlgorithm_sha1" - } - ], - "fileTypes": [ - "fileType_source" - ], - "SPDXID": "SPDXRef-File2" - } - } - ], - "licenseInfoFromFiles": [ - "Apache-1.0", - "LicenseRef-3", - "MPL-1.1", - "LicenseRef-2", - "LicenseRef-4", - "Apache-2.0", - "LicenseRef-1" - ], - "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "name": "SPDX Translator", - "packageFileName": "spdxtranslator-1.0.zip", - "licenseComments": "The declared license information can be found in the NOTICE file at the root of the archive file", - "summary": "SPDX Translator utility", - "sourceInfo": "Version 1.0 of the SPDX Translator application", - "copyrightText": " Copyright 2010, 2011 Source Auditor Inc.", - "packageVerificationCode": { - "packageVerificationCodeValue": "4e3211c67a2d28fced849ee1bb76e7391b93feba", - "packageVerificationCodeExcludedFiles": [ - "SpdxTranslatorSpdx.rdf", - "SpdxTranslatorSpdx.txt" - ] - }, - "licenseConcluded": "(Apache-1.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-3 AND LicenseRef-4 AND Apache-2.0 AND LicenseRef-1)", - "supplier": "Organization: Linux Foundation", - "attributionTexts" : [ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ], - "checksums": [ - { - "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "checksumAlgorithm_sha1" - } - ], - "versionInfo": "Version 0.9.2", - "licenseDeclared": "(LicenseRef-4 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-1)", - "downloadLocation": "http://www.spdx.org/tools", - "description": "This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document." - } - } - ], - "creationInfo": { - "comment": "This is an example of an SPDX spreadsheet format", - "creators": [ - "Tool: SourceAuditor-V1.2", - "Person: Gary O'Neall", - "Organization: Source Auditor Inc." - ], - "licenseListVersion": "3.6", - "created": "2010-02-03T00:00:00Z" - }, - "externalDocumentRefs": [ - { - "checksum": { - "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759", - "algorithm": "checksumAlgorithm_sha1" - }, - "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301", - "externalDocumentId": "DocumentRef-spdx-tool-2.1" - } - ], - "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", - "annotations": [ - { - "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", - "annotationType": "REVIEW", - "SPDXID": "SPDXRef-45", - "annotationDate": "2012-06-13T00:00:00Z", - "annotator": "Person: Jim Reviewer" - } - ], - "relationships" : [ { - "spdxElementId" : "SPDXRef-DOCUMENT", - "relatedSpdxElement" : "SPDXRef-Package", - "relationshipType" : "CONTAINS" - }, { - "spdxElementId" : "SPDXRef-DOCUMENT", - "relatedSpdxElement" : "SPDXRef-File", - "relationshipType" : "DESCRIBES" - }, { - "spdxElementId" : "SPDXRef-DOCUMENT", - "relatedSpdxElement" : "SPDXRef-Package", - "relationshipType" : "DESCRIBES" - } ], - "dataLicense": "CC0-1.0", - "reviewers": [ - { - "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", - "reviewer": "Person: Joe Reviewer", - "reviewDate": "2010-02-10T00:00:00Z" - }, - { - "comment": "Another example reviewer.", - "reviewer": "Person: Suzanne Reviewer", - "reviewDate": "2011-03-13T00:00:00Z" - } - ], - "hasExtractedLicensingInfos": [ - { - "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ", - "licenseId": "LicenseRef-2" - }, - { - "extractedText": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", - "comment": "This is tye CyperNeko License", - "licenseId": "LicenseRef-3", - "name": "CyberNeko License", - "seeAlso": [ - "http://justasample.url.com", - "http://people.apache.org/~andyc/neko/LICENSE" - ] - }, - { - "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */ ", - "licenseId": "LicenseRef-4" - }, - { - "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */", - "licenseId": "LicenseRef-1" - } - ], - "spdxVersion": "SPDX-2.1", - "SPDXID": "SPDXRef-DOCUMENT", - "snippets": [ - { - "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later.", - "name": "from linux kernel", - "copyrightText": "Copyright 2008-2010 John Smith", - "licenseConcluded": "Apache-2.0", - "licenseInfoFromSnippet": [ - "Apache-2.0" - ], - "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.", - "SPDXID": "SPDXRef-Snippet", - "fileId": "SPDXRef-DoapSource" - } + "comment": "This is a sample spreadsheet", + "name": "Sample_Document-V2.1", + "documentDescribes": [ + "SPDXRef-Package" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package", + "originator": "Organization: SPDX", + "hasFiles": [ + "SPDXRef-File1", + "SPDXRef-File2" + ], + "licenseInfoFromFiles": [ + "Apache-1.0", + "LicenseRef-3", + "MPL-1.1", + "LicenseRef-2", + "LicenseRef-4", + "Apache-2.0", + "LicenseRef-1" + ], + "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", + "name": "SPDX Translator", + "packageFileName": "spdxtranslator-1.0.zip", + "licenseComments": "The declared license information can be found in the NOTICE file at the root of the archive file", + "summary": "SPDX Translator utility", + "sourceInfo": "Version 1.0 of the SPDX Translator application", + "copyrightText": " Copyright 2010, 2011 Source Auditor Inc.", + "packageVerificationCode": { + "packageVerificationCodeValue": "4e3211c67a2d28fced849ee1bb76e7391b93feba", + "packageVerificationCodeExcludedFiles": [ + "SpdxTranslatorSpdx.rdf", + "SpdxTranslatorSpdx.txt" ] + }, + "licenseConcluded": "(Apache-1.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-3 AND LicenseRef-4 AND Apache-2.0 AND LicenseRef-1)", + "supplier": "Organization: Linux Foundation", + "attributionTexts": [ + "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." + ], + "checksums": [ + { + "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", + "algorithm": "checksumAlgorithm_sha1" + } + ], + "versionInfo": "Version 0.9.2", + "licenseDeclared": "(LicenseRef-4 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-1)", + "downloadLocation": "http://www.spdx.org/tools", + "description": "This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document." } + ], + "files": [ + { + "comment": "This file belongs to Jena", + "licenseInfoInFiles": [ + "LicenseRef-1" + ], + "sha1": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", + "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar", + "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", + "artifactOf": [ + { + "name": "Jena", + "homePage": "http://www.openjena.org/", + "projectUri": "http://subversion.apache.org/doap.rdf" + } + ], + "licenseConcluded": "LicenseRef-1", + "licenseComments": "This license is used by Jena", + "checksums": [ + { + "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", + "algorithm": "checksumAlgorithm_sha1" + } + ], + "fileTypes": [ + "fileType_archive" + ], + "SPDXID": "SPDXRef-File1" + }, + { + "licenseInfoInFiles": [ + "Apache-2.0" + ], + "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", + "fileName": "src/org/spdx/parser/DOAPProject.java", + "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", + "licenseConcluded": "Apache-2.0", + "checksums": [ + { + "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", + "algorithm": "checksumAlgorithm_sha1" + } + ], + "fileTypes": [ + "fileType_source" + ], + "SPDXID": "SPDXRef-File2" + } + ], + "creationInfo": { + "comment": "This is an example of an SPDX spreadsheet format", + "creators": [ + "Tool: SourceAuditor-V1.2", + "Person: Gary O'Neall", + "Organization: Source Auditor Inc." + ], + "licenseListVersion": "3.6", + "created": "2010-02-03T00:00:00Z" + }, + "externalDocumentRefs": [ + { + "checksum": { + "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759", + "algorithm": "checksumAlgorithm_sha1" + }, + "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301", + "externalDocumentId": "DocumentRef-spdx-tool-2.1" + } + ], + "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "annotations": [ + { + "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", + "annotationType": "REVIEW", + "SPDXID": "SPDXRef-45", + "annotationDate": "2012-06-13T00:00:00Z", + "annotator": "Person: Jim Reviewer" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-Package", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-File", + "relationshipType": "DESCRIBES" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-Package", + "relationshipType": "DESCRIBES" + } + ], + "dataLicense": "CC0-1.0", + "reviewers": [ + { + "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", + "reviewer": "Person: Joe Reviewer", + "reviewDate": "2010-02-10T00:00:00Z" + }, + { + "comment": "Another example reviewer.", + "reviewer": "Person: Suzanne Reviewer", + "reviewDate": "2011-03-13T00:00:00Z" + } + ], + "hasExtractedLicensingInfos": [ + { + "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ", + "licenseId": "LicenseRef-2" + }, + { + "extractedText": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", + "comment": "This is tye CyperNeko License", + "licenseId": "LicenseRef-3", + "name": "CyberNeko License", + "seeAlso": [ + "http://justasample.url.com", + "http://people.apache.org/~andyc/neko/LICENSE" + ] + }, + { + "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */ ", + "licenseId": "LicenseRef-4" + }, + { + "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */", + "licenseId": "LicenseRef-1" + } + ], + "spdxVersion": "SPDX-2.1", + "SPDXID": "SPDXRef-DOCUMENT", + "snippets": [ + { + "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later.", + "name": "from linux kernel", + "copyrightText": "Copyright 2008-2010 John Smith", + "licenseConcluded": "Apache-2.0", + "licenseInfoFromSnippet": [ + "Apache-2.0" + ], + "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.", + "SPDXID": "SPDXRef-Snippet", + "fileId": "SPDXRef-DoapSource" + } + ] } \ No newline at end of file diff --git a/data/SPDXXmlExample.xml b/data/SPDXXmlExample.xml index c17268c71..6b734e7be 100644 --- a/data/SPDXXmlExample.xml +++ b/data/SPDXXmlExample.xml @@ -2,80 +2,43 @@ This is a sample spreadsheet Sample_Document-V2.1 - - - SPDXRef-Package - Organization: SPDX - The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually. - - - Apache-2.0 - 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - src/org/spdx/parser/DOAPProject.java - Copyright 2010, 2011 Source Auditor Inc. - Apache-2.0 - - - 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - checksumAlgorithm_sha1 - - fileType_source - SPDXRef-File2 - - - - - This file belongs to Jena - LicenseRef-1 - 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - Jenna-2.6.3/jena-2.6.3-sources.jar - (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP - - Jena - http://www.openjena.org/ - http://subversion.apache.org/doap.rdf - - LicenseRef-1 - This license is used by Jena - - 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - checksumAlgorithm_sha1 - - fileType_archive - SPDXRef-File1 - - - LicenseRef-3 - LicenseRef-1 - Apache-1.0 - LicenseRef-4 - Apache-2.0 - LicenseRef-2 - MPL-1.1 - 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - SPDX Translator - spdxtranslator-1.0.zip - The declared license information can be found in the NOTICE file at the root of the archive file - SPDX Translator utility - Version 1.0 of the SPDX Translator application - Copyright 2010, 2011 Source Auditor Inc. - - 4e3211c67a2d28fced849ee1bb76e7391b93feba - SpdxTranslatorSpdx.rdf - SpdxTranslatorSpdx.txt - - (LicenseRef-1 AND MPL-1.1 AND LicenseRef-2 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-4 AND Apache-1.0) - Organization: Linux Foundation - - 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - checksumAlgorithm_sha1 - - Version 0.9.2 - (LicenseRef-3 AND LicenseRef-2 AND Apache-2.0 AND MPL-1.1 AND LicenseRef-1 AND LicenseRef-4) - http://www.spdx.org/tools - This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document. - - + SPDXRef-Package + + SPDXRef-Package + Organization: SPDX + The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually. + LicenseRef-3 + LicenseRef-1 + Apache-1.0 + LicenseRef-4 + Apache-2.0 + LicenseRef-2 + MPL-1.1 + 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + SPDX Translator + SPDXRef-File1 + SPDXRef-File2 + spdxtranslator-1.0.zip + The declared license information can be found in the NOTICE file at the root of the archive file + SPDX Translator utility + Version 1.0 of the SPDX Translator application + Copyright 2010, 2011 Source Auditor Inc. + + 4e3211c67a2d28fced849ee1bb76e7391b93feba + SpdxTranslatorSpdx.rdf + SpdxTranslatorSpdx.txt + + (LicenseRef-1 AND MPL-1.1 AND LicenseRef-2 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-4 AND Apache-1.0) + Organization: Linux Foundation + + 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + checksumAlgorithm_sha1 + + Version 0.9.2 + (LicenseRef-3 AND LicenseRef-2 AND Apache-2.0 AND MPL-1.1 AND LicenseRef-1 AND LicenseRef-4) + http://www.spdx.org/tools + This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document. + This is an example of an SPDX spreadsheet format Tool: SourceAuditor-V1.2 @@ -101,7 +64,6 @@ Person: Jim Reviewer CC0-1.0 - This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses Person: Joe Reviewer @@ -145,26 +107,26 @@ This package includes the GRDDL parser developed by Hewlett Packard under the following license: © Copyright 2007 Hewlett-Packard Development Company, LP -Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: +Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: -Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. -Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. -The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. +Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. +Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. +The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. LicenseRef-2 The CyberNeko Software License, Version 1.0 - + (C) Copyright 2002-2005, Andy Clark. All rights reserved. - + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. + notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in @@ -172,14 +134,14 @@ are met: distribution. 3. The end-user documentation included with the redistribution, - if any, must include the following acknowledgment: + if any, must include the following acknowledgment: "This product includes software developed by Andy Clark." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear. 4. The names "CyberNeko" and "NekoHTML" must not be used to endorse - or promote products derived from this software without prior - written permission. For written permission, please contact + or promote products derived from this software without prior + written permission. For written permission, please contact andyc@cyberneko.net. 5. Products derived from this software may not be called "CyberNeko", @@ -190,12 +152,12 @@ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS -BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT -OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE -OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT +OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This is tye CyperNeko License LicenseRef-3 @@ -234,6 +196,40 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. SPDX-2.1 SPDXRef-DOCUMENT + + Apache-2.0 + 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + src/org/spdx/parser/DOAPProject.java + Copyright 2010, 2011 Source Auditor Inc. + Apache-2.0 + + + 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + checksumAlgorithm_sha1 + + fileType_source + SPDXRef-File2 + + + This file belongs to Jena + LicenseRef-1 + 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 + Jenna-2.6.3/jena-2.6.3-sources.jar + (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP + + Jena + http://www.openjena.org/ + http://subversion.apache.org/doap.rdf + + LicenseRef-1 + This license is used by Jena + + 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 + checksumAlgorithm_sha1 + + fileType_archive + SPDXRef-File1 + This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later. from linux kernel diff --git a/data/SPDXYamlExample.yaml b/data/SPDXYamlExample.yaml index a07a54f3e..ae7f40998 100644 --- a/data/SPDXYamlExample.yaml +++ b/data/SPDXYamlExample.yaml @@ -1,73 +1,39 @@ ---- Document: annotations: - - annotationDate: '2012-06-13T00:00:00Z' - annotationType: REVIEW - annotator: 'Person: Jim Reviewer' - comment: This is just an example. Some of the non-standard licenses look like - they are actually BSD 3 clause licenses - SPDXID: SPDXRef-45 + - annotationDate: '2012-06-13T00:00:00Z' + annotationType: REVIEW + annotator: 'Person: Jim Reviewer' + comment: This is just an example. Some of the non-standard licenses look like + they are actually BSD 3 clause licenses + SPDXID: SPDXRef-45 comment: This is a sample spreadsheet creationInfo: comment: This is an example of an SPDX spreadsheet format created: '2010-02-03T00:00:00Z' creators: - - 'Tool: SourceAuditor-V1.2' - - 'Organization: Source Auditor Inc.' - - 'Person: Gary O''Neall' + - 'Tool: SourceAuditor-V1.2' + - 'Organization: Source Auditor Inc.' + - 'Person: Gary O''Neall' licenseListVersion: '3.6' dataLicense: CC0-1.0 documentDescribes: - - Package: - SPDXID: SPDXRef-Package + - SPDXRef-Package + packages: + - SPDXID: SPDXRef-Package checksums: - - algorithm: checksumAlgorithm_sha1 - checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + - algorithm: checksumAlgorithm_sha1 + checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 copyrightText: ' Copyright 2010, 2011 Source Auditor Inc.' description: This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document. downloadLocation: http://www.spdx.org/tools attributionTexts: - - "The GNU C Library is free software. See the file COPYING.LIB for copying conditions,\ + - "The GNU C Library is free software. See the file COPYING.LIB for copying conditions,\ \ and LICENSES for notices about a few contributions that require these additional\ \ notices to be distributed. License copyright years may be listed using range\ \ notation, e.g., 1996-2015, indicating that every year in the range, inclusive,\ \ is a copyrightable year that would otherwise be listed individually." - files: - - File: - checksums: - - algorithm: checksumAlgorithm_sha1 - checksumValue: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - comment: This file belongs to Jena - copyrightText: (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, - 2008, 2009 Hewlett-Packard Development Company, LP - artifactOf: - - name: "Jena" - homePage: "http://www.openjena.org/" - projectUri: "http://subversion.apache.org/doap.rdf" - fileTypes: - - fileType_archive - SPDXID: SPDXRef-File1 - licenseComments: This license is used by Jena - licenseConcluded: LicenseRef-1 - licenseInfoInFiles: - - LicenseRef-1 - fileName: Jenna-2.6.3/jena-2.6.3-sources.jar - sha1: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - - File: - checksums: - - algorithm: checksumAlgorithm_sha1 - checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - copyrightText: Copyright 2010, 2011 Source Auditor Inc. - fileTypes: - - fileType_source - SPDXID: SPDXRef-File2 - licenseConcluded: Apache-2.0 - licenseInfoInFiles: - - Apache-2.0 - fileName: src/org/spdx/parser/DOAPProject.java - sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 licenseComments: The declared license information can be found in the NOTICE file at the root of the archive file licenseConcluded: (LicenseRef-3 AND LicenseRef-1 AND MPL-1.1 AND Apache-2.0 @@ -75,20 +41,23 @@ Document: licenseDeclared: (MPL-1.1 AND LicenseRef-4 AND LicenseRef-2 AND LicenseRef-1 AND Apache-2.0 AND LicenseRef-3) licenseInfoFromFiles: - - Apache-2.0 - - MPL-1.1 - - LicenseRef-3 - - LicenseRef-1 - - LicenseRef-4 - - Apache-1.0 - - LicenseRef-2 + - Apache-2.0 + - MPL-1.1 + - LicenseRef-3 + - LicenseRef-1 + - LicenseRef-4 + - Apache-1.0 + - LicenseRef-2 name: SPDX Translator originator: 'Organization: SPDX' packageFileName: spdxtranslator-1.0.zip + hasFiles: + - SPDXRef-File1 + - SPDXRef-File2 packageVerificationCode: packageVerificationCodeExcludedFiles: - - SpdxTranslatorSpdx.txt - - SpdxTranslatorSpdx.rdf + - SpdxTranslatorSpdx.txt + - SpdxTranslatorSpdx.rdf packageVerificationCodeValue: 4e3211c67a2d28fced849ee1bb76e7391b93feba sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 sourceInfo: Version 1.0 of the SPDX Translator application @@ -96,14 +65,14 @@ Document: supplier: 'Organization: Linux Foundation' versionInfo: Version 0.9.2 externalDocumentRefs: - - checksum: - algorithm: checksumAlgorithm_sha1 - checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2759 - externalDocumentId: DocumentRef-spdx-tool-2.1 - spdxDocument: https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301 + - checksum: + algorithm: checksumAlgorithm_sha1 + checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2759 + externalDocumentId: DocumentRef-spdx-tool-2.1 + spdxDocument: https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301 hasExtractedLicensingInfos: - - comment: This is tye CyperNeko License - extractedText: "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright\ + - comment: This is tye CyperNeko License + extractedText: "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright\ \ 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in\ \ source and binary forms, with or without\nmodification, are permitted provided\ \ that the following conditions\nare met:\n\n1. Redistributions of source code\ @@ -130,12 +99,12 @@ Document: \ CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY,\ \ OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE\ \ USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." - licenseId: LicenseRef-3 - name: CyberNeko License - seeAlso: - - http://justasample.url.com - - http://people.apache.org/~andyc/neko/LICENSE - - extractedText: "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006,\ + licenseId: LicenseRef-3 + name: CyberNeko License + seeAlso: + - http://justasample.url.com + - http://people.apache.org/~andyc/neko/LICENSE + - extractedText: "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006,\ \ 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n\ \ *\n * Redistribution and use in source and binary forms, with or without\n\ \ * modification, are permitted provided that the following conditions\n * are\ @@ -156,8 +125,8 @@ Document: \ CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE)\ \ ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF\ \ THE POSSIBILITY OF SUCH DAMAGE.\n */" - licenseId: LicenseRef-1 - - extractedText: "This package includes the GRDDL parser developed by Hewlett Packard\ + licenseId: LicenseRef-1 + - extractedText: "This package includes the GRDDL parser developed by Hewlett Packard\ \ under the following license:\n\xA9 Copyright 2007 Hewlett-Packard Development\ \ Company, LP\n\nRedistribution and use in source and binary forms, with or\ \ without modification, are permitted provided that the following conditions\ @@ -177,8 +146,8 @@ Document: \ IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)\ \ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE\ \ POSSIBILITY OF SUCH DAMAGE. " - licenseId: LicenseRef-2 - - extractedText: "/*\n * (c) Copyright 2009 University of Bristol\n * All rights\ + licenseId: LicenseRef-2 + - extractedText: "/*\n * (c) Copyright 2009 University of Bristol\n * All rights\ \ reserved.\n *\n * Redistribution and use in source and binary forms, with\ \ or without\n * modification, are permitted provided that the following conditions\n\ \ * are met:\n * 1. Redistributions of source code must retain the above copyright\n\ @@ -198,40 +167,73 @@ Document: \ CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE)\ \ ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF\ \ THE POSSIBILITY OF SUCH DAMAGE.\n */ " - licenseId: LicenseRef-4 + licenseId: LicenseRef-4 SPDXID: SPDXRef-DOCUMENT name: Sample_Document-V2.1 documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 relationships: - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-Package" - relationshipType: "DESCRIBES" - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-Package" - relationshipType: "CONTAINS" - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-File" - relationshipType: "DESCRIBES" + - spdxElementId: "SPDXRef-DOCUMENT" + relatedSpdxElement: "SPDXRef-Package" + relationshipType: "DESCRIBES" + - spdxElementId: "SPDXRef-DOCUMENT" + relatedSpdxElement: "SPDXRef-Package" + relationshipType: "CONTAINS" + - spdxElementId: "SPDXRef-DOCUMENT" + relatedSpdxElement: "SPDXRef-File" + relationshipType: "DESCRIBES" reviewers: - - comment: Another example reviewer. - reviewDate: '2011-03-13T00:00:00Z' - reviewer: 'Person: Suzanne Reviewer' - - comment: This is just an example. Some of the non-standard licenses look like - they are actually BSD 3 clause licenses - reviewDate: '2010-02-10T00:00:00Z' - reviewer: 'Person: Joe Reviewer' + - comment: Another example reviewer. + reviewDate: '2011-03-13T00:00:00Z' + reviewer: 'Person: Suzanne Reviewer' + - comment: This is just an example. Some of the non-standard licenses look like + they are actually BSD 3 clause licenses + reviewDate: '2010-02-10T00:00:00Z' + reviewer: 'Person: Joe Reviewer' snippets: - - comment: This snippet was identified as significant and highlighted in this Apache-2.0 - file, when a commercial scanner identified it as being derived from file foo.c - in package xyz which is licensed under GPL-2.0-or-later. - copyrightText: Copyright 2008-2010 John Smith - fileId: SPDXRef-DoapSource - SPDXID: SPDXRef-Snippet - licenseComments: The concluded license was taken from package xyz, from which - the snippet was copied into the current file. The concluded license information - was found in the COPYING.txt file in package xyz. - licenseConcluded: Apache-2.0 - licenseInfoFromSnippet: - - Apache-2.0 - name: from linux kernel + - comment: This snippet was identified as significant and highlighted in this Apache-2.0 + file, when a commercial scanner identified it as being derived from file foo.c + in package xyz which is licensed under GPL-2.0-or-later. + copyrightText: Copyright 2008-2010 John Smith + fileId: SPDXRef-DoapSource + SPDXID: SPDXRef-Snippet + licenseComments: The concluded license was taken from package xyz, from which + the snippet was copied into the current file. The concluded license information + was found in the COPYING.txt file in package xyz. + licenseConcluded: Apache-2.0 + licenseInfoFromSnippet: + - Apache-2.0 + name: from linux kernel spdxVersion: SPDX-2.1 + files: + - SPDXID: SPDXRef-File1 + checksums: + - algorithm: checksumAlgorithm_sha1 + checksumValue: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 + comment: This file belongs to Jena + copyrightText: (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, + 2008, 2009 Hewlett-Packard Development Company, LP + artifactOf: + - name: "Jena" + homePage: "http://www.openjena.org/" + projectUri: "http://subversion.apache.org/doap.rdf" + fileTypes: + - fileType_archive + licenseComments: This license is used by Jena + licenseConcluded: LicenseRef-1 + licenseInfoInFiles: + - LicenseRef-1 + fileName: Jenna-2.6.3/jena-2.6.3-sources.jar + sha1: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 + + - SPDXID: SPDXRef-File2 + checksums: + - algorithm: checksumAlgorithm_sha1 + checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + copyrightText: Copyright 2010, 2011 Source Auditor Inc. + fileTypes: + - fileType_source + licenseConcluded: Apache-2.0 + licenseInfoInFiles: + - Apache-2.0 + fileName: src/org/spdx/parser/DOAPProject.java + sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 diff --git a/tests/data/doc_parse/expected.json b/tests/data/doc_parse/expected.json index 163a9c2cb..64d8ba347 100644 --- a/tests/data/doc_parse/expected.json +++ b/tests/data/doc_parse/expected.json @@ -236,14 +236,14 @@ { "name": "LicenseRef-2", "identifier": "LicenseRef-2", - "text": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ", + "text": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:\n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.\nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.\nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ", "comment": null, "cross_refs": [] }, { "name": "CyberNeko License", "identifier": "LicenseRef-3", - "text": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", + "text": "The CyberNeko Software License, Version 1.0\n\n\n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment:\n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior\n written permission. For written permission, please contact\n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,\nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", "comment": "This is tye CyperNeko License", "cross_refs": [ "http://justasample.url.com", diff --git a/tests/data/formats/SPDXJsonExample.json b/tests/data/formats/SPDXJsonExample.json index 5b8b67648..7e3cedab9 100644 --- a/tests/data/formats/SPDXJsonExample.json +++ b/tests/data/formats/SPDXJsonExample.json @@ -1,223 +1,204 @@ { - "Document": { - "comment": "This is a sample spreadsheet", - "name": "Sample_Document-V2.1", - "documentDescribes": [ - { - "Package": { - "SPDXID": "SPDXRef-Package", - "originator": "Organization: SPDX", - "files": [ - { - "File": { - "comment": "This file belongs to Jena", - "licenseInfoInFiles": [ - "LicenseRef-1" - ], - "sha1": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", - "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar", - "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", - "artifactOf" : [ - { - "name" : "Jena", - "homePage" : "http://www.openjena.org/", - "projectUri" : "http://subversion.apache.org/doap.rdf" - } - ], - "licenseConcluded": "LicenseRef-1", - "licenseComments": "This license is used by Jena", - "checksums": [ - { - "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", - "algorithm": "checksumAlgorithm_sha1" - } - ], - "fileTypes": [ - "fileType_archive" - ], - "SPDXID": "SPDXRef-File1" - } - }, - { - "File": { - "licenseInfoInFiles": [ - "Apache-2.0" - ], - "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "fileName": "src/org/spdx/parser/DOAPProject.java", - "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", - "licenseConcluded": "Apache-2.0", - "checksums": [ - { - "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "checksumAlgorithm_sha1" - } - ], - "fileTypes": [ - "fileType_source" - ], - "SPDXID": "SPDXRef-File2" - } - } - ], - "licenseInfoFromFiles": [ - "Apache-1.0", - "LicenseRef-3", - "MPL-1.1", - "LicenseRef-2", - "LicenseRef-4", - "Apache-2.0", - "LicenseRef-1" - ], - "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "name": "SPDX Translator", - "packageFileName": "spdxtranslator-1.0.zip", - "licenseComments": "The declared license information can be found in the NOTICE file at the root of the archive file", - "summary": "SPDX Translator utility", - "sourceInfo": "Version 1.0 of the SPDX Translator application", - "copyrightText": " Copyright 2010, 2011 Source Auditor Inc.", - "packageVerificationCode": { - "packageVerificationCodeValue": "4e3211c67a2d28fced849ee1bb76e7391b93feba", - "packageVerificationCodeExcludedFiles": [ - "SpdxTranslatorSpdx.rdf", - "SpdxTranslatorSpdx.txt" - ] - }, - "licenseConcluded": "(Apache-1.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-3 AND LicenseRef-4 AND Apache-2.0 AND LicenseRef-1)", - "supplier": "Organization: Linux Foundation", - "attributionTexts" : [ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ], - "checksums": [ - { - "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "checksumAlgorithm_sha1" - } - ], - "versionInfo": "Version 0.9.2", - "licenseDeclared": "(LicenseRef-4 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-1)", - "downloadLocation": "http://www.spdx.org/tools", - "description": "This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document." - } - } - ], - "creationInfo": { - "comment": "This is an example of an SPDX spreadsheet format", - "creators": [ - "Tool: SourceAuditor-V1.2", - "Person: Gary O'Neall", - "Organization: Source Auditor Inc." - ], - "licenseListVersion": "3.6", - "created": "2010-02-03T00:00:00Z" - }, - "externalDocumentRefs": [ - { - "checksum": { - "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759", - "algorithm": "checksumAlgorithm_sha1" - }, - "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301", - "externalDocumentId": "DocumentRef-spdx-tool-2.1" - } - ], - "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", - "annotations": [ - { - "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", - "annotationType": "REVIEW", - "SPDXID": "SPDXRef-45", - "annotationDate": "2012-06-13T00:00:00Z", - "annotator": "Person: Jim Reviewer" - } - ], - "relationships" : [ { - "spdxElementId" : "SPDXRef-DOCUMENT", - "relatedSpdxElement" : "SPDXRef-Package", - "relationshipType" : "CONTAINS" - }, { - "spdxElementId" : "SPDXRef-DOCUMENT", - "relatedSpdxElement" : "SPDXRef-File", - "relationshipType" : "DESCRIBES" - }, { - "spdxElementId" : "SPDXRef-DOCUMENT", - "relatedSpdxElement" : "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement", - "relationshipType" : "COPY_OF" - }, { - "spdxElementId" : "SPDXRef-DOCUMENT", - "relatedSpdxElement" : "SPDXRef-Package", - "relationshipType" : "DESCRIBES" - }, { - "spdxElementId" : "SPDXRef-Package", - "relatedSpdxElement" : "SPDXRef-Saxon", - "relationshipType" : "DYNAMIC_LINK" - }, { - "spdxElementId" : "SPDXRef-Package", - "relatedSpdxElement" : "SPDXRef-JenaLib", - "relationshipType" : "CONTAINS" - }, { - "spdxElementId" : "SPDXRef-CommonsLangSrc", - "relatedSpdxElement" : "NOASSERTION", - "relationshipType" : "GENERATED_FROM" - }, { - "spdxElementId" : "SPDXRef-JenaLib", - "relatedSpdxElement" : "SPDXRef-Package", - "relationshipType" : "CONTAINS" - }, { - "spdxElementId" : "SPDXRef-File", - "relatedSpdxElement" : "SPDXRef-fromDoap-0", - "relationshipType" : "GENERATED_FROM" - } ], - "dataLicense": "CC0-1.0", - "reviewers": [ - { - "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", - "reviewer": "Person: Joe Reviewer", - "reviewDate": "2010-02-10T00:00:00Z" - }, - { - "comment": "Another example reviewer.", - "reviewer": "Person: Suzanne Reviewer", - "reviewDate": "2011-03-13T00:00:00Z" - } - ], - "hasExtractedLicensingInfos": [ - { - "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ", - "licenseId": "LicenseRef-2" - }, - { - "extractedText": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", - "comment": "This is tye CyperNeko License", - "licenseId": "LicenseRef-3", - "name": "CyberNeko License", - "seeAlso": [ - "http://justasample.url.com", - "http://people.apache.org/~andyc/neko/LICENSE" - ] - }, - { - "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */ ", - "licenseId": "LicenseRef-4" - }, - { - "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */", - "licenseId": "LicenseRef-1" - } - ], - "spdxVersion": "SPDX-2.1", - "SPDXID": "SPDXRef-DOCUMENT", - "snippets": [ - { - "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later.", - "name": "from linux kernel", - "copyrightText": "Copyright 2008-2010 John Smith", - "licenseConcluded": "Apache-2.0", - "licenseInfoFromSnippet": [ - "Apache-2.0" - ], - "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.", - "SPDXID": "SPDXRef-Snippet", - "fileId": "SPDXRef-DoapSource" - } + "comment": "This is a sample spreadsheet", + "name": "Sample_Document-V2.1", + "documentDescribes": [ + "SPDXRef-Package" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package", + "originator": "Organization: SPDX", + "hasFiles": [ + "SPDXRef-File1", + "SPDXRef-File2" + ], + "licenseInfoFromFiles": [ + "Apache-1.0", + "LicenseRef-3", + "MPL-1.1", + "LicenseRef-2", + "LicenseRef-4", + "Apache-2.0", + "LicenseRef-1" + ], + "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", + "name": "SPDX Translator", + "packageFileName": "spdxtranslator-1.0.zip", + "licenseComments": "The declared license information can be found in the NOTICE file at the root of the archive file", + "summary": "SPDX Translator utility", + "sourceInfo": "Version 1.0 of the SPDX Translator application", + "copyrightText": " Copyright 2010, 2011 Source Auditor Inc.", + "packageVerificationCode": { + "packageVerificationCodeValue": "4e3211c67a2d28fced849ee1bb76e7391b93feba", + "packageVerificationCodeExcludedFiles": [ + "SpdxTranslatorSpdx.rdf", + "SpdxTranslatorSpdx.txt" ] + }, + "licenseConcluded": "(Apache-1.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-3 AND LicenseRef-4 AND Apache-2.0 AND LicenseRef-1)", + "supplier": "Organization: Linux Foundation", + "attributionTexts": [ + "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." + ], + "checksums": [ + { + "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", + "algorithm": "checksumAlgorithm_sha1" + } + ], + "versionInfo": "Version 0.9.2", + "licenseDeclared": "(LicenseRef-4 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-1)", + "downloadLocation": "http://www.spdx.org/tools", + "description": "This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document." } + ], + "files": [ + { + "comment": "This file belongs to Jena", + "licenseInfoInFiles": [ + "LicenseRef-1" + ], + "sha1": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", + "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar", + "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", + "artifactOf": [ + { + "name": "Jena", + "homePage": "http://www.openjena.org/", + "projectUri": "http://subversion.apache.org/doap.rdf" + } + ], + "licenseConcluded": "LicenseRef-1", + "licenseComments": "This license is used by Jena", + "checksums": [ + { + "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", + "algorithm": "checksumAlgorithm_sha1" + } + ], + "fileTypes": [ + "fileType_archive" + ], + "SPDXID": "SPDXRef-File1" + }, + { + "licenseInfoInFiles": [ + "Apache-2.0" + ], + "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", + "fileName": "src/org/spdx/parser/DOAPProject.java", + "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", + "licenseConcluded": "Apache-2.0", + "checksums": [ + { + "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", + "algorithm": "checksumAlgorithm_sha1" + } + ], + "fileTypes": [ + "fileType_source" + ], + "SPDXID": "SPDXRef-File2" + } + ], + "creationInfo": { + "comment": "This is an example of an SPDX spreadsheet format", + "creators": [ + "Tool: SourceAuditor-V1.2", + "Person: Gary O'Neall", + "Organization: Source Auditor Inc." + ], + "licenseListVersion": "3.6", + "created": "2010-02-03T00:00:00Z" + }, + "externalDocumentRefs": [ + { + "checksum": { + "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759", + "algorithm": "checksumAlgorithm_sha1" + }, + "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301", + "externalDocumentId": "DocumentRef-spdx-tool-2.1" + } + ], + "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "annotations": [ + { + "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", + "annotationType": "REVIEW", + "SPDXID": "SPDXRef-45", + "annotationDate": "2012-06-13T00:00:00Z", + "annotator": "Person: Jim Reviewer" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-Package", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-File", + "relationshipType": "DESCRIBES" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-Package", + "relationshipType": "DESCRIBES" + } + ], + "dataLicense": "CC0-1.0", + "reviewers": [ + { + "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", + "reviewer": "Person: Joe Reviewer", + "reviewDate": "2010-02-10T00:00:00Z" + }, + { + "comment": "Another example reviewer.", + "reviewer": "Person: Suzanne Reviewer", + "reviewDate": "2011-03-13T00:00:00Z" + } + ], + "hasExtractedLicensingInfos": [ + { + "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:\n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.\nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.\nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ", + "licenseId": "LicenseRef-2" + }, + { + "extractedText": "The CyberNeko Software License, Version 1.0\n\n\n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment:\n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior\n written permission. For written permission, please contact\n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,\nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", + "comment": "This is tye CyperNeko License", + "licenseId": "LicenseRef-3", + "name": "CyberNeko License", + "seeAlso": [ + "http://justasample.url.com", + "http://people.apache.org/~andyc/neko/LICENSE" + ] + }, + { + "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */ ", + "licenseId": "LicenseRef-4" + }, + { + "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */", + "licenseId": "LicenseRef-1" + } + ], + "spdxVersion": "SPDX-2.1", + "SPDXID": "SPDXRef-DOCUMENT", + "snippets": [ + { + "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later.", + "name": "from linux kernel", + "copyrightText": "Copyright 2008-2010 John Smith", + "licenseConcluded": "Apache-2.0", + "licenseInfoFromSnippet": [ + "Apache-2.0" + ], + "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.", + "SPDXID": "SPDXRef-Snippet", + "fileId": "SPDXRef-DoapSource" + } + ] } \ No newline at end of file diff --git a/tests/data/formats/SPDXXmlExample.xml b/tests/data/formats/SPDXXmlExample.xml index f96e4dc32..6b734e7be 100644 --- a/tests/data/formats/SPDXXmlExample.xml +++ b/tests/data/formats/SPDXXmlExample.xml @@ -2,81 +2,43 @@ This is a sample spreadsheet Sample_Document-V2.1 - - - SPDXRef-Package - Organization: SPDX - The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually. - true - - - Apache-2.0 - 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - src/org/spdx/parser/DOAPProject.java - Copyright 2010, 2011 Source Auditor Inc. - Apache-2.0 - - - 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - checksumAlgorithm_sha1 - - fileType_source - SPDXRef-File2 - - - - - This file belongs to Jena - LicenseRef-1 - 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - Jenna-2.6.3/jena-2.6.3-sources.jar - (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP - - Jena - http://www.openjena.org/ - http://subversion.apache.org/doap.rdf - - LicenseRef-1 - This license is used by Jena - - 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - checksumAlgorithm_sha1 - - fileType_archive - SPDXRef-File1 - - - LicenseRef-3 - LicenseRef-1 - Apache-1.0 - LicenseRef-4 - Apache-2.0 - LicenseRef-2 - MPL-1.1 - 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - SPDX Translator - spdxtranslator-1.0.zip - The declared license information can be found in the NOTICE file at the root of the archive file - SPDX Translator utility - Version 1.0 of the SPDX Translator application - Copyright 2010, 2011 Source Auditor Inc. - - 4e3211c67a2d28fced849ee1bb76e7391b93feba - SpdxTranslatorSpdx.rdf - SpdxTranslatorSpdx.txt - - (LicenseRef-1 AND MPL-1.1 AND LicenseRef-2 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-4 AND Apache-1.0) - Organization: Linux Foundation - - 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - checksumAlgorithm_sha1 - - Version 0.9.2 - (LicenseRef-3 AND LicenseRef-2 AND Apache-2.0 AND MPL-1.1 AND LicenseRef-1 AND LicenseRef-4) - http://www.spdx.org/tools - This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document. - - + SPDXRef-Package + + SPDXRef-Package + Organization: SPDX + The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually. + LicenseRef-3 + LicenseRef-1 + Apache-1.0 + LicenseRef-4 + Apache-2.0 + LicenseRef-2 + MPL-1.1 + 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + SPDX Translator + SPDXRef-File1 + SPDXRef-File2 + spdxtranslator-1.0.zip + The declared license information can be found in the NOTICE file at the root of the archive file + SPDX Translator utility + Version 1.0 of the SPDX Translator application + Copyright 2010, 2011 Source Auditor Inc. + + 4e3211c67a2d28fced849ee1bb76e7391b93feba + SpdxTranslatorSpdx.rdf + SpdxTranslatorSpdx.txt + + (LicenseRef-1 AND MPL-1.1 AND LicenseRef-2 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-4 AND Apache-1.0) + Organization: Linux Foundation + + 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + checksumAlgorithm_sha1 + + Version 0.9.2 + (LicenseRef-3 AND LicenseRef-2 AND Apache-2.0 AND MPL-1.1 AND LicenseRef-1 AND LicenseRef-4) + http://www.spdx.org/tools + This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document. + This is an example of an SPDX spreadsheet format Tool: SourceAuditor-V1.2 @@ -101,7 +63,7 @@ 2012-06-13T00:00:00Z Person: Jim Reviewer - CC0-1.0 + CC0-1.0 This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses Person: Joe Reviewer @@ -145,26 +107,26 @@ This package includes the GRDDL parser developed by Hewlett Packard under the following license: © Copyright 2007 Hewlett-Packard Development Company, LP -Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: +Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: -Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. -Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. -The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. +Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. +Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. +The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. LicenseRef-2 The CyberNeko Software License, Version 1.0 - + (C) Copyright 2002-2005, Andy Clark. All rights reserved. - + Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. + notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in @@ -172,14 +134,14 @@ are met: distribution. 3. The end-user documentation included with the redistribution, - if any, must include the following acknowledgment: + if any, must include the following acknowledgment: "This product includes software developed by Andy Clark." Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear. 4. The names "CyberNeko" and "NekoHTML" must not be used to endorse - or promote products derived from this software without prior - written permission. For written permission, please contact + or promote products derived from this software without prior + written permission. For written permission, please contact andyc@cyberneko.net. 5. Products derived from this software may not be called "CyberNeko", @@ -190,12 +152,12 @@ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS -BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, -OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT -OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE -OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, +BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, +OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT +OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR +BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE +OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This is tye CyperNeko License LicenseRef-3 @@ -234,6 +196,40 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. SPDX-2.1 SPDXRef-DOCUMENT + + Apache-2.0 + 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + src/org/spdx/parser/DOAPProject.java + Copyright 2010, 2011 Source Auditor Inc. + Apache-2.0 + + + 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + checksumAlgorithm_sha1 + + fileType_source + SPDXRef-File2 + + + This file belongs to Jena + LicenseRef-1 + 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 + Jenna-2.6.3/jena-2.6.3-sources.jar + (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP + + Jena + http://www.openjena.org/ + http://subversion.apache.org/doap.rdf + + LicenseRef-1 + This license is used by Jena + + 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 + checksumAlgorithm_sha1 + + fileType_archive + SPDXRef-File1 + This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later. from linux kernel @@ -243,7 +239,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz. SPDXRef-Snippet SPDXRef-DoapSource - + SPDXRef-DOCUMENT SPDXRef-File diff --git a/tests/data/formats/SPDXYamlExample.yaml b/tests/data/formats/SPDXYamlExample.yaml index a07a54f3e..bcf03cee5 100644 --- a/tests/data/formats/SPDXYamlExample.yaml +++ b/tests/data/formats/SPDXYamlExample.yaml @@ -1,73 +1,39 @@ ---- Document: annotations: - - annotationDate: '2012-06-13T00:00:00Z' - annotationType: REVIEW - annotator: 'Person: Jim Reviewer' - comment: This is just an example. Some of the non-standard licenses look like - they are actually BSD 3 clause licenses - SPDXID: SPDXRef-45 + - annotationDate: '2012-06-13T00:00:00Z' + annotationType: REVIEW + annotator: 'Person: Jim Reviewer' + comment: This is just an example. Some of the non-standard licenses look like + they are actually BSD 3 clause licenses + SPDXID: SPDXRef-45 comment: This is a sample spreadsheet creationInfo: comment: This is an example of an SPDX spreadsheet format created: '2010-02-03T00:00:00Z' creators: - - 'Tool: SourceAuditor-V1.2' - - 'Organization: Source Auditor Inc.' - - 'Person: Gary O''Neall' + - 'Tool: SourceAuditor-V1.2' + - 'Organization: Source Auditor Inc.' + - 'Person: Gary O''Neall' licenseListVersion: '3.6' dataLicense: CC0-1.0 documentDescribes: - - Package: - SPDXID: SPDXRef-Package + - SPDXRef-Package + packages: + - SPDXID: SPDXRef-Package checksums: - - algorithm: checksumAlgorithm_sha1 - checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + - algorithm: checksumAlgorithm_sha1 + checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 copyrightText: ' Copyright 2010, 2011 Source Auditor Inc.' description: This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document. downloadLocation: http://www.spdx.org/tools attributionTexts: - - "The GNU C Library is free software. See the file COPYING.LIB for copying conditions,\ + - "The GNU C Library is free software. See the file COPYING.LIB for copying conditions,\ \ and LICENSES for notices about a few contributions that require these additional\ \ notices to be distributed. License copyright years may be listed using range\ \ notation, e.g., 1996-2015, indicating that every year in the range, inclusive,\ \ is a copyrightable year that would otherwise be listed individually." - files: - - File: - checksums: - - algorithm: checksumAlgorithm_sha1 - checksumValue: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - comment: This file belongs to Jena - copyrightText: (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, - 2008, 2009 Hewlett-Packard Development Company, LP - artifactOf: - - name: "Jena" - homePage: "http://www.openjena.org/" - projectUri: "http://subversion.apache.org/doap.rdf" - fileTypes: - - fileType_archive - SPDXID: SPDXRef-File1 - licenseComments: This license is used by Jena - licenseConcluded: LicenseRef-1 - licenseInfoInFiles: - - LicenseRef-1 - fileName: Jenna-2.6.3/jena-2.6.3-sources.jar - sha1: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - - File: - checksums: - - algorithm: checksumAlgorithm_sha1 - checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 - copyrightText: Copyright 2010, 2011 Source Auditor Inc. - fileTypes: - - fileType_source - SPDXID: SPDXRef-File2 - licenseConcluded: Apache-2.0 - licenseInfoInFiles: - - Apache-2.0 - fileName: src/org/spdx/parser/DOAPProject.java - sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 licenseComments: The declared license information can be found in the NOTICE file at the root of the archive file licenseConcluded: (LicenseRef-3 AND LicenseRef-1 AND MPL-1.1 AND Apache-2.0 @@ -75,20 +41,23 @@ Document: licenseDeclared: (MPL-1.1 AND LicenseRef-4 AND LicenseRef-2 AND LicenseRef-1 AND Apache-2.0 AND LicenseRef-3) licenseInfoFromFiles: - - Apache-2.0 - - MPL-1.1 - - LicenseRef-3 - - LicenseRef-1 - - LicenseRef-4 - - Apache-1.0 - - LicenseRef-2 + - Apache-2.0 + - MPL-1.1 + - LicenseRef-3 + - LicenseRef-1 + - LicenseRef-4 + - Apache-1.0 + - LicenseRef-2 name: SPDX Translator originator: 'Organization: SPDX' packageFileName: spdxtranslator-1.0.zip + hasFiles: + - SPDXRef-File1 + - SPDXRef-File2 packageVerificationCode: packageVerificationCodeExcludedFiles: - - SpdxTranslatorSpdx.txt - - SpdxTranslatorSpdx.rdf + - SpdxTranslatorSpdx.txt + - SpdxTranslatorSpdx.rdf packageVerificationCodeValue: 4e3211c67a2d28fced849ee1bb76e7391b93feba sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 sourceInfo: Version 1.0 of the SPDX Translator application @@ -96,46 +65,46 @@ Document: supplier: 'Organization: Linux Foundation' versionInfo: Version 0.9.2 externalDocumentRefs: - - checksum: - algorithm: checksumAlgorithm_sha1 - checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2759 - externalDocumentId: DocumentRef-spdx-tool-2.1 - spdxDocument: https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301 + - checksum: + algorithm: checksumAlgorithm_sha1 + checksumValue: d6a770ba38583ed4bb4525bd96e50461655d2759 + externalDocumentId: DocumentRef-spdx-tool-2.1 + spdxDocument: https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301 hasExtractedLicensingInfos: - - comment: This is tye CyperNeko License - extractedText: "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright\ - \ 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in\ + - comment: This is tye CyperNeko License + extractedText: "The CyberNeko Software License, Version 1.0\n\n\n(C) Copyright\ + \ 2002-2005, Andy Clark. All rights reserved.\n\nRedistribution and use in\ \ source and binary forms, with or without\nmodification, are permitted provided\ \ that the following conditions\nare met:\n\n1. Redistributions of source code\ \ must retain the above copyright\n notice, this list of conditions and the\ - \ following disclaimer. \n\n2. Redistributions in binary form must reproduce\ + \ following disclaimer.\n\n2. Redistributions in binary form must reproduce\ \ the above copyright\n notice, this list of conditions and the following\ \ disclaimer in\n the documentation and/or other materials provided with the\n\ \ distribution.\n\n3. The end-user documentation included with the redistribution,\n\ - \ if any, must include the following acknowledgment: \n \"This product\ + \ if any, must include the following acknowledgment:\n \"This product\ \ includes software developed by Andy Clark.\"\n Alternately, this acknowledgment\ \ may appear in the software itself,\n if and wherever such third-party acknowledgments\ \ normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be\ \ used to endorse\n or promote products derived from this software without\ - \ prior \n written permission. For written permission, please contact \n \ + \ prior\n written permission. For written permission, please contact\n \ \ andyc@cyberneko.net.\n\n5. Products derived from this software may not be\ \ called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without\ \ prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS\ \ IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED\ \ TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\ \ PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\n\ - BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL\ - \ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS\ - \ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER\ - \ CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY,\ - \ OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE\ - \ USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." - licenseId: LicenseRef-3 - name: CyberNeko License - seeAlso: - - http://justasample.url.com - - http://people.apache.org/~andyc/neko/LICENSE - - extractedText: "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006,\ + BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\nOR CONSEQUENTIAL\ + \ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\nOF SUBSTITUTE GOODS\ + \ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\nBUSINESS INTERRUPTION) HOWEVER\ + \ CAUSED AND ON ANY THEORY OF LIABILITY,\nWHETHER IN CONTRACT, STRICT LIABILITY,\ + \ OR TORT (INCLUDING NEGLIGENCE\nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE\ + \ USE OF THIS SOFTWARE,\nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." + licenseId: LicenseRef-3 + name: CyberNeko License + seeAlso: + - http://justasample.url.com + - http://people.apache.org/~andyc/neko/LICENSE + - extractedText: "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006,\ \ 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n\ \ *\n * Redistribution and use in source and binary forms, with or without\n\ \ * modification, are permitted provided that the following conditions\n * are\ @@ -156,18 +125,18 @@ Document: \ CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE)\ \ ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF\ \ THE POSSIBILITY OF SUCH DAMAGE.\n */" - licenseId: LicenseRef-1 - - extractedText: "This package includes the GRDDL parser developed by Hewlett Packard\ + licenseId: LicenseRef-1 + - extractedText: "This package includes the GRDDL parser developed by Hewlett Packard\ \ under the following license:\n\xA9 Copyright 2007 Hewlett-Packard Development\ \ Company, LP\n\nRedistribution and use in source and binary forms, with or\ \ without modification, are permitted provided that the following conditions\ - \ are met: \n\nRedistributions of source code must retain the above copyright\ - \ notice, this list of conditions and the following disclaimer. \nRedistributions\ + \ are met:\n\nRedistributions of source code must retain the above copyright\ + \ notice, this list of conditions and the following disclaimer.\nRedistributions\ \ in binary form must reproduce the above copyright notice, this list of conditions\ \ and the following disclaimer in the documentation and/or other materials provided\ - \ with the distribution. \nThe name of the author may not be used to endorse\ + \ with the distribution.\nThe name of the author may not be used to endorse\ \ or promote products derived from this software without specific prior written\ - \ permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS\ + \ permission.\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS\ \ OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\ \ OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN\ \ NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,\ @@ -177,8 +146,8 @@ Document: \ IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)\ \ ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE\ \ POSSIBILITY OF SUCH DAMAGE. " - licenseId: LicenseRef-2 - - extractedText: "/*\n * (c) Copyright 2009 University of Bristol\n * All rights\ + licenseId: LicenseRef-2 + - extractedText: "/*\n * (c) Copyright 2009 University of Bristol\n * All rights\ \ reserved.\n *\n * Redistribution and use in source and binary forms, with\ \ or without\n * modification, are permitted provided that the following conditions\n\ \ * are met:\n * 1. Redistributions of source code must retain the above copyright\n\ @@ -198,40 +167,73 @@ Document: \ CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE)\ \ ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF\ \ THE POSSIBILITY OF SUCH DAMAGE.\n */ " - licenseId: LicenseRef-4 + licenseId: LicenseRef-4 SPDXID: SPDXRef-DOCUMENT name: Sample_Document-V2.1 documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 relationships: - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-Package" - relationshipType: "DESCRIBES" - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-Package" - relationshipType: "CONTAINS" - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-File" - relationshipType: "DESCRIBES" + - spdxElementId: "SPDXRef-DOCUMENT" + relatedSpdxElement: "SPDXRef-Package" + relationshipType: "DESCRIBES" + - spdxElementId: "SPDXRef-DOCUMENT" + relatedSpdxElement: "SPDXRef-Package" + relationshipType: "CONTAINS" + - spdxElementId: "SPDXRef-DOCUMENT" + relatedSpdxElement: "SPDXRef-File" + relationshipType: "DESCRIBES" reviewers: - - comment: Another example reviewer. - reviewDate: '2011-03-13T00:00:00Z' - reviewer: 'Person: Suzanne Reviewer' - - comment: This is just an example. Some of the non-standard licenses look like - they are actually BSD 3 clause licenses - reviewDate: '2010-02-10T00:00:00Z' - reviewer: 'Person: Joe Reviewer' + - comment: Another example reviewer. + reviewDate: '2011-03-13T00:00:00Z' + reviewer: 'Person: Suzanne Reviewer' + - comment: This is just an example. Some of the non-standard licenses look like + they are actually BSD 3 clause licenses + reviewDate: '2010-02-10T00:00:00Z' + reviewer: 'Person: Joe Reviewer' snippets: - - comment: This snippet was identified as significant and highlighted in this Apache-2.0 - file, when a commercial scanner identified it as being derived from file foo.c - in package xyz which is licensed under GPL-2.0-or-later. - copyrightText: Copyright 2008-2010 John Smith - fileId: SPDXRef-DoapSource - SPDXID: SPDXRef-Snippet - licenseComments: The concluded license was taken from package xyz, from which - the snippet was copied into the current file. The concluded license information - was found in the COPYING.txt file in package xyz. - licenseConcluded: Apache-2.0 - licenseInfoFromSnippet: - - Apache-2.0 - name: from linux kernel + - comment: This snippet was identified as significant and highlighted in this Apache-2.0 + file, when a commercial scanner identified it as being derived from file foo.c + in package xyz which is licensed under GPL-2.0-or-later. + copyrightText: Copyright 2008-2010 John Smith + fileId: SPDXRef-DoapSource + SPDXID: SPDXRef-Snippet + licenseComments: The concluded license was taken from package xyz, from which + the snippet was copied into the current file. The concluded license information + was found in the COPYING.txt file in package xyz. + licenseConcluded: Apache-2.0 + licenseInfoFromSnippet: + - Apache-2.0 + name: from linux kernel spdxVersion: SPDX-2.1 + files: + - SPDXID: SPDXRef-File1 + checksums: + - algorithm: checksumAlgorithm_sha1 + checksumValue: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 + comment: This file belongs to Jena + copyrightText: (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, + 2008, 2009 Hewlett-Packard Development Company, LP + artifactOf: + - name: "Jena" + homePage: "http://www.openjena.org/" + projectUri: "http://subversion.apache.org/doap.rdf" + fileTypes: + - fileType_archive + licenseComments: This license is used by Jena + licenseConcluded: LicenseRef-1 + licenseInfoInFiles: + - LicenseRef-1 + fileName: Jenna-2.6.3/jena-2.6.3-sources.jar + sha1: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 + + - SPDXID: SPDXRef-File2 + checksums: + - algorithm: checksumAlgorithm_sha1 + checksumValue: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 + copyrightText: Copyright 2010, 2011 Source Auditor Inc. + fileTypes: + - fileType_source + licenseConcluded: Apache-2.0 + licenseInfoInFiles: + - Apache-2.0 + fileName: src/org/spdx/parser/DOAPProject.java + sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 From e6d556f8a5526da0c27040eea3791c31eda40f79 Mon Sep 17 00:00:00 2001 From: Meret Behrens Date: Wed, 26 Oct 2022 14:54:59 +0200 Subject: [PATCH 09/10] [issue-184] delete sha1 tag in test-files to validate against spec Signed-off-by: Meret Behrens --- data/SPDXJsonExample.json | 3 --- data/SPDXXmlExample.xml | 3 --- data/SPDXYamlExample.yaml | 3 --- tests/data/formats/SPDXJsonExample.json | 3 --- tests/data/formats/SPDXXmlExample.xml | 3 --- tests/data/formats/SPDXYamlExample.yaml | 3 --- 6 files changed, 18 deletions(-) diff --git a/data/SPDXJsonExample.json b/data/SPDXJsonExample.json index e767ac2ca..6252ba838 100644 --- a/data/SPDXJsonExample.json +++ b/data/SPDXJsonExample.json @@ -21,7 +21,6 @@ "Apache-2.0", "LicenseRef-1" ], - "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", "name": "SPDX Translator", "packageFileName": "spdxtranslator-1.0.zip", "licenseComments": "The declared license information can be found in the NOTICE file at the root of the archive file", @@ -58,7 +57,6 @@ "licenseInfoInFiles": [ "LicenseRef-1" ], - "sha1": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar", "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", "artifactOf": [ @@ -85,7 +83,6 @@ "licenseInfoInFiles": [ "Apache-2.0" ], - "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", "fileName": "src/org/spdx/parser/DOAPProject.java", "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", "licenseConcluded": "Apache-2.0", diff --git a/data/SPDXXmlExample.xml b/data/SPDXXmlExample.xml index 6b734e7be..256433411 100644 --- a/data/SPDXXmlExample.xml +++ b/data/SPDXXmlExample.xml @@ -14,7 +14,6 @@ Apache-2.0 LicenseRef-2 MPL-1.1 - 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 SPDX Translator SPDXRef-File1 SPDXRef-File2 @@ -198,7 +197,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. SPDXRef-DOCUMENT Apache-2.0 - 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 src/org/spdx/parser/DOAPProject.java Copyright 2010, 2011 Source Auditor Inc. Apache-2.0 @@ -213,7 +211,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This file belongs to Jena LicenseRef-1 - 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 Jenna-2.6.3/jena-2.6.3-sources.jar (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP diff --git a/data/SPDXYamlExample.yaml b/data/SPDXYamlExample.yaml index ae7f40998..9fa7cacc4 100644 --- a/data/SPDXYamlExample.yaml +++ b/data/SPDXYamlExample.yaml @@ -59,7 +59,6 @@ Document: - SpdxTranslatorSpdx.txt - SpdxTranslatorSpdx.rdf packageVerificationCodeValue: 4e3211c67a2d28fced849ee1bb76e7391b93feba - sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 sourceInfo: Version 1.0 of the SPDX Translator application summary: SPDX Translator utility supplier: 'Organization: Linux Foundation' @@ -223,7 +222,6 @@ Document: licenseInfoInFiles: - LicenseRef-1 fileName: Jenna-2.6.3/jena-2.6.3-sources.jar - sha1: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - SPDXID: SPDXRef-File2 checksums: @@ -236,4 +234,3 @@ Document: licenseInfoInFiles: - Apache-2.0 fileName: src/org/spdx/parser/DOAPProject.java - sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 diff --git a/tests/data/formats/SPDXJsonExample.json b/tests/data/formats/SPDXJsonExample.json index 7e3cedab9..673f8f4f8 100644 --- a/tests/data/formats/SPDXJsonExample.json +++ b/tests/data/formats/SPDXJsonExample.json @@ -21,7 +21,6 @@ "Apache-2.0", "LicenseRef-1" ], - "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", "name": "SPDX Translator", "packageFileName": "spdxtranslator-1.0.zip", "licenseComments": "The declared license information can be found in the NOTICE file at the root of the archive file", @@ -58,7 +57,6 @@ "licenseInfoInFiles": [ "LicenseRef-1" ], - "sha1": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar", "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", "artifactOf": [ @@ -85,7 +83,6 @@ "licenseInfoInFiles": [ "Apache-2.0" ], - "sha1": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", "fileName": "src/org/spdx/parser/DOAPProject.java", "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", "licenseConcluded": "Apache-2.0", diff --git a/tests/data/formats/SPDXXmlExample.xml b/tests/data/formats/SPDXXmlExample.xml index 6b734e7be..256433411 100644 --- a/tests/data/formats/SPDXXmlExample.xml +++ b/tests/data/formats/SPDXXmlExample.xml @@ -14,7 +14,6 @@ Apache-2.0 LicenseRef-2 MPL-1.1 - 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 SPDX Translator SPDXRef-File1 SPDXRef-File2 @@ -198,7 +197,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. SPDXRef-DOCUMENT Apache-2.0 - 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 src/org/spdx/parser/DOAPProject.java Copyright 2010, 2011 Source Auditor Inc. Apache-2.0 @@ -213,7 +211,6 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This file belongs to Jena LicenseRef-1 - 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 Jenna-2.6.3/jena-2.6.3-sources.jar (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP diff --git a/tests/data/formats/SPDXYamlExample.yaml b/tests/data/formats/SPDXYamlExample.yaml index bcf03cee5..cc660bced 100644 --- a/tests/data/formats/SPDXYamlExample.yaml +++ b/tests/data/formats/SPDXYamlExample.yaml @@ -59,7 +59,6 @@ Document: - SpdxTranslatorSpdx.txt - SpdxTranslatorSpdx.rdf packageVerificationCodeValue: 4e3211c67a2d28fced849ee1bb76e7391b93feba - sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 sourceInfo: Version 1.0 of the SPDX Translator application summary: SPDX Translator utility supplier: 'Organization: Linux Foundation' @@ -223,7 +222,6 @@ Document: licenseInfoInFiles: - LicenseRef-1 fileName: Jenna-2.6.3/jena-2.6.3-sources.jar - sha1: 3ab4e1c67a2d28fced849ee1bb76e7391b93f125 - SPDXID: SPDXRef-File2 checksums: @@ -236,4 +234,3 @@ Document: licenseInfoInFiles: - Apache-2.0 fileName: src/org/spdx/parser/DOAPProject.java - sha1: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12 From e4bef05b35a1cad2edd70336922525efe6b8cfe6 Mon Sep 17 00:00:00 2001 From: Meret Behrens Date: Fri, 28 Oct 2022 08:14:15 +0200 Subject: [PATCH 10/10] [issue-184] squashed review commits - correct checksum in json example - add JSONExample2.2 from spec but exclude in tests since 2.2 is not yet completely supported - add files only once if they appear in multiple packages - parse only spdxid in documentDescribes, delete commented out code - delete unused XMLWriter and JsonYamlWriter class, updated xml test results - rework create_document_describes method - delete surrounding document in json/yaml test - rename licenseinfoinfiles method according to variable - rename chk_sum/ check_sum to chksum/checksum - delete duplicated relationships from json/yaml/xml Signed-off-by: Meret Behrens --- data/SPDXJsonExample.json | 29 +- data/SPDXXmlExample.xml | 15 - data/SPDXYamlExample.yaml | 10 - examples/write_tv.py | 6 +- spdx/cli_tools/parser.py | 6 +- spdx/file.py | 16 +- spdx/package.py | 18 +- spdx/parsers/jsonyamlxml.py | 31 +- spdx/parsers/rdfbuilders.py | 4 +- spdx/parsers/tagvaluebuilders.py | 4 +- spdx/writers/jsonyamlxml.py | 33 +- spdx/writers/rdf.py | 6 +- spdx/writers/tagvalue.py | 6 +- spdx/writers/xml.py | 15 +- .../doc_write/json-simple-multi-package.json | 15 - .../doc_write/xml-simple-multi-package.xml | 14 +- tests/data/doc_write/xml-simple-plus.xml | 4 +- tests/data/doc_write/xml-simple.xml | 4 +- .../doc_write/yaml-simple-multi-package.yaml | 9 - tests/data/formats/SPDXJsonExample.json | 25 +- tests/data/formats/SPDXJsonExample2.2.json | 509 ++++++++++-------- tests/data/formats/SPDXXmlExample.xml | 15 - tests/data/formats/SPDXYamlExample.yaml | 10 - tests/test_document.py | 12 +- tests/test_package.py | 2 +- tests/test_parse_anything.py | 3 +- tests/test_write_anything.py | 2 +- tests/utils_test.py | 20 +- 28 files changed, 369 insertions(+), 474 deletions(-) diff --git a/data/SPDXJsonExample.json b/data/SPDXJsonExample.json index 6252ba838..49b5a13bb 100644 --- a/data/SPDXJsonExample.json +++ b/data/SPDXJsonExample.json @@ -42,7 +42,7 @@ "checksums": [ { "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" } ], "versionInfo": "Version 0.9.2", @@ -71,7 +71,7 @@ "checksums": [ { "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" } ], "fileTypes": [ @@ -89,7 +89,7 @@ "checksums": [ { "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" } ], "fileTypes": [ @@ -112,7 +112,7 @@ { "checksum": { "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" }, "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301", "externalDocumentId": "DocumentRef-spdx-tool-2.1" @@ -128,23 +128,6 @@ "annotator": "Person: Jim Reviewer" } ], - "relationships": [ - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "CONTAINS" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-File", - "relationshipType": "DESCRIBES" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "DESCRIBES" - } - ], "dataLicense": "CC0-1.0", "reviewers": [ { @@ -160,11 +143,11 @@ ], "hasExtractedLicensingInfos": [ { - "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ", + "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:\n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.\nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.\nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.\nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ", "licenseId": "LicenseRef-2" }, { - "extractedText": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", + "extractedText": "The CyberNeko Software License, Version 1.0\n\n\n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer.\n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment:\n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior\n written permission. For written permission, please contact\n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,\nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", "comment": "This is tye CyperNeko License", "licenseId": "LicenseRef-3", "name": "CyberNeko License", diff --git a/data/SPDXXmlExample.xml b/data/SPDXXmlExample.xml index 256433411..fceac1a76 100644 --- a/data/SPDXXmlExample.xml +++ b/data/SPDXXmlExample.xml @@ -237,19 +237,4 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. SPDXRef-Snippet SPDXRef-DoapSource - - SPDXRef-DOCUMENT - SPDXRef-File - DESCRIBES - - - SPDXRef-DOCUMENT - SPDXRef-Package - DESCRIBES - - - SPDXRef-DOCUMENT - SPDXRef-Package - CONTAINS - diff --git a/data/SPDXYamlExample.yaml b/data/SPDXYamlExample.yaml index 9fa7cacc4..404be57e5 100644 --- a/data/SPDXYamlExample.yaml +++ b/data/SPDXYamlExample.yaml @@ -170,16 +170,6 @@ Document: SPDXID: SPDXRef-DOCUMENT name: Sample_Document-V2.1 documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 - relationships: - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-Package" - relationshipType: "DESCRIBES" - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-Package" - relationshipType: "CONTAINS" - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-File" - relationshipType: "DESCRIBES" reviewers: - comment: Another example reviewer. reviewDate: '2011-03-13T00:00:00Z' diff --git a/examples/write_tv.py b/examples/write_tv.py index cf907c2c0..3ed332e6e 100755 --- a/examples/write_tv.py +++ b/examples/write_tv.py @@ -34,7 +34,7 @@ testfile1.type = FileType.BINARY testfile1.spdx_id = "TestFilet#SPDXRef-FILE" testfile1.comment = "This is a test file." - testfile1.chk_sum = Algorithm("SHA1", "c537c5d99eca5333f23491d47ededd083fefb7ad") + testfile1.chksum = Algorithm("SHA1", "c537c5d99eca5333f23491d47ededd083fefb7ad") testfile1.conc_lics = License.from_identifier("BSD-2-Clause") testfile1.add_lics(License.from_identifier("BSD-2-Clause")) testfile1.copyright = SPDXNone() @@ -46,7 +46,7 @@ testfile2.type = FileType.SOURCE testfile2.spdx_id = "TestFile2#SPDXRef-FILE" testfile2.comment = "This is a test file." - testfile2.chk_sum = Algorithm("SHA1", "bb154f28d1cf0646ae21bb0bec6c669a2b90e113") + testfile2.chksum = Algorithm("SHA1", "bb154f28d1cf0646ae21bb0bec6c669a2b90e113") testfile2.conc_lics = License.from_identifier("Apache-2.0") testfile2.add_lics(License.from_identifier("Apache-2.0")) testfile2.copyright = NoAssert() @@ -58,7 +58,7 @@ package.file_name = "twt.jar" package.spdx_id = 'TestPackage#SPDXRef-PACKAGE' package.download_location = "http://www.tagwritetest.test/download" - package.check_sum = Algorithm("SHA1", "c537c5d99eca5333f23491d47ededd083fefb7ad") + package.checksum = Algorithm("SHA1", "c537c5d99eca5333f23491d47ededd083fefb7ad") package.homepage = SPDXNone() package.verif_code = "4e3211c67a2d28fced849ee1bb76e7391b93feba" license_set = LicenseConjunction( diff --git a/spdx/cli_tools/parser.py b/spdx/cli_tools/parser.py index 182ca2db0..2be6d995f 100755 --- a/spdx/cli_tools/parser.py +++ b/spdx/cli_tools/parser.py @@ -50,8 +50,8 @@ def main(file, force): "Package Download Location: {0}".format(doc.package.download_location) ) print("Package Homepage: {0}".format(doc.package.homepage)) - if doc.package.check_sum: - print("Package Checksum: {0}".format(doc.package.check_sum.value)) + if doc.package.checksum: + print("Package Checksum: {0}".format(doc.package.checksum.value)) print("Package Attribution Text: {0}".format(doc.package.attribution_text)) print("Package verification code: {0}".format(doc.package.verif_code)) print( @@ -77,7 +77,7 @@ def main(file, force): for f in doc.files: print("\tFile name: {0}".format(f.name)) print("\tFile type: {0}".format(VALUES[f.type])) - print("\tFile Checksum: {0}".format(f.chk_sum.value)) + print("\tFile Checksum: {0}".format(f.chksum.value)) print("\tFile license concluded: {0}".format(f.conc_lics)) print( "\tFile license info in file: {0}".format( diff --git a/spdx/file.py b/spdx/file.py index c960a83fe..df3ac8871 100644 --- a/spdx/file.py +++ b/spdx/file.py @@ -42,7 +42,7 @@ class File(object): - comment: File comment str, Optional zero or one. - type: one of FileType.SOURCE, FileType.BINARY, FileType.ARCHIVE and FileType.OTHER, optional zero or one. - - chk_sum: SHA1, Mandatory one. + - chksum: SHA1, Mandatory one. - conc_lics: Mandatory one. document.License or utils.NoAssert or utils.SPDXNone. - licenses_in_file: list of licenses found in file, mandatory one or more. document.License or utils.SPDXNone or utils.NoAssert. @@ -58,12 +58,12 @@ class File(object): -attribution_text: optional string. """ - def __init__(self, name, spdx_id=None, chk_sum=None): + def __init__(self, name, spdx_id=None, chksum=None): self.name = name self.spdx_id = spdx_id self.comment = None self.type = None - self.checksums = [None] + self.checksums = [chksum] self.conc_lics = None self.licenses_in_file = [] self.license_comment = None @@ -83,15 +83,15 @@ def __lt__(self, other): return self.name < other.name @property - def chk_sum(self): + def chksum(self): """ Backwards compatibility, return first checksum. """ # NOTE Package.check_sum but File.chk_sum return self.checksums[0] - @chk_sum.setter - def chk_sum(self, value): + @chksum.setter + def chksum(self, value): self.checksums[0] = value def add_lics(self, lics): @@ -190,12 +190,12 @@ def validate_type(self, messages): return messages def validate_checksum(self, messages): - if not isinstance(self.chk_sum, checksum.Algorithm): + if not isinstance(self.chksum, checksum.Algorithm): messages.append( "File checksum must be instance of spdx.checksum.Algorithm" ) else: - if not self.chk_sum.identifier == "SHA1": + if not self.chksum.identifier == "SHA1": messages.append("File checksum algorithm must be SHA1") return messages diff --git a/spdx/package.py b/spdx/package.py index 944826357..f04f1278c 100644 --- a/spdx/package.py +++ b/spdx/package.py @@ -106,15 +106,15 @@ def are_files_analyzed(self): # return self.files_analyzed or self.files_analyzed is None @property - def check_sum(self): + def checksum(self): """ Backwards compatibility, return first checksum. """ # NOTE Package.check_sum but File.chk_sum return self.checksums[0] - @check_sum.setter - def check_sum(self, value): + @checksum.setter + def checksum(self, value): self.checksums[0] = value def add_file(self, fil): @@ -283,12 +283,12 @@ def validate_str_fields(self, fields, optional, messages): return messages def validate_checksum(self, messages): - if self.check_sum is not None: - if not isinstance(self.check_sum, checksum.Algorithm): + if self.checksum is not None: + if not isinstance(self.checksum, checksum.Algorithm): messages.append( "Package checksum must be instance of spdx.checksum.Algorithm" ) - elif not self.check_sum.identifier == "SHA1": + elif not self.checksum.identifier == "SHA1": messages.append( "First checksum in package must be SHA1." ) @@ -300,10 +300,10 @@ def calc_verif_code(self): for file_entry in self.files: if ( - isinstance(file_entry.chk_sum, checksum.Algorithm) - and file_entry.chk_sum.identifier == "SHA1" + isinstance(file_entry.chksum, checksum.Algorithm) + and file_entry.chksum.identifier == "SHA1" ): - sha1 = file_entry.chk_sum.value + sha1 = file_entry.chksum.value else: sha1 = file_entry.calc_chksum() hashes.append(sha1) diff --git a/spdx/parsers/jsonyamlxml.py b/spdx/parsers/jsonyamlxml.py index c1e8f081c..2f5ca93b7 100644 --- a/spdx/parsers/jsonyamlxml.py +++ b/spdx/parsers/jsonyamlxml.py @@ -741,7 +741,7 @@ def parse_file(self, file): self.parse_file_id(file.get("SPDXID")) self.parse_file_types(file.get("fileTypes")) self.parse_file_concluded_license(file.get("licenseConcluded")) - self.parse_file_license_info_from_files(file.get("licenseInfoInFiles")) + self.parse_file_license_info_in_files(file.get("licenseInfoInFiles")) self.parse_file_license_comments(file.get("licenseComments")) self.parse_file_copyright_text(file.get("copyrightText")) self.parse_file_artifacts(file.get("artifactOf")) @@ -836,7 +836,7 @@ def parse_file_concluded_license(self, concluded_license): else: self.value_error("FILE_SINGLE_LICS", concluded_license) - def parse_file_license_info_from_files(self, license_info_from_files): + def parse_file_license_info_in_files(self, license_info_from_files): """ Parse File license information from files - license_info_from_files: Python list of licenses information from files (str/unicode) @@ -1502,7 +1502,6 @@ def flatten_document(document): files_by_id = {} if "files" in document: for f in document.get("files"): - # XXX must downstream rely on "sha1" property? for checksum in f["checksums"]: if checksum["algorithm"] == "SHA1" or "sha1" in checksum["algorithm"]: f["sha1"] = checksum["checksumValue"] @@ -1515,7 +1514,6 @@ def flatten_document(document): package["files"] = [{ "File": files_by_id[spdxid.split("#")[-1]]} for spdxid in package["hasFiles"] ] - # XXX must downstream rely on "sha1" property? for checksum in package.get("checksums", []): if checksum["algorithm"] == "SHA1" or "sha1" in checksum["algorithm"]: package["sha1"] = checksum["checksumValue"] @@ -1676,30 +1674,15 @@ def parse_doc_comment(self, doc_comment): def parse_doc_described_objects(self, doc_described_objects): """ - Parse Document documentDescribes (Files and Packages dicts) - - doc_described_objects: Python list of dicts as in FileParser.parse_file or PackageParser.parse_package + Parse Document documentDescribes (SPDXIDs) + - doc_described_objects: Python list of strings """ if isinstance(doc_described_objects, list): - packages = filter( - lambda described: isinstance(described, dict) - and described.get("Package") is not None, - doc_described_objects, - ) - files = filter( - lambda described: isinstance(described, dict) - and described.get("File") is not None, - doc_described_objects, - ) - relationships = filter( + described_spdxids = filter( lambda described: isinstance(described, str), doc_described_objects ) - # At the moment, only single-package documents are supported, so just the last package will be stored. - for package in packages: - self.parse_package(package.get("Package")) - for file in files: - self.parse_file(file.get("File")) - for relationship in relationships: - self.parse_relationship(self.document.spdx_id, "DESCRIBES", relationship) + for spdxid in described_spdxids: + self.parse_relationship(self.document.spdx_id, "DESCRIBES", spdxid) return True else: diff --git a/spdx/parsers/rdfbuilders.py b/spdx/parsers/rdfbuilders.py index 3affb7329..1a9966350 100644 --- a/spdx/parsers/rdfbuilders.py +++ b/spdx/parsers/rdfbuilders.py @@ -195,7 +195,7 @@ def set_pkg_chk_sum(self, doc, chk_sum): self.assert_package_exists() if not self.package_chk_sum_set: self.package_chk_sum_set = True - doc.packages[-1].check_sum = checksum.Algorithm("SHA1", chk_sum) + doc.packages[-1].checksum = checksum.Algorithm("SHA1", chk_sum) else: raise CardinalityError("Package::CheckSum") @@ -391,7 +391,7 @@ def set_file_chksum(self, doc, chk_sum): if self.has_package(doc) and self.has_file(doc): if not self.file_chksum_set: self.file_chksum_set = True - self.file(doc).chk_sum = checksum.Algorithm("SHA1", chk_sum) + self.file(doc).chksum = checksum.Algorithm("SHA1", chk_sum) return True else: raise CardinalityError("File::CheckSum") diff --git a/spdx/parsers/tagvaluebuilders.py b/spdx/parsers/tagvaluebuilders.py index 9c194fe29..46b3b4675 100644 --- a/spdx/parsers/tagvaluebuilders.py +++ b/spdx/parsers/tagvaluebuilders.py @@ -780,7 +780,7 @@ def set_pkg_chk_sum(self, doc, chk_sum): self.assert_package_exists() if not self.package_chk_sum_set: self.package_chk_sum_set = True - doc.packages[-1].check_sum = checksum_from_sha1(chk_sum) + doc.packages[-1].checksum = checksum_from_sha1(chk_sum) return True else: raise CardinalityError("Package::CheckSum") @@ -1130,7 +1130,7 @@ def set_file_chksum(self, doc, chksum): if self.has_package(doc) and self.has_file(doc): if not self.file_chksum_set: self.file_chksum_set = True - self.file(doc).chk_sum = checksum_from_sha1(chksum) + self.file(doc).chksum = checksum_from_sha1(chksum) return True else: raise CardinalityError("File::CheckSum") diff --git a/spdx/writers/jsonyamlxml.py b/spdx/writers/jsonyamlxml.py index d8a8b3519..dec9beb68 100644 --- a/spdx/writers/jsonyamlxml.py +++ b/spdx/writers/jsonyamlxml.py @@ -147,7 +147,7 @@ def create_package_info(self, package): if package.has_optional_field("originator"): package_object["originator"] = package.originator.to_value() - if package.has_optional_field("check_sum"): + if package.has_optional_field("checksum"): package_object["checksums"] = [self.checksum(checksum) for checksum in package.checksums if checksum] if package.has_optional_field("description"): @@ -204,15 +204,12 @@ def create_file_info(self, file): file_object["fileName"] = file.name file_object["SPDXID"] = self.spdx_id(file.spdx_id) - file_object["checksums"] = [self.checksum(file.chk_sum)] + file_object["checksums"] = [self.checksum(file.chksum)] file_object["licenseConcluded"] = self.license(file.conc_lics) file_object["licenseInfoInFiles"] = list( map(self.license, file.licenses_in_file) ) file_object["copyrightText"] = file.copyright.__str__() - # assert file.chk_sum.identifier == "SHA1", "First checksum must be SHA1" - # file_object["sha1"] = file.chk_sum.value - if file.has_optional_field("comment"): file_object["comment"] = file.comment @@ -474,17 +471,18 @@ def create_ext_document_references(self): def create_document_describes(self): """ - Create list of SPDXID that have a + Create a list of SPDXIDs that the document describes according to DESCRIBES-relationship. """ - described_relationships = [] + document_describes = [] remove_rel = [] for relationship in self.document.relationships: if relationship.relationshiptype == "DESCRIBES": - described_relationships.append(relationship.relatedspdxelement) + document_describes.append(relationship.relatedspdxelement) if not relationship.has_comment: - remove_rel.append(relationship.relatedspdxelement) - self.document.relationships = [rel for rel in self.document.relationships if rel.relatedspdxelement not in remove_rel] - return described_relationships + remove_rel.append(relationship) + for relationship in remove_rel: + self.document.relationships.remove(relationship) + return document_describes def create_document(self): @@ -497,16 +495,15 @@ def create_document(self): self.document_object["SPDXID"] = self.spdx_id(self.document.spdx_id) self.document_object["name"] = self.document.name - described_relationships = self.create_document_describes() - if described_relationships: - self.document_object["documentDescribes"] = described_relationships + document_describes = self.create_document_describes() + self.document_object["documentDescribes"] = document_describes package_objects = [] file_objects = [] for package in self.document.packages: package_info_object, files_in_package = self.create_package_info(package) package_objects.append(package_info_object) - file_objects.extend(files_in_package) + file_objects.extend(file for file in files_in_package if file not in file_objects) self.document_object["packages"] = package_objects self.document_object["files"] = file_objects @@ -537,9 +534,3 @@ def create_document(self): return self.document_object - -class JsonYamlWriter(Writer): - - def create_document(self): - document_object = super().create_document() - return document_object diff --git a/spdx/writers/rdf.py b/spdx/writers/rdf.py index fcbdcb36d..7f3002490 100644 --- a/spdx/writers/rdf.py +++ b/spdx/writers/rdf.py @@ -264,7 +264,7 @@ def create_file_node(self, doc_file): ( file_node, self.spdx_namespace.checksum, - self.create_checksum_node(doc_file.chk_sum), + self.create_checksum_node(doc_file.chksum), ) ) @@ -754,8 +754,8 @@ def handle_pkg_optional_fields(self, package: Package, package_node): package, package_node, self.spdx_namespace.filesAnalyzed, "files_analyzed" ) - if package.has_optional_field("check_sum"): - checksum_node = self.create_checksum_node(package.check_sum) + if package.has_optional_field("checksum"): + checksum_node = self.create_checksum_node(package.checksum) self.graph.add((package_node, self.spdx_namespace.checksum, checksum_node)) if package.has_optional_field("homepage"): diff --git a/spdx/writers/tagvalue.py b/spdx/writers/tagvalue.py index 5f14ef191..d74b15f2d 100644 --- a/spdx/writers/tagvalue.py +++ b/spdx/writers/tagvalue.py @@ -115,7 +115,7 @@ def write_file(spdx_file, out): write_value("SPDXID", spdx_file.spdx_id, out) if spdx_file.has_optional_field("type"): write_file_type(spdx_file.type, out) - write_value("FileChecksum", spdx_file.chk_sum.to_tv(), out) + write_value("FileChecksum", spdx_file.chksum.to_tv(), out) if isinstance( spdx_file.conc_lics, (document.LicenseConjunction, document.LicenseDisjunction) ): @@ -223,8 +223,8 @@ def write_package(package, out): if package.has_optional_field("originator"): write_value("PackageOriginator", package.originator, out) - if package.has_optional_field("check_sum"): - write_value("PackageChecksum", package.check_sum.to_tv(), out) + if package.has_optional_field("checksum"): + write_value("PackageChecksum", package.checksum.to_tv(), out) if package.has_optional_field("verif_code"): write_value("PackageVerificationCode", format_verif_code(package), out) diff --git a/spdx/writers/xml.py b/spdx/writers/xml.py index 684f7ea7d..14bbd4b99 100644 --- a/spdx/writers/xml.py +++ b/spdx/writers/xml.py @@ -16,19 +16,6 @@ from spdx.parsers.loggers import ErrorMessages -class XMLWriter(Writer): - def checksum(self, checksum_field): - """ - Return a dictionary representation of a spdx.checksum.Algorithm object - """ - checksum_object = dict() - checksum_object["algorithm"] = ( - "checksumAlgorithm_" + checksum_field.identifier.lower() - ) - checksum_object["checksumValue"] = checksum_field.value - return checksum_object - - def write_document(document, out, validate=True): if validate: @@ -37,7 +24,7 @@ def write_document(document, out, validate=True): if messages: raise InvalidDocumentError(messages) - writer = XMLWriter(document) + writer = Writer(document) document_object = {"Document": writer.create_document()} xmltodict.unparse(document_object, out, encoding="utf-8", pretty=True) diff --git a/tests/data/doc_write/json-simple-multi-package.json b/tests/data/doc_write/json-simple-multi-package.json index 794e3c33d..61e221c7e 100644 --- a/tests/data/doc_write/json-simple-multi-package.json +++ b/tests/data/doc_write/json-simple-multi-package.json @@ -59,21 +59,6 @@ } ], "files": [ - { - "fileName": "./some/path/tofile", - "SPDXID": "SPDXRef-File", - "checksums": [ - { - "algorithm": "SHA1", - "checksumValue": "SOME-SHA1" - } - ], - "licenseConcluded": "NOASSERTION", - "licenseInfoInFiles": [ - "LGPL-2.1-or-later" - ], - "copyrightText": "NOASSERTION" - }, { "fileName": "./some/path/tofile", "SPDXID": "SPDXRef-File", diff --git a/tests/data/doc_write/xml-simple-multi-package.xml b/tests/data/doc_write/xml-simple-multi-package.xml index 70f2e7a68..4b7e6e85c 100644 --- a/tests/data/doc_write/xml-simple-multi-package.xml +++ b/tests/data/doc_write/xml-simple-multi-package.xml @@ -49,23 +49,11 @@ ./some/path/tofile SPDXRef-File - checksumAlgorithm_sha1 + SHA1 SOME-SHA1 NOASSERTION LGPL-2.1-or-later NOASSERTION - - ./some/path/tofile - SPDXRef-File - - checksumAlgorithm_sha1 - SOME-SHA1 - - NOASSERTION - LGPL-2.1-or-later - NOASSERTION - - \ No newline at end of file diff --git a/tests/data/doc_write/xml-simple-plus.xml b/tests/data/doc_write/xml-simple-plus.xml index 44cf607d9..f3b2bec73 100644 --- a/tests/data/doc_write/xml-simple-plus.xml +++ b/tests/data/doc_write/xml-simple-plus.xml @@ -17,7 +17,7 @@ SOME-SHA1 - checksumAlgorithm_sha1 + SHA1 NOASSERTION NOASSERTION @@ -31,7 +31,7 @@ SPDXRef-File SOME-SHA1 - checksumAlgorithm_sha1 + SHA1 NOASSERTION NOASSERTION diff --git a/tests/data/doc_write/xml-simple.xml b/tests/data/doc_write/xml-simple.xml index 54d79c95c..9eaca485b 100644 --- a/tests/data/doc_write/xml-simple.xml +++ b/tests/data/doc_write/xml-simple.xml @@ -16,7 +16,7 @@ SOME-SHA1 - checksumAlgorithm_sha1 + SHA1 NOASSERTION NOASSERTION @@ -29,7 +29,7 @@ SPDXRef-File SOME-SHA1 - checksumAlgorithm_sha1 + SHA1 NOASSERTION NOASSERTION diff --git a/tests/data/doc_write/yaml-simple-multi-package.yaml b/tests/data/doc_write/yaml-simple-multi-package.yaml index e5a057833..a6d10db5c 100644 --- a/tests/data/doc_write/yaml-simple-multi-package.yaml +++ b/tests/data/doc_write/yaml-simple-multi-package.yaml @@ -43,15 +43,6 @@ documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0 name: Sample_Document-V2.1 spdxVersion: SPDX-2.1 files: - - SPDXID: SPDXRef-File - checksums: - - algorithm: SHA1 - checksumValue: SOME-SHA1 - copyrightText: NOASSERTION - licenseConcluded: NOASSERTION - licenseInfoInFiles: - - LGPL-2.1-or-later - fileName: ./some/path/tofile - SPDXID: SPDXRef-File checksums: - algorithm: SHA1 diff --git a/tests/data/formats/SPDXJsonExample.json b/tests/data/formats/SPDXJsonExample.json index 673f8f4f8..49b5a13bb 100644 --- a/tests/data/formats/SPDXJsonExample.json +++ b/tests/data/formats/SPDXJsonExample.json @@ -42,7 +42,7 @@ "checksums": [ { "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" } ], "versionInfo": "Version 0.9.2", @@ -71,7 +71,7 @@ "checksums": [ { "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" } ], "fileTypes": [ @@ -89,7 +89,7 @@ "checksums": [ { "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" } ], "fileTypes": [ @@ -112,7 +112,7 @@ { "checksum": { "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759", - "algorithm": "checksumAlgorithm_sha1" + "algorithm": "SHA1" }, "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301", "externalDocumentId": "DocumentRef-spdx-tool-2.1" @@ -128,23 +128,6 @@ "annotator": "Person: Jim Reviewer" } ], - "relationships": [ - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "CONTAINS" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-File", - "relationshipType": "DESCRIBES" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "DESCRIBES" - } - ], "dataLicense": "CC0-1.0", "reviewers": [ { diff --git a/tests/data/formats/SPDXJsonExample2.2.json b/tests/data/formats/SPDXJsonExample2.2.json index 33b6f93b7..2b8661f3c 100644 --- a/tests/data/formats/SPDXJsonExample2.2.json +++ b/tests/data/formats/SPDXJsonExample2.2.json @@ -1,231 +1,284 @@ { - "comment": "This is a sample spreadsheet", - "name": "Sample_Document-V2.1", - "documentDescribes": [ - "SPDXRef-Package" - ], - "creationInfo": { - "comment": "This is an example of an SPDX spreadsheet format", - "creators": [ - "Tool: SourceAuditor-V1.2", - "Person: Gary O'Neall", - "Organization: Source Auditor Inc." - ], - "licenseListVersion": "3.6", - "created": "2010-02-03T00:00:00Z" + "SPDXID" : "SPDXRef-DOCUMENT", + "spdxVersion" : "SPDX-2.2", + "creationInfo" : { + "comment" : "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.", + "created" : "2010-01-29T18:30:22Z", + "creators" : [ "Tool: LicenseFind-1.0", "Organization: ExampleCodeInspect ()", "Person: Jane Doe ()" ], + "licenseListVersion" : "3.9" + }, + "name" : "SPDX-Tools-v2.0", + "dataLicense" : "CC0-1.0", + "comment" : "This document was created using SPDX 2.0 using licenses from the web site.", + "externalDocumentRefs" : [ { + "externalDocumentId" : "DocumentRef-spdx-tool-1.2", + "checksum" : { + "algorithm" : "SHA1", + "checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2759" }, - "externalDocumentRefs": [ - { - "checksum": { - "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2759", - "algorithm": "SHA1" - }, - "spdxDocument": "https://spdx.org/spdxdocs/spdx-tools-v2.1-3F2504E0-4F89-41D3-9A0C-0305E82C3301", - "externalDocumentId": "DocumentRef-spdx-tool-2.1" - } - ], - "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", - "annotations": [ - { - "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", - "annotationType": "REVIEW", - "SPDXID": "SPDXRef-45", - "annotationDate": "2012-06-13T00:00:00Z", - "annotator": "Person: Jim Reviewer" - } - ], - "relationships": [ - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "CONTAINS" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-File", - "relationshipType": "DESCRIBES" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement", - "relationshipType": "COPY_OF" - }, - { - "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "DESCRIBES" - }, - { - "spdxElementId": "SPDXRef-Package", - "relatedSpdxElement": "SPDXRef-Saxon", - "relationshipType": "DYNAMIC_LINK" - }, - { - "spdxElementId": "SPDXRef-Package", - "relatedSpdxElement": "SPDXRef-JenaLib", - "relationshipType": "CONTAINS" - }, - { - "spdxElementId": "SPDXRef-CommonsLangSrc", - "relatedSpdxElement": "NOASSERTION", - "relationshipType": "GENERATED_FROM" - }, - { - "spdxElementId": "SPDXRef-JenaLib", - "relatedSpdxElement": "SPDXRef-Package", - "relationshipType": "CONTAINS" - }, - { - "spdxElementId": "SPDXRef-File", - "relatedSpdxElement": "SPDXRef-fromDoap-0", - "relationshipType": "GENERATED_FROM" - } - ], - "dataLicense": "CC0-1.0", - "reviewers": [ - { - "comment": "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses", - "reviewer": "Person: Joe Reviewer", - "reviewDate": "2010-02-10T00:00:00Z" - }, - { - "comment": "Another example reviewer.", - "reviewer": "Person: Suzanne Reviewer", - "reviewDate": "2011-03-13T00:00:00Z" - } - ], - "hasExtractedLicensingInfos": [ - { - "extractedText": "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n\u00a9 Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. ", - "licenseId": "LicenseRef-2" - }, - { - "extractedText": "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", - "comment": "This is tye CyperNeko License", - "licenseId": "LicenseRef-3", - "name": "CyberNeko License", - "seeAlso": [ - "http://justasample.url.com", - "http://people.apache.org/~andyc/neko/LICENSE" - ] - }, - { - "extractedText": "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */ ", - "licenseId": "LicenseRef-4" - }, - { - "extractedText": "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n */", - "licenseId": "LicenseRef-1" - } - ], - "spdxVersion": "SPDX-2.1", - "SPDXID": "SPDXRef-DOCUMENT", - "snippets": [ - { - "comment": "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0-or-later.", - "name": "from linux kernel", - "copyrightText": "Copyright 2008-2010 John Smith", - "licenseConcluded": "Apache-2.0", - "licenseInfoFromSnippet": [ - "Apache-2.0" - ], - "licenseComments": "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.", - "SPDXID": "SPDXRef-Snippet", - "fileId": "SPDXRef-DoapSource" - } - ], - "packages": [ - { - "SPDXID": "SPDXRef-Package", - "originator": "Organization: SPDX", - "licenseInfoFromFiles": [ - "Apache-1.0", - "LicenseRef-3", - "MPL-1.1", - "LicenseRef-2", - "LicenseRef-4", - "Apache-2.0", - "LicenseRef-1" - ], - "name": "SPDX Translator", - "packageFileName": "spdxtranslator-1.0.zip", - "licenseComments": "The declared license information can be found in the NOTICE file at the root of the archive file", - "summary": "SPDX Translator utility", - "sourceInfo": "Version 1.0 of the SPDX Translator application", - "copyrightText": " Copyright 2010, 2011 Source Auditor Inc.", - "packageVerificationCode": { - "packageVerificationCodeValue": "4e3211c67a2d28fced849ee1bb76e7391b93feba", - "packageVerificationCodeExcludedFiles": [ - "SpdxTranslatorSpdx.rdf", - "SpdxTranslatorSpdx.txt" - ] - }, - "licenseConcluded": "(Apache-1.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-3 AND LicenseRef-4 AND Apache-2.0 AND LicenseRef-1)", - "supplier": "Organization: Linux Foundation", - "attributionTexts": [ - "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." - ], - "checksums": [ - { - "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "SHA1" - } - ], - "versionInfo": "Version 0.9.2", - "licenseDeclared": "(LicenseRef-4 AND LicenseRef-3 AND Apache-2.0 AND LicenseRef-2 AND MPL-1.1 AND LicenseRef-1)", - "downloadLocation": "http://www.spdx.org/tools", - "description": "This utility translates and SPDX RDF XML document to a spreadsheet, translates a spreadsheet to an SPDX RDF XML document and translates an SPDX RDFa document to an SPDX RDF XML document.", - "hasFiles": [ - "SPDXRef-File1", - "SPDXRef-File2" - ] - } - ], - "files": [ - { - "comment": "This file belongs to Jena", - "copyrightText": "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", - "artifactOf": [ - { - "name": "Jena", - "homePage": "http://www.openjena.org/", - "projectUri": "http://subversion.apache.org/doap.rdf" - } - ], - "licenseConcluded": "LicenseRef-1", - "licenseComments": "This license is used by Jena", - "checksums": [ - { - "checksumValue": "3ab4e1c67a2d28fced849ee1bb76e7391b93f125", - "algorithm": "SHA1" - } - ], - "fileTypes": [ - "fileType_archive" - ], - "SPDXID": "SPDXRef-File1", - "fileName": "Jenna-2.6.3/jena-2.6.3-sources.jar", - "licenseInfoInFiles": [ - "LicenseRef-1" - ] - }, - { - "copyrightText": "Copyright 2010, 2011 Source Auditor Inc.", - "licenseConcluded": "Apache-2.0", - "checksums": [ - { - "checksumValue": "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12", - "algorithm": "SHA1" - } - ], - "fileTypes": [ - "fileType_source" - ], - "SPDXID": "SPDXRef-File2", - "fileName": "src/org/spdx/parser/DOAPProject.java", - "licenseInfoInFiles": [ - "Apache-2.0" - ] - } - ] + "spdxDocument" : "http://spdx.org/spdxdocs/spdx-tools-v1.2-3F2504E0-4F89-41D3-9A0C-0305E82C3301" + } ], + "hasExtractedLicensingInfos" : [ { + "licenseId" : "LicenseRef-1", + "extractedText" : "/*\n * (c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/" + }, { + "licenseId" : "LicenseRef-2", + "extractedText" : "This package includes the GRDDL parser developed by Hewlett Packard under the following license:\n� Copyright 2007 Hewlett-Packard Development Company, LP\n\nRedistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: \n\nRedistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. \nRedistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. \nThe name of the author may not be used to endorse or promote products derived from this software without specific prior written permission. \nTHIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE." + }, { + "licenseId" : "LicenseRef-4", + "extractedText" : "/*\n * (c) Copyright 2009 University of Bristol\n * All rights reserved.\n *\n * Redistribution and use in source and binary forms, with or without\n * modification, are permitted provided that the following conditions\n * are met:\n * 1. Redistributions of source code must retain the above copyright\n * notice, this list of conditions and the following disclaimer.\n * 2. Redistributions in binary form must reproduce the above copyright\n * notice, this list of conditions and the following disclaimer in the\n * documentation and/or other materials provided with the distribution.\n * 3. The name of the author may not be used to endorse or promote products\n * derived from this software without specific prior written permission.\n *\n * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR\n * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\n * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.\n * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,\n * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT\n * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,\n * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY\n * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT\n * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF\n * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n*/" + }, { + "licenseId" : "LicenseRef-Beerware-4.2", + "comment" : "The beerware license has a couple of other standard variants.", + "extractedText" : "\"THE BEER-WARE LICENSE\" (Revision 42):\nphk@FreeBSD.ORG wrote this file. As long as you retain this notice you\ncan do whatever you want with this stuff. If we meet some day, and you think this stuff is worth it, you can buy me a beer in return Poul-Henning Kamp", + "name" : "Beer-Ware License (Version 42)", + "seeAlsos" : [ "http://people.freebsd.org/~phk/" ] + }, { + "licenseId" : "LicenseRef-3", + "comment" : "This is tye CyperNeko License", + "extractedText" : "The CyberNeko Software License, Version 1.0\n\n \n(C) Copyright 2002-2005, Andy Clark. All rights reserved.\n \nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions\nare met:\n\n1. Redistributions of source code must retain the above copyright\n notice, this list of conditions and the following disclaimer. \n\n2. Redistributions in binary form must reproduce the above copyright\n notice, this list of conditions and the following disclaimer in\n the documentation and/or other materials provided with the\n distribution.\n\n3. The end-user documentation included with the redistribution,\n if any, must include the following acknowledgment: \n \"This product includes software developed by Andy Clark.\"\n Alternately, this acknowledgment may appear in the software itself,\n if and wherever such third-party acknowledgments normally appear.\n\n4. The names \"CyberNeko\" and \"NekoHTML\" must not be used to endorse\n or promote products derived from this software without prior \n written permission. For written permission, please contact \n andyc@cyberneko.net.\n\n5. Products derived from this software may not be called \"CyberNeko\",\n nor may \"CyberNeko\" appear in their name, without prior written\n permission of the author.\n\nTHIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES\nOF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE\nDISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR OTHER CONTRIBUTORS\nBE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, \nOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT \nOF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR \nBUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, \nWHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE \nOR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, \nEVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.", + "name" : "CyberNeko License", + "seeAlsos" : [ "http://people.apache.org/~andyc/neko/LICENSE", "http://justasample.url.com" ] + } ], + "annotations" : [ { + "annotationDate" : "2010-01-29T18:30:22Z", + "annotationType" : "OTHER", + "annotator" : "Person: Jane Doe ()", + "comment" : "Document level annotation" + }, { + "annotationDate" : "2010-02-10T00:00:00Z", + "annotationType" : "REVIEW", + "annotator" : "Person: Joe Reviewer", + "comment" : "This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses" + }, { + "annotationDate" : "2011-03-13T00:00:00Z", + "annotationType" : "REVIEW", + "annotator" : "Person: Suzanne Reviewer", + "comment" : "Another example reviewer." + } ], + "documentNamespace" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301", + "documentDescribes" : [ "SPDXRef-File", "SPDXRef-Package" ], + "packages" : [ { + "SPDXID" : "SPDXRef-Package", + "annotations" : [ { + "annotationDate" : "2011-01-29T18:30:22Z", + "annotationType" : "OTHER", + "annotator" : "Person: Package Commenter", + "comment" : "Package level annotation" + } ], + "attributionTexts" : [ "The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually." ], + "checksums" : [ { + "algorithm" : "MD5", + "checksumValue" : "624c1abb3664f4b35547e7c73864ad24" + }, { + "algorithm" : "SHA1", + "checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c" + }, { + "algorithm" : "SHA256", + "checksumValue" : "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd" + } ], + "copyrightText" : "Copyright 2008-2010 John Smith", + "description" : "The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems.", + "downloadLocation" : "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz", + "externalRefs" : [ { + "referenceCategory" : "SECURITY", + "referenceLocator" : "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*", + "referenceType" : "cpe23Type" + }, { + "comment" : "This is the external ref for Acme", + "referenceCategory" : "OTHER", + "referenceLocator" : "acmecorp/acmenator/4.1.3-alpha", + "referenceType" : "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge" + } ], + "filesAnalyzed" : true, + "hasFiles" : [ "SPDXRef-CommonsLangSrc", "SPDXRef-JenaLib", "SPDXRef-DoapSource" ], + "homepage" : "http://ftp.gnu.org/gnu/glibc", + "licenseComments" : "The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change.", + "licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-3)", + "licenseDeclared" : "(LGPL-2.0-only AND LicenseRef-3)", + "licenseInfoFromFiles" : [ "GPL-2.0-only", "LicenseRef-2", "LicenseRef-1" ], + "name" : "glibc", + "originator" : "Organization: ExampleCodeInspect (contact@example.com)", + "packageFileName" : "glibc-2.11.1.tar.gz", + "packageVerificationCode" : { + "packageVerificationCodeExcludedFiles" : [ "./package.spdx" ], + "packageVerificationCodeValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, + "sourceInfo" : "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.", + "summary" : "GNU C library.", + "supplier" : "Person: Jane Doe (jane.doe@example.com)", + "versionInfo" : "2.11.1" + }, { + "SPDXID" : "SPDXRef-fromDoap-1", + "copyrightText" : "NOASSERTION", + "downloadLocation" : "NOASSERTION", + "filesAnalyzed" : false, + "homepage" : "http://commons.apache.org/proper/commons-lang/", + "licenseConcluded" : "NOASSERTION", + "licenseDeclared" : "NOASSERTION", + "name" : "Apache Commons Lang" + }, { + "SPDXID" : "SPDXRef-fromDoap-0", + "copyrightText" : "NOASSERTION", + "downloadLocation" : "https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz", + "externalRefs" : [ { + "referenceCategory" : "PACKAGE_MANAGER", + "referenceLocator" : "pkg:maven/org.apache.jena/apache-jena@3.12.0", + "referenceType" : "purl" + } ], + "filesAnalyzed" : false, + "homepage" : "http://www.openjena.org/", + "licenseConcluded" : "NOASSERTION", + "licenseDeclared" : "NOASSERTION", + "name" : "Jena", + "versionInfo" : "3.12.0" + }, { + "SPDXID" : "SPDXRef-Saxon", + "checksums" : [ { + "algorithm" : "SHA1", + "checksumValue" : "85ed0817af83a24ad8da68c2b5094de69833983c" + } ], + "copyrightText" : "Copyright Saxonica Ltd", + "description" : "The Saxon package is a collection of tools for processing XML documents.", + "downloadLocation" : "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download", + "filesAnalyzed" : false, + "homepage" : "http://saxon.sourceforge.net/", + "licenseComments" : "Other versions available for a commercial license", + "licenseConcluded" : "MPL-1.0", + "licenseDeclared" : "MPL-1.0", + "name" : "Saxon", + "packageFileName" : "saxonB-8.8.zip", + "versionInfo" : "8.8" + } ], + "files" : [ { + "SPDXID" : "SPDXRef-DoapSource", + "checksums" : [ { + "algorithm" : "SHA1", + "checksumValue" : "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12" + } ], + "copyrightText" : "Copyright 2010, 2011 Source Auditor Inc.", + "fileContributors" : [ "Protecode Inc.", "SPDX Technical Team Members", "Open Logic Inc.", "Source Auditor Inc.", "Black Duck Software In.c" ], + "fileName" : "./src/org/spdx/parser/DOAPProject.java", + "fileTypes" : [ "SOURCE" ], + "licenseConcluded" : "Apache-2.0", + "licenseInfoInFiles" : [ "Apache-2.0" ] + }, { + "SPDXID" : "SPDXRef-CommonsLangSrc", + "checksums" : [ { + "algorithm" : "SHA1", + "checksumValue" : "c2b4e1c67a2d28fced849ee1bb76e7391b93f125" + } ], + "comment" : "This file is used by Jena", + "copyrightText" : "Copyright 2001-2011 The Apache Software Foundation", + "fileContributors" : [ "Apache Software Foundation" ], + "fileName" : "./lib-source/commons-lang3-3.1-sources.jar", + "fileTypes" : [ "ARCHIVE" ], + "licenseConcluded" : "Apache-2.0", + "licenseInfoInFiles" : [ "Apache-2.0" ], + "noticeText" : "Apache Commons Lang\nCopyright 2001-2011 The Apache Software Foundation\n\nThis product includes software developed by\nThe Apache Software Foundation (http://www.apache.org/).\n\nThis product includes software from the Spring Framework,\nunder the Apache License 2.0 (see: StringUtils.containsWhitespace())" + }, { + "SPDXID" : "SPDXRef-JenaLib", + "checksums" : [ { + "algorithm" : "SHA1", + "checksumValue" : "3ab4e1c67a2d28fced849ee1bb76e7391b93f125" + } ], + "comment" : "This file belongs to Jena", + "copyrightText" : "(c) Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Hewlett-Packard Development Company, LP", + "fileContributors" : [ "Apache Software Foundation", "Hewlett Packard Inc." ], + "fileName" : "./lib-source/jena-2.6.3-sources.jar", + "fileTypes" : [ "ARCHIVE" ], + "licenseComments" : "This license is used by Jena", + "licenseConcluded" : "LicenseRef-1", + "licenseInfoInFiles" : [ "LicenseRef-1" ] + }, { + "SPDXID" : "SPDXRef-File", + "annotations" : [ { + "annotationDate" : "2011-01-29T18:30:22Z", + "annotationType" : "OTHER", + "annotator" : "Person: File Commenter", + "comment" : "File level annotation" + } ], + "checksums" : [ { + "algorithm" : "SHA1", + "checksumValue" : "d6a770ba38583ed4bb4525bd96e50461655d2758" + }, { + "algorithm" : "MD5", + "checksumValue" : "624c1abb3664f4b35547e7c73864ad24" + } ], + "comment" : "The concluded license was taken from the package level that the file was included in.\nThis information was found in the COPYING.txt file in the xyz directory.", + "copyrightText" : "Copyright 2008-2010 John Smith", + "fileContributors" : [ "The Regents of the University of California", "Modified by Paul Mundt lethal@linux-sh.org", "IBM Corporation" ], + "fileName" : "./package/foo.c", + "fileTypes" : [ "SOURCE" ], + "licenseComments" : "The concluded license was taken from the package level that the file was included in.", + "licenseConcluded" : "(LGPL-2.0-only OR LicenseRef-2)", + "licenseInfoInFiles" : [ "GPL-2.0-only", "LicenseRef-2" ], + "noticeText" : "Copyright (c) 2001 Aaron Lehmann aaroni@vitelus.com\n\nPermission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the �Software�), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: \nThe above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED �AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE." + } ], + "snippets" : [ { + "SPDXID" : "SPDXRef-Snippet", + "comment" : "This snippet was identified as significant and highlighted in this Apache-2.0 file, when a commercial scanner identified it as being derived from file foo.c in package xyz which is licensed under GPL-2.0.", + "copyrightText" : "Copyright 2008-2010 John Smith", + "licenseComments" : "The concluded license was taken from package xyz, from which the snippet was copied into the current file. The concluded license information was found in the COPYING.txt file in package xyz.", + "licenseConcluded" : "GPL-2.0-only", + "licenseInfoInSnippets" : [ "GPL-2.0-only" ], + "name" : "from linux kernel", + "ranges" : [ { + "endPointer" : { + "offset" : 420, + "reference" : "SPDXRef-DoapSource" + }, + "startPointer" : { + "offset" : 310, + "reference" : "SPDXRef-DoapSource" + } + }, { + "endPointer" : { + "lineNumber" : 23, + "reference" : "SPDXRef-DoapSource" + }, + "startPointer" : { + "lineNumber" : 5, + "reference" : "SPDXRef-DoapSource" + } + } ], + "snippetFromFile" : "SPDXRef-DoapSource" + } ], + "relationships" : [ { + "spdxElementId" : "SPDXRef-DOCUMENT", + "relatedSpdxElement" : "SPDXRef-Package", + "relationshipType" : "CONTAINS" + }, { + "spdxElementId" : "SPDXRef-DOCUMENT", + "relatedSpdxElement" : "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement", + "relationshipType" : "COPY_OF" + }, { + "spdxElementId" : "SPDXRef-DOCUMENT", + "relatedSpdxElement" : "SPDXRef-File", + "relationshipType" : "DESCRIBES" + }, { + "spdxElementId" : "SPDXRef-DOCUMENT", + "relatedSpdxElement" : "SPDXRef-Package", + "relationshipType" : "DESCRIBES" + }, { + "spdxElementId" : "SPDXRef-Package", + "relatedSpdxElement" : "SPDXRef-JenaLib", + "relationshipType" : "CONTAINS" + }, { + "spdxElementId" : "SPDXRef-Package", + "relatedSpdxElement" : "SPDXRef-Saxon", + "relationshipType" : "DYNAMIC_LINK" + }, { + "spdxElementId" : "SPDXRef-CommonsLangSrc", + "relatedSpdxElement" : "NOASSERTION", + "relationshipType" : "GENERATED_FROM" + }, { + "spdxElementId" : "SPDXRef-JenaLib", + "relatedSpdxElement" : "SPDXRef-Package", + "relationshipType" : "CONTAINS" + }, { + "spdxElementId" : "SPDXRef-File", + "relatedSpdxElement" : "SPDXRef-fromDoap-0", + "relationshipType" : "GENERATED_FROM" + } ] } \ No newline at end of file diff --git a/tests/data/formats/SPDXXmlExample.xml b/tests/data/formats/SPDXXmlExample.xml index 256433411..fceac1a76 100644 --- a/tests/data/formats/SPDXXmlExample.xml +++ b/tests/data/formats/SPDXXmlExample.xml @@ -237,19 +237,4 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. SPDXRef-Snippet SPDXRef-DoapSource - - SPDXRef-DOCUMENT - SPDXRef-File - DESCRIBES - - - SPDXRef-DOCUMENT - SPDXRef-Package - DESCRIBES - - - SPDXRef-DOCUMENT - SPDXRef-Package - CONTAINS - diff --git a/tests/data/formats/SPDXYamlExample.yaml b/tests/data/formats/SPDXYamlExample.yaml index cc660bced..1aa3e5716 100644 --- a/tests/data/formats/SPDXYamlExample.yaml +++ b/tests/data/formats/SPDXYamlExample.yaml @@ -170,16 +170,6 @@ Document: SPDXID: SPDXRef-DOCUMENT name: Sample_Document-V2.1 documentNamespace: https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 - relationships: - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-Package" - relationshipType: "DESCRIBES" - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-Package" - relationshipType: "CONTAINS" - - spdxElementId: "SPDXRef-DOCUMENT" - relatedSpdxElement: "SPDXRef-File" - relationshipType: "DESCRIBES" reviewers: - comment: Another example reviewer. reviewDate: '2011-03-13T00:00:00Z' diff --git a/tests/test_document.py b/tests/test_document.py index 0047eecba..0ffc7443a 100644 --- a/tests/test_document.py +++ b/tests/test_document.py @@ -78,11 +78,11 @@ def test_document_validate_failures_returns_informative_messages(self): 'Sample_Document-V2.1', spdx_id='SPDXRef-DOCUMENT', namespace='https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301') pack = doc.package = Package('some/path', NoAssert()) - pack.check_sum = 'SOME-SHA1' + pack.checksum = 'SOME-SHA1' file1 = File('./some/path/tofile') file1.name = './some/path/tofile' file1.spdx_id = 'SPDXRef-File' - file1.chk_sum = Algorithm('SHA1', 'SOME-SHA1') + file1.chksum = Algorithm('SHA1', 'SOME-SHA1') lic1 = License.from_identifier('LGPL-2.1-only') file1.add_lics(lic1) pack.add_lics_from_file(lic1) @@ -120,7 +120,7 @@ def test_document_is_valid_when_using_or_later_licenses(self): file1 = File('./some/path/tofile') file1.name = './some/path/tofile' file1.spdx_id = 'SPDXRef-File' - file1.chk_sum = Algorithm('SHA1', 'SOME-SHA1') + file1.chksum = Algorithm('SHA1', 'SOME-SHA1') file1.conc_lics = NoAssert() file1.copyright = NoAssert() @@ -173,14 +173,14 @@ def _get_lgpl_doc(self, or_later=False): package.spdx_id = 'SPDXRef-Package' package.cr_text = 'Some copyrught' package.verif_code = 'SOME code' - package.check_sum = Algorithm('SHA1', 'SOME-SHA1') + package.checksum = Algorithm('SHA1', 'SOME-SHA1') package.license_declared = NoAssert() package.conc_lics = NoAssert() file1 = File('./some/path/tofile') file1.name = './some/path/tofile' file1.spdx_id = 'SPDXRef-File' - file1.chk_sum = Algorithm('SHA1', 'SOME-SHA1') + file1.chksum = Algorithm('SHA1', 'SOME-SHA1') file1.conc_lics = NoAssert() file1.copyright = NoAssert() @@ -231,7 +231,7 @@ def _get_lgpl_multi_package_doc(self, or_later=False): file1 = File('./some/path/tofile') file1.name = './some/path/tofile' file1.spdx_id = 'SPDXRef-File' - file1.chk_sum = Algorithm('SHA1', 'SOME-SHA1') + file1.chksum = Algorithm('SHA1', 'SOME-SHA1') file1.conc_lics = NoAssert() file1.copyright = NoAssert() diff --git a/tests/test_package.py b/tests/test_package.py index c9076969e..0c8529734 100644 --- a/tests/test_package.py +++ b/tests/test_package.py @@ -24,7 +24,7 @@ def test_calc_verif_code(self): def test_package_with_non_sha1_check_sum(self): package = Package() - package.check_sum = Algorithm("SHA256", '') + package.checksum = Algorithm("SHA256", '') # Make sure that validation still works despite the checksum not being SHA1 messages = [] diff --git a/tests/test_parse_anything.py b/tests/test_parse_anything.py index 7692e5744..7b8679081 100644 --- a/tests/test_parse_anything.py +++ b/tests/test_parse_anything.py @@ -16,7 +16,8 @@ dirname = os.path.join(os.path.dirname(__file__), "data", "formats") -test_files = [os.path.join(dirname, fn) for fn in os.listdir(dirname)] +test_files = [os.path.join(dirname, fn) for fn in os.listdir(dirname) if "2.2" not in fn] +# exclude json2.2 file since spec-2.2 is not fully supported yet @pytest.mark.parametrize("test_file", test_files) diff --git a/tests/test_write_anything.py b/tests/test_write_anything.py index bbf9d8d34..3fbee2974 100644 --- a/tests/test_write_anything.py +++ b/tests/test_write_anything.py @@ -44,7 +44,7 @@ @pytest.mark.parametrize("in_file", test_files, ids=lambda x: os.path.basename(x)) def test_write_anything(in_file, out_format, tmpdir): in_basename = os.path.basename(in_file) - if in_basename == "SPDXSBOMExample.spdx.yml" or in_basename == "SPDXSBOMExample.tag": + if in_basename == "SPDXSBOMExample.spdx.yml" or in_basename == "SPDXSBOMExample.tag" or in_basename == "SPDXJsonExample2.2.json": # conversion of spdx2.2 is not yet done return doc, error = parse_anything.parse_file(in_file) diff --git a/tests/utils_test.py b/tests/utils_test.py index 7941b690e..3d2c9630a 100644 --- a/tests/utils_test.py +++ b/tests/utils_test.py @@ -176,10 +176,10 @@ def load_and_clean_json(location): """ with io.open(location, encoding='utf-8') as l: content = l.read() - data = {'Document': json.loads(content)} + data = json.loads(content) - if 'creationInfo' in data['Document']: - del(data['Document']['creationInfo']) + if 'creationInfo' in data: + del(data['creationInfo']) return sort_nested(data) @@ -206,10 +206,10 @@ def load_and_clean_yaml(location): """ with io.open(location, encoding='utf-8') as l: content = l.read() - data = {'Document': yaml.safe_load(content)} + data = yaml.safe_load(content) - if 'creationInfo' in data['Document']: - del(data['Document']['creationInfo']) + if 'creationInfo' in data: + del(data['creationInfo']) return sort_nested(data) @@ -360,7 +360,7 @@ def package_to_dict(cls, package): ('licenseDeclared', cls.license_to_dict(package.license_declared)), ('copyrightText', package.cr_text), ('licenseComment', package.license_comment), - ('checksum', cls.checksum_to_dict(package.check_sum)), + ('checksum', cls.checksum_to_dict(package.checksum)), ('files', cls.files_to_list(sorted(package.files))), ('licenseInfoFromFiles', [cls.license_to_dict(lic) for lic in lics_from_files]), ('verificationCode', OrderedDict([ @@ -377,7 +377,7 @@ def files_to_list(cls, files): files_list = [] for file in files: - lics_from_files = sorted(file.licenses_in_file, key=lambda lic: lic.identifier) + lics_in_files = sorted(file.licenses_in_file, key=lambda lic: lic.identifier) contributors = sorted(file.contributors, key=lambda c: c.name) file_dict = OrderedDict([ ('id', file.spdx_id), @@ -388,8 +388,8 @@ def files_to_list(cls, files): ('copyrightText', file.copyright), ('licenseComment', file.license_comment), ('notice', file.notice), - ('checksum', cls.checksum_to_dict(file.chk_sum)), - ('licenseInfoInFiles', [cls.license_to_dict(lic) for lic in lics_from_files]), + ('checksum', cls.checksum_to_dict(file.chksum)), + ('licenseInfoInFiles', [cls.license_to_dict(lic) for lic in lics_in_files]), ('contributors', [cls.entity_to_dict(contributor) for contributor in contributors]), ('dependencies', sorted(file.dependencies)), ('artifactOfProjectName', file.artifact_of_project_name),