Fix the validity of SPDX outputs #180 (#186)

Signed-off-by: tdruez <[email protected]>

Author: tdruez

CHANGELOG.rst

@@ -6,6 +6,9 @@ Release notes
 - Fix the models documentation navigation.
   https://github.com/aboutcode-org/dejacode/issues/182
 
+- Fix the validity of SPDX outputs.
+  https://github.com/aboutcode-org/dejacode/issues/180
+
 ### Version 5.2.0
 
 - Add visual indicator in hierarchy views, when an object on the far left or far right

component_catalog/models.py

@@ -1357,6 +1357,10 @@ def aboutcode_data(self):
 
         return without_empty_values(component_data)
 
+    @property
+    def spdx_id(self):
+        return f"SPDXRef-dejacode-{self._meta.model_name}-{self.uuid}"
+
     def as_spdx(self, license_concluded=None):
         """
         Return this Component as an SPDX Package entry.
@@ -1375,7 +1379,7 @@ def as_spdx(self, license_concluded=None):
 
         return spdx.Package(
             name=self.name,
-            spdx_id=f"dejacode-{self._meta.model_name}-{self.uuid}",
+            spdx_id=self.spdx_id,
             supplier=self.owner.as_spdx() if self.owner else "",
             license_concluded=license_concluded or self.concluded_license_expression_spdx,
             license_declared=self.declared_license_expression_spdx,
@@ -2248,6 +2252,10 @@ def get_about_files(self):
 
         return about_files
 
+    @property
+    def spdx_id(self):
+        return f"SPDXRef-dejacode-{self._meta.model_name}-{self.uuid}"
+
     def as_spdx(self, license_concluded=None):
         """
         Return this Package as an SPDX Package entry.
@@ -2281,7 +2289,7 @@ def as_spdx(self, license_concluded=None):
 
         return spdx.Package(
             name=self.name or self.filename,
-            spdx_id=f"dejacode-{self._meta.model_name}-{self.uuid}",
+            spdx_id=self.spdx_id,
             download_location=self.download_url,
             license_concluded=license_concluded or self.concluded_license_expression_spdx,
             license_declared=self.declared_license_expression_spdx,

dje/tests/test_outputs.py

@@ -43,6 +43,9 @@ def test_outputs_get_attachment_response(self):
         self.assertEqual("application/json", response["Content-Type"])
 
     def test_outputs_get_spdx_document(self):
+        package = make_package(self.dataspace, package_url="pkg:type/name")
+        make_product_package(self.product1, package)
+
         document = outputs.get_spdx_document(self.product1, self.super_user)
         document.creation_info.created = "2000-01-01T01:02:03Z"
         expected = {
@@ -60,8 +63,24 @@ def test_outputs_get_spdx_document(self):
                 ],
                 "licenseListVersion": "3.18",
             },
-            "packages": [],
-            "documentDescribes": [],
+            "packages": [
+                {
+                    "name": "name",
+                    "SPDXID": f"SPDXRef-dejacode-package-{package.uuid}",
+                    "downloadLocation": "NOASSERTION",
+                    "licenseConcluded": "NOASSERTION",
+                    "copyrightText": "NOASSERTION",
+                    "filesAnalyzed": False,
+                    "externalRefs": [
+                        {
+                            "referenceCategory": "PACKAGE-MANAGER",
+                            "referenceType": "purl",
+                            "referenceLocator": "pkg:type/name",
+                        }
+                    ],
+                }
+            ],
+            "documentDescribes": [f"SPDXRef-dejacode-package-{package.uuid}"],
         }
         self.assertEqual(expected, document.as_dict())