Adopt SPDX v2.2 and fix SPDX TV correctness

pombredanne · pombredanne · commit b6ff6a04cfc3 · 2021-09-16T15:05:49.000+02:00
This is using the SPDX 2.2 version and adding missing SPDX ids
at the document and file levels.

Also adds LicenseListVersion

Signed-off-by: Philippe Ombredanne &lt;pombredanne@nexb.com&gt;
diff --git a/requirements.txt b/requirements.txt
@@ -66,7 +66,7 @@ saneyaml==0.5.2
 six==1.16.0
 sortedcontainers==2.4.0
 soupsieve==2.2.1
-spdx-tools==0.6.1
+spdx-tools==0.7.0a3
 text-unidecode==1.3
 toml==0.10.2
 typecode==21.6.1
diff --git a/setup-mini.cfg b/setup-mini.cfg
@@ -93,7 +93,7 @@ install_requires =
     pymaven_patch >= 0.2.8
     requests >= 2.7.0, < 3.0.0
     saneyaml >= 0.5.2
-    spdx_tools >= 0.6.0
+    spdx_tools >= 0.7.0a3
     text_unidecode >= 1.0, < 2.0
     toml >= 0.10.0
     typing >=3.6, < 3.7; python_version < "3.7"
diff --git a/setup.cfg b/setup.cfg
@@ -93,7 +93,7 @@ install_requires =
     pymaven_patch >= 0.2.8
     requests >= 2.7.0, < 3.0.0
     saneyaml >= 0.5.2
-    spdx_tools >= 0.6.0
+    spdx_tools >= 0.7.0a3
     text_unidecode >= 1.0, < 2.0
     toml >= 0.10.0
     typing >=3.6, < 3.7; python_version < "3.7"
diff --git a/src/formattedcode/output_spdx.py b/src/formattedcode/output_spdx.py
@@ -215,6 +215,8 @@ def write_spdx(
     package_name='',
     download_location=NoAssert(),
     as_tagvalue=True,
+    spdx_version = (2, 2),
+    with_notice_text=False,
 ):
     """
     Write scan output as SPDX Tag/value to ``output_file`` file-like
@@ -231,19 +233,25 @@ def write_spdx(
 
     ns_prefix = '_'.join(package_name.lower().split())
     comment = notice + f'\nSPDX License List: {scancode_config.spdx_license_list_version}'
+
     doc = Document(
-        version=Version(2, 1),
+        version=Version(*spdx_version),
         data_license=License.from_identifier('CC0-1.0'),
         comment=notice,
         namespace=f'http://spdx.org/spdxdocs/{ns_prefix}-{uuid.uuid4()}',
+        license_list_version=scancode_config.spdx_license_list_version,
+        name='SPDX Document created by ScanCode Toolkit'
     )
+
     tool_name = tool_name or 'ScanCode'
     doc.creation_info.add_creator(Tool(f'{tool_name} {tool_version}'))
     doc.creation_info.set_created_now()
 
+    package_id = '001'
     package = doc.package = Package(
         name=package_name,
-        download_location=download_location
+        download_location=download_location,
+        spdx_id=f'SPDXRef-{package_id}',
     )
 
     # Use a set of unique copyrights for the package.
@@ -253,7 +261,7 @@ def write_spdx(
     all_files_have_no_copyright = True
 
     # FIXME: this should walk the codebase instead!!!
-    for file_data in files:
+    for sid, file_data in enumerate(files, 1):
 
         # Skip directories.
         if file_data.get('type') != 'file':
@@ -263,6 +271,7 @@ def write_spdx(
         # SPDX output (with explicit leading './').
         name = './' + file_data.get('path')
         file_entry = File(
+            spdx_id=f'SPDXRef-{sid}',
             name=name,
             chk_sum=Algorithm('SHA1', file_data.get('sha1') or '')
         )
diff --git a/tests/formattedcode/data/spdx/simple/expected.rdf b/tests/formattedcode/data/spdx/simple/expected.rdf
@@ -1,6 +1,9 @@
 {
   "rdf:RDF": {
     "ns1:SpdxDocument": {
+      "ns1:name": {
+        "@rdf:resource": "SPDX Document created by ScanCode Toolkit"
+      },
       "ns1:dataLicense": {
         "@rdf:resource": "http://spdx.org/licenses/CC0-1.0"
       },
@@ -22,11 +25,14 @@
             }
           },
           "ns1:fileName": "./test.txt",
-          "@rdf:about": "http://www.spdx.org/files#None"
+          "@rdf:about": "http://www.spdx.org/files#SPDXRef-1"
         }
       },
       "ns1:describesPackage": {
         "ns1:Package": {
+          "ns1:Package": {
+            "@rdf:resource": "SPDXRef-001"
+          },
           "ns1:downloadLocation": {
             "@rdf:resource": "http://spdx.org/rdf/terms#noassertion"
           },
@@ -43,14 +49,14 @@
             "@rdf:resource": "http://spdx.org/rdf/terms#none"
           },
           "ns1:hasFile": {
-            "@rdf:resource": "http://www.spdx.org/files#None"
+            "@rdf:resource": "http://www.spdx.org/files#SPDXRef-1"
           },
           "@rdf:about": "http://www.spdx.org/tools#SPDXRef-Package",
           "ns1:name": "simple"
         }
       },
       "@rdf:about": "http://www.spdx.org/tools#SPDXRef-DOCUMENT",
-      "ns1:specVersion": "SPDX-2.1"
+      "ns1:specVersion": "SPDX-2.2"
     },
     "@xmlns:ns1": "http://spdx.org/rdf/terms#",
     "@xmlns:rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
diff --git a/tests/formattedcode/data/spdx/simple/expected.tv b/tests/formattedcode/data/spdx/simple/expected.tv
@@ -1,8 +1,10 @@
 # Document Information
-SPDXVersion: SPDX-2.1
+SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
-SPDXID: SPDXRef-DOCUMENT
 DocumentNamespace: http://spdx.org/spdxdocs/simple
+DocumentName: SPDX Document created by ScanCode Toolkit
+LicenseListVersion: 3.14
+SPDXID: SPDXRef-DOCUMENT
 DocumentComment: <text>Generated with ScanCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
 OR CONDITIONS OF ANY KIND, either express or implied. No content created from
 ScanCode should be considered or used as legal advice. Consult an Attorney
@@ -12,6 +14,7 @@ Visit https://github.com/nexB/scancode-toolkit/ for support and download.</text>
 # Creation Info
 # Package
 PackageName: simple
+SPDXID: SPDXRef-001
 PackageDownloadLocation: NOASSERTION
 PackageVerificationCode: a83523bcfc10441aa94a575b88aa1d3269902485
 PackageLicenseDeclared: NOASSERTION
@@ -20,6 +23,7 @@ PackageLicenseInfoFromFiles: NONE
 PackageCopyrightText: NONE
 # File
 FileName: ./test.txt
+SPDXID: SPDXRef-1
 FileChecksum: SHA1: b8a793cce3c3a4cd3a4646ddbe86edd542ed0cd8
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: NONE
