Merge pull request #2704 from nexB/spdx-2.2

pombredanne · web-flow · commit e30dfe69cd58 · 2021-09-21T15:04:17.000+02:00
Adopt SPDX v2.2 and fix SPDX TV correctness
diff --git a/requirements.txt b/requirements.txt
@@ -66,7 +66,7 @@ saneyaml==0.5.2
 six==1.16.0
 sortedcontainers==2.4.0
 soupsieve==2.2.1
-spdx-tools==0.6.1
+spdx-tools==0.7.0a3
 text-unidecode==1.3
 toml==0.10.2
 typecode==21.6.1
diff --git a/setup-mini.cfg b/setup-mini.cfg
@@ -93,7 +93,7 @@ install_requires =
     pymaven_patch >= 0.2.8
     requests >= 2.7.0, < 3.0.0
     saneyaml >= 0.5.2
-    spdx_tools >= 0.6.0
+    spdx_tools >= 0.7.0a3
     text_unidecode >= 1.0, < 2.0
     toml >= 0.10.0
     typing >=3.6, < 3.7; python_version < "3.7"
diff --git a/setup.cfg b/setup.cfg
@@ -93,7 +93,7 @@ install_requires =
     pymaven_patch >= 0.2.8
     requests >= 2.7.0, < 3.0.0
     saneyaml >= 0.5.2
-    spdx_tools >= 0.6.0
+    spdx_tools >= 0.7.0a3
     text_unidecode >= 1.0, < 2.0
     toml >= 0.10.0
     typing >=3.6, < 3.7; python_version < "3.7"
diff --git a/src/formattedcode/output_spdx.py b/src/formattedcode/output_spdx.py
@@ -215,6 +215,8 @@ def write_spdx(
     package_name='',
     download_location=NoAssert(),
     as_tagvalue=True,
+    spdx_version = (2, 2),
+    with_notice_text=False,
 ):
     """
     Write scan output as SPDX Tag/value to ``output_file`` file-like
@@ -231,19 +233,25 @@ def write_spdx(
 
     ns_prefix = '_'.join(package_name.lower().split())
     comment = notice + f'\nSPDX License List: {scancode_config.spdx_license_list_version}'
+
     doc = Document(
-        version=Version(2, 1),
+        version=Version(*spdx_version),
         data_license=License.from_identifier('CC0-1.0'),
         comment=notice,
         namespace=f'http://spdx.org/spdxdocs/{ns_prefix}-{uuid.uuid4()}',
+        license_list_version=scancode_config.spdx_license_list_version,
+        name='SPDX Document created by ScanCode Toolkit'
     )
+
     tool_name = tool_name or 'ScanCode'
     doc.creation_info.add_creator(Tool(f'{tool_name} {tool_version}'))
     doc.creation_info.set_created_now()
 
+    package_id = '001'
     package = doc.package = Package(
         name=package_name,
-        download_location=download_location
+        download_location=download_location,
+        spdx_id=f'SPDXRef-{package_id}',
     )
 
     # Use a set of unique copyrights for the package.
@@ -253,7 +261,7 @@ def write_spdx(
     all_files_have_no_copyright = True
 
     # FIXME: this should walk the codebase instead!!!
-    for file_data in files:
+    for sid, file_data in enumerate(files, 1):
 
         # Skip directories.
         if file_data.get('type') != 'file':
@@ -263,6 +271,7 @@ def write_spdx(
         # SPDX output (with explicit leading './').
         name = './' + file_data.get('path')
         file_entry = File(
+            spdx_id=f'SPDXRef-{sid}',
             name=name,
             chk_sum=Algorithm('SHA1', file_data.get('sha1') or '')
         )
diff --git a/tests/formattedcode/data/spdx/license_known/expected.tv b/tests/formattedcode/data/spdx/license_known/expected.tv
@@ -1,8 +1,10 @@
 # Document Information
-SPDXVersion: SPDX-2.1
+SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
+DocumentNamespace: http://spdx.org/spdxdocs/scan
+DocumentName: SPDX Document created by ScanCode Toolkit
+LicenseListVersion: 3.14
 SPDXID: SPDXRef-DOCUMENT
-DocumentNamespace: http://spdx.org/spdxdocs/scan-ab8a6f7e-3a9a-466f-964f-be56571a3c19
 DocumentComment: <text>Generated with ScanCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
 OR CONDITIONS OF ANY KIND, either express or implied. No content created from
 ScanCode should be considered or used as legal advice. Consult an Attorney
@@ -12,6 +14,7 @@ Visit https://github.com/nexB/scancode-toolkit/ for support and download.</text>
 # Creation Info
 # Package
 PackageName: scan
+SPDXID: SPDXRef-001
 PackageDownloadLocation: NOASSERTION
 PackageVerificationCode: 517c26f04b5a3edaaa0c17bf1a6571953209e209
 PackageLicenseDeclared: NOASSERTION
@@ -21,12 +24,14 @@ PackageLicenseInfoFromFiles: CC0-1.0
 PackageCopyrightText: NONE
 # File
 FileName: ./scan/apache-2.0.LICENSE
+SPDXID: SPDXRef-2
 FileChecksum: SHA1: 2b8b815229aa8a61e483fb4ba0588b8b6c491890
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: Apache-2.0
 FileCopyrightText: NONE
 # File
 FileName: ./scan/cc0-1.0.LICENSE
+SPDXID: SPDXRef-3
 FileChecksum: SHA1: 172444e7c137eb5cd3cae530aca0879c90f7fada
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: CC0-1.0
diff --git a/tests/formattedcode/data/spdx/license_known/expected_with_text.tv b/tests/formattedcode/data/spdx/license_known/expected_with_text.tv
@@ -1,8 +1,10 @@
 # Document Information
-SPDXVersion: SPDX-2.1
+SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
+DocumentNamespace: http://spdx.org/spdxdocs/scan
+DocumentName: SPDX Document created by ScanCode Toolkit
+LicenseListVersion: 3.14
 SPDXID: SPDXRef-DOCUMENT
-DocumentNamespace: http://spdx.org/spdxdocs/scan-8f1122d0-e528-466c-a22e-04bc0b174984
 DocumentComment: <text>Generated with ScanCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
 OR CONDITIONS OF ANY KIND, either express or implied. No content created from
 ScanCode should be considered or used as legal advice. Consult an Attorney
@@ -12,6 +14,7 @@ Visit https://github.com/nexB/scancode-toolkit/ for support and download.</text>
 # Creation Info
 # Package
 PackageName: scan
+SPDXID: SPDXRef-001
 PackageDownloadLocation: NOASSERTION
 PackageVerificationCode: 517c26f04b5a3edaaa0c17bf1a6571953209e209
 PackageLicenseDeclared: NOASSERTION
@@ -21,12 +24,14 @@ PackageLicenseInfoFromFiles: CC0-1.0
 PackageCopyrightText: NONE
 # File
 FileName: ./scan/apache-2.0.LICENSE
+SPDXID: SPDXRef-2
 FileChecksum: SHA1: 2b8b815229aa8a61e483fb4ba0588b8b6c491890
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: Apache-2.0
 FileCopyrightText: NONE
 # File
 FileName: ./scan/cc0-1.0.LICENSE
+SPDXID: SPDXRef-3
 FileChecksum: SHA1: 172444e7c137eb5cd3cae530aca0879c90f7fada
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: CC0-1.0
diff --git a/tests/formattedcode/data/spdx/license_ref/expected.tv b/tests/formattedcode/data/spdx/license_ref/expected.tv
@@ -1,8 +1,10 @@
 # Document Information
-SPDXVersion: SPDX-2.1
+SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
+DocumentNamespace: http://spdx.org/spdxdocs/scan
+DocumentName: SPDX Document created by ScanCode Toolkit
+LicenseListVersion: 3.14
 SPDXID: SPDXRef-DOCUMENT
-DocumentNamespace: http://spdx.org/spdxdocs/scan-25498bb4-1cfc-461c-a7cf-389008e49b5a
 DocumentComment: <text>Generated with ScanCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
 OR CONDITIONS OF ANY KIND, either express or implied. No content created from
 ScanCode should be considered or used as legal advice. Consult an Attorney
@@ -12,6 +14,7 @@ Visit https://github.com/nexB/scancode-toolkit/ for support and download.</text>
 # Creation Info
 # Package
 PackageName: scan
+SPDXID: SPDXRef-001
 PackageDownloadLocation: NOASSERTION
 PackageVerificationCode: b49eeefd776fb76555378d07fd05d986a249a2b3
 PackageLicenseDeclared: NOASSERTION
@@ -25,6 +28,7 @@ PackageCopyrightText: <text>Copyright (c) 2017 nexB Inc. and others
 </text>
 # File
 FileName: ./scan/NOTICE
+SPDXID: SPDXRef-2
 FileChecksum: SHA1: f9c28fa2714ad0c2e36d3e5561afb0031fa76831
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: Apache-2.0
@@ -36,16 +40,19 @@ FileCopyrightText: <text>Copyright (c) 2017 nexB Inc. and others
 </text>
 # Extracted Licenses
 LicenseID: LicenseRef-scancode-other-copyleft
+LicenseName: Other Copyleft Licenses
 LicenseComment: <text>See details at https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/other-copyleft.yml
 </text>
 ExtractedText: <text>See details at https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/other-copyleft.yml
 </text>
 LicenseID: LicenseRef-scancode-other-permissive
+LicenseName: Other Permissive Licenses
 LicenseComment: <text>See details at https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/other-permissive.yml
 </text>
 ExtractedText: <text>See details at https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/other-permissive.yml
 </text>
 LicenseID: LicenseRef-scancode-scancode-acknowledgment
+LicenseName: ScanCode generated data acknowledgment
 LicenseComment: <text>See details at https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/scancode-acknowledgment.yml
 </text>
 ExtractedText: <text>See details at https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/scancode-acknowledgment.yml
diff --git a/tests/formattedcode/data/spdx/license_ref/expected_with_text.tv b/tests/formattedcode/data/spdx/license_ref/expected_with_text.tv
@@ -1,8 +1,10 @@
 # Document Information
-SPDXVersion: SPDX-2.1
+SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
+DocumentNamespace: http://spdx.org/spdxdocs/scan
+DocumentName: SPDX Document created by ScanCode Toolkit
+LicenseListVersion: 3.14
 SPDXID: SPDXRef-DOCUMENT
-DocumentNamespace: http://spdx.org/spdxdocs/scan-ff644ef5-7b50-4793-ac2e-69cb1a0bece3
 DocumentComment: <text>Generated with ScanCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
 OR CONDITIONS OF ANY KIND, either express or implied. No content created from
 ScanCode should be considered or used as legal advice. Consult an Attorney
@@ -12,6 +14,7 @@ Visit https://github.com/nexB/scancode-toolkit/ for support and download.</text>
 # Creation Info
 # Package
 PackageName: scan
+SPDXID: SPDXRef-001
 PackageDownloadLocation: NOASSERTION
 PackageVerificationCode: b49eeefd776fb76555378d07fd05d986a249a2b3
 PackageLicenseDeclared: NOASSERTION
@@ -25,6 +28,7 @@ PackageCopyrightText: <text>Copyright (c) 2017 nexB Inc. and others
 </text>
 # File
 FileName: ./scan/NOTICE
+SPDXID: SPDXRef-2
 FileChecksum: SHA1: f9c28fa2714ad0c2e36d3e5561afb0031fa76831
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: Apache-2.0
@@ -36,6 +40,7 @@ FileCopyrightText: <text>Copyright (c) 2017 nexB Inc. and others
 </text>
 # Extracted Licenses
 LicenseID: LicenseRef-scancode-other-copyleft
+LicenseName: Other Copyleft Licenses
 LicenseComment: <text>See details at https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/other-copyleft.yml
 </text>
 ExtractedText: <text>Software license
@@ -53,12 +58,12 @@ CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 When you publish or redistribute any data created with ScanCode or any ScanCode
 derivative work, you must accompany this data with the following acknowledgment:
-  Generated with ScanCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
-  OR CONDITIONS OF ANY KIND, either express or implied. No content created from
-  ScanCode should be considered or used as legal advice. Consult an Attorney
-  for any legal advice.
-  ScanCode is a free software code scanning tool from nexB Inc. and others.
-  Visit https://github.com/nexB/scancode-toolkit/ for support and download.
+Generated with ScanCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+ScanCode should be considered or used as legal advice. Consult an Attorney
+for any legal advice.
+ScanCode is a free software code scanning tool from nexB Inc. and others.
+Visit https://github.com/nexB/scancode-toolkit/ for support and download.
 Third-party software licenses
 =============================
 ScanCode embeds third-party free and open source software packages under various
@@ -71,8 +76,8 @@ https://github.com/nexB/scancode-toolkit/
 or https://github.com/nexB/scancode-thirdparty-src/
 You may also contact us to request the source code by email at info@nexb.com or
 by postal mail at:
-  nexB Inc., ScanCode open source code request
-  735 Industrial Road, Suite #101, 94070 San Carlos, CA, USA
+nexB Inc., ScanCode open source code request
+735 Industrial Road, Suite #101, 94070 San Carlos, CA, USA
 Please indicate in your communication the ScanCode version for which you are
 requesting source code.
 License for ScanCode datasets
@@ -81,6 +86,7 @@ ScanCode includes datasets (e.g. for license detection) that are dedicated
 to the Public Domain using the Creative Commons CC0 1.0 Universal (CC0 1.0)
 Public Domain Dedication: http://creativecommons.org/publicdomain/zero/1.0/</text>
 LicenseID: LicenseRef-scancode-other-permissive
+LicenseName: Other Permissive Licenses
 LicenseComment: <text>See details at https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/other-permissive.yml
 </text>
 ExtractedText: <text>Software license
@@ -98,12 +104,12 @@ CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 When you publish or redistribute any data created with ScanCode or any ScanCode
 derivative work, you must accompany this data with the following acknowledgment:
-  Generated with ScanCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
-  OR CONDITIONS OF ANY KIND, either express or implied. No content created from
-  ScanCode should be considered or used as legal advice. Consult an Attorney
-  for any legal advice.
-  ScanCode is a free software code scanning tool from nexB Inc. and others.
-  Visit https://github.com/nexB/scancode-toolkit/ for support and download.
+Generated with ScanCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+ScanCode should be considered or used as legal advice. Consult an Attorney
+for any legal advice.
+ScanCode is a free software code scanning tool from nexB Inc. and others.
+Visit https://github.com/nexB/scancode-toolkit/ for support and download.
 Third-party software licenses
 =============================
 ScanCode embeds third-party free and open source software packages under various
@@ -116,8 +122,8 @@ https://github.com/nexB/scancode-toolkit/
 or https://github.com/nexB/scancode-thirdparty-src/
 You may also contact us to request the source code by email at info@nexb.com or
 by postal mail at:
-  nexB Inc., ScanCode open source code request
-  735 Industrial Road, Suite #101, 94070 San Carlos, CA, USA
+nexB Inc., ScanCode open source code request
+735 Industrial Road, Suite #101, 94070 San Carlos, CA, USA
 Please indicate in your communication the ScanCode version for which you are
 requesting source code.
 License for ScanCode datasets
@@ -126,6 +132,7 @@ ScanCode includes datasets (e.g. for license detection) that are dedicated
 to the Public Domain using the Creative Commons CC0 1.0 Universal (CC0 1.0)
 Public Domain Dedication: http://creativecommons.org/publicdomain/zero/1.0/</text>
 LicenseID: LicenseRef-scancode-scancode-acknowledgment
+LicenseName: ScanCode generated data acknowledgment
 LicenseComment: <text>See details at https://github.com/nexB/scancode-toolkit/blob/develop/src/licensedcode/data/licenses/scancode-acknowledgment.yml
 </text>
 ExtractedText: <text>Software license
@@ -143,12 +150,12 @@ CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 When you publish or redistribute any data created with ScanCode or any ScanCode
 derivative work, you must accompany this data with the following acknowledgment:
-  Generated with ScanCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
-  OR CONDITIONS OF ANY KIND, either express or implied. No content created from
-  ScanCode should be considered or used as legal advice. Consult an Attorney
-  for any legal advice.
-  ScanCode is a free software code scanning tool from nexB Inc. and others.
-  Visit https://github.com/nexB/scancode-toolkit/ for support and download.
+Generated with ScanCode and provided on an "AS IS" BASIS, WITHOUT WARRANTIES
+OR CONDITIONS OF ANY KIND, either express or implied. No content created from
+ScanCode should be considered or used as legal advice. Consult an Attorney
+for any legal advice.
+ScanCode is a free software code scanning tool from nexB Inc. and others.
+Visit https://github.com/nexB/scancode-toolkit/ for support and download.
 Third-party software licenses
 =============================
 ScanCode embeds third-party free and open source software packages under various
@@ -161,8 +168,8 @@ https://github.com/nexB/scancode-toolkit/
 or https://github.com/nexB/scancode-thirdparty-src/
 You may also contact us to request the source code by email at info@nexb.com or
 by postal mail at:
-  nexB Inc., ScanCode open source code request
-  735 Industrial Road, Suite #101, 94070 San Carlos, CA, USA
+nexB Inc., ScanCode open source code request
+735 Industrial Road, Suite #101, 94070 San Carlos, CA, USA
 Please indicate in your communication the ScanCode version for which you are
 requesting source code.
 License for ScanCode datasets
diff --git a/tests/formattedcode/data/spdx/simple/expected.rdf b/tests/formattedcode/data/spdx/simple/expected.rdf
@@ -1,6 +1,9 @@
 {
   "rdf:RDF": {
     "ns1:SpdxDocument": {
+      "ns1:name": {
+        "@rdf:resource": "SPDX Document created by ScanCode Toolkit"
+      },
       "ns1:dataLicense": {
         "@rdf:resource": "http://spdx.org/licenses/CC0-1.0"
       },
@@ -22,11 +25,14 @@
             }
           },
           "ns1:fileName": "./test.txt",
-          "@rdf:about": "http://www.spdx.org/files#None"
+          "@rdf:about": "http://www.spdx.org/files#SPDXRef-1"
         }
       },
       "ns1:describesPackage": {
         "ns1:Package": {
+          "ns1:Package": {
+            "@rdf:resource": "SPDXRef-001"
+          },
           "ns1:downloadLocation": {
             "@rdf:resource": "http://spdx.org/rdf/terms#noassertion"
           },
@@ -43,14 +49,14 @@
             "@rdf:resource": "http://spdx.org/rdf/terms#none"
           },
           "ns1:hasFile": {
-            "@rdf:resource": "http://www.spdx.org/files#None"
+            "@rdf:resource": "http://www.spdx.org/files#SPDXRef-1"
           },
           "@rdf:about": "http://www.spdx.org/tools#SPDXRef-Package",
           "ns1:name": "simple"
         }
       },
       "@rdf:about": "http://www.spdx.org/tools#SPDXRef-DOCUMENT",
-      "ns1:specVersion": "SPDX-2.1"
+      "ns1:specVersion": "SPDX-2.2"
     },
     "@xmlns:ns1": "http://spdx.org/rdf/terms#",
     "@xmlns:rdf": "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
diff --git a/tests/formattedcode/data/spdx/simple/expected.tv b/tests/formattedcode/data/spdx/simple/expected.tv
diff --git a/tests/formattedcode/data/spdx/tree/expected.tv b/tests/formattedcode/data/spdx/tree/expected.tv
diff --git a/tests/formattedcode/data/spdx/unicode/expected.tv b/tests/formattedcode/data/spdx/unicode/expected.tv
