Add full support for SPDX 2.2 spec version

Signed-off-by: tdruez <[email protected]>

Author: tdruez

scanpipe/api/views.py

@@ -153,18 +153,19 @@ def results_download(self, request, *args, **kwargs):
         """Return the results in the provided `output_format` as an attachment."""
         project = self.get_object()
         format = request.query_params.get("output_format", "json")
+
         version = request.query_params.get("version")
         output_kwargs = {}
+        if version:
+            output_kwargs["version"] = version
 
         if format == "json":
             return project_results_json_response(project, as_attachment=True)
         elif format == "xlsx":
             output_file = output.to_xlsx(project)
         elif format == "spdx":
-            output_file = output.to_spdx(project)
+            output_file = output.to_spdx(project, **output_kwargs)
         elif format == "cyclonedx":
-            if version:
-                output_kwargs["version"] = version
             output_file = output.to_cyclonedx(project, **output_kwargs)
         elif format == "attribution":
             output_file = output.to_attribution(project)

scanpipe/management/commands/output.py

@@ -71,7 +71,7 @@ def handle_output(self, output_format):
         output_kwargs = {}
         if ":" in output_format:
             output_format, version = output_format.split(":", maxsplit=1)
-            if output_format != "cyclonedx":
+            if output_format not in ["cyclonedx", "spdx"]:
                 raise CommandError(
                     'The ":" version syntax is only supported for the cyclonedx format.'
                 )

scanpipe/pipes/output.py

@@ -713,12 +713,15 @@ def get_inputs_as_spdx_packages(project):
     return inputs_as_spdx_packages
 
 
-def to_spdx(project, include_files=False):
+def to_spdx(project, version=spdx.SPDX_SPEC_VERSION_2_3, include_files=False):
     """
     Generate output for the provided ``project`` in SPDX document format.
     The output file is created in the ``project`` "output/" directory.
     Return the path of the generated output file.
     """
+    if version not in [spdx.SPDX_SPEC_VERSION_2_2, spdx.SPDX_SPEC_VERSION_2_3]:
+        raise ValueError(f"SPDX {version} is not supported.")
+
     output_file = project.get_output_file_path("results", "spdx.json")
     document_spdx_id = f"SPDXRef-DOCUMENT-{project.uuid}"
 
@@ -786,6 +789,7 @@ def to_spdx(project, include_files=False):
         ]
 
     document = spdx.Document(
+        version=version,
         spdx_id=document_spdx_id,
         name=f"scancodeio_{project.name}",
         namespace=f"https://scancode.io/spdxdocs/{project.uuid}",

scanpipe/pipes/schemas/spdx-schema-2.2.json

@@ -0,0 +1,15 @@
+about_resource: spdx-schema-2.2.json
+name: spdx-spec
+version: 2.2
+download_url: https://github.com/spdx/spdx-spec/raw/development/v2.2/schemas/spdx-schema.json
+description: The Software Package Data Exchange® (SPDX®) specification is a standard format
+  for communicating the components, licenses and copyrights associated with software packages.
+homepage_url: https://spdx.org
+package_url: pkg:github/spdx/[email protected]?version_prefix=v#schemas/spdx-schema.json
+license_expression: cc-by-3.0
+copyright: Copyright (c) SPDX project contributors
+attribute: yes
+track_changes: yes
+licenses:
+  - key: cc-by-3.0
+    name: Creative Commons Attribution License 3.0

scanpipe/pipes/schemas/spdx-schema-2.2.json.ABOUT

@@ -29,14 +29,21 @@
 from datetime import timezone
 from pathlib import Path
 
-SPDX_SPEC_VERSION = "2.3"
+SCHEMAS_LOCATION = Path(__file__).parent / "schemas"
 SPDX_LICENSE_LIST_VERSION = "3.20"
-SPDX_SCHEMA_NAME = "spdx-schema-2.3.json"
-SPDX_SCHEMA_PATH = Path(__file__).parent / "schemas" / SPDX_SCHEMA_NAME
-SPDX_SCHEMA_URL = (
+
+SPDX_SPEC_VERSION_2_3 = "2.3"
+SPDX_SCHEMA_2_3_PATH = SCHEMAS_LOCATION / "spdx-schema-2.3.json"
+SPDX_SCHEMA_2_3_URL = (
     "https://github.com/spdx/spdx-spec/raw/development/v2.3.1/schemas/spdx-schema.json"
 )
 
+SPDX_SPEC_VERSION_2_2 = "2.2"
+SPDX_SCHEMA_2_2_PATH = SCHEMAS_LOCATION / "spdx-schema-2.2.json"
+SPDX_SCHEMA_2_2_URL = (
+    "https://github.com/spdx/spdx-spec/raw/development/v2.2/schemas/spdx-schema.json"
+)
+
 """
 Generate SPDX Documents.
 Spec documentation: https://spdx.github.io/spdx-spec/v2.3/
@@ -98,7 +105,7 @@
     print(document.as_json())
 
     # Validate document
-    schema = spdx.SPDX_SCHEMA_PATH.read_text()
+    schema = spdx.SPDX_SCHEMA_2_3_PATH.read_text()
     document.validate(schema)
 
     # Write document to a file:
@@ -233,14 +240,22 @@ class ExternalRef:
     downloadable content believed to be relevant to the Package.
     """
 
-    category: str  # Supported values: OTHER, SECURITY, PERSISTENT-ID, PACKAGE-MANAGER
+    # Supported values:
+    # v2.3: OTHER, SECURITY, PERSISTENT-ID, PACKAGE-MANAGER
+    # v2.2: OTHER, SECURITY, PACKAGE_MANAGER
+    category: str
     type: str
     locator: str
 
     comment: str = ""
 
-    def as_dict(self):
+    def as_dict(self, spec_version=SPDX_SPEC_VERSION_2_3):
         """Return the data as a serializable dict."""
+
+        if spec_version == SPDX_SPEC_VERSION_2_2:
+            if self.category == "PACKAGE-MANAGER":
+                self.category = "PACKAGE_MANAGER"
+
         data = {
             "referenceCategory": self.category,
             "referenceType": self.type,
@@ -345,7 +360,7 @@ class Package:
     external_refs: list[ExternalRef] = field(default_factory=list)
     attribution_texts: list[str] = field(default_factory=list)
 
-    def as_dict(self):
+    def as_dict(self, spec_version=SPDX_SPEC_VERSION_2_3):
         """Return the data as a serializable dict."""
         spdx_id = str(self.spdx_id)
         if not spdx_id.startswith("SPDXRef-"):
@@ -355,6 +370,7 @@ def as_dict(self):
             "name": self.name,
             "SPDXID": spdx_id,
             "downloadLocation": self.download_location or "NOASSERTION",
+            "licenseDeclared": self.license_declared or "NOASSERTION",
             "licenseConcluded": self.license_concluded or "NOASSERTION",
             "copyrightText": self.copyright_text or "NOASSERTION",
             "filesAnalyzed": self.files_analyzed,
@@ -363,24 +379,28 @@ def as_dict(self):
         optional_data = {
             "versionInfo": self.version,
             "packageFileName": self.filename,
-            "licenseDeclared": self.license_declared,
             "supplier": self.supplier,
             "originator": self.originator,
             "homepage": self.homepage,
             "description": self.description,
             "summary": self.summary,
             "sourceInfo": self.source_info,
-            "releaseDate": self.date_to_iso(self.release_date),
-            "builtDate": self.date_to_iso(self.built_date),
-            "validUntilDate": self.date_to_iso(self.valid_until_date),
-            "primaryPackagePurpose": self.primary_package_purpose,
             "comment": self.comment,
             "licenseComments": self.license_comments,
             "checksums": [checksum.as_dict() for checksum in self.checksums],
-            "externalRefs": [ref.as_dict() for ref in self.external_refs],
+            "externalRefs": [ref.as_dict(spec_version) for ref in self.external_refs],
             "attributionTexts": self.attribution_texts,
         }
 
+        # Fields only valid in 2.3
+        if spec_version == SPDX_SPEC_VERSION_2_3:
+            optional_data.update({
+                "releaseDate": self.date_to_iso(self.release_date),
+                "builtDate": self.date_to_iso(self.built_date),
+                "validUntilDate": self.date_to_iso(self.valid_until_date),
+                "primaryPackagePurpose": self.primary_package_purpose,
+            })
+
         optional_data = {key: value for key, value in optional_data.items() if value}
         return {**required_data, **optional_data}
 
@@ -567,7 +587,7 @@ class Document:
     packages: list[Package]
 
     spdx_id: str = "SPDXRef-DOCUMENT"
-    version: str = SPDX_SPEC_VERSION
+    version: str = SPDX_SPEC_VERSION_2_3
     data_license: str = "CC0-1.0"
     comment: str = ""
 
@@ -585,7 +605,7 @@ def as_dict(self):
             "documentNamespace": self.namespace,
             "documentDescribes": self.describes,
             "creationInfo": self.creation_info.as_dict(),
-            "packages": [package.as_dict() for package in self.packages],
+            "packages": [package.as_dict(self.version) for package in self.packages],
         }
 
         if self.files:
@@ -646,7 +666,7 @@ def validate(self, schema):
         return validate_document(document=self.as_dict(), schema=schema)
 
 
-def validate_document(document, schema=SPDX_SCHEMA_PATH):
+def validate_document(document, schema=SPDX_SCHEMA_2_3_PATH):
     """
     SPDX document validation.
     Requires the `jsonschema` library.

scanpipe/pipes/spdx.py

@@ -15,9 +15,15 @@
       <a href="{% url 'project_results' project.slug 'xlsx' %}" class="dropdown-item">
         <strong>XLSX</strong>
       </a>
-      <a href="{% url 'project_results' project.slug 'spdx' %}" class="dropdown-item">
+      <div class="dropdown-item">
         <strong>SPDX</strong>
-      </a>
+        <div class="has-text-weight-semibold">
+          <div class="buttons">
+            <a href="{% url 'project_results' project.slug 'spdx' '2.3' %}" class="tag is-link">2.3</a>
+            <a href="{% url 'project_results' project.slug 'spdx' '2.2' %}" class="tag">2.2</a>
+          </div>
+        </div>
+      </div>
       <div class="dropdown-item">
         <strong>CycloneDX</strong>
         <div class="has-text-weight-semibold">

scanpipe/templates/scanpipe/dropdowns/project_download_dropdown.html

@@ -7,9 +7,26 @@
     <a class="tag is-success is-medium" href="{% url 'project_results' project.slug 'xlsx' %}">
       <span class="icon mr-1"><i class="fa-solid fa-download"></i></span>XLSX
     </a>
-    <a class="tag is-success is-medium" href="{% url 'project_results' project.slug 'spdx' %}">
-      <span class="icon mr-1"><i class="fa-solid fa-download"></i></span>SPDX
-    </a>
+    <div class="dropdown is-hoverable">
+      <div class="dropdown-trigger">
+        <button class="button tag is-success is-medium" aria-haspopup="true" aria-controls="dropdown-menu-spdx">
+          <span class="icon">
+            <i class="fa-solid fa-download" aria-hidden="true"></i>
+          </span>
+          <span>SPDX</span>
+        </button>
+      </div>
+      <div class="dropdown-menu" id="dropdown-menu-spdx" role="menu">
+        <div class="dropdown-content">
+          <a href="{% url 'project_results' project.slug 'spdx' '2.3' %}" class="dropdown-item has-text-weight-semibold">
+            Spec 2.3 <span class="tag is-link ml-1">Latest</span>
+          </a>
+          <a href="{% url 'project_results' project.slug 'spdx' '2.2' %}" class="dropdown-item">
+            Spec 2.2
+          </a>
+        </div>
+      </div>
+    </div>
     <div class="dropdown is-hoverable">
       <div class="dropdown-trigger">
         <button class="button tag is-success is-medium" aria-haspopup="true" aria-controls="dropdown-menu-cyclonedx">

scanpipe/templates/scanpipe/includes/project_downloads.html

@@ -19,15 +19,16 @@
       "name": "Analysis",
       "SPDXID": "SPDXRef-scancodeio-project-b74fe5df-e965-415e-ba65-f38421a0695d",
       "downloadLocation": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
       "licenseConcluded": "NOASSERTION",
       "copyrightText": "NOASSERTION",
-      "filesAnalyzed": true,
-      "licenseDeclared": "NOASSERTION"
+      "filesAnalyzed": true
     },
     {
       "name": "a",
       "SPDXID": "SPDXRef-scancodeio-discoveredpackage-a83a60de-81bc-4bf4-b48c-dc78e0e658a9",
       "downloadLocation": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
       "licenseConcluded": "NOASSERTION",
       "copyrightText": "NOASSERTION",
       "filesAnalyzed": false,
@@ -43,6 +44,7 @@
       "name": "b",
       "SPDXID": "SPDXRef-scancodeio-discoveredpackage-81147701-285f-485c-ba36-9cd3742790b1",
       "downloadLocation": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
       "licenseConcluded": "NOASSERTION",
       "copyrightText": "NOASSERTION",
       "filesAnalyzed": false,
@@ -58,6 +60,7 @@
       "name": "z",
       "SPDXID": "SPDXRef-scancodeio-discoveredpackage-e391c33e-d7d0-4a97-a3c3-e947375c53d5",
       "downloadLocation": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
       "licenseConcluded": "NOASSERTION",
       "copyrightText": "NOASSERTION",
       "filesAnalyzed": false,
@@ -73,19 +76,19 @@
       "name": "",
       "SPDXID": "SPDXRef-scancodeio-discovereddependency-d0e1eab2-9b8b-449b-b9d1-12147ffdd8a8",
       "downloadLocation": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
       "licenseConcluded": "NOASSERTION",
       "copyrightText": "NOASSERTION",
-      "filesAnalyzed": false,
-      "licenseDeclared": "NOASSERTION"
+      "filesAnalyzed": false
     },
     {
       "name": "unresolved",
       "SPDXID": "SPDXRef-scancodeio-discovereddependency-29fbe562-a191-44b4-88e8-a9678071ecee",
       "downloadLocation": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
       "licenseConcluded": "NOASSERTION",
       "copyrightText": "NOASSERTION",
       "filesAnalyzed": false,
-      "licenseDeclared": "NOASSERTION",
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE-MANAGER",