Add support for SPDX 2.3 #164

Merged (17 commits, Oct 31, 2022)
Conversation

kzantow (Collaborator) commented Oct 6, 2022

This PR adds support for SPDX 2.3 with the following changes:

  • SPDX 2.3 data model
  • Add SPDX 2.3 variants for utility functions
  • Add support for all formats to export and import SPDX 2.3

Fixes: #156

NOTE: this PR also includes a change to fix the references to the SPDX spec in the v2_2 model. This can be removed, but I've done this so it's possible to run a diff between the models and see a more meaningful set of changes, e.g. run:

diff v2_2 v2_3 --ignore-matching-lines='package v2_.'
Results
diff --ignore-matching-lines='package v2_.' v2_2/annotation.go v2_3/annotation.go
7c7
< // Annotation is an Annotation section of an SPDX Document for version 2.2 of the spec.
---
> // Annotation is an Annotation section of an SPDX Document for version 2.3 of the spec.
24c24
<       AnnotationSPDXIdentifier common.DocElementID `json:"-"`
---
>       AnnotationSPDXIdentifier common.DocElementID `json:"-" yaml:"-"`
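Review bot: `AnnotationSPDXIdentifier` is now hidden from YAML as well as JSON, so after import the field is only correct if the reader sets it from the element that nests the annotation; a round-trip test (JSON or YAML out, back in, compare identifiers) would catch a reader that leaves it empty.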
diff --ignore-matching-lines='package v2_.' v2_2/creation_info.go v2_3/creation_info.go
8c8
< // SPDX Document for version 2.2 of the spec.
---
> // SPDX Document for version 2.3 of the spec.
diff --ignore-matching-lines='package v2_.' v2_2/document.go v2_3/document.go
9c9
< // as defined in section 6.6 for version 2.2 of the spec.
---
> // as defined in section 6.6 for version 2.3 of the spec.
23,24c23,24
< // Document is an SPDX Document for version 2.2 of the spec.
< // See https://spdx.github.io/spdx-spec/v2-draft/ (DRAFT)
---
> // Document is an SPDX Document for version 2.3 of the spec.
> // See https://spdx.github.io/spdx-spec/v2.3/document-creation-information
26c26
<       // 6.1: SPDX Version; should be in the format "SPDX-2.2"
---
>       // 6.1: SPDX Version; should be in the format "SPDX-2.3"
56,61c56,61
<       Packages      []*Package      `json:"packages"`
<       Files         []*File         `json:"files"`
<       OtherLicenses []*OtherLicense `json:"hasExtractedLicensingInfos"`
<       Relationships []*Relationship `json:"relationships"`
<       Annotations   []*Annotation   `json:"annotations"`
<       Snippets      []Snippet       `json:"snippets"`
---
>       Packages      []*Package      `json:"packages,omitempty"`
>       Files         []*File         `json:"files,omitempty"`
>       OtherLicenses []*OtherLicense `json:"hasExtractedLicensingInfos,omitempty"`
>       Relationships []*Relationship `json:"relationships,omitempty"`
>       Annotations   []*Annotation   `json:"annotations,omitempty"`
>       Snippets      []Snippet       `json:"snippets,omitempty"`
64c64
<       Reviews []*Review
---
>       Reviews []*Review `json:"-" yaml:"-"`
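Review bot: `Reviews` is now excluded from both JSON and YAML while the v2_3/review.go model is kept, so a document read from tag-value with review entries and written out as JSON or YAML loses them silently; state this in the field comment (tag-value only, not in the JSON schema) or have the JSON/YAML writers warn when the slice is non-empty.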
diff --ignore-matching-lines='package v2_.' v2_2/file.go v2_3/file.go
7c7
< // File is a File section of an SPDX Document for version 2.2 of the spec.
---
> // File is a File section of an SPDX Document for version 2.3 of the spec.
21c21
<       // 8.4: File Checksum: may have keys for SHA1, SHA256 and/or MD5
---
>       // 8.4: File Checksum: may have keys for SHA1, SHA256, MD5, SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32
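Review bot: the 8.4 comment now lists eleven algorithms, but the tag-value parser switch shown in the review below (`case common.SHA1, common.SHA256, common.MD5:`) still matches only the original three, so a 2.3 file with a SHA3-256 or BLAKE3 checksum will not reach `Checksums` on tag-value import; add constants for the new names in `common`, extend the switch, and make sure the default branch reports an unrecognised algorithm instead of ignoring the pair.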
26,27c26,27
<       // Cardinality: mandatory, one
<       LicenseConcluded string `json:"licenseConcluded"`
---
>       // Cardinality: optional, one
>       LicenseConcluded string `json:"licenseConcluded,omitempty"`
30,31c30,31
<       // Cardinality: mandatory, one or many
<       LicenseInfoInFiles []string `json:"licenseInfoInFiles"`
---
>       // Cardinality: optional, one or many
>       LicenseInfoInFiles []string `json:"licenseInfoInFiles,omitempty"`
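Review bot: `licenseConcluded` and `licenseInfoInFiles` go from mandatory to optional with `omitempty`, so a zero value is now dropped from the output rather than emitted as an empty string; producers that relied on 2.2's mandatory cardinality and wrote NOASSERTION for "not evaluated" should keep doing so, since an absent field and an unasserted one are different statements, and the comment could say that an empty value means absent.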
44c44
<       ArtifactOfProjects []*ArtifactOfProject `json:"-"`
---
>       ArtifactOfProjects []*ArtifactOfProject `json:"artifactOfs,omitempty"`
65c65
<       FileDependencies []string `json:"-"`
---
>       FileDependencies []string `json:"fileDependencies,omitempty"`
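Review bot: `artifactOfs` (44c44) and `fileDependencies` (65c65) were deliberately hidden from JSON in the 2.2 model and are now emitted, yet the NOTE later in this file says the schema does not define the object's structure; confirm against the linked spdx-schema.json whether extra file properties are permitted before turning them on, because a consumer that validates against the schema may reject an otherwise valid document, and add a test file that sets both so the key names are pinned.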
71c71
<       Snippets map[common.ElementID]*Snippet `json:"-"`
---
>       Snippets map[common.ElementID]*Snippet `json:"-" yaml:"-"`
77c77,79
< // a Package, as defined in sections 8.9-8.11 in version 2.2 of the spec.
---
> // a Package, as defined in sections 8.9-8.11 in version 2.3 of the spec.
> // NOTE: the JSON schema does not define the structure of this object:
> // https://github.com/spdx/spdx-spec/blob/development/v2.3.1/schemas/spdx-schema.json#L480
83c85
<       Name string
---
>       Name string `json:"name"`
88c90
<       HomePage string
---
>       HomePage string `json:"homePage"`
93c95
<       URI string
---
>       URI string `json:"URI"`
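Review bot: `URI` breaks the camelCase used by `name` and `homePage` just above; since the schema does not define this object, the spelling is this library's own, so pick one convention (e.g. `uri`) and say in the ArtifactOfProject comment that the JSON form is library-defined and not guaranteed to be read by other SPDX tooling.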
diff --ignore-matching-lines='package v2_.' v2_2/other_license.go v2_3/other_license.go
6c6
< // SPDX Document for version 2.2 of the spec.
---
> // SPDX Document for version 2.3 of the spec.
diff --ignore-matching-lines='package v2_.' v2_2/package.go v2_3/package.go
7c7
< // Package is a Package section of an SPDX Document for version 2.2 of the spec.
---
> // Package is a Package section of an SPDX Document for version 2.3 of the spec.
12c12
<       IsUnpackaged bool
---
>       IsUnpackaged bool `json:"-" yaml:"-"`
48c48
<       IsFilesAnalyzedTagPresent bool
---
>       IsFilesAnalyzedTagPresent bool `json:"-" yaml:"-"`
51c51,52
<       PackageVerificationCode common.PackageVerificationCode `json:"packageVerificationCode"`
---
>       // Cardinality: if FilesAnalyzed == true must be present, if FilesAnalyzed == false must be omitted
>       PackageVerificationCode *common.PackageVerificationCode `json:"packageVerificationCode,omitempty"`
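Review bot: `PackageVerificationCode` becomes a pointer, so any code ported from the v2_2 model that dereferences `pkg.PackageVerificationCode.Value` will panic on a package with FilesAnalyzed false; the new comment states the "present iff FilesAnalyzed" rule but nothing here enforces it, so the validation or export path should check it and the tag-value and JSON readers should leave the pointer nil when the section is absent. A test with FilesAnalyzed false and a nil code would also exercise the `omitempty` branch.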
53c54
<       // 7.10: Package Checksum: may have keys for SHA1, SHA256 and/or MD5
---
>       // 7.10: Package Checksum: may have keys for SHA1, SHA256, MD5, SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32
55c56
<       PackageChecksums []common.Checksum `json:"checksums"`
---
>       PackageChecksums []common.Checksum `json:"checksums,omitempty"`
66,67c67,68
<       // Cardinality: mandatory, one
<       PackageLicenseConcluded string `json:"licenseConcluded"`
---
>       // Cardinality: optional, one
>       PackageLicenseConcluded string `json:"licenseConcluded,omitempty"`
70c71
<       // Cardinality: mandatory, one or many if filesAnalyzed is true / omitted;
---
>       // Cardinality: optional, one or many if filesAnalyzed is true / omitted;
72c73
<       PackageLicenseInfoFromFiles []string `json:"licenseInfoFromFiles"`
---
>       PackageLicenseInfoFromFiles []string `json:"licenseInfoFromFiles,omitempty"`
75,76c76,77
<       // Cardinality: mandatory, one
<       PackageLicenseDeclared string `json:"licenseDeclared"`
---
>       // Cardinality: optional, one
>       PackageLicenseDeclared string `json:"licenseDeclared,omitempty"`
109a111,127
>       // 7.24: Primary Package Purpose
>       // Cardinality: optional, one or many
>       // Allowed values: APPLICATION, FRAMEWORK, LIBRARY, CONTAINER, OPERATING-SYSTEM, DEVICE, FIRMWARE, SOURCE, ARCHIVE, FILE, INSTALL, OTHER
>       PrimaryPackagePurpose string `json:"primaryPackagePurpose,omitempty"`
> 
>       // 7.25: Release Date: YYYY-MM-DDThh:mm:ssZ
>       // Cardinality: optional, one
>       ReleaseDate string `json:"releaseDate,omitempty"`
> 
>       // 7.26: Build Date: YYYY-MM-DDThh:mm:ssZ
>       // Cardinality: optional, one
>       BuiltDate string `json:"builtDate,omitempty"`
> 
>       // 7.27: Valid Until Date: YYYY-MM-DDThh:mm:ssZ
>       // Cardinality: optional, one
>       ValidUntilDate string `json:"validUntilDate,omitempty"`
> 
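Review bot: the 7.24 comment says "Cardinality: optional, one or many" while `PrimaryPackagePurpose` is a single `string`; a package has one primary purpose, so the comment should read "optional, one". The allowed values live only in that comment: declaring them as constants in `common`, alongside the relationship-type and checksum constants, gives writers something to validate against (the ENUM request in the review applies here). The three date fields are free strings with the YYYY-MM-DDThh:mm:ssZ format only in comments, so whatever check the creation-date field gets should also cover `releaseDate`, `builtDate` and `validUntilDate`.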
111c129
<       Files []*File
---
>       Files []*File `json:"files,omitempty"`
113c131
<       Annotations []Annotation `json:"annotations"`
---
>       Annotations []Annotation `json:"annotations,omitempty"`
117c135
< // about a Package, as defined in section 7.21 in version 2.2 of the spec.
---
> // about a Package, as defined in section 7.21 in version 2.3 of the spec.
diff --ignore-matching-lines='package v2_.' v2_2/relationship.go v2_3/relationship.go
8c8
< // version 2.2 of the spec.
---
> // version 2.3 of the spec.
diff --ignore-matching-lines='package v2_.' v2_2/review.go v2_3/review.go
5c5
< // Review is a Review section of an SPDX Document for version 2.2 of the spec.
---
> // Review is a Review section of an SPDX Document for version 2.3 of the spec.
diff --ignore-matching-lines='package v2_.' v2_2/snippet.go v2_3/snippet.go
7c7
< // Snippet is a Snippet section of an SPDX Document for version 2.2 of the spec.
---
> // Snippet is a Snippet section of an SPDX Document for version 2.3 of the spec.
22,23c22,23
<       // Cardinality: mandatory, one
<       SnippetLicenseConcluded string `json:"licenseConcluded"`
---
>       // Cardinality: optional, one
>       SnippetLicenseConcluded string `json:"licenseConcluded,omitempty"`
47c47
<       SnippetAttributionTexts []string `json:"-"`
---
>       SnippetAttributionTexts []string `json:"-" yaml:"-"`
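Review bot: `SnippetAttributionTexts` stays hidden (`json:"-"`, now also `yaml:"-"`), so attribution text on a snippet is lost on JSON and YAML export; check whether the 2.3 JSON schema defines an attributionTexts property for snippets and, if it does, tag this field with it, otherwise say in the comment that the field is tag-value only.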

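As an added example (not code from this PR or from tools-golang), the following stand-alone Go program mirrors the Package fields the diff above changes or adds and implements the checks its comments describe but the struct cannot enforce: the verification code present exactly when FilesAnalyzed is true, PrimaryPackagePurpose drawn from the listed values, and the three new date fields in YYYY-MM-DDThh:mm:ssZ form. The type names, the `name`/`SPDXID`/`filesAnalyzed`/`packageVerificationCodeValue` JSON keys and the sample packages are assumptions made for the example; the remaining tags are copied from the diff.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// PackageVerificationCode and Package are a stand-alone mirror of the v2_3 Package
// fields touched by the diff. They are NOT the tools-golang types: tags shown in
// the diff are copied, the rest (name, SPDXID, filesAnalyzed, the verification
// code value key) are assumed from the SPDX 2.3 JSON field names.
type PackageVerificationCode struct {
	Value string `json:"packageVerificationCodeValue"`
}

type Package struct {
	PackageName             string                   `json:"name"`
	PackageSPDXIdentifier   string                   `json:"SPDXID"`
	FilesAnalyzed           bool                     `json:"filesAnalyzed"`
	PackageVerificationCode *PackageVerificationCode `json:"packageVerificationCode,omitempty"`
	PackageLicenseConcluded string                   `json:"licenseConcluded,omitempty"`
	PrimaryPackagePurpose   string                   `json:"primaryPackagePurpose,omitempty"`
	ReleaseDate             string                   `json:"releaseDate,omitempty"`
	BuiltDate               string                   `json:"builtDate,omitempty"`
	ValidUntilDate          string                   `json:"validUntilDate,omitempty"`
}

// allowedPurposes is the value list from the 7.24 comment in the diff.
var allowedPurposes = map[string]bool{
	"APPLICATION": true, "FRAMEWORK": true, "LIBRARY": true, "CONTAINER": true,
	"OPERATING-SYSTEM": true, "DEVICE": true, "FIRMWARE": true, "SOURCE": true,
	"ARCHIVE": true, "FILE": true, "INSTALL": true, "OTHER": true,
}

// spdxDateLayout is the YYYY-MM-DDThh:mm:ssZ form the 7.25-7.27 comments require;
// the trailing Z is a literal in this layout, so only UTC timestamps pass.
const spdxDateLayout = "2006-01-02T15:04:05Z"

// ValidatePackage enforces what the field comments state but the struct cannot:
// the verification code is present exactly when FilesAnalyzed is true, the
// primary purpose is one of the listed values, and the 2.3 date fields are
// well-formed. Every violation is returned, not just the first one.
func ValidatePackage(p *Package) []string {
	var problems []string
	switch {
	case p.FilesAnalyzed && p.PackageVerificationCode == nil:
		problems = append(problems, "filesAnalyzed is true but packageVerificationCode is missing")
	case !p.FilesAnalyzed && p.PackageVerificationCode != nil:
		problems = append(problems, "filesAnalyzed is false but packageVerificationCode must be omitted")
	}
	if p.PrimaryPackagePurpose != "" && !allowedPurposes[p.PrimaryPackagePurpose] {
		problems = append(problems, fmt.Sprintf("primaryPackagePurpose %q is not an allowed value", p.PrimaryPackagePurpose))
	}
	dates := []struct{ key, value string }{
		{"releaseDate", p.ReleaseDate}, {"builtDate", p.BuiltDate}, {"validUntilDate", p.ValidUntilDate},
	}
	for _, d := range dates {
		if d.value == "" {
			continue // optional, one: absent is fine
		}
		if _, err := time.Parse(spdxDateLayout, d.value); err != nil {
			problems = append(problems, fmt.Sprintf("%s %q is not in YYYY-MM-DDThh:mm:ssZ form", d.key, d.value))
		}
	}
	return problems
}

// ToJSON serialises a package so the effect of the omitempty tags is visible:
// a nil verification code produces no packageVerificationCode key at all.
func ToJSON(p *Package) (string, error) {
	b, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Constructed sample packages; not taken from any real SBOM.
	analyzed := &Package{
		PackageName: "libfoo", PackageSPDXIdentifier: "SPDXRef-Package-libfoo",
		FilesAnalyzed: true, PrimaryPackagePurpose: "LIBRARY",
		ReleaseDate: "2022-10-31T12:00:00Z",
	}
	fmt.Println(ValidatePackage(analyzed)) // verification code missing
	analyzed.PackageVerificationCode = &PackageVerificationCode{Value: "d6a770ba38583ed4bb4525bd96e50461655d2758"}
	fmt.Println(ValidatePackage(analyzed)) // no problems

	notAnalyzed := &Package{
		PackageName: "bar-cli", PackageSPDXIdentifier: "SPDXRef-Package-bar",
		FilesAnalyzed: false, PrimaryPackagePurpose: "PLUGIN", BuiltDate: "2022-10-31",
	}
	fmt.Println(ValidatePackage(notAnalyzed)) // bad purpose and bad date
	js, _ := ToJSON(notAnalyzed)
	fmt.Println(js) // packageVerificationCode key absent
}
```

The date check deliberately uses a layout with a literal `Z` rather than time.RFC3339, because RFC3339 would also accept a numeric offset such as `+02:00`, which the SPDX comments do not allow.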
kzantow mentioned this pull request Oct 6, 2022
kzantow force-pushed the feat/spdx-2.3-support branch from a445943 to 11771ee on October 6, 2022 23:36
kzantow marked this pull request as ready for review October 10, 2022 16:37
kzantow (Collaborator, Author) commented Oct 10, 2022

NOTE: I would squash all of these commits into a feat: Support SPDX 2.3 type of commit. I may have mislabeled a few commits as chore updates.

kzantow (Collaborator, Author) commented Oct 19, 2022

Ping @lumjjb @swinslow (sorry for the ping)... is this something that we could get in reasonably soon?

lumjjb (Collaborator) commented Oct 19, 2022

Sorry I missed this (KubeCon prep crunch). Let me review this this weekend and hope we can merge it in the next few weeks!

lumjjb (Collaborator) left a review:

Thanks so much @kzantow for this effort! It was a lot of code wrangling!! Have a couple of minor nits on adding ENUMs and it should be good to merge; this will provide a good basis for using the struct, and then additional validation we can add on later!

@@ -0,0 +1,406 @@
{
"spdxVersion": "SPDX-2.3",
lumjjb (Collaborator):

TODO: open a separate follow-up issue to have another test case which contains more 2.3 specific fields.

kzantow (Collaborator, Author) replied Oct 24, 2022

// 8.4: File Checksum: may have keys for SHA1, SHA256, MD5, SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32
// Cardinality: mandatory, one SHA1, others may be optionally provided
Checksums []common.Checksum `json:"checksums"`
lumjjb (Collaborator):

I think we should add the new algorithms to the common folder as well as consts.

Added hash algorithms (SHA3-256, SHA3-384, SHA3-512, BLAKE2b-256, BLAKE2b-384, BLAKE2b-512, BLAKE3, ADLER32 ) to the set recognized by 7.10 (Package Checksum field) and 8.4 (File checksum field)

// Relationship is type from 11.1.1
RefA common.DocElementID `json:"spdxElementId"`
RefB common.DocElementID `json:"relatedSpdxElement"`
Relationship string `json:"relationshipType"`
lumjjb (Collaborator):

Add 2 new relationship consts to spdx/common/external.go

Update Clause 11 to add the new relationship types: REQUIREMENT_DESCRIPTION_FOR and SPECIFICATION_FOR.

lumjjb (Collaborator):

In addition, since its touching the same files, adding the following consts:

Update Annex F ( External Repository Identifiers ) to expand security references to include advisory, fix, URL, SWID. Expand persistent identifiers to include gitoid.

kzantow (Collaborator, Author) replied

// set up document and one package, but no relationships
// b/c only one package
doc := &v2_3.Document{
SPDXVersion: "SPDX-2.2",
lumjjb (Collaborator):

SPDX-2.2 -> SPDX-2.3

Couple of occurrences

func Test2_3InvalidDocumentFailsValidation(t *testing.T) {
// set up document and some packages and relationships
doc := &v2_3.Document{
SPDXVersion: "SPDX-2.1",
lumjjb (Collaborator):

is the old version intended for failure here?

kzantow (Collaborator, Author):

This was copied from the 2.2 version, but doesn't actually do much to test the failure condition; so I've updated it.

switch common.ChecksumAlgorithm(subkey) {
case common.SHA1, common.SHA256, common.MD5:
algorithm := common.ChecksumAlgorithm(subkey)
parser.file.Checksums = append(parser.file.Checksums, common.Checksum{Algorithm: algorithm, Value: subvalue})
lumjjb (Collaborator):

add case for newly defined unhandled checksums and create an issue as a TODO to add support for new checksums
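The switch quoted above only recognises SHA1, SHA256 and MD5. As an added example (not the parser from this PR or from tools-golang), here is a stand-alone Go checksum-pair parser for the tag-value format that accepts the full 2.3 list from the 8.4 field comment and rejects unknown algorithms and malformed digests instead of letting them through or dropping them. ChecksumAlgorithm and Checksum are stand-ins for the `common` types, the digest lengths are the standard output sizes of each algorithm (BLAKE3 at its default 32-byte output is an assumption), and the tag-value fragment is constructed sample data.

```go
package main

import (
	"encoding/hex"
	"fmt"
	"strings"
)

// ChecksumAlgorithm and Checksum are stand-alone stand-ins for the common
// package types named in the parser snippet; they are not the tools-golang types.
type ChecksumAlgorithm string

type Checksum struct {
	Algorithm ChecksumAlgorithm
	Value     string
}

// digestHexLen lists every algorithm the 2.3 field comment allows (SHA1, SHA256
// and MD5 as before, plus the eight added in 2.3) with the hex length of its
// digest. Lengths are the standard output sizes; BLAKE3 is taken at its default
// 32-byte output (assumption). Anything not in this map is rejected.
var digestHexLen = map[ChecksumAlgorithm]int{
	"SHA1": 40, "SHA256": 64, "MD5": 32,
	"SHA3-256": 64, "SHA3-384": 96, "SHA3-512": 128,
	"BLAKE2b-256": 64, "BLAKE2b-384": 96, "BLAKE2b-512": 128,
	"BLAKE3": 64, "ADLER32": 8,
}

// ParseChecksumPair parses the value part of a FileChecksum or PackageChecksum
// tag, e.g. "SHA3-256: <hex>". An unknown algorithm, a digest of the wrong
// length, or non-hex content is an error, so bad data is refused at import
// rather than carried into the SBOM or silently discarded.
func ParseChecksumPair(value string) (Checksum, error) {
	parts := strings.SplitN(value, ":", 2)
	if len(parts) != 2 {
		return Checksum{}, fmt.Errorf("checksum %q is not in ALGORITHM: VALUE form", value)
	}
	alg := ChecksumAlgorithm(strings.TrimSpace(parts[0]))
	digest := strings.ToLower(strings.TrimSpace(parts[1])) // normalise case for later comparison
	want, known := digestHexLen[alg]
	if !known {
		return Checksum{}, fmt.Errorf("unsupported checksum algorithm %q", alg)
	}
	if len(digest) != want {
		return Checksum{}, fmt.Errorf("%s digest has %d hex characters, want %d", alg, len(digest), want)
	}
	if _, err := hex.DecodeString(digest); err != nil {
		return Checksum{}, fmt.Errorf("%s digest is not hex: %w", alg, err)
	}
	return Checksum{Algorithm: alg, Value: digest}, nil
}

// ParseFileChecksums walks a tag-value fragment and collects every FileChecksum
// tag, stopping at the first invalid one. Other tags are ignored here.
func ParseFileChecksums(tagValue string) ([]Checksum, error) {
	var out []Checksum
	for n, line := range strings.Split(tagValue, "\n") {
		tag, rest, ok := cutTag(line)
		if !ok || tag != "FileChecksum" {
			continue
		}
		c, err := ParseChecksumPair(rest)
		if err != nil {
			return nil, fmt.Errorf("line %d: %w", n+1, err)
		}
		out = append(out, c)
	}
	return out, nil
}

// cutTag splits a "Tag: value" line at the first colon.
func cutTag(line string) (tag, value string, ok bool) {
	parts := strings.SplitN(line, ":", 2)
	if len(parts) != 2 {
		return "", "", false
	}
	return strings.TrimSpace(parts[0]), strings.TrimSpace(parts[1]), true
}

// sampleTagValue is a constructed tag-value fragment; the hex strings are
// length-correct sample digests, not hashes of any real file.
const sampleTagValue = `FileName: ./src/main.c
SPDXID: SPDXRef-File-main
FileChecksum: SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
FileChecksum: SHA3-256: a7ffc6f8bf1ed76651c14756a061d662f580ff4de43b49fa82d80a4b80f8434a
FileChecksum: BLAKE3: af1349b9f5f9a1a6a0404dea36dcc9499bcb25c9adc112b7cc9a93cae41f3262
`

func main() {
	sums, err := ParseFileChecksums(sampleTagValue)
	fmt.Println(sums, err)
	_, err = ParseChecksumPair("CRC32: deadbeef")
	fmt.Println(err) // CRC32 is not an SPDX 2.3 algorithm
}
```

Rejecting on length and hex content matters for an SBOM consumer: a truncated or mistyped digest that is accepted at parse time will later fail to match the artifact it is supposed to pin, and the failure surfaces far from its cause.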

"github.com/spdx/tools-golang/spdx/v2_3"
)

func (parser *tvParser2_3) parsePairFromOtherLicense2_3(tag string, value string) error {
lumjjb (Collaborator):

@swinslow I'm not as familiar with the license change assertion of XML format in 2.3. From my knowledge it's just additional validation and parsing required (which we should add as part of #159)? Thoughts here?

kzantow (Collaborator, Author) commented Oct 24, 2022

Thank you so much for the review @lumjjb! I think I've made all the changes requested -- please let me know if I've missed anything!

lumjjb (Collaborator) left a review:

LGTM!

lumjjb merged commit e20ab88 into spdx:main Oct 31, 2022
Successfully merging this pull request may close these issues.

SPDX 2.3 Support