forked from tern-tools/tern
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
spdx: Handle reporting for empty license metadata
Currently, if no license metadata is found (i.e. debian-based images) Tern does not generate valid SPDX. An empty license field still reports as "LicenseRef-". According to the 2.1 spec, if information about the license is unknown, the value should be NOASSERTION.

This commit adds a few checks in tern/formats/spdx/spdxtagvalue/generator.py to make sure that a license value exists before trying to report the license information. It also moves the get_package_id functionality originally in tern/classes/package.py to a format in tern/formats/spdx/formats.py as package_id is a value only utilized by SPDX format reports. Since the get_package_id functionality was moved out of classes, the test for this function was removed from the test_class_package test file.

tern/formats/spdx/spdxtagvalue/generator.py was updated to pull the package_id info from spdx formats.py and has additional manipulation to handle the case when a debian package is reported in the form [epoch:]upstream_version[-debian_revision]. The colon after the epoch needs to be changed to '-' in order to validate the SPDX report.

Additionally, this commit wraps the PackageCopyrightText value in <text></text> in the case that the copyright statement is more than one line per guidelines from the 2.1 spec.

Finally, this commit makes a change to the logic inside update_license_list() that gets rid of the dangling license block at the end of the report if no licenses are available from the container image metadata.

Resolves tern-tools#431

Signed-off-by: Rose Judge <rjudge@vmware.com>
Showing 4 changed files with 19 additions and 16 deletions.
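The SPDX 2.1 tag-value rules the commit message refers to, as an added example that is not Tern's code and is not part of this commit. The function names, the dict-based package record and the digest-based `LicenseRef-` id are assumptions; the sanitizer also goes beyond the colon case by replacing every character that is not legal in an SPDX idstring.

```python
import hashlib
import re

_ID_INVALID = re.compile(r"[^A-Za-z0-9.-]")  # SPDX 2.1 idstring: letters, digits, ".", "-"


def spdx_package_ref(name, version):
    """SPDXID for a package (hypothetical helper, not Tern's get_package_id)."""
    raw = f"{name}-{version}" if version else name
    # A Debian epoch ("1:2.0-3") puts ":" in the version; it must become "-".
    return "SPDXRef-" + _ID_INVALID.sub("-", raw)


def license_value(pkg_license):
    """NOASSERTION for empty metadata; else LicenseRef- plus a digest (assumed scheme)."""
    text = (pkg_license or "").strip()
    if not text:
        return "NOASSERTION"
    return "LicenseRef-" + hashlib.sha256(text.encode("utf-8")).hexdigest()[:7]


def copyright_value(text):
    """Wrap a multi-line copyright statement in <text></text>."""
    text = (text or "").strip()
    if not text:
        return "NOASSERTION"
    return f"<text>{text}</text>" if "\n" in text else text


def package_block(pkg):
    """Tag-value lines for one package record (a plain dict in this example)."""
    return "\n".join([
        f"PackageName: {pkg['name']}",
        f"SPDXID: {spdx_package_ref(pkg['name'], pkg.get('version'))}",
        f"PackageLicenseDeclared: {license_value(pkg.get('license'))}",
        f"PackageCopyrightText: {copyright_value(pkg.get('copyright'))}",
    ])


def extracted_license_blocks(packages):
    """One LicenseID block per distinct non-empty license; none if all are empty."""
    texts = sorted({(p.get("license") or "").strip() for p in packages} - {""})
    return [f"LicenseID: {license_value(t)}\nExtractedText: <text>{t}</text>"
            for t in texts]


# Constructed sample: Debian-style version with an epoch, no license metadata.
SAMPLE = {"name": "examplepkg", "version": "1:2.0-3", "license": "",
          "copyright": "Copyright 2019 Example Author\nCopyright 2020 Another Author"}
print(package_block(SAMPLE))
```

Consumers that match packages by SPDXID should note that the sanitized id no longer round-trips to the Debian version string; the unmodified version belongs in `PackageVersion`.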