spdx: Handle reporting for empty license metadata #437
9693e40 to 572258d
Suggestion: "does not generate valid SPDX" and then list the reasons per SPDX spec 2.1
I found a couple of fixes for just the debian image that will pass validation: This one gets rid of the SPDXRef error
This one gets rid of the dangling license block at the end:
Meanwhile, I have uncovered a bug in the debian based golang image. I'll file a bug on that one.
Can you imagine any situation where changing the : to - might misrepresent the version for users who want to extract the version info directly from the Tern SPDX document? Or are we not worried about potential corner cases like that right now?
572258d to c7654e5
I updated the commit message.
The package version is whatever the package manager says it is. So in
@nishakm Ah, I was confusing the package ID and package version. In order to determine where should do the actual If we supported other SPDX formatting in the future, would the colon after the epoch be an issue in the Thoughts?
I think it is the tag-value parser. There is no space between the strings and the If all SPDX formatting would have an issue with the colon inside the
Perhaps there is a different way of creating a "package identifier" for documents that can be constant for all types of formats. If not, I would rather this whole function get removed from the class and moved to the formats.
c7654e5 to b6630c3
As was discussed on the Tern slack channel, if SPDX formats are the only formats requiring a unique package identifier we should move the get_package_id functionality to |
Currently, if no license metadata is found (i.e. debian-based images) Tern does not generate valid SPDX. An empty license field still reports as "LicenseRef-". According to the 2.1 spec, if information about the license is unknown, the value should be NOASSERTION.

This commit adds a few checks in tern/formats/spdx/spdxtagvalue/generator.py to make sure that a license value exists before trying to report the license information.

It also moves the get_package_id functionality originally in tern/classes/package.py to a format in tern/formats/spdx/formats.py as package_id is a value only utilized by SPDX format reports. Since the get_package_id functionality was moved out of classes, the test for this function was removed from the test_class_package test file. tern/formats/spdx/spdxtagvalue/generator.py was updated to pull the package_id info from spdx formats.py and has additional manipulation to handle the case when a debian package is reported in the form [epoch:]upstream_version[-debian_revision]. The colon after the epoch needs to be changed to '-' in order to validate the SPDX report.

Additionally, this commit wraps the PackageCopyrightText value in <text></text> in the case that the copyright statement is more than one line per guidelines from the 2.1 spec.

Finally, this commit makes a change to the logic inside update_license_list() that gets rid of the dangling license block at the end of the report if no licenses are available from the container image metadata.

Resolves tern-tools#431

Signed-off-by: Rose Judge <rjudge@vmware.com>
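The commit message above describes four tag-value fixes: NOASSERTION for empty license metadata, a package identifier with the Debian epoch colon replaced by '-', `<text></text>` around multi-line PackageCopyrightText, and no trailing license block when no licenses exist. The following is an added, stand-alone example that shows how a tag-value generator can implement all four; it is not Tern's code. The `SPDXRef-<name>-<version>` layout, the `LicenseRef-<license>` convention for extracted licenses, and the two sample packages are assumptions constructed for this example.

```python
import re

# Characters SPDX 2.1 allows in an SPDXRef/LicenseRef idstring:
# letters, digits, '.' and '-'.  Everything else is replaced with '-'.
_IDSTRING_BAD = re.compile(r"[^A-Za-z0-9.\-]")


def get_package_id(name, version):
    """Return an SPDXRef idstring for a package.

    A Debian version of the form [epoch:]upstream_version[-debian_revision]
    carries a ':' that is not a legal idstring character, so every character
    outside the allowed set is rewritten to '-'.  The SPDXRef-<name>-<version>
    layout is an assumption of this example, not Tern's exact format.
    """
    return "SPDXRef-" + _IDSTRING_BAD.sub("-", f"{name}-{version}")


def license_value(pkg_license):
    """Return the PackageLicenseDeclared/Concluded value.

    Empty or missing license metadata (the Debian case in the PR) is
    reported as NOASSERTION instead of a bare 'LicenseRef-'.
    """
    if not pkg_license:
        return "NOASSERTION"
    return "LicenseRef-" + _IDSTRING_BAD.sub("-", pkg_license)


def copyright_text(statement):
    """Return the PackageCopyrightText value.

    Multi-line statements are wrapped in <text></text>; otherwise a tag-value
    parser would read the second line as the start of a new tag.
    """
    if not statement:
        return "NOASSERTION"
    if "\n" in statement:
        return f"<text>{statement}</text>"
    return statement


def package_block(pkg):
    """Render one package as a tag-value block."""
    lic = license_value(pkg.get("license"))
    return "\n".join([
        f"PackageName: {pkg['name']}",
        f"SPDXID: {get_package_id(pkg['name'], pkg['version'])}",
        f"PackageVersion: {pkg['version']}",
        "PackageDownloadLocation: NOASSERTION",
        "FilesAnalyzed: false",
        f"PackageLicenseConcluded: {lic}",
        f"PackageLicenseDeclared: {lic}",
        f"PackageCopyrightText: {copyright_text(pkg.get('copyright'))}",
    ])


def license_ref_blocks(packages):
    """Render the 'Other Licensing Information' section.

    Only distinct, non-empty licenses produce a LicenseRef block, so packages
    with no license metadata yield an empty string rather than a dangling
    block at the end of the report.
    """
    seen = []
    for pkg in packages:
        lic = pkg.get("license")
        if lic and lic not in seen:
            seen.append(lic)
    return "\n\n".join(
        f"LicenseID: {license_value(lic)}\nExtractedText: <text>{lic}</text>"
        for lic in seen
    )


def render_document(packages):
    """Assemble the package blocks and, only if non-empty, the license section."""
    parts = [package_block(p) for p in packages]
    refs = license_ref_blocks(packages)
    if refs:
        parts.append(refs)
    return "\n\n".join(parts)


# Constructed sample input: two packages as a Debian-based image might report
# them, one with an epoch in its version, both without license metadata.
SAMPLE_PACKAGES = [
    {"name": "examplepkg", "version": "1:2.3.4-1", "license": "",
     "copyright": "Copyright 2001 Example Author\nCopyright 2010 Another Author"},
    {"name": "otherpkg", "version": "0.9-2", "license": "", "copyright": ""},
]

if __name__ == "__main__":
    print(render_document(SAMPLE_PACKAGES))
```

Running the block prints a report with `SPDXID: SPDXRef-examplepkg-1-2.3.4-1`, `NOASSERTION` in both license fields, a wrapped copyright statement, and no license section at all, which is the output shape the SPDX validator accepts for images without license metadata.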
b6630c3 to be63be5
Validator approves!