adapt code to new spdx-tools release

meretp · meretp · commit d89ab6584d3d · 2023-01-17T10:28:51.000+01:00
With the new release, the checksum class has been renamed, the license class has been moved to its own file, and files are now only allowed at document level.

Signed-off-by: Meret Behrens &lt;meret.behrens@tngtech.com&gt;
diff --git a/requirements.txt b/requirements.txt
@@ -64,7 +64,7 @@ requests==2.28.1
 saneyaml==0.6.0
 six==1.16.0
 soupsieve==2.3.2.post1
-spdx-tools==0.7.0a3
+spdx-tools==0.7.0rc0
 text-unidecode==1.3
 toml==0.10.2
 typecode==30.0.0
diff --git a/setup-mini.cfg b/setup-mini.cfg
@@ -80,7 +80,7 @@ install_requires =
     gemfileparser2 >= 0.9.0
     html5lib
     importlib_metadata
-    intbitset >= 3.0.2 
+    intbitset >= 3.0.2
     jaraco.functools
     javaproperties >= 0.5
     jinja2 >= 2.7.0
@@ -105,7 +105,7 @@ install_requires =
     pymaven_patch >= 0.2.8
     requests >= 2.7.0
     saneyaml >= 0.6.0
-    spdx_tools == 0.7.0a3
+    spdx_tools == 0.7.0rc0, ==0.7.*
     text_unidecode >= 1.0
     toml >= 0.10.0
     urlpy
diff --git a/setup.cfg b/setup.cfg
@@ -105,7 +105,7 @@ install_requires =
     pymaven_patch >= 0.2.8
     requests >= 2.7.0
     saneyaml >= 0.6.0
-    spdx_tools == 0.7.0a3
+    spdx_tools == 0.7.0rc0, ==0.7.*
     text_unidecode >= 1.0
     toml >= 0.10.0
     urlpy
diff --git a/src/formattedcode/output_spdx.py b/src/formattedcode/output_spdx.py
@@ -12,13 +12,15 @@
 from io import BytesIO
 from io import StringIO
 
-from spdx.checksum import Algorithm
+from spdx.checksum import Checksum, ChecksumAlgorithm
 from spdx.creationinfo import Tool
 from spdx.document import ExtractedLicense
 from spdx.document import Document
-from spdx.document import License
+from spdx.license import License
 from spdx.file import File
 from spdx.package import Package
+from spdx.relationship import Relationship
+from spdx.utils import calc_verif_code
 from spdx.utils import NoAssert
 from spdx.utils import SPDXNone
 from spdx.version import Version
@@ -280,9 +282,8 @@ def write_spdx(
         name = './' + file_data.get('path')
         file_entry = File(
             spdx_id=f'SPDXRef-{sid}',
-            name=name,
-            chk_sum=Algorithm('SHA1', file_data.get('sha1') or '')
-        )
+            name=name)
+        file_entry.set_checksum(Checksum(ChecksumAlgorithm.SHA1, file_data.get('sha1') or ''))
 
         file_license_detections = file_data.get('license_detections')
         license_matches = get_matches_from_detection_mappings(file_license_detections)
@@ -357,9 +358,11 @@ def write_spdx(
         else:
             file_entry.copyright = SPDXNone()
 
-        package.add_file(file_entry)
+        doc.add_file(file_entry)
+        relationship = Relationship(package.spdx_id + " CONTAINS " + file_entry.spdx_id)
+        doc.add_relationship(relationship)
 
-    if len(package.files) == 0:
+    if len(doc.files) == 0:
         if as_tagvalue:
             msg = "# No results for package '{}'.\n".format(package.name)
         else:
@@ -392,7 +395,7 @@ def write_spdx(
         # statements for the package.
         package.cr_text = '\n'.join(sorted(package.cr_text)) + '\n'
 
-    package.verif_code = doc.package.calc_verif_code()
+    package.verif_code = calc_verif_code(doc.files)
     package.license_declared = NoAssert()
     package.conc_lics = NoAssert()
 
@@ -404,7 +407,7 @@ def write_spdx(
     # one case we do need to deal with bytes and decode before writing (rdf) and
     # in the other case we deal with text all the way.
 
-    if package.files:
+    if doc.files:
 
         if as_tagvalue:
             from spdx.writers.tagvalue import write_document  # NOQA
diff --git a/tests/formattedcode/data/spdx/license_known/expected.tv b/tests/formattedcode/data/spdx/license_known/expected.tv
@@ -35,5 +35,4 @@ SPDXID: SPDXRef-3
 FileChecksum: SHA1: 172444e7c137eb5cd3cae530aca0879c90f7fada
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: CC0-1.0
-FileCopyrightText: NONE
-# Extracted Licenses
+FileCopyrightText: NONE
diff --git a/tests/formattedcode/data/spdx/license_known/expected_with_text.tv b/tests/formattedcode/data/spdx/license_known/expected_with_text.tv
@@ -35,5 +35,4 @@ SPDXID: SPDXRef-3
 FileChecksum: SHA1: 172444e7c137eb5cd3cae530aca0879c90f7fada
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: CC0-1.0
-FileCopyrightText: NONE
-# Extracted Licenses
+FileCopyrightText: NONE
diff --git a/tests/formattedcode/data/spdx/simple/expected.tv b/tests/formattedcode/data/spdx/simple/expected.tv
@@ -27,5 +27,4 @@ SPDXID: SPDXRef-1
 FileChecksum: SHA1: b8a793cce3c3a4cd3a4646ddbe86edd542ed0cd8
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: NONE
-FileCopyrightText: NONE
-# Extracted Licenses
+FileCopyrightText: NONE
diff --git a/tests/formattedcode/data/spdx/tree/expected.tv b/tests/formattedcode/data/spdx/tree/expected.tv
@@ -77,5 +77,4 @@ FileChecksum: SHA1: 58748872d25374160692f1ed7075d0fe80a544b1
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: NONE
 FileCopyrightText: <text>Copyright (c) 2000 ACME, Inc.
-</text>
-# Extracted Licenses
+</text>
diff --git a/tests/formattedcode/data/templated/tree/expected.tv b/tests/formattedcode/data/templated/tree/expected.tv
@@ -65,5 +65,4 @@ FileChecksum: SHA1: 58748872d25374160692f1ed7075d0fe80a544b1
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: NONE
 FileCopyrightText: <text>Copyright (c) 2000 ACME, Inc.
-</text>
-# Extracted Licenses
+</text>
