adapt code to new spdx-tools release

[meretp]

With the new release, the checksum class has been renamed, the license class has been moved to its own file, and files are now only allowed at document level.

Signed-off-by: Meret Behrens meret.behrens@tngtech.com

Fixes #3172

Tasks

• Reviewed contribution guidelines
• PR is descriptively titled 📑 and links the original issue above 🔗
• Tests pass -- look for a green checkbox ✔️ a few minutes after opening your PR
  Run tests locally to check for errors.
• Commits are in uniquely-named feature branch and has no merge conflicts 📁

[nicoweidner]

Here are two more locations that probably need to be adapted:

scancode-toolkit/setup.cfg

Line 107 in 8f07fdf

spdx_tools >= 0.7.0a3

scancode-toolkit/setup-mini.cfg

Line 106 in 8f07fdf

spdx_tools >= 0.7.0a3

[pombredanne]

@meretp @nicoweidner I pushed spdx-tools 0.7.0rc0 so you should be able to update your PR accordingly.

[meretp]

@pombredanne I updated the PR accordingly and all tests pass now, so this is ready for review.

[armintaenzertng]

I updated the requirement.txt files of all other nexB repositories that include the spdx-tools dependency to use 0.7.0rc0:
nexB/aboutcode-toolkit#515
nexB/container-inspector#49
nexB/fetchcode#87
nexB/debian-inspector#34
nexB/typecode#30
nexB/plugincode#8
nexB/commoncode#50
nexB/extractcode#45
nexB/purldb#16
All pipeline runs are green except for extractcode, but that seems to be a non-related problem with the typecode dependency that also appears on the main branch.

[meretp]

@pombredanne Gentle ping, is there anything else I can do to get this PR merged?
We would really like to have the 0.7.0 release on PyPi for tools-python, as the current release is still the release candidate.

[pombredanne]

Gentle ping, is there anything else I can do to get this PR merged?
We would really like to have the 0.7.0 release on PyPi for tools-python, as the current release is still the release candidate.

We are all good and this is being merged today

[pombredanne]

@meretp Thanks! see some review nitpickings for your consideration.

[pombredanne]

We avoid using upper cap in setup requirements. We pin instead in requirements files.

Suggested change

	spdx_tools >= 0.7.0rc0, ==0.7.*
	spdx_tools >= 0.7.0rc0

See https://iscinumpy.dev/post/bound-version-constraints/ and https://caremad.io/posts/2013/07/setup-vs-requirement/ for detailed articles on the topics. ScanCode is both used as an app and as a library. App deps are pinned, library deps are not capped.

[maxhbr]

Since there is currently a big refactoring in the progress, which is breaking the API after 0.7, we think that it is safer to restrict it here. Otherwise we will run into the same race condition with releasing.

Pinning in requirement files was not sufficient to mitigate the breaking changes between 0.7.0a3 and 0.7.0rc0.

[pombredanne]

@meretp @maxhbr tell me who needs to own the PyPI account (I need to know the PyPI user id so I can send the invites)

[maxhbr]

@meretp @maxhbr tell me who needs to own the PyPI account (I need to know the PyPI user id so I can send the invites)

My account on pypi is maxhbr.

[meretp]

@pombredanne I included your suggested changes in a fix-up commit to squash this before merging. Two tests fail but that seems to be another issue as the latest commit on develop also has these failing tests.
Regarding the comments in setup.cfg: as @maxhbr commented we would really appreciate if we could avoid another race condition with releasing for the changes to come in tools-python.

[pombredanne]

Regarding the comments in setup.cfg: as @maxhbr commented we would really appreciate if we could avoid another race condition with releasing for the changes to come in tools-python.

No worries, we will be fine now!

[pombredanne]

The test failure is unrelated and fixed in develop. I still prefer a pinned SPDX version for now.

[pombredanne]

Thanks! The code looks good and the failure is fixed in develop.
I can merge as is!
I fixed the requirements to be pinned for SPDX tools for now as I do not like stars.