Migrate to spdx-tools 0.8.0a2 (a pre-release)

[jspeed-meyers]

Fix #113
Fix #70

This branch introduces v0.8.0a2 of spdx-tools. This migration required substantial changes to the codebase (for the better, honestly) and the test documents and test cases.

For those following along at home:

There is new version of spdx-tools (thanks to the great efforts of @meretp and others) and it creates breaking changes. This migration addresses those breaking changes. Importantly, some of those breaking changes also led to new test documents (the new spdx-tools parsing rules are stricter) and so that's why there are so many changes lines of code. For reviewers, the most important changes are in sbom_checker.py, IMO.

This is a larger change than I would prefer to make in a single PR. But I don't see any way around it short of having a broken build. This way we avoid a broken build and complete the migration.

@goneall, @meretp, @linynjosh -- Feel free to take a look over the next week. Assuming positive reviews and no objections, we can merge this into main in a week. :)

Again, big kudos to @meretp, without whom this migration would not have happened or would have happened at a glacially slow rate. THANK YOU!

[yong-aan]

Thanks @jspeed-meyers!

[jspeed-meyers]

Thanks, @linynjosh! I'll work to figure out the migration before merging :)

[yong-aan]

Thanks @jspeed-meyers!

[meretp]

Thanks for opening this PR, the changes made look good to me and fit what I would have expected.
I have two remarks on the current changes which are associated to some basic changes coming with the refacotred version. So to provide a bit more background on the refactored version of tools-python:
On the one hand we introduced a new separate layer for the validation of a parsed SPDX document. This validation takes care of the more "implicit rules for SPDX documents". So for example each SPDXID used in the document need to be unique. It might make sense to also use this validation here and expect a valid SPDX document before checking for the minimal ntia elements.
On the other hand we introduced a more strict underlying model, which enforces correct types and cardinalities for each property. So for example an SPDX document must have at least one creator that is a person, a tool or an organization. These types of "validation" are handled by the parser and the tools will raise a SPDXParsingError if the parsed document doesn't fit the model.

I think this is also the reason for most of the failing tests. I had a look at some of the test files and noticed that they aren't valid according to the spec. For example the SPDXJsonExample.json contains a surrounding Document object which is not valid according to the spec. I think a first step to fix the tests is to make all used documents valid SPDX documents. Apart from that I will take a closer look at the tests and try to provide more feedback on why they fail and how to fix them.

[jspeed-meyers]

It might make sense to also use this validation here and expect a valid SPDX document before checking for the minimal ntia elements.

Perfect. I like this.

I think a first step to fix the tests is to make all used documents valid SPDX documents.

Good call. Will do.

Apart from that I will take a closer look at the tests and try to provide more feedback on why they fail and how to fix them.

Thank you. You've really gone above and beyond in helping this project and others do the migration. THANK YOU!

[meretp]

Your welcome! This also helps us a lot to verify that the refactored version is stable. I already found a small bug thanks to this PR, so a big thank you too for being willing to serve as an early adopter! 🙂

[meretp]

FYI: We have a weekly call to discuss topics related to the spdx-tools. It's open to everyone, and meant as an informal way to sync on current topics and where development should focus next. Maybe you are also interested in joining. It's every Thursday, 3.30pm - 4.00pm GMT (except the first Thursday of the month, when it is shifted by half an hour to 4.00pm - 4.30pm) and takes place per zoom: https://zoom.us/j/98741582779.

[meretp]

@jspeed-meyers I did some work on this and pushed the changes to the branch on my fork as I don't have the permission to push to this branch directly. I can also open a PR against this branch, might be easier to see the changes...

4 tests are still failing due to bugs in the spdx-tools. We work on fixes for these bugs and plan to do another alpha release including the fixes, so this PR should probably wait until the release and then include the second alpha release as dependency.

I wasn't sure about the generated output, especially the formatting. As the parser in the refactored version of the spdx-tools is stricter I decided to except the possibly thrown SPDXParsingError and generate an indiviudal output as all other checks can't be performed. I also added the output of validation messages if the document is parseable but not compliant with the spdx specification. Please tell me what you think about these changes.

[jspeed-meyers]

@meretp, first, thank you! This is tremendous.

Please do open a PR against this branch. After that, I'll do a review and point out any thoughts I have. We can then wait for the next alpha release of spdx-tools.

Again, thank you. I hope this migration work, from myself and now you, has benefitted spdx-tools!

[jspeed-meyers]

@meretp, amazing. Thank you! What great work. I'll review this new branch now and ask any questions. I have no doubt this code is excellent.

[jspeed-meyers]

No questions! This looks really great. I'm also of the opinion that the best way way to find bugs is through users, so even though this is a lot of change, I'm not convinced it's worth it going over it too closely in code review :) Again, great work.

You mentioned that a new future pre-release will fix the remaining bugs. I'll watch out for that. AND THANK YOU!

[meretp]

With pleasure, thank you for the feedback and the great cooperation! This helps us a lot in the development of spdx-tools!

The new release is now on Pypi. This should fix the tests. It seems that I've missed to format one file to also fix the black-formatting action. So if you could change the dependency to 0.8.0a2 and fix the formatting the CI should be green and this PR can be merged.

[github-actions]

☂️ Python Coverage

current status: ✅

Overall Coverage

Lines	Covered	Coverage	Threshold	Status
271	224	83%	0%	🟢

New Files

No new covered files...

Modified Files

File	Coverage	Status
ntia_conformance_checker/sbom_checker.py	68%	🟢
tests/test_checker.py	100%	🟢
TOTAL	84%	🟢

updated for commit: d0da352 by action🐍

[goneall]

LGTM

[jspeed-meyers]

Thank you, @goneall!

[meretp]

Sorry for the late response, looks good to me! Only one small remark from my side to make the dependency consistent in the pyoproject.toml.

[jspeed-meyers]

Thank you, @meretp!

[jspeed-meyers]

Woohoo, merging! 🥳