-
Notifications
You must be signed in to change notification settings - Fork 18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Migrate to spdx-tools 0.8.0a2 (a pre-release) #114
Conversation
spdx-tools implemented a significant refactor. This commit bumps the version and is expected to introduce breaking changes to ntia-conformance-checker. Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Because spdx-tools has been refactored and is available now only in a pre-release versions, this change enables the build test pipeline to use prerelease versions of packages, which is not allowed by pip/pipenv with default settings. Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @jspeed-meyers!
Thanks, @linynjosh! I'll work to figure out the migration before merging :) |
Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @jspeed-meyers!
The spdx-tools refactoring made the spdx spec validation stricter and this document no longer matches the spdx spec. Adding this created timestamp makes the document compliant. Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Since the new spdx-tools version has stricter requirements that the SBOM comply with spdx spec, the SBOM used for this test needed to be ammended and so now too does the expected test output need to be ammended since there is a timestamp in the underlying SBOM. Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Because the underlying test SBOM now does have a timestamp, because the refactored version of spdx-tools requires ingested SBOMs to conform strictly to the spdx spec, this test now ought to expect that an SBOM does have a timestamp. Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
The migration to the 0.8.0 spdx-tools library version means dealing with stricter adherence to the spdx spec. This commit drops a version field that is empty since it was throwing an error with the new library. Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Drop RDF SBOM since there seem to be so many specification-related issues. Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for opening this PR, the changes made look good to me and fit what I would have expected.
I have two remarks on the current changes which are associated to some basic changes coming with the refacotred version. So to provide a bit more background on the refactored version of tools-python
:
On the one hand we introduced a new separate layer for the validation of a parsed SPDX document. This validation takes care of the more "implicit rules for SPDX documents". So for example each SPDXID
used in the document need to be unique. It might make sense to also use this validation here and expect a valid SPDX document before checking for the minimal ntia elements.
On the other hand we introduced a more strict underlying model, which enforces correct types and cardinalities for each property. So for example an SPDX document must have at least one creator
that is a person, a tool or an organization. These types of "validation" are handled by the parser and the tools will raise a SPDXParsingError
if the parsed document doesn't fit the model.
I think this is also the reason for most of the failing tests. I had a look at some of the test files and noticed that they aren't valid according to the spec. For example the SPDXJsonExample.json contains a surrounding Document
object which is not valid according to the spec. I think a first step to fix the tests is to make all used documents valid SPDX documents. Apart from that I will take a closer look at the tests and try to provide more feedback on why they fail and how to fix them.
Perfect. I like this.
Good call. Will do.
Thank you. You've really gone above and beyond in helping this project and others do the migration. THANK YOU! |
Your welcome! This also helps us a lot to verify that the refactored version is stable. I already found a small bug thanks to this PR, so a big thank you too for being willing to serve as an early adopter! 🙂 |
Because the new spdx-tools version won't accept does the work of the old check, that old code can be replaced by a much simpler version. Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
If the document is parsed successfully, the new spdx-tools logic guarantees that there is an author and there is a document timestamp. So this commit sets those values to always true. Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
tests/data/missing_dependency_relationships/SPDXJsonExample.json
Outdated
Show resolved
Hide resolved
FYI: We have a weekly call to discuss topics related to the |
@jspeed-meyers I did some work on this and pushed the changes to the branch on my fork as I don't have the permission to push to this branch directly. I can also open a PR against this branch, might be easier to see the changes... 4 tests are still failing due to bugs in the I wasn't sure about the generated output, especially the formatting. As the parser in the refactored version of the |
@meretp, first, thank you! This is tremendous. Please do open a PR against this branch. After that, I'll do a review and point out any thoughts I have. We can then wait for the next alpha release of Again, thank you. I hope this migration work, from myself and now you, has benefitted |
…cation Signed-off-by: Meret Behrens <meret.behrens@tngtech.com>
Signed-off-by: Meret Behrens <meret.behrens@tngtech.com>
Signed-off-by: Meret Behrens <meret.behrens@tngtech.com>
Signed-off-by: Meret Behrens <meret.behrens@tngtech.com>
Migrate2spdx tools 0.8.0a1
@meretp, amazing. Thank you! What great work. I'll review this new branch now and ask any questions. I have no doubt this code is excellent. |
No questions! This looks really great. I'm also of the opinion that the best way way to find bugs is through users, so even though this is a lot of change, I'm not convinced it's worth it going over it too closely in code review :) Again, great work. You mentioned that a new future pre-release will fix the remaining bugs. I'll watch out for that. AND THANK YOU! |
With pleasure, thank you for the feedback and the great cooperation! This helps us a lot in the development of The new release is now on Pypi. This should fix the tests. It seems that I've missed to format one file to also fix the black-formatting action. So if you could change the dependency to |
☂️ Python Coverage
Overall Coverage
New FilesNo new covered files... Modified Files
|
Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Update pipfile with 0.8.0a2 spdx-tools bump
Signed-off-by: John Speed Meyers <jsmeyers@chainguard.dev>
Perform black formatting sbom_checker.py
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Thank you, @goneall! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for the late response, looks good to me! Only one small remark from my side to make the dependency consistent in the pyoproject.toml
.
Co-authored-by: Meret B. <50019307+meretp@users.noreply.github.com>
Thank you, @meretp! |
Woohoo, merging! 🥳 |
Fix #113
Fix #70
This branch introduces v0.8.0a2 of spdx-tools. This migration required substantial changes to the codebase (for the better, honestly) and the test documents and test cases.
For those following along at home:
There is new version of
spdx-tools
(thanks to the great efforts of @meretp and others) and it creates breaking changes. This migration addresses those breaking changes. Importantly, some of those breaking changes also led to new test documents (the newspdx-tools
parsing rules are stricter) and so that's why there are so many changes lines of code. For reviewers, the most important changes are insbom_checker.py
, IMO.This is a larger change than I would prefer to make in a single PR. But I don't see any way around it short of having a broken build. This way we avoid a broken build and complete the migration.
@goneall, @meretp, @linynjosh -- Feel free to take a look over the next week. Assuming positive reviews and no objections, we can merge this into main in a week. :)
Again, big kudos to @meretp, without whom this migration would not have happened or would have happened at a glacially slow rate. THANK YOU!