Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump spdx-tools from 0.8.1 to 0.8.2 #158

Merged
merged 7 commits into from
Oct 17, 2023
Merged

Bump spdx-tools from 0.8.1 to 0.8.2 #158

merged 7 commits into from
Oct 17, 2023

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 16, 2023

Bumps spdx-tools from 0.8.1 to 0.8.2.

Release notes

Sourced from spdx-tools's releases.

v0.8.2

What's Changed

Full Changelog: spdx/tools-python@v0.8.1...v0.8.2

Changelog

Sourced from spdx-tools's changelog.

v0.8.2 (2023-10-12)

New features and changes

  • added optional encoding parameter for parsing files
  • fixed handling of the FilesAnalyzed field in Tag-Value format
  • fixed the validation of the DownloadLocation field
  • fixed the error handling while parsing license expressions
  • fixed output of timezone-sensitive datetimes
  • added code architecture documentation

Contributors

This release was made possible by the following contributors. Thank you very much!

Commits
  • 32e74cd update changelog for 0.8.2 release
  • f0873eb Properly install tzdata for GitHub Actions.
  • 195e244 Handle timezone-aware datetime objects when writing SPDX.
  • 248394c add documentation about the code architecture
  • 40d1d8e fix(validation): fix error generation in expression validator
  • e08e4d2 Merge pull request #759 from HomagGroup/feature/encoding_compliance
  • e8ae39d Merge branch 'main' into feature/encoding_compliance
  • ed9a135 fix(validation): also allow URLs in download locations
  • a1584b7 implement recommended UTF-8 encoding for reading and writing SPDX files
  • 3d3100a [issue-753] only allow lowercase values for FilesAnalyzed in tag-value
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump spdx-tools from 0.8.1 to 0.8.2
180ed09 
Bumps [spdx-tools](https://github.com/spdx/tools-python) from 0.8.1 to 0.8.2.
- [Release notes](https://github.com/spdx/tools-python/releases)
- [Changelog](https://github.com/spdx/tools-python/blob/main/CHANGELOG.md)
- [Commits](spdx/tools-python@v0.8.1...v0.8.2)

---
updated-dependencies:
- dependency-name: spdx-tools
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Oct 16, 2023
@jspeed-meyers jspeed-meyers self-requested a review October 16, 2023 10:59
@jspeed-meyers
Copy link
Collaborator

Hmmm, there are some failing test cases. Debugging help and PRs welcome!

What's going on?

@jspeed-meyers jspeed-meyers added the bug Something isn't working label Oct 16, 2023
@goneall
Copy link
Member

goneall commented Oct 16, 2023

@jspeed-meyers - It looks like the valid SPDX version format changed from SPDX-2.3 to 2.3 based on this test code in the Python libraries.

I wasn't able to track down where the change occurred - since this PR updates the version of python-tools, I assume something changed in that library but I couldn't track it down.

@armintaenzertng - any thoughts?

Here's the function that's returning false:

ntia-conformance-checker/ntia_conformance_checker/sbom_checker.py

Line 57 in cbafec7

def check_doc_version(self):

@jspeed-meyers
Copy link
Collaborator

Thank you, @goneall.

If that's the case, I could add to this PR changes to those SPDX documents in our test suite.

@armintaenzertng
Copy link

There have been no changes to the spdx_version field in the last update. The correct format is still SPDX-2.2 or SPDX-2.3, see here. The test that @goneall mentioned could be "fixed" to use the valid formats but since it's only a unit test (i.e. no validation function comes into play there), it doesn't really matter. I assume the error lies elsewhere.

@armintaenzertng
Copy link

So the error is here and reads

'SbomChecker' object has no attribute 'doc_version'.

So the problem is that doc_version never gets set on the SbomChecker object. For example, this could happen if we run into an SPDXParsingError here. Related to that: There has been a change in the validation of the FilesAnalyzed field in Tag-Value format in 0.8.2.

@armintaenzertng
Copy link

So I'm pretty sure the issue arises due to the fix of this issue.
That is, in order to be more spec-compliant, we only allow the all-lower-case (!) true and false as valid values for FilesAnalyzed in Tag-Value format. The test files in this repo should be updated accordingly.

@jspeed-meyers
Copy link
Collaborator

jspeed-meyers commented Oct 17, 2023
edited

@armintaenzertng, ahhhh. Thank you!

@goneall: Let me add these changes to this PR.

@jspeed-meyers jspeed-meyers self-assigned this Oct 17, 2023
@jspeed-meyers jspeed-meyers removed their request for review October 17, 2023 11:08
@jspeed-meyers
Copy link
Collaborator

Okay, fixed. Thank you @armintaenzertng!

Ready for review :)

goneall
goneall approved these changes Oct 17, 2023
View reviewed changes
Copy link
Member

@goneall goneall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks @armintaenzertng and @jspeed-meyers

@jspeed-meyers
Copy link
Collaborator

Thank you, @goneall!

@jspeed-meyers jspeed-meyers merged commit cc8bd68 into main Oct 17, 2023
6 checks passed
@jspeed-meyers jspeed-meyers deleted the dependabot/pip/spdx-tools-0.8.2 branch October 17, 2023 12:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@goneall goneall goneall approved these changes

@yong-aan yong-aan Awaiting requested review from yong-aan

Assignees

@jspeed-meyers jspeed-meyers

Labels
bug Something isn't working dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@jspeed-meyers @goneall @armintaenzertng