analyzer: Add a generic SPDX-document-based "fake" package manager
See the discussion at spdx/spdx-spec#439 for
details.

Signed-off-by: Sebastian Schuberth <sebastian.schuberth@bosch.io>
sschuberth committed Jul 9, 2020
1 parent e7ff2ed commit 6703121
Showing 13 changed files with 443 additions and 0 deletions.
Empty file.
@@ -0,0 +1,94 @@
---
project:
id: "SpdxDocumentFile::xyz:0.1.0"
definition_file_path: "analyzer/src/funTest/assets/projects/synthetic/spdx/project/project.spdx.yml"
declared_licenses:
- "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
declared_licenses_processed:
spdx_expression: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
vcs:
type: ""
url: ""
revision: ""
path: ""
vcs_processed:
type: "Git"
url: "<REPLACE_URL_PROCESSED>"
revision: "<REPLACE_REVISION>"
path: "analyzer/src/funTest/assets/projects/synthetic/spdx/project"
homepage_url: "https://example.com/products/xyz"
scopes:
- name: "default"
dependencies:
- id: "SpdxDocumentFile::curl:7.70.0"
- id: "SpdxDocumentFile::openssl:1.1.1g"
packages:
- package:
id: "SpdxDocumentFile::curl:7.70.0"
purl: "pkg:spdxdocumentfile/curl@7.70.0"
declared_licenses:
- "curl"
declared_licenses_processed:
spdx_expression: "curl"
concluded_license: "NOASSERTION"
description: "A command line tool and library for transferring data with URL syntax,\
\ supporting HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT,\
\ LDAP, LDAPS, MQTT, FILE, IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a\
\ myriad of powerful features."
homepage_url: "https://curl.haxx.se/"
binary_artifact:
url: ""
hash:
value: ""
algorithm: ""
source_artifact:
url: ""
hash:
value: ""
algorithm: ""
vcs:
type: "Git"
url: "<REPLACE_URL>"
revision: "<REPLACE_REVISION>"
path: "analyzer/src/funTest/assets/projects/synthetic/spdx/project/libs/curl"
vcs_processed:
type: "Git"
url: "<REPLACE_URL_PROCESSED>"
revision: "<REPLACE_REVISION>"
path: "analyzer/src/funTest/assets/projects/synthetic/spdx/project/libs/curl"
curations: []
- package:
id: "SpdxDocumentFile::openssl:1.1.1g"
purl: "pkg:spdxdocumentfile/openssl@1.1.1g"
declared_licenses:
- "Apache-2.0"
declared_licenses_processed:
spdx_expression: "Apache-2.0"
concluded_license: "NOASSERTION"
description: "OpenSSL is a robust, commercial-grade, full-featured Open Source\
\ Toolkit for the Transport Layer Security (TLS) protocol formerly known as\
\ the Secure Sockets Layer (SSL) protocol. The protocol implementation is based\
\ on a full-strength general purpose cryptographic library, which can also be\
\ used stand-alone."
homepage_url: "https://www.openssl.org/"
binary_artifact:
url: ""
hash:
value: ""
algorithm: ""
source_artifact:
url: ""
hash:
value: ""
algorithm: ""
vcs:
type: "Git"
url: "<REPLACE_URL>"
revision: "<REPLACE_REVISION>"
path: "analyzer/src/funTest/assets/projects/synthetic/spdx/project/libs/openssl"
vcs_processed:
type: "Git"
url: "<REPLACE_URL_PROCESSED>"
revision: "<REPLACE_REVISION>"
path: "analyzer/src/funTest/assets/projects/synthetic/spdx/project/libs/openssl"
curations: []
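Review bot: The expected result records empty `binary_artifact` and `source_artifact` entries for curl although project.spdx.yml gives a release tarball as that package's downloadLocation, so this fixture pins down that download locations are not propagated into the artifact fields; if that is intended, a short comment at the top of the file would make the expectation deliberate rather than accidental. Neither SPDX document in the commit carries a `checksums` entry, so the `hash` fields stay empty and the test cannot tell whether package checksums would be mapped; adding one package with a checksum would cover the part of the mapping that matters for artifact verification. The `vcs` of the curl and openssl packages is filled from the enclosing repository rather than from the `git+…` locations in the documents, which is presumably the intended behaviour for dependencies that live in-tree.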
@@ -0,0 +1,2 @@
This is the root of a project that stores `package.spdx.yml` files in the directories of its dependencies (one file per
dependency package).
@@ -0,0 +1 @@
This directory contains the source code of the `curl` dependency.
@@ -0,0 +1,27 @@
SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
creationInfo:
created: "2020-07-23T18:30:22Z"
creators:
- "Organization: Example Inc."
- "Person: Thomas Steenbergen"
licenseListVersion: "3.9"
name: "curl-7.70.0"
dataLicense: "CC0-1.0"
documentNamespace: "http://spdx.org/spdxdocs/spdx-document-curl"
documentDescribes:
- "SPDXRef-Package-curl"
packages:
- SPDXID: "SPDXRef-Package-curl"
comment: "A command line tool and library for transferring data with URL syntax, supporting \
HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, MQTT, FILE, \
IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features."
copyrightText: "Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many
contributors, see the THANKS file."
downloadLocation: "git+github.com:curl/curl.git@53cdc2c963e33bc0cc1a51ad2df79396202e07f8"
filesAnalyzed: false
homepage: "https://curl.haxx.se/"
licenseConcluded: "NOASSERTION"
licenseDeclared: "curl"
name: "curl"
versionInfo: "7.70.0"
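Review bot: The curl package's downloadLocation, `git+github.com:curl/curl.git@53cdc2c9…`, appears to be missing the transport part of an SPDX VCS locator (the documented shape is `<vcs>+<transport>://<host>/<path>@<revision>`, e.g. `git+https://github.com/curl/curl.git@53cdc2c963e33bc0cc1a51ad2df79396202e07f8`); worth confirming against the SPDX 2.2 download-location grammar before this fixture becomes the reference. The openssl entry in project.spdx.yml has a related problem: `git+ssh://github.com:openssl/openssl.git@…` mixes the scp-style `host:path` form with a URL scheme, so read as a URL `openssl` sits where a port would be, whereas the xyz entry `git+ssh://gitlab.example.com:3389/products/xyz.git@…` is well-formed. If the intent is to exercise lenient parsing of such locators, a YAML comment saying so would stop them being "corrected" later.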
@@ -0,0 +1,2 @@
This a project that stores `project.spdx.yml` at its root which describes its dependencies contained in sub-directories
(one file per project package).
@@ -0,0 +1 @@
This directory contains the source code of the `curl` dependency.
@@ -0,0 +1 @@
This directory contains the source code of the `openssl` dependency.
@@ -0,0 +1 @@
This directory contains the source code of the `xyz` dependency.
@@ -0,0 +1,56 @@
SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
creationInfo:
created: "2020-07-23T18:30:22Z"
creators:
- "Organization: Example Inc."
- "Person: Thomas Steenbergen"
licenseListVersion: "3.9"
name: "xyz-0.1.0"
dataLicense: "CC0-1.0"
documentNamespace: "http://spdx.org/spdxdocs/spdx-document-xyz"
documentDescribes:
- "SPDXRef-Package-xyz"
packages:
- SPDXID: "SPDXRef-Package-xyz"
comment: "Awesome product created by Example Inc."
copyrightText: "Copyright (C) 2020 Example Inc."
downloadLocation: "git+ssh://gitlab.example.com:3389/products/xyz.git@b2c358080011af6a366d2512a25a379fbe7b1f78"
filesAnalyzed: false
homepage: "https://example.com/products/xyz"
licenseConcluded: "NOASSERTION"
licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
name: "xyz"
versionInfo: "0.1.0"
- SPDXID: "SPDXRef-Package-curl"
comment: "A command line tool and library for transferring data with URL syntax, supporting \
HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, MQTT, FILE, \
IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features."
copyrightText: "Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many
contributors, see the THANKS file."
downloadLocation: "https://github.com/curl/curl/releases/download/curl-7_70_0/curl-7.70.0.tar.gz"
filesAnalyzed: false
homepage: "https://curl.haxx.se/"
licenseConcluded: "NOASSERTION"
licenseDeclared: "curl"
name: "curl"
packageFileName: "./libs/curl"
versionInfo: "7.70.0"
- SPDXID: "SPDXRef-Package-openssl"
comment: "OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit for the Transport Layer Security (TLS) protocol formerly known as the Secure Sockets Layer (SSL) protocol. The protocol implementation is based on a full-strength general purpose cryptographic library, which can also be used stand-alone."
copyrightText: "copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved."
downloadLocation: "git+ssh://github.com:openssl/openssl.git@e2e09d9fba1187f8d6aafaa34d4172f56f1ffb72"
filesAnalyzed: false
homepage: "https://www.openssl.org/"
licenseConcluded: "NOASSERTION"
licenseDeclared: "Apache-2.0"
packageFileName: "./libs/openssl"
name: "openssl"
versionInfo: "1.1.1g"
relationships:
- spdxElementId: "SPDXRef-Package-xyz"
relatedSpdxElement: "SPDXRef-Package-curl"
relationshipType: "DEPENDS_ON"
- spdxElementId: "SPDXRef-Package-xyz"
relatedSpdxElement: "SPDXRef-Package-openssl"
relationshipType: "DEPENDS_ON"
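Review bot: The openssl package lists `packageFileName` before `name`, while the curl package lists it after `name` and the xyz package has no `packageFileName` at all; keeping one key order across the packages makes this document easier to diff against the per-package `package.spdx.yml` in libs/curl. Moving `packageFileName: "./libs/openssl"` below `name: "openssl"` is enough to line the three entries up.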
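--- a/analyzer/src/funTest/kotlin/managers/SpdxDocumentFileTest.kt
+++ b/analyzer/src/funTest/kotlin/managers/SpdxDocumentFileTest.kt
@@ -0,0 +1,63 @@
+/*
+* Copyright (C) 2020 Bosch.IO GmbH
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*
+* SPDX-License-Identifier: Apache-2.0
+* License-Filename: LICENSE
+*/
+
+package org.ossreviewtoolkit.analyzer.managers
+
+import io.kotest.core.spec.style.StringSpec
+import io.kotest.matchers.shouldBe
+
+import java.io.File
+
+import org.ossreviewtoolkit.downloader.VersionControlSystem
+import org.ossreviewtoolkit.utils.normalizeVcsUrl
+import org.ossreviewtoolkit.utils.test.DEFAULT_ANALYZER_CONFIGURATION
+import org.ossreviewtoolkit.utils.test.DEFAULT_REPOSITORY_CONFIGURATION
+import org.ossreviewtoolkit.utils.test.USER_DIR
+import org.ossreviewtoolkit.utils.test.patchExpectedResult
+
+class SpdxDocumentFileTest : StringSpec() {
+private val projectDir = File("src/funTest/assets/projects/synthetic/spdx").absoluteFile
+private val vcsDir = VersionControlSystem.forDirectory(projectDir)!!
+private val vcsUrl = vcsDir.getRemoteUrl()
+private val vcsRevision = vcsDir.getRevision()
+
+init {
+"Project dependencies are detected correctly" {
+val expectedResult = patchExpectedResult(
+File(projectDir.parentFile, "spdx-project-expected-output.yml"),
+url = vcsUrl,
+urlProcessed = normalizeVcsUrl(vcsUrl),
+revision = vcsRevision
+)
+
+val definitionFile = File(projectDir, "project/project.spdx.yml")
+val actualResult = createSpdxDocumentFile().resolveSingleProject(definitionFile).toYaml()
+
+actualResult shouldBe expectedResult
+}
+}
+
+private fun createSpdxDocumentFile() =
+SpdxDocumentFile(
+"SpdxDocumentFile",
+USER_DIR,
+DEFAULT_ANALYZER_CONFIGURATION,
+DEFAULT_REPOSITORY_CONFIGURATION
+)
+}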
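Review bot: `VersionControlSystem.forDirectory(projectDir)!!` in the `vcsDir` initializer fails with a bare NullPointerException when the assets directory is not inside a VCS checkout (for example when the sources come from an archive rather than a clone); `private val vcsDir = requireNotNull(VersionControlSystem.forDirectory(projectDir)) { "$projectDir is not inside a VCS working tree." }` names the cause instead. Because the three `vcs*` properties are evaluated at construction, that failure surfaces as a spec-instantiation error rather than as a failing test case, which is worth a one-line comment if the eager initialization is kept. The class is complete within this section.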
0 comments on commit 6703121