analyzer: Add a generic SPDX-document-based "fake" package manager
See spdx/spdx-spec#439 for details. Signed-off-by: Sebastian Schuberth <sebastian.schuberth@bosch.io>
1 parent
731859b
commit b539875
Showing
13 changed files
with
445 additions
and
0 deletions.
Empty file.
94 changes: 94 additions & 0 deletions
94
analyzer/src/funTest/assets/projects/synthetic/spdx-project-expected-output.yml
@@ -0,0 +1,94 @@ | ||
--- | ||
project: | ||
id: "SpdxDocumentFile::xyz:0.1.0" | ||
definition_file_path: "analyzer/src/funTest/assets/projects/synthetic/spdx/project/project.spdx.yml" | ||
declared_licenses: | ||
- "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc" | ||
declared_licenses_processed: | ||
spdx_expression: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc" | ||
vcs: | ||
type: "" | ||
url: "" | ||
revision: "" | ||
path: "" | ||
vcs_processed: | ||
type: "Git" | ||
url: "<REPLACE_URL_PROCESSED>" | ||
revision: "<REPLACE_REVISION>" | ||
path: "analyzer/src/funTest/assets/projects/synthetic/spdx/project" | ||
homepage_url: "https://example.com/products/xyz" | ||
scopes: | ||
- name: "default" | ||
dependencies: | ||
- id: "SpdxDocumentFile::curl:7.70.0" | ||
- id: "SpdxDocumentFile::openssl:1.1.1g" | ||
packages: | ||
- package: | ||
id: "SpdxDocumentFile::curl:7.70.0" | ||
purl: "pkg:spdxdocumentfile/curl@7.70.0" | ||
declared_licenses: | ||
- "curl" | ||
declared_licenses_processed: | ||
spdx_expression: "curl" | ||
concluded_license: "NOASSERTION" | ||
description: "A command line tool and library for transferring data with URL syntax,\ | ||
\ supporting HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT,\ | ||
\ LDAP, LDAPS, MQTT, FILE, IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a\ | ||
\ myriad of powerful features." | ||
homepage_url: "https://curl.haxx.se/" | ||
binary_artifact: | ||
url: "" | ||
hash: | ||
value: "" | ||
algorithm: "" | ||
source_artifact: | ||
url: "" | ||
hash: | ||
value: "" | ||
algorithm: "" | ||
vcs: | ||
type: "Git" | ||
url: "<REPLACE_URL>" | ||
revision: "<REPLACE_REVISION>" | ||
path: "analyzer/src/funTest/assets/projects/synthetic/spdx/project/libs/curl" | ||
vcs_processed: | ||
type: "Git" | ||
url: "<REPLACE_URL_PROCESSED>" | ||
revision: "<REPLACE_REVISION>" | ||
path: "analyzer/src/funTest/assets/projects/synthetic/spdx/project/libs/curl" | ||
curations: [] | ||
- package: | ||
id: "SpdxDocumentFile::openssl:1.1.1g" | ||
purl: "pkg:spdxdocumentfile/openssl@1.1.1g" | ||
declared_licenses: | ||
- "Apache-2.0" | ||
declared_licenses_processed: | ||
spdx_expression: "Apache-2.0" | ||
concluded_license: "NOASSERTION" | ||
description: "OpenSSL is a robust, commercial-grade, full-featured Open Source\ | ||
\ Toolkit for the Transport Layer Security (TLS) protocol formerly known as\ | ||
\ the Secure Sockets Layer (SSL) protocol. The protocol implementation is based\ | ||
\ on a full-strength general purpose cryptographic library, which can also be\ | ||
\ used stand-alone." | ||
homepage_url: "https://www.openssl.org/" | ||
binary_artifact: | ||
url: "" | ||
hash: | ||
value: "" | ||
algorithm: "" | ||
source_artifact: | ||
url: "" | ||
hash: | ||
value: "" | ||
algorithm: "" | ||
vcs: | ||
type: "Git" | ||
url: "<REPLACE_URL>" | ||
revision: "<REPLACE_REVISION>" | ||
path: "analyzer/src/funTest/assets/projects/synthetic/spdx/project/libs/openssl" | ||
vcs_processed: | ||
type: "Git" | ||
url: "<REPLACE_URL_PROCESSED>" | ||
revision: "<REPLACE_REVISION>" | ||
path: "analyzer/src/funTest/assets/projects/synthetic/spdx/project/libs/openssl" | ||
curations: [] |
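Review bot: The expected result records `source_artifact.url: ""` for both curl and openssl and points `vcs` at the local checkout (`<REPLACE_URL>` with path `.../libs/curl`), so the `downloadLocation` values that project.spdx.yml pins for these packages (a release tarball for curl, a `git+ssh://...@<commit>` for openssl) do not survive into the analyzer result. If dropping them is intended for the directory-backed layout, the fixture should say so with a leading comment such as `# downloadLocation is intentionally not mapped; packages are resolved from their packageFileName directories`; otherwise the upstream provenance and its pinned revision are lost for anyone consuming this output. The SpdxDocumentFile implementation is among the 13 changed files but not shown on this page, so I cannot tell which of the two it is.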
2 changes: 2 additions & 0 deletions
2
analyzer/src/funTest/assets/projects/synthetic/spdx/package/README.md
@@ -0,0 +1,2 @@ | ||
This is the root of a project that stores `package.spdx.yml` files in the directories of its dependencies (one file per | ||
dependency package). |
1 change: 1 addition & 0 deletions
1
analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/README.md
@@ -0,0 +1 @@ | ||
This directory contains the source code of the `curl` dependency. |
27 changes: 27 additions & 0 deletions
27
analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml
@@ -0,0 +1,27 @@ | ||
SPDXID: "SPDXRef-DOCUMENT" | ||
spdxVersion: "SPDX-2.2" | ||
creationInfo: | ||
created: "2020-07-23T18:30:22Z" | ||
creators: | ||
- "Organization: Example Inc." | ||
- "Person: Thomas Steenbergen" | ||
licenseListVersion: "3.9" | ||
name: "curl-7.70.0" | ||
dataLicense: "CC0-1.0" | ||
documentNamespace: "http://spdx.org/spdxdocs/spdx-document-curl" | ||
documentDescribes: | ||
- "SPDXRef-Package-curl" | ||
packages: | ||
- SPDXID: "SPDXRef-Package-curl" | ||
comment: "A command line tool and library for transferring data with URL syntax, supporting \ | ||
HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, MQTT, FILE, \ | ||
IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features." | ||
copyrightText: "Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many | ||
contributors, see the THANKS file." | ||
downloadLocation: "git+github.com:curl/curl.git@53cdc2c963e33bc0cc1a51ad2df79396202e07f8" | ||
filesAnalyzed: false | ||
homepage: "https://curl.haxx.se/" | ||
licenseConcluded: "NOASSERTION" | ||
licenseDeclared: "curl" | ||
name: "curl" | ||
versionInfo: "7.70.0" |
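Review bot: `downloadLocation: "git+github.com:curl/curl.git@53cdc2c963e33bc0cc1a51ad2df79396202e07f8"` has no transport after `git+`, which matches neither of the VCS forms the SPDX 2.2 spec gives as examples (`git+https://host/path.git@rev` or `git+git@host:path`); a consumer that turns the location into VCS info would presumably not recognise it. Suggest `downloadLocation: "git+https://github.com/curl/curl.git@53cdc2c963e33bc0cc1a51ad2df79396202e07f8"`, which keeps the pinned commit that is the only integrity anchor here given `filesAnalyzed: false` and no checksums. Note also that this fixture and project/project.spdx.yml describe the same curl 7.70.0 with different download locations (commit vs. release tarball); if that difference is deliberate, a one-line comment would save the next reader from reconciling them.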
2 changes: 2 additions & 0 deletions
2
analyzer/src/funTest/assets/projects/synthetic/spdx/project/README.md
@@ -0,0 +1,2 @@ | ||
This a project that stores `project.spdx.yml` at its root which describes its dependencies contained in sub-directories | ||
(one file per project package). |
1 change: 1 addition & 0 deletions
1
analyzer/src/funTest/assets/projects/synthetic/spdx/project/libs/curl/README.md
@@ -0,0 +1 @@ | ||
This directory contains the source code of the `curl` dependency. |
1 change: 1 addition & 0 deletions
1
analyzer/src/funTest/assets/projects/synthetic/spdx/project/libs/openssl/README.md
@@ -0,0 +1 @@ | ||
This directory contains the source code of the `openssl` dependency. |
1 change: 1 addition & 0 deletions
1
analyzer/src/funTest/assets/projects/synthetic/spdx/project/libs/xyz/README.md
@@ -0,0 +1 @@ | ||
This directory contains the source code of the `xyz` dependency. |
56 changes: 56 additions & 0 deletions
56
analyzer/src/funTest/assets/projects/synthetic/spdx/project/project.spdx.yml
@@ -0,0 +1,56 @@ | ||
SPDXID: "SPDXRef-DOCUMENT" | ||
spdxVersion: "SPDX-2.2" | ||
creationInfo: | ||
created: "2020-07-23T18:30:22Z" | ||
creators: | ||
- "Organization: Example Inc." | ||
- "Person: Thomas Steenbergen" | ||
licenseListVersion: "3.9" | ||
name: "xyz-0.1.0" | ||
dataLicense: "CC0-1.0" | ||
documentNamespace: "http://spdx.org/spdxdocs/spdx-document-xyz" | ||
documentDescribes: | ||
- "SPDXRef-Package-xyz" | ||
packages: | ||
- SPDXID: "SPDXRef-Package-xyz" | ||
comment: "Awesome product created by Example Inc." | ||
copyrightText: "Copyright (C) 2020 Example Inc." | ||
downloadLocation: "git+ssh://gitlab.example.com:3389/products/xyz.git@b2c358080011af6a366d2512a25a379fbe7b1f78" | ||
filesAnalyzed: false | ||
homepage: "https://example.com/products/xyz" | ||
licenseConcluded: "NOASSERTION" | ||
licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc" | ||
name: "xyz" | ||
versionInfo: "0.1.0" | ||
- SPDXID: "SPDXRef-Package-curl" | ||
comment: "A command line tool and library for transferring data with URL syntax, supporting \ | ||
HTTP, HTTPS, FTP, FTPS, GOPHER, TFTP, SCP, SFTP, SMB, TELNET, DICT, LDAP, LDAPS, MQTT, FILE, \ | ||
IMAP, SMTP, POP3, RTSP and RTMP. libcurl offers a myriad of powerful features." | ||
copyrightText: "Copyright (c) 1996 - 2020, Daniel Stenberg, <daniel@haxx.se>, and many | ||
contributors, see the THANKS file." | ||
downloadLocation: "https://github.com/curl/curl/releases/download/curl-7_70_0/curl-7.70.0.tar.gz" | ||
filesAnalyzed: false | ||
homepage: "https://curl.haxx.se/" | ||
licenseConcluded: "NOASSERTION" | ||
licenseDeclared: "curl" | ||
name: "curl" | ||
packageFileName: "./libs/curl" | ||
versionInfo: "7.70.0" | ||
- SPDXID: "SPDXRef-Package-openssl" | ||
comment: "OpenSSL is a robust, commercial-grade, full-featured Open Source Toolkit for the Transport Layer Security (TLS) protocol formerly known as the Secure Sockets Layer (SSL) protocol. The protocol implementation is based on a full-strength general purpose cryptographic library, which can also be used stand-alone." | ||
copyrightText: "copyright 2004-2020 The OpenSSL Project Authors. All Rights Reserved." | ||
downloadLocation: "git+ssh://github.com:openssl/openssl.git@e2e09d9fba1187f8d6aafaa34d4172f56f1ffb72" | ||
filesAnalyzed: false | ||
homepage: "https://www.openssl.org/" | ||
licenseConcluded: "NOASSERTION" | ||
licenseDeclared: "Apache-2.0" | ||
packageFileName: "./libs/openssl" | ||
name: "openssl" | ||
versionInfo: "1.1.1g" | ||
relationships: | ||
- spdxElementId: "SPDXRef-Package-xyz" | ||
relatedSpdxElement: "SPDXRef-Package-curl" | ||
relationshipType: "DEPENDS_ON" | ||
- spdxElementId: "SPDXRef-Package-xyz" | ||
relatedSpdxElement: "SPDXRef-Package-openssl" | ||
relationshipType: "DEPENDS_ON" |
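Review bot: The openssl package lists `packageFileName` before `name`, while the curl package lists it after `name` and before `versionInfo`; one field order across packages keeps the fixture easy to diff against the package-layout fixture and against the expected output. Suggest moving `packageFileName: "./libs/openssl"` to directly follow `name: "openssl"`. Likewise the openssl `comment` is a single long line whereas curl's is folded with `\` continuations; pick one form for the file.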
63 changes: 63 additions & 0 deletions
63
analyzer/src/funTest/kotlin/managers/SpdxDocumentFileTest.kt
@@ -0,0 +1,63 @@ | ||
/* | ||
* Copyright (C) 2020 Bosch.IO GmbH | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
* | ||
* SPDX-License-Identifier: Apache-2.0 | ||
* License-Filename: LICENSE | ||
*/ | ||
|
||
package org.ossreviewtoolkit.analyzer.managers | ||
|
||
import io.kotest.core.spec.style.StringSpec | ||
import io.kotest.matchers.shouldBe | ||
|
||
import java.io.File | ||
|
||
import org.ossreviewtoolkit.downloader.VersionControlSystem | ||
import org.ossreviewtoolkit.utils.normalizeVcsUrl | ||
import org.ossreviewtoolkit.utils.test.DEFAULT_ANALYZER_CONFIGURATION | ||
import org.ossreviewtoolkit.utils.test.DEFAULT_REPOSITORY_CONFIGURATION | ||
import org.ossreviewtoolkit.utils.test.USER_DIR | ||
import org.ossreviewtoolkit.utils.test.patchExpectedResult | ||
|
||
class SpdxDocumentFileTest : StringSpec() { | ||
private val projectDir = File("src/funTest/assets/projects/synthetic/spdx").absoluteFile | ||
private val vcsDir = VersionControlSystem.forDirectory(projectDir)!! | ||
private val vcsUrl = vcsDir.getRemoteUrl() | ||
private val vcsRevision = vcsDir.getRevision() | ||
|
||
init { | ||
"Project dependencies are detected correctly" { | ||
val expectedResult = patchExpectedResult( | ||
File(projectDir.parentFile, "spdx-project-expected-output.yml"), | ||
url = vcsUrl, | ||
urlProcessed = normalizeVcsUrl(vcsUrl), | ||
revision = vcsRevision | ||
) | ||
|
||
val definitionFile = File(projectDir, "project/project.spdx.yml") | ||
val actualResult = createSpdxDocumentFile().resolveSingleProject(definitionFile).toYaml() | ||
|
||
actualResult shouldBe expectedResult | ||
} | ||
} | ||
|
||
private fun createSpdxDocumentFile() = | ||
SpdxDocumentFile( | ||
"SpdxDocumentFile", | ||
USER_DIR, | ||
DEFAULT_ANALYZER_CONFIGURATION, | ||
DEFAULT_REPOSITORY_CONFIGURATION | ||
) | ||
} |
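Review bot: `VersionControlSystem.forDirectory(projectDir)!!` on the `vcsDir` property makes the spec fail at class initialisation with a bare NullPointerException whenever the assets are not inside a Git working tree (e.g. a source archive or a shallow export), which hides the actual cause; prefer `private val vcsDir = requireNotNull(VersionControlSystem.forDirectory(projectDir)) { "$projectDir is not inside a VCS checkout" }`. The only test case resolves `project/project.spdx.yml`; the `package/` layout the commit also adds (package/libs/curl/package.spdx.yml) has no test, so that code path is unverified by this change. The SpdxDocumentFile class itself is among the 13 changed files but is not shown on this page.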