tools-python
A Python library to parse, validate and create SPDX documents.
[According to spec](https://spdx.github.io/spdx-spec/v2.3/composition-of-an-SPDX-document/#522-package-information-section), since v2.0 a document does not have to contain a package. This contradicts the [current validation](https://github.com/spdx/tools-python/blob/a9eeb104e2ccd565af9785d909db5a8777e6dd0a/spdx/document.py#L468).
Python has support for [type hints](https://docs.python.org/3/library/typing.html) since 3.5. Adding it throughout the repo would help new contributors (and in general people who don't work on the project daily) get up...
The writer for json/yaml/xml writes documents like the following, wrapping all content in a redundant `Document` property at top level:

```
{
  "Document": {
    "spdxVersion": "SPDX-2.1",
    "documentNamespace": "https://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
```

Apart...
In the current [implementation](https://github.com/spdx/tools-python/blob/c0aa92a3a4779fe189c72b5e1d85a18267f6e45a/spdx/writers/jsonyamlxml.py#L480) all packages are written to the "documentDescribes"-Tag. According to the [JSON-example](https://github.com/spdx/spdx-spec/blob/development/v2.2/examples/SPDXJSONExample-v2.2.spdx.json), packages should be listed in a tag "packages" and "documentDescribes" should only contain the SPDXIDs...
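The three layout points raised in the issues above (a document may contain no package at all since SPDX 2.0, the top-level `Document` wrapper is not part of the spec's JSON layout, and `documentDescribes` should hold only SPDXIDs while the package objects live under `packages`) can be checked with a few lines of stdlib Python. The following is an added example written for this page, not code from tools-python; the sample documents are constructed here (the `https://example.invalid/...` namespace and the `libfoo` package are made up), and the function names `check_document` / `check_json_text` are this example's own.

```python
import json
from typing import List

# Constructed sample laid out the way the spec's JSON example does it: full
# package objects under "packages", and "documentDescribes" holding only the
# SPDXIDs that resolve to them.
SAMPLE_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example",
  "documentNamespace": "https://example.invalid/spdxdocs/example-0001",
  "creationInfo": {"created": "2023-01-01T00:00:00Z", "creators": ["Tool: hand-written"]},
  "packages": [
    {"name": "libfoo", "SPDXID": "SPDXRef-Package-libfoo", "downloadLocation": "NOASSERTION"}
  ],
  "documentDescribes": ["SPDXRef-Package-libfoo"]
}
"""

# Constructed sample with no package at all, which the spec allows since v2.0.
SAMPLE_NO_PACKAGES = """
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "files-only",
  "documentNamespace": "https://example.invalid/spdxdocs/example-0002",
  "creationInfo": {"created": "2023-01-01T00:00:00Z", "creators": ["Tool: hand-written"]},
  "files": [
    {"fileName": "./README", "SPDXID": "SPDXRef-File-README", "checksums": []}
  ],
  "documentDescribes": ["SPDXRef-File-README"]
}
"""

# Constructed sample reproducing the layout the issue complains about: the
# whole package object is stuffed into "documentDescribes".
BAD_DESCRIBES_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "wrong-layout",
  "documentDescribes": [
    {"name": "libfoo", "SPDXID": "SPDXRef-Package-libfoo", "downloadLocation": "NOASSERTION"}
  ]
}
"""

# Constructed sample with the redundant top-level "Document" wrapper.
WRAPPED_JSON = """
{
  "Document": {
    "spdxVersion": "SPDX-2.1",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "wrapped"
  }
}
"""


def check_document(doc: dict) -> List[str]:
    """Return the layout problems found; an empty list means the checks passed."""
    problems: List[str] = []

    # 1. The spec example has no top-level "Document" wrapper; flag one and stop,
    #    since nothing else can be checked at the real top level.
    if set(doc) == {"Document"}:
        problems.append('top-level "Document" wrapper is not part of the spec layout')
        return problems

    # 2. Packages are optional since SPDX 2.0; when present they must be a list
    #    of package objects under "packages".
    packages = doc.get("packages", [])
    if not isinstance(packages, list) or not all(isinstance(p, dict) for p in packages):
        problems.append('"packages" must be a list of package objects')
        packages = []

    # 3. Collect the SPDXIDs that "documentDescribes" may legitimately point at
    #    (packages and files are the elements a document usually describes).
    known_ids = {p.get("SPDXID") for p in packages}
    known_ids |= {f.get("SPDXID") for f in doc.get("files", []) if isinstance(f, dict)}
    known_ids.discard(None)

    # 4. "documentDescribes" must contain only SPDXID strings, each resolving to
    #    an element collected above.
    for entry in doc.get("documentDescribes", []):
        if not isinstance(entry, str):
            problems.append(f'"documentDescribes" holds a non-SPDXID entry: {entry!r}')
        elif entry not in known_ids:
            problems.append(f'"documentDescribes" references unknown SPDXID {entry}')
    return problems


def check_json_text(text: str) -> List[str]:
    """Parse a JSON SPDX document and run the layout checks on it."""
    return check_document(json.loads(text))


if __name__ == "__main__":
    for label, text in [("spec layout", SAMPLE_JSON), ("no packages", SAMPLE_NO_PACKAGES),
                        ("package inside documentDescribes", BAD_DESCRIBES_JSON),
                        ("Document wrapper", WRAPPED_JSON)]:
        print(label, "->", check_json_text(text) or "ok")
```

The check deliberately treats a package-free document as valid and only complains about `documentDescribes` entries that are not SPDXID strings or that do not resolve; it does not attempt the full field-level validation that the library's own validator performs.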
`setup.py` [lists Python 3.6-3.9 as supported versions](https://github.com/spdx/tools-python/blob/main/setup.py#L54-L57). However, CircleCI [runs against Python 3.7-3.10](https://github.com/spdx/tools-python/blob/main/.circleci/config.yml#L106-L113). If the latter reflects the current state, `setup.py` should be updated.
I came across [this line](https://github.com/spdx/tools-python/blob/7b9395589d65c117f541dc43e85895e2f6fb63ee/spdx/parsers/jsonyamlxml.py#L1654) in the code of `jsonyamlxml.py`:

```
# At the moment, only single-package documents are supported, so just the last package will be stored.
```

Multiple...
The [current implementation](https://github.com/spdx/tools-python/blob/a76ded116489be3a06b056f3e1f9d01abce23748/spdx/parsers/xmlparser.py#L53) expects an SPDX document in xml format to be wrapped in `` _and_ `` tags. As can be seen [here](https://github.com/spdx/spdx-spec/blob/development/v2.3.1/examples/SPDXXMLExample-v2.3.spdx.xml), for example, only `` tags are necessary...
I am getting the following warning:

```
$ convertor -f tag data/SPDXSimpleTag.tag -o output.rdf
/home/nico/IdeaProjects/tools-python/venv/lib/python3.8/site-packages/spdx/writers/rdf.py:148: UserWarning: Missing extracted license: LicenseRef-2.0
  warnings.warn(
```

Not entirely sure what this warning is about,...
One example: Annotation validation [does not return anything](https://github.com/spdx/tools-python/blob/5b40ece44692f3184c35573ed4b8d43b2258210c/spdx/annotation.py#L78-L86), but the place that calls it [expects a return value](https://github.com/spdx/tools-python/blob/a9eeb104e2ccd565af9785d909db5a8777e6dd0a/spdx/document.py#L452). There may be other examples as well. In general, I would suggest...