tools-python icon indicating copy to clipboard operation
tools-python copied to clipboard

Published 20 hours ago verified publisher icon spdx

Update spdx3.model to SPDX v3.0.1

Open bact opened this issue 1 year ago • 1 comments

Update spdx_tools.spdx3.model to the latest in SPDX v3.0.1:

  • Move Core Profile-related files to their own directories (following current v3 model structure)
    • from spdx_tools.spdx3.model to spdx_tools.spdx3.model.core
    • from spdx_tools.spdx3.writer.console to spdx_tools.spdx3.writer.console.core
  • Type/Enums:
    • Complete/update entries in vocabularies (enums) (e.g. HashAlgorithm, RelationshipType).
      • ADLER32 algorithm is now available
      • New relationship types like HAS_OPTIONAL_COMPONENT
    • Add PresenceType, SupportType, FileKindType
    • Update RelationshipType conversion rules in bump_from_spdx2/relationship.py: using the table from Differences between V3.0 and V2.3: Relationship as a reference
    • ExternalIdentifierType: PURL -> PACKAGE_URL
    • RelationshipType: concludedLicense -> hasConcludedLicense
    • RelationshipType: declaredLicense -> hasDeclaredLicense
  • Rename (see also CHANGELOG.md):
    • AIPackage: sensitivePersonalInformation -> useSensitivePersonalInformation
    • Build: parameters -> parameter
    • Core: ExternalReference -> ExternalRef
    • Core: ExternalReferenceType -> ExternalRefType
    • Core: imports -> import_ (cannot use "import", as it is Python's reserved)
    • Dataset: Dataset -> DatasetPackage
    • DatasetPackage: sensitivePersonalInformation -> hasSensitivePersonalInformation
    • Package: homepage -> homePage (home_page)
    • Software: SBOMType -> SbomType
  • Others:
    • Fix type in class initialization (List cannot be None)
    • Sorting out imports, to avoid circular import issue
    • Update SPDX_OWL.json and context.json with ones generated from the latest v3.0.1 model at https://spdx.org/rdf/3.0.1/spdx-model.ttl (10 Oct 2024) (using instructions in the updated process.md)

Notes:

  • Mapping between spdx2 and spdx3 (that is required for conversion) is not yet in this PR.
  • SpdxOrganization individual is also not in this PR

bact avatar Oct 09 '24 06:10 bact

@maxhbr - Can you take a quick look and give @bact feedback

Discussed on the 15 Oct 2024 tech call

goneall avatar Oct 15 '24 16:10 goneall

We might abandon this PR if we can generate the Python code from the model ontology file (I have learned from Gary that there's a work under going for that).

I think that's probably a better approach in terms of maintenance (and correctness to the model).

bact avatar Nov 04 '24 13:11 bact

I agree with you

On Mon, 4 Nov 2024 at 15:21, Arthit Suriyawongkul @.***> wrote:

We might abandon this PR if we can generate the Python code from the model ontology file. I think that's probably a better approach in terms of maintenance.

— Reply to this email directly, view it on GitHub https://github.com/spdx/tools-python/pull/829#issuecomment-2454701926, or unsubscribe https://github.com/notifications/unsubscribe-auth/ASN5JCPORMIRTAOD25IS3FDZ65YFFAVCNFSM6AAAAABPTY72NWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDINJUG4YDCOJSGY . You are receiving this because you are subscribed to this thread.Message ID: @.***>

keithofox avatar Nov 05 '24 11:11 keithofox

Could you share any news when we might expect spdx / tools-python to support deserializing / validating v3.0.1 spdx documents?

Is there some discussion further where one could subscribe to get any kind of updates on the state?

Seems like this PR has been hanging for a while.

alcroito avatar Feb 27 '25 15:02 alcroito

@alcroito - we've been having some discussions on this topic on our weekly SPDX Implementers meeting.

We now have the generated model files that implement SPDX 3.0.1 available in a separate repo: https://github.com/spdx/spdx-python-model

The current thinking is we would refactor this tools-python code to use the generated model files, but that is quite a bit of work.

One possibility is to review and merge these changes now and make the design changes later.

@maxhbr @bact - any thoughts on the approach?

goneall avatar Feb 27 '25 21:02 goneall

I have take a look at spdx-python-model. We can try refactor the code to use the generated model.

One of the things that the generated model is lacking compared to the spdx3.model in tools-python is the access to properties inside a class directly. You have to iterate the class members to get property names. Code may be more verbose.

What I have in mind:

  1. Packaging, versioning, and making spdx-python-model available from PyPI (this is to ease the development/deployment in further steps)
  2. Create (automatically?) a light layer that expose classes' properties
  3. Refactor spdx3 code in tools-python

But yes that will be quite a work.

bact avatar Mar 03 '25 05:03 bact

Maybe we can try also try to to rerun the CI test of this PR?

bact avatar Mar 03 '25 05:03 bact