tools-python
A Python library to parse, validate and create SPDX documents.
As of PEP 749 (Python 3.14), it is no longer possible to access `__annotations__` on class instances. `__annotations__` is now a descriptor that is only defined on `type` and not...
Hi there, Trying to build tools-python on Debian with python3.14 ends up in error: ``` =================================== FAILURES =================================== ___________________________ test_bump_spdx_document ____________________________ def test_bump_spdx_document(): spdx2_document: Spdx2_Document = document_fixture() spdx2_document.creation_info.creators.append(actor_fixture(ActorType.TOOL, "tool_name", None))...
I saw that there is a `py.typed` file at [`src/spdx_tools/spdx/py.typed`](https://github.com/spdx/tools-python/blob/main/src/spdx_tools/spdx/py.typed), but there's not a similar file at `src/spdx_tools/spdx3/py.typed`. From initial observation, `spdx3` appears to be typed inline, the same as...
As described in issue #760, the tools do not currently support reading SPDX3.0 documents. This makes it clearer in the README.
I've been writing some Python tooling that consumes SPDX documents from various sources, some of which use https://github.com/swinslow/cmake-spdx which unfortunately has the open issue https://github.com/swinslow/cmake-spdx/issues/8 that it generates documents with...
I see SPDX community is suggesting to use spdx3-validate python tool to perform json generated sbom validation at https://github.com/spdx/spdx-3-model/blob/develop/serialization/jsonld/validation.md Running this tool against a generated SPDX SBOM based on model...
[output.spdx.json](https://github.com/user-attachments/files/22278804/output.spdx.json) https://github.com/spdx/tools-java gives: ``` This SPDX Document is not valid due to: object has missing required properties (["downloadLocation"]) for {"pointer":"/packages/0"} Document must have at least one relationship of type DOCUMENT_DESCRIBES...
When converting from `XXX_DEPENDENCY_OF` to `DEPENDS_ON` we need to swap the dependency direction.
This issue is related to https://github.com/spdx/spdx-java-model-2_X/issues/33 and has identical behaviour and an identical fix. The regex that validates `PackageDownloadLocation` tags rejects git URLs with underscores in the repository name: https://github.com/spdx/tools-python/blob/b7f9a3defe8b0af1414cd75f1447ec242428f1d0/src/spdx_tools/spdx/validation/uri_validators.py#L18...
When attempting to retrieve license data in SPDX3 documents using LicenseDeclared attribute, I get no output. The same workflow works as expected in SPDX2, but I can’t find an attribute...