feat(spdx): Upgrade output to specification version 2.3

Note that this changes serialization of reference categories to use dashes instead of underscores [1]. Continue to accept underscores when deserializing for backward-compatibility, also see the discussion at [2]. Generally, deserialization of SPDX 2.2 is still supported. The diff of `spdx-schema.json` nicely resembles the code changes. Resolves #5445. [1]: https://github.com/spdx/spdx-spec/blob/v2.3/schemas/spdx-schema.json#L325 [2]: CycloneDX/cyclonedx-dotnet-library#267 Signed-off-by: Sebastian Schuberth <[email protected]>
oss-review-toolkit · Nov 17, 2023 · 8bb326d · 8bb326d
1 parent 40630f4
commit 8bb326d
Show file tree

Hide file tree

Showing 12 changed files with 220 additions and 65 deletions.
diff --git a/README.md b/README.md
@@ -732,7 +732,7 @@ following formats are supported (reporter names are case-insensitive):
   * Customizable with [Apache Freemarker](https://freemarker.apache.org/) templates
 * Opossum input that can be visualized and edited in the [OpossumUI](https://github.com/opossum-tool/opossumUI)
   (`-f Opossum`)
-* [SPDX Document](https://spdx.dev/specifications/), version 2.2 (`-f SpdxDocument`)
+* [SPDX Document](https://spdx.dev/specifications/), version 2.3 (`-f SpdxDocument`)
 * Static HTML (`-f StaticHtml`)
 * [TrustSource](https://www.trustsource.io/) JSON file (`-f TrustSource`)
   * Use this as an alternative to [ts-scan](https://github.com/TrustSource/ts-scan) for support of more build systems.

diff --git a/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.json b/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.json
@@ -1,6 +1,6 @@
 {
   "SPDXID" : "SPDXRef-DOCUMENT",
-  "spdxVersion" : "SPDX-2.2",
+  "spdxVersion" : "SPDX-2.3",
   "creationInfo" : {
     "comment" : "some creation info comment",
     "created" : "<REPLACE_CREATION_DATE_AND_TIME>",
@@ -39,7 +39,7 @@
     "copyrightText" : "Copyright 2020 Some copyright holder in VCS\nCopyright 2020 Some copyright holder in source artifact\nCopyright 2020 Some other copyright holder in source artifact",
     "downloadLocation" : "https://some-host/first-package.jar",
     "externalRefs" : [ {
-      "referenceCategory" : "PACKAGE_MANAGER",
+      "referenceCategory" : "PACKAGE-MANAGER",
       "referenceType" : "purl",
       "referenceLocator" : "pkg:maven/first-package-group/[email protected]"
     } ],
@@ -55,7 +55,7 @@
     "copyrightText" : "Copyright 2020 Some copyright holder in VCS\nCopyright 2020 Some copyright holder in source artifact\nCopyright 2020 Some other copyright holder in source artifact",
     "downloadLocation" : "git+ssh://github.com/path/first-package-repo.git@deadbeef#project-path",
     "externalRefs" : [ {
-      "referenceCategory" : "PACKAGE_MANAGER",
+      "referenceCategory" : "PACKAGE-MANAGER",
       "referenceType" : "purl",
       "referenceLocator" : "pkg:maven/first-package-group/[email protected]"
     } ],
@@ -80,7 +80,7 @@
     "copyrightText" : "Copyright 2020 Some copyright holder in VCS\nCopyright 2020 Some copyright holder in source artifact\nCopyright 2020 Some other copyright holder in source artifact",
     "downloadLocation" : "https://some-host/first-package-sources.jar",
     "externalRefs" : [ {
-      "referenceCategory" : "PACKAGE_MANAGER",
+      "referenceCategory" : "PACKAGE-MANAGER",
       "referenceType" : "purl",
       "referenceLocator" : "pkg:maven/first-package-group/[email protected]"
     } ],
@@ -96,7 +96,7 @@
     "copyrightText" : "NONE",
     "downloadLocation" : "NONE",
     "externalRefs" : [ {
-      "referenceCategory" : "PACKAGE_MANAGER",
+      "referenceCategory" : "PACKAGE-MANAGER",
       "referenceType" : "purl",
       "referenceLocator" : "pkg:maven/fourth-package-group/[email protected]"
     } ],
@@ -112,7 +112,7 @@
     "copyrightText" : "NONE",
     "downloadLocation" : "NONE",
     "externalRefs" : [ {
-      "referenceCategory" : "PACKAGE_MANAGER",
+      "referenceCategory" : "PACKAGE-MANAGER",
       "referenceType" : "purl",
       "referenceLocator" : "pkg:maven/second-package-group/[email protected]"
     } ],
@@ -128,7 +128,7 @@
     "copyrightText" : "Copyright 2020 Some copyright holder in source artifact",
     "downloadLocation" : "NONE",
     "externalRefs" : [ {
-      "referenceCategory" : "PACKAGE_MANAGER",
+      "referenceCategory" : "PACKAGE-MANAGER",
       "referenceType" : "purl",
       "referenceLocator" : "pkg:maven/seventh-package-group/[email protected]"
     } ],
@@ -148,7 +148,7 @@
     "copyrightText" : "Copyright 2020 Some copyright holder in source artifact",
     "downloadLocation" : "https://some-host/seventh-package-sources.jar",
     "externalRefs" : [ {
-      "referenceCategory" : "PACKAGE_MANAGER",
+      "referenceCategory" : "PACKAGE-MANAGER",
       "referenceType" : "purl",
       "referenceLocator" : "pkg:maven/seventh-package-group/[email protected]"
     } ],
@@ -169,7 +169,7 @@
     "copyrightText" : "NONE",
     "downloadLocation" : "NONE",
     "externalRefs" : [ {
-      "referenceCategory" : "PACKAGE_MANAGER",
+      "referenceCategory" : "PACKAGE-MANAGER",
       "referenceType" : "purl",
       "referenceLocator" : "pkg:maven/sixth-package-group/[email protected]"
     } ],
@@ -185,7 +185,7 @@
     "copyrightText" : "NONE",
     "downloadLocation" : "NONE",
     "externalRefs" : [ {
-      "referenceCategory" : "PACKAGE_MANAGER",
+      "referenceCategory" : "PACKAGE-MANAGER",
       "referenceType" : "purl",
       "referenceLocator" : "pkg:maven/third-package-group/[email protected]"
     } ],

diff --git a/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.yml b/plugins/reporters/spdx/src/funTest/assets/spdx-document-reporter-expected-output.spdx.yml
@@ -1,6 +1,6 @@
 ---
 SPDXID: "SPDXRef-DOCUMENT"
-spdxVersion: "SPDX-2.2"
+spdxVersion: "SPDX-2.3"
 creationInfo:
   comment: "some creation info comment"
   created: "<REPLACE_CREATION_DATE_AND_TIME>"
@@ -49,7 +49,7 @@ packages:
     \ in source artifact"
   downloadLocation: "https://some-host/first-package.jar"
   externalRefs:
-  - referenceCategory: "PACKAGE_MANAGER"
+  - referenceCategory: "PACKAGE-MANAGER"
     referenceType: "purl"
     referenceLocator: "pkg:maven/first-package-group/[email protected]"
   filesAnalyzed: false
@@ -67,7 +67,7 @@ packages:
     \ in source artifact"
   downloadLocation: "git+ssh://github.com/path/first-package-repo.git@deadbeef#project-path"
   externalRefs:
-  - referenceCategory: "PACKAGE_MANAGER"
+  - referenceCategory: "PACKAGE-MANAGER"
     referenceType: "purl"
     referenceLocator: "pkg:maven/first-package-group/[email protected]"
   filesAnalyzed: true
@@ -95,7 +95,7 @@ packages:
     \ in source artifact"
   downloadLocation: "https://some-host/first-package-sources.jar"
   externalRefs:
-  - referenceCategory: "PACKAGE_MANAGER"
+  - referenceCategory: "PACKAGE-MANAGER"
     referenceType: "purl"
     referenceLocator: "pkg:maven/first-package-group/[email protected]"
   filesAnalyzed: false
@@ -111,7 +111,7 @@ packages:
   copyrightText: "NONE"
   downloadLocation: "NONE"
   externalRefs:
-  - referenceCategory: "PACKAGE_MANAGER"
+  - referenceCategory: "PACKAGE-MANAGER"
     referenceType: "purl"
     referenceLocator: "pkg:maven/fourth-package-group/[email protected]"
   filesAnalyzed: false
@@ -125,7 +125,7 @@ packages:
   copyrightText: "NONE"
   downloadLocation: "NONE"
   externalRefs:
-  - referenceCategory: "PACKAGE_MANAGER"
+  - referenceCategory: "PACKAGE-MANAGER"
     referenceType: "purl"
     referenceLocator: "pkg:maven/second-package-group/[email protected]"
   filesAnalyzed: false
@@ -139,7 +139,7 @@ packages:
   copyrightText: "Copyright 2020 Some copyright holder in source artifact"
   downloadLocation: "NONE"
   externalRefs:
-  - referenceCategory: "PACKAGE_MANAGER"
+  - referenceCategory: "PACKAGE-MANAGER"
     referenceType: "purl"
     referenceLocator: "pkg:maven/seventh-package-group/[email protected]"
   filesAnalyzed: false
@@ -156,7 +156,7 @@ packages:
   copyrightText: "Copyright 2020 Some copyright holder in source artifact"
   downloadLocation: "https://some-host/seventh-package-sources.jar"
   externalRefs:
-  - referenceCategory: "PACKAGE_MANAGER"
+  - referenceCategory: "PACKAGE-MANAGER"
     referenceType: "purl"
     referenceLocator: "pkg:maven/seventh-package-group/[email protected]"
   filesAnalyzed: true
@@ -177,7 +177,7 @@ packages:
   copyrightText: "NONE"
   downloadLocation: "NONE"
   externalRefs:
-  - referenceCategory: "PACKAGE_MANAGER"
+  - referenceCategory: "PACKAGE-MANAGER"
     referenceType: "purl"
     referenceLocator: "pkg:maven/sixth-package-group/[email protected]"
   filesAnalyzed: false
@@ -191,7 +191,7 @@ packages:
   copyrightText: "NONE"
   downloadLocation: "NONE"
   externalRefs:
-  - referenceCategory: "PACKAGE_MANAGER"
+  - referenceCategory: "PACKAGE-MANAGER"
     referenceType: "purl"
     referenceLocator: "pkg:maven/third-package-group/[email protected]"
   filesAnalyzed: false