adapt code to new spdx-tools release

meretp · meretp · commit 77f0e45eb5a1 · 2022-12-28T08:49:06.000+01:00
With the new release, the checksum class has been renamed, the license class has been moved to its own file, and files are now only allowed at document level.

Signed-off-by: Meret Behrens &lt;meret.behrens@tngtech.com&gt;
diff --git a/requirements.txt b/requirements.txt
@@ -64,7 +64,7 @@ requests==2.28.1
 saneyaml==0.5.2
 six==1.16.0
 soupsieve==2.3.2.post1
-spdx-tools==0.7.0a3
+spdx-tools==0.7.0rc0
 text-unidecode==1.3
 toml==0.10.2
 typecode==30.0.0
diff --git a/setup-mini.cfg b/setup-mini.cfg
@@ -103,7 +103,7 @@ install_requires =
     pymaven_patch >= 0.2.8
     requests >= 2.7.0
     saneyaml >= 0.5.2
-    spdx_tools >= 0.7.0a3
+    spdx_tools >= 0.7.0rc0, ==0.7.*
     text_unidecode >= 1.0
     toml >= 0.10.0
     urlpy
diff --git a/setup.cfg b/setup.cfg
@@ -104,7 +104,7 @@ install_requires =
     python-frontmatter >= 1.0.0
     requests >= 2.7.0
     saneyaml >= 0.5.2
-    spdx_tools >= 0.7.0a3
+    spdx_tools >= 0.7.0rc0, ==0.7.*
     text_unidecode >= 1.0
     toml >= 0.10.0
     urlpy
diff --git a/src/formattedcode/output_spdx.py b/src/formattedcode/output_spdx.py
@@ -12,13 +12,15 @@
 from io import BytesIO
 from io import StringIO
 
-from spdx.checksum import Algorithm
+from spdx.checksum import Checksum, ChecksumAlgorithm
 from spdx.creationinfo import Tool
 from spdx.document import ExtractedLicense
 from spdx.document import Document
-from spdx.document import License
+from spdx.license import License
 from spdx.file import File
 from spdx.package import Package
+from spdx.relationship import Relationship
+from spdx.utils import calc_verif_code
 from spdx.utils import NoAssert
 from spdx.utils import SPDXNone
 from spdx.version import Version
@@ -281,9 +283,8 @@ def write_spdx(
         name = './' + file_data.get('path')
         file_entry = File(
             spdx_id=f'SPDXRef-{sid}',
-            name=name,
-            chk_sum=Algorithm('SHA1', file_data.get('sha1') or '')
-        )
+            name=name)
+        file_entry.set_checksum(Checksum(ChecksumAlgorithm.SHA1, file_data.get('sha1') or ''))
 
         file_license_detections = file_data.get('license_detections')
         license_matches = get_matches_from_detection_mappings(file_license_detections)
@@ -362,9 +363,11 @@ def write_spdx(
         else:
             file_entry.copyright = SPDXNone()
 
-        package.add_file(file_entry)
+        doc.add_file(file_entry)
+        relationship = Relationship(package.spdx_id + " CONTAINS " + file_entry.spdx_id)
+        doc.add_relationship(relationship)
 
-    if len(package.files) == 0:
+    if len(doc.files) == 0:
         if as_tagvalue:
             msg = "# No results for package '{}'.\n".format(package.name)
         else:
@@ -397,7 +400,7 @@ def write_spdx(
         # statements for the package.
         package.cr_text = '\n'.join(sorted(package.cr_text)) + '\n'
 
-    package.verif_code = doc.package.calc_verif_code()
+    package.verif_code = calc_verif_code(doc.files)
     package.license_declared = NoAssert()
     package.conc_lics = NoAssert()
 
@@ -409,7 +412,7 @@ def write_spdx(
     # one case we do need to deal with bytes and decode before writing (rdf) and
     # in the other case we deal with text all the way.
 
-    if package.files:
+    if doc.files:
 
         if as_tagvalue:
             from spdx.writers.tagvalue import write_document  # NOQA
diff --git a/tests/formattedcode/data/spdx/simple/expected.tv b/tests/formattedcode/data/spdx/simple/expected.tv
@@ -27,5 +27,4 @@ SPDXID: SPDXRef-1
 FileChecksum: SHA1: b8a793cce3c3a4cd3a4646ddbe86edd542ed0cd8
 LicenseConcluded: NOASSERTION
 LicenseInfoInFile: NONE
-FileCopyrightText: NONE
-# Extracted Licenses
+FileCopyrightText: NONE
