spdx/v2/v2_3/tagvalue/writer/save_package_test.go - third_party/github.com/spdx/tools-golang - Git at Google

 // SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later

 package writer

 import (
 	"bytes"
 	"testing"

 	"github.com/spdx/tools-golang/spdx/v2/common"
 	spdx "github.com/spdx/tools-golang/spdx/v2/v2_3"
 )

 // ===== Package section Saver tests =====
 func TestSaverPackageSavesTextCombo1(t *testing.T) {
 	// include package external refs
 	// test Supplier:Organization, Originator:Person
 	// FilesAnalyzed true, IsFilesAnalyzedTagPresent true
 	// PackageVerificationCodeExcludedFile has string

 	// NOTE, this is an entirely made up CPE and the format is likely invalid
 	per1 := &spdx.PackageExternalReference{
 		Category:           "SECURITY",
 		RefType:            "cpe22Type",
 		Locator:            "cpe:/a:john_doe_inc:p1:0.1.0",
 		ExternalRefComment: "this is an external ref comment #1",
 	}

 	// NOTE, this is an entirely made up NPM
 	per2 := &spdx.PackageExternalReference{
 		Category: "PACKAGE-MANAGER",
 		RefType:  "npm",
 		Locator:  "p1@0.1.0",
 		ExternalRefComment: `this is a
 multi-line external ref comment`,
 	}

 	// NOTE, this is an entirely made up SWH persistent ID
 	per3 := &spdx.PackageExternalReference{
 		Category: "PERSISTENT-ID",
 		RefType:  "swh",
 		Locator:  "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2",
 		// no ExternalRefComment for this one
 	}

 	per4 := &spdx.PackageExternalReference{
 		Category: "OTHER",
 		RefType:  "anything",
 		Locator:  "anything-without-spaces-can-go-here",
 		// no ExternalRefComment for this one
 	}

 	pkg := &spdx.Package{
 		PackageName:               "p1",
 		PackageSPDXIdentifier:     common.ElementID("p1"),
 		PackageVersion:            "0.1.0",
 		PackageFileName:           "p1-0.1.0-master.tar.gz",
 		PackageSupplier:           &common.Supplier{SupplierType: "Organization", Supplier: "John Doe, Inc."},
 		PackageOriginator:         &common.Originator{Originator: "John Doe", OriginatorType: "Person"},
 		PackageDownloadLocation:   "http://example.com/p1/p1-0.1.0-master.tar.gz",
 		FilesAnalyzed:             true,
 		IsFilesAnalyzedTagPresent: true,
 		PackageVerificationCode: &common.PackageVerificationCode{
 			Value:         "0123456789abcdef0123456789abcdef01234567",
 			ExcludedFiles: []string{"p1-0.1.0.spdx"},
 		},
 		PackageChecksums: []common.Checksum{
 			{
 				Algorithm: common.SHA1,
 				Value:     "85ed0817af83a24ad8da68c2b5094de69833983c",
 			},
 			{
 				Algorithm: common.SHA256,
 				Value:     "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd",
 			},
 			{
 				Algorithm: common.MD5,
 				Value:     "624c1abb3664f4b35547e7c73864ad24",
 			},
 		},
 		PackageHomePage:         "http://example.com/p1",
 		PackageSourceInfo:       "this is a source comment",
 		PackageLicenseConcluded: "GPL-2.0-or-later",
 		PackageLicenseInfoFromFiles: []string{
 			"Apache-1.1",
 			"Apache-2.0",
 			"GPL-2.0-or-later",
 		},
 		PackageLicenseDeclared:  "Apache-2.0 OR GPL-2.0-or-later",
 		PackageLicenseComments:  "this is a license comment(s)",
 		PackageCopyrightText:    "Copyright (c) John Doe, Inc.",
 		PackageSummary:          "this is a summary comment",
 		PackageDescription:      "this is a description comment",
 		PackageComment:          "this is a comment comment",
 		PackageAttributionTexts: []string{"Include this notice in all advertising materials"},
 		PackageExternalReferences: []*spdx.PackageExternalReference{
 			per1,
 			per2,
 			per3,
 			per4,
 		},
 		PrimaryPackagePurpose: "LIBRARY",
 		BuiltDate:             "2021-09-15T02:38:00Z",
 		ValidUntilDate:        "2022-10-15T02:38:00Z",
 		ReleaseDate:           "2021-10-15T02:38:00Z",
 	}

 	// what we want to get, as a buffer of bytes
 	want := bytes.NewBufferString(`PackageName: p1
 SPDXID: SPDXRef-p1
 PackageVersion: 0.1.0
 PackageFileName: p1-0.1.0-master.tar.gz
 PackageSupplier: Organization: John Doe, Inc.
 PackageOriginator: Person: John Doe
 PackageDownloadLocation: http://example.com/p1/p1-0.1.0-master.tar.gz
 PrimaryPackagePurpose: LIBRARY
 ReleaseDate: 2021-10-15T02:38:00Z
 BuiltDate: 2021-09-15T02:38:00Z
 ValidUntilDate: 2022-10-15T02:38:00Z
 FilesAnalyzed: true
 PackageVerificationCode: 0123456789abcdef0123456789abcdef01234567 (excludes: p1-0.1.0.spdx)
 PackageChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c
 PackageChecksum: SHA256: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd
 PackageChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24
 PackageHomePage: http://example.com/p1
 PackageSourceInfo: this is a source comment
 PackageLicenseConcluded: GPL-2.0-or-later
 PackageLicenseInfoFromFiles: Apache-1.1
 PackageLicenseInfoFromFiles: Apache-2.0
 PackageLicenseInfoFromFiles: GPL-2.0-or-later
 PackageLicenseDeclared: Apache-2.0 OR GPL-2.0-or-later
 PackageLicenseComments: this is a license comment(s)
 PackageCopyrightText: Copyright (c) John Doe, Inc.
 PackageSummary: this is a summary comment
 PackageDescription: this is a description comment
 PackageComment: this is a comment comment
 ExternalRef: SECURITY cpe22Type cpe:/a:john_doe_inc:p1:0.1.0
 ExternalRefComment: this is an external ref comment #1
 ExternalRef: PACKAGE-MANAGER npm p1@0.1.0
 ExternalRefComment: <text>this is a
 multi-line external ref comment</text>
 ExternalRef: PERSISTENT-ID swh swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2
 ExternalRef: OTHER anything anything-without-spaces-can-go-here
 PackageAttributionText: Include this notice in all advertising materials

 `)

 	// render as buffer of bytes
 	var got bytes.Buffer
 	err := renderPackage(pkg, &got)
 	if err != nil {
 		t.Errorf("Expected nil error, got %v", err)
 	}

 	// check that they match
 	c := bytes.Compare(want.Bytes(), got.Bytes())
 	if c != 0 {
 		t.Errorf("Expected %v, got %v", want.String(), got.String())
 	}
 }

 func TestSaverPackageSavesTextCombo2(t *testing.T) {
 	// no package external refs
 	// test Supplier:NOASSERTION, Originator:Organization
 	// FilesAnalyzed true, IsFilesAnalyzedTagPresent false
 	// PackageVerificationCodeExcludedFile is empty

 	pkg := &spdx.Package{
 		PackageName:               "p1",
 		PackageSPDXIdentifier:     common.ElementID("p1"),
 		PackageVersion:            "0.1.0",
 		PackageFileName:           "p1-0.1.0-master.tar.gz",
 		PackageSupplier:           &common.Supplier{Supplier: "NOASSERTION"},
 		PackageOriginator:         &common.Originator{OriginatorType: "Organization", Originator: "John Doe, Inc."},
 		PackageDownloadLocation:   "http://example.com/p1/p1-0.1.0-master.tar.gz",
 		FilesAnalyzed:             true,
 		IsFilesAnalyzedTagPresent: false,
 		PackageVerificationCode:   &common.PackageVerificationCode{Value: "0123456789abcdef0123456789abcdef01234567"},
 		PackageChecksums: []common.Checksum{
 			{
 				Algorithm: common.SHA1,
 				Value:     "85ed0817af83a24ad8da68c2b5094de69833983c",
 			},
 			{
 				Algorithm: common.SHA256,
 				Value:     "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd",
 			},
 			{
 				Algorithm: common.MD5,
 				Value:     "624c1abb3664f4b35547e7c73864ad24",
 			},
 		},
 		PackageHomePage:         "http://example.com/p1",
 		PackageSourceInfo:       "this is a source comment",
 		PackageLicenseConcluded: "GPL-2.0-or-later",
 		PackageLicenseInfoFromFiles: []string{
 			"Apache-1.1",
 			"Apache-2.0",
 			"GPL-2.0-or-later",
 		},
 		PackageLicenseDeclared:  "Apache-2.0 OR GPL-2.0-or-later",
 		PackageLicenseComments:  "this is a license comment(s)",
 		PackageCopyrightText:    "Copyright (c) John Doe, Inc.",
 		PackageSummary:          "this is a summary comment",
 		PackageDescription:      "this is a description comment",
 		PackageComment:          "this is a comment comment",
 		PackageAttributionTexts: []string{"Include this notice in all advertising materials"},
 	}

 	// what we want to get, as a buffer of bytes
 	want := bytes.NewBufferString(`PackageName: p1
 SPDXID: SPDXRef-p1
 PackageVersion: 0.1.0
 PackageFileName: p1-0.1.0-master.tar.gz
 PackageSupplier: NOASSERTION
 PackageOriginator: Organization: John Doe, Inc.
 PackageDownloadLocation: http://example.com/p1/p1-0.1.0-master.tar.gz
 PackageVerificationCode: 0123456789abcdef0123456789abcdef01234567
 PackageChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c
 PackageChecksum: SHA256: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd
 PackageChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24
 PackageHomePage: http://example.com/p1
 PackageSourceInfo: this is a source comment
 PackageLicenseConcluded: GPL-2.0-or-later
 PackageLicenseInfoFromFiles: Apache-1.1
 PackageLicenseInfoFromFiles: Apache-2.0
 PackageLicenseInfoFromFiles: GPL-2.0-or-later
 PackageLicenseDeclared: Apache-2.0 OR GPL-2.0-or-later
 PackageLicenseComments: this is a license comment(s)
 PackageCopyrightText: Copyright (c) John Doe, Inc.
 PackageSummary: this is a summary comment
 PackageDescription: this is a description comment
 PackageComment: this is a comment comment
 PackageAttributionText: Include this notice in all advertising materials

 `)

 	// render as buffer of bytes
 	var got bytes.Buffer
 	err := renderPackage(pkg, &got)
 	if err != nil {
 		t.Errorf("Expected nil error, got %v", err)
 	}

 	// check that they match
 	c := bytes.Compare(want.Bytes(), got.Bytes())
 	if c != 0 {
 		t.Errorf("Expected %v, got %v", want.String(), got.String())
 	}
 }

 func TestSaverPackageSavesTextCombo3(t *testing.T) {
 	// no package external refs
 	// test Supplier:Person, Originator:NOASSERTION
 	// FilesAnalyzed false, IsFilesAnalyzedTagPresent true
 	// PackageVerificationCodeExcludedFile is empty
 	// three PackageAttributionTexts, one with multi-line text

 	pkg := &spdx.Package{
 		PackageName:               "p1",
 		PackageSPDXIdentifier:     common.ElementID("p1"),
 		PackageVersion:            "0.1.0",
 		PackageFileName:           "p1-0.1.0-master.tar.gz",
 		PackageSupplier:           &common.Supplier{Supplier: "John Doe", SupplierType: "Person"},
 		PackageOriginator:         &common.Originator{Originator: "NOASSERTION"},
 		PackageDownloadLocation:   "http://example.com/p1/p1-0.1.0-master.tar.gz",
 		FilesAnalyzed:             false,
 		IsFilesAnalyzedTagPresent: true,
 		// NOTE that verification code MUST be omitted from output
 		// since FilesAnalyzed is false
 		PackageVerificationCode: &common.PackageVerificationCode{Value: "0123456789abcdef0123456789abcdef01234567"},
 		PackageChecksums: []common.Checksum{
 			{
 				Algorithm: common.SHA1,
 				Value:     "85ed0817af83a24ad8da68c2b5094de69833983c",
 			},
 			{
 				Algorithm: common.SHA256,
 				Value:     "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd",
 			},
 			{
 				Algorithm: common.MD5,
 				Value:     "624c1abb3664f4b35547e7c73864ad24",
 			},
 		},
 		PackageHomePage:         "http://example.com/p1",
 		PackageSourceInfo:       "this is a source comment",
 		PackageLicenseConcluded: "GPL-2.0-or-later",
 		// NOTE that license info from files MUST be omitted from output
 		// since FilesAnalyzed is false
 		PackageLicenseInfoFromFiles: []string{
 			"Apache-1.1",
 			"Apache-2.0",
 			"GPL-2.0-or-later",
 		},
 		PackageLicenseDeclared: "Apache-2.0 OR GPL-2.0-or-later",
 		PackageLicenseComments: "this is a license comment(s)",
 		PackageCopyrightText:   "Copyright (c) John Doe, Inc.",
 		PackageSummary:         "this is a summary comment",
 		PackageDescription:     "this is a description comment",
 		PackageComment:         "this is a comment comment",
 		PackageAttributionTexts: []string{
 			"Include this notice in all advertising materials",
 			"and also this notice",
 			`and this multi-line notice
 which goes across two lines`,
 		},
 	}

 	// what we want to get, as a buffer of bytes
 	want := bytes.NewBufferString(`PackageName: p1
 SPDXID: SPDXRef-p1
 PackageVersion: 0.1.0
 PackageFileName: p1-0.1.0-master.tar.gz
 PackageSupplier: Person: John Doe
 PackageOriginator: NOASSERTION
 PackageDownloadLocation: http://example.com/p1/p1-0.1.0-master.tar.gz
 FilesAnalyzed: false
 PackageChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c
 PackageChecksum: SHA256: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd
 PackageChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24
 PackageHomePage: http://example.com/p1
 PackageSourceInfo: this is a source comment
 PackageLicenseConcluded: GPL-2.0-or-later
 PackageLicenseDeclared: Apache-2.0 OR GPL-2.0-or-later
 PackageLicenseComments: this is a license comment(s)
 PackageCopyrightText: Copyright (c) John Doe, Inc.
 PackageSummary: this is a summary comment
 PackageDescription: this is a description comment
 PackageComment: this is a comment comment
 PackageAttributionText: Include this notice in all advertising materials
 PackageAttributionText: and also this notice
 PackageAttributionText: <text>and this multi-line notice
 which goes across two lines</text>

 `)

 	// render as buffer of bytes
 	var got bytes.Buffer
 	err := renderPackage(pkg, &got)
 	if err != nil {
 		t.Errorf("Expected nil error, got %v", err)
 	}

 	// check that they match
 	c := bytes.Compare(want.Bytes(), got.Bytes())
 	if c != 0 {
 		t.Errorf("Expected %v, got %v", want.String(), got.String())
 	}
 }

 func TestSaverPackageSaveOmitsOptionalFieldsIfEmpty(t *testing.T) {
 	pkg := &spdx.Package{
 		PackageName:               "p1",
 		PackageSPDXIdentifier:     common.ElementID("p1"),
 		PackageDownloadLocation:   "http://example.com/p1/p1-0.1.0-master.tar.gz",
 		FilesAnalyzed:             false,
 		IsFilesAnalyzedTagPresent: true,
 		// NOTE that verification code MUST be omitted from output,
 		// even if present in model, since FilesAnalyzed is false
 		PackageLicenseConcluded: "GPL-2.0-or-later",
 		// NOTE that license info from files MUST be omitted from output
 		// even if present in model, since FilesAnalyzed is false
 		PackageLicenseInfoFromFiles: []string{
 			"Apache-1.1",
 			"Apache-2.0",
 			"GPL-2.0-or-later",
 		},
 		PackageLicenseDeclared: "Apache-2.0 OR GPL-2.0-or-later",
 		PackageCopyrightText:   "Copyright (c) John Doe, Inc.",
 	}

 	// what we want to get, as a buffer of bytes
 	want := bytes.NewBufferString(`PackageName: p1
 SPDXID: SPDXRef-p1
 PackageDownloadLocation: http://example.com/p1/p1-0.1.0-master.tar.gz
 FilesAnalyzed: false
 PackageLicenseConcluded: GPL-2.0-or-later
 PackageLicenseDeclared: Apache-2.0 OR GPL-2.0-or-later
 PackageCopyrightText: Copyright (c) John Doe, Inc.

 `)

 	// render as buffer of bytes
 	var got bytes.Buffer
 	err := renderPackage(pkg, &got)
 	if err != nil {
 		t.Errorf("Expected nil error, got %v", err)
 	}

 	// check that they match
 	c := bytes.Compare(want.Bytes(), got.Bytes())
 	if c != 0 {
 		t.Errorf("Expected %v, got %v", want.String(), got.String())
 	}
 }

 func TestSaverPackageSavesFilesIfPresent(t *testing.T) {
 	f1 := &spdx.File{
 		FileName:           "/tmp/whatever1.txt",
 		FileSPDXIdentifier: common.ElementID("File1231"),
 		Checksums: []common.Checksum{
 			{
 				Algorithm: common.SHA1,
 				Value:     "85ed0817af83a24ad8da68c2b5094de69833983c",
 			},
 		},
 		LicenseConcluded:   "Apache-2.0",
 		LicenseInfoInFiles: []string{"Apache-2.0"},
 		FileCopyrightText:  "Copyright (c) Jane Doe",
 	}

 	f2 := &spdx.File{
 		FileName:           "/tmp/whatever2.txt",
 		FileSPDXIdentifier: common.ElementID("File1232"),
 		Checksums: []common.Checksum{
 			{
 				Algorithm: common.SHA1,
 				Value:     "85ed0817af83a24ad8da68c2b5094de69833983d",
 			},
 		},
 		LicenseConcluded:   "MIT",
 		LicenseInfoInFiles: []string{"MIT"},
 		FileCopyrightText:  "Copyright (c) John Doe",
 	}

 	pkg := &spdx.Package{
 		PackageName:               "p1",
 		PackageSPDXIdentifier:     common.ElementID("p1"),
 		PackageDownloadLocation:   "http://example.com/p1/p1-0.1.0-master.tar.gz",
 		FilesAnalyzed:             false,
 		IsFilesAnalyzedTagPresent: true,
 		// NOTE that verification code MUST be omitted from output,
 		// even if present in model, since FilesAnalyzed is false
 		PackageLicenseConcluded: "GPL-2.0-or-later",
 		// NOTE that license info from files MUST be omitted from output
 		// even if present in model, since FilesAnalyzed is false
 		PackageLicenseInfoFromFiles: []string{
 			"Apache-1.1",
 			"Apache-2.0",
 			"GPL-2.0-or-later",
 		},
 		PackageLicenseDeclared: "Apache-2.0 OR GPL-2.0-or-later",
 		PackageCopyrightText:   "Copyright (c) John Doe, Inc.",
 		Files: []*spdx.File{
 			f1,
 			f2,
 		},
 	}

 	// what we want to get, as a buffer of bytes
 	want := bytes.NewBufferString(`PackageName: p1
 SPDXID: SPDXRef-p1
 PackageDownloadLocation: http://example.com/p1/p1-0.1.0-master.tar.gz
 FilesAnalyzed: false
 PackageLicenseConcluded: GPL-2.0-or-later
 PackageLicenseDeclared: Apache-2.0 OR GPL-2.0-or-later
 PackageCopyrightText: Copyright (c) John Doe, Inc.

 FileName: /tmp/whatever1.txt
 SPDXID: SPDXRef-File1231
 FileChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c
 LicenseConcluded: Apache-2.0
 LicenseInfoInFile: Apache-2.0
 FileCopyrightText: Copyright (c) Jane Doe

 FileName: /tmp/whatever2.txt
 SPDXID: SPDXRef-File1232
 FileChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983d
 LicenseConcluded: MIT
 LicenseInfoInFile: MIT
 FileCopyrightText: Copyright (c) John Doe

 `)

 	// render as buffer of bytes
 	var got bytes.Buffer
 	err := renderPackage(pkg, &got)
 	if err != nil {
 		t.Errorf("Expected nil error, got %v", err)
 	}

 	// check that they match
 	c := bytes.Compare(want.Bytes(), got.Bytes())
 	if c != 0 {
 		t.Errorf("Expected %v, got %v", want.String(), got.String())
 	}
 }

 func TestSaverPackageWrapsMultiLine(t *testing.T) {
 	pkg := &spdx.Package{
 		PackageName:               "p1",
 		PackageSPDXIdentifier:     common.ElementID("p1"),
 		PackageDownloadLocation:   "http://example.com/p1/p1-0.1.0-master.tar.gz",
 		FilesAnalyzed:             false,
 		IsFilesAnalyzedTagPresent: true,
 		PackageLicenseConcluded:   "GPL-2.0-or-later",
 		PackageLicenseInfoFromFiles: []string{
 			"Apache-1.1",
 			"Apache-2.0",
 			"GPL-2.0-or-later",
 		},
 		PackageLicenseDeclared: "Apache-2.0 OR GPL-2.0-or-later",
 		PackageCopyrightText: `Copyright (c) John Doe, Inc.
 Copyright Jane Doe`,
 	}

 	// what we want to get, as a buffer of bytes
 	want := bytes.NewBufferString(`PackageName: p1
 SPDXID: SPDXRef-p1
 PackageDownloadLocation: http://example.com/p1/p1-0.1.0-master.tar.gz
 FilesAnalyzed: false
 PackageLicenseConcluded: GPL-2.0-or-later
 PackageLicenseDeclared: Apache-2.0 OR GPL-2.0-or-later
 PackageCopyrightText: <text>Copyright (c) John Doe, Inc.
 Copyright Jane Doe</text>

 `)

 	// render as buffer of bytes
 	var got bytes.Buffer
 	err := renderPackage(pkg, &got)
 	if err != nil {
 		t.Errorf("Expected nil error, got %v", err)
 	}

 	// check that they match
 	c := bytes.Compare(want.Bytes(), got.Bytes())
 	if c != 0 {
 		t.Errorf("Expected %v, got %v", want.String(), got.String())
 	}
 }
	// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later

	package writer

	import (
	"bytes"
	"testing"

	"github.com/spdx/tools-golang/spdx/v2/common"
	spdx "github.com/spdx/tools-golang/spdx/v2/v2_3"
	)

	// ===== Package section Saver tests =====
	func TestSaverPackageSavesTextCombo1(t *testing.T) {
	// include package external refs
	// test Supplier:Organization, Originator:Person
	// FilesAnalyzed true, IsFilesAnalyzedTagPresent true
	// PackageVerificationCodeExcludedFile has string

	// NOTE, this is an entirely made up CPE and the format is likely invalid
	per1 := &spdx.PackageExternalReference{
	Category: "SECURITY",
	RefType: "cpe22Type",
	Locator: "cpe:/a:john_doe_inc:p1:0.1.0",
	ExternalRefComment: "this is an external ref comment #1",
	}

	// NOTE, this is an entirely made up NPM
	per2 := &spdx.PackageExternalReference{
	Category: "PACKAGE-MANAGER",
	RefType: "npm",
	Locator: "p1@0.1.0",
	ExternalRefComment: `this is a
	multi-line external ref comment`,
	}

	// NOTE, this is an entirely made up SWH persistent ID
	per3 := &spdx.PackageExternalReference{
	Category: "PERSISTENT-ID",
	RefType: "swh",
	Locator: "swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2",
	// no ExternalRefComment for this one
	}

	per4 := &spdx.PackageExternalReference{
	Category: "OTHER",
	RefType: "anything",
	Locator: "anything-without-spaces-can-go-here",
	// no ExternalRefComment for this one
	}

	pkg := &spdx.Package{
	PackageName: "p1",
	PackageSPDXIdentifier: common.ElementID("p1"),
	PackageVersion: "0.1.0",
	PackageFileName: "p1-0.1.0-master.tar.gz",
	PackageSupplier: &common.Supplier{SupplierType: "Organization", Supplier: "John Doe, Inc."},
	PackageOriginator: &common.Originator{Originator: "John Doe", OriginatorType: "Person"},
	PackageDownloadLocation: "http://example.com/p1/p1-0.1.0-master.tar.gz",
	FilesAnalyzed: true,
	IsFilesAnalyzedTagPresent: true,
	PackageVerificationCode: &common.PackageVerificationCode{
	Value: "0123456789abcdef0123456789abcdef01234567",
	ExcludedFiles: []string{"p1-0.1.0.spdx"},
	},
	PackageChecksums: []common.Checksum{
	{
	Algorithm: common.SHA1,
	Value: "85ed0817af83a24ad8da68c2b5094de69833983c",
	},
	{
	Algorithm: common.SHA256,
	Value: "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd",
	},
	{
	Algorithm: common.MD5,
	Value: "624c1abb3664f4b35547e7c73864ad24",
	},
	},
	PackageHomePage: "http://example.com/p1",
	PackageSourceInfo: "this is a source comment",
	PackageLicenseConcluded: "GPL-2.0-or-later",
	PackageLicenseInfoFromFiles: []string{
	"Apache-1.1",
	"Apache-2.0",
	"GPL-2.0-or-later",
	},
	PackageLicenseDeclared: "Apache-2.0 OR GPL-2.0-or-later",
	PackageLicenseComments: "this is a license comment(s)",
	PackageCopyrightText: "Copyright (c) John Doe, Inc.",
	PackageSummary: "this is a summary comment",
	PackageDescription: "this is a description comment",
	PackageComment: "this is a comment comment",
	PackageAttributionTexts: []string{"Include this notice in all advertising materials"},
	PackageExternalReferences: []*spdx.PackageExternalReference{
	per1,
	per2,
	per3,
	per4,
	},
	PrimaryPackagePurpose: "LIBRARY",
	BuiltDate: "2021-09-15T02:38:00Z",
	ValidUntilDate: "2022-10-15T02:38:00Z",
	ReleaseDate: "2021-10-15T02:38:00Z",
	}

	// what we want to get, as a buffer of bytes
	want := bytes.NewBufferString(`PackageName: p1
	SPDXID: SPDXRef-p1
	PackageVersion: 0.1.0
	PackageFileName: p1-0.1.0-master.tar.gz
	PackageSupplier: Organization: John Doe, Inc.
	PackageOriginator: Person: John Doe
	PackageDownloadLocation: http://example.com/p1/p1-0.1.0-master.tar.gz
	PrimaryPackagePurpose: LIBRARY
	ReleaseDate: 2021-10-15T02:38:00Z
	BuiltDate: 2021-09-15T02:38:00Z
	ValidUntilDate: 2022-10-15T02:38:00Z
	FilesAnalyzed: true
	PackageVerificationCode: 0123456789abcdef0123456789abcdef01234567 (excludes: p1-0.1.0.spdx)
	PackageChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c
	PackageChecksum: SHA256: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd
	PackageChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24
	PackageHomePage: http://example.com/p1
	PackageSourceInfo: this is a source comment
	PackageLicenseConcluded: GPL-2.0-or-later
	PackageLicenseInfoFromFiles: Apache-1.1
	PackageLicenseInfoFromFiles: Apache-2.0
	PackageLicenseInfoFromFiles: GPL-2.0-or-later
	PackageLicenseDeclared: Apache-2.0 OR GPL-2.0-or-later
	PackageLicenseComments: this is a license comment(s)
	PackageCopyrightText: Copyright (c) John Doe, Inc.
	PackageSummary: this is a summary comment
	PackageDescription: this is a description comment
	PackageComment: this is a comment comment
	ExternalRef: SECURITY cpe22Type cpe:/a:john_doe_inc:p1:0.1.0
	ExternalRefComment: this is an external ref comment #1
	ExternalRef: PACKAGE-MANAGER npm p1@0.1.0
	ExternalRefComment: <text>this is a
	multi-line external ref comment</text>
	ExternalRef: PERSISTENT-ID swh swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2
	ExternalRef: OTHER anything anything-without-spaces-can-go-here
	PackageAttributionText: Include this notice in all advertising materials

	`)

	// render as buffer of bytes
	var got bytes.Buffer
	err := renderPackage(pkg, &got)
	if err != nil {
	t.Errorf("Expected nil error, got %v", err)
	}

	// check that they match
	c := bytes.Compare(want.Bytes(), got.Bytes())
	if c != 0 {
	t.Errorf("Expected %v, got %v", want.String(), got.String())
	}
	}

	func TestSaverPackageSavesTextCombo2(t *testing.T) {
	// no package external refs
	// test Supplier:NOASSERTION, Originator:Organization
	// FilesAnalyzed true, IsFilesAnalyzedTagPresent false
	// PackageVerificationCodeExcludedFile is empty

	pkg := &spdx.Package{
	PackageName: "p1",
	PackageSPDXIdentifier: common.ElementID("p1"),
	PackageVersion: "0.1.0",
	PackageFileName: "p1-0.1.0-master.tar.gz",
	PackageSupplier: &common.Supplier{Supplier: "NOASSERTION"},
	PackageOriginator: &common.Originator{OriginatorType: "Organization", Originator: "John Doe, Inc."},
	PackageDownloadLocation: "http://example.com/p1/p1-0.1.0-master.tar.gz",
	FilesAnalyzed: true,
	IsFilesAnalyzedTagPresent: false,
	PackageVerificationCode: &common.PackageVerificationCode{Value: "0123456789abcdef0123456789abcdef01234567"},
	PackageChecksums: []common.Checksum{
	{
	Algorithm: common.SHA1,
	Value: "85ed0817af83a24ad8da68c2b5094de69833983c",
	},
	{
	Algorithm: common.SHA256,
	Value: "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd",
	},
	{
	Algorithm: common.MD5,
	Value: "624c1abb3664f4b35547e7c73864ad24",
	},
	},
	PackageHomePage: "http://example.com/p1",
	PackageSourceInfo: "this is a source comment",
	PackageLicenseConcluded: "GPL-2.0-or-later",
	PackageLicenseInfoFromFiles: []string{
	"Apache-1.1",
	"Apache-2.0",
	"GPL-2.0-or-later",
	},
	PackageLicenseDeclared: "Apache-2.0 OR GPL-2.0-or-later",
	PackageLicenseComments: "this is a license comment(s)",
	PackageCopyrightText: "Copyright (c) John Doe, Inc.",
	PackageSummary: "this is a summary comment",
	PackageDescription: "this is a description comment",
	PackageComment: "this is a comment comment",
	PackageAttributionTexts: []string{"Include this notice in all advertising materials"},
	}

	// what we want to get, as a buffer of bytes
	want := bytes.NewBufferString(`PackageName: p1
	SPDXID: SPDXRef-p1
	PackageVersion: 0.1.0
	PackageFileName: p1-0.1.0-master.tar.gz
	PackageSupplier: NOASSERTION
	PackageOriginator: Organization: John Doe, Inc.
	PackageDownloadLocation: http://example.com/p1/p1-0.1.0-master.tar.gz
	PackageVerificationCode: 0123456789abcdef0123456789abcdef01234567
	PackageChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c
	PackageChecksum: SHA256: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd
	PackageChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24
	PackageHomePage: http://example.com/p1
	PackageSourceInfo: this is a source comment
	PackageLicenseConcluded: GPL-2.0-or-later
	PackageLicenseInfoFromFiles: Apache-1.1
	PackageLicenseInfoFromFiles: Apache-2.0
	PackageLicenseInfoFromFiles: GPL-2.0-or-later
	PackageLicenseDeclared: Apache-2.0 OR GPL-2.0-or-later
	PackageLicenseComments: this is a license comment(s)
	PackageCopyrightText: Copyright (c) John Doe, Inc.
	PackageSummary: this is a summary comment
	PackageDescription: this is a description comment
	PackageComment: this is a comment comment
	PackageAttributionText: Include this notice in all advertising materials

	`)

	// render as buffer of bytes
	var got bytes.Buffer
	err := renderPackage(pkg, &got)
	if err != nil {
	t.Errorf("Expected nil error, got %v", err)
	}

	// check that they match
	c := bytes.Compare(want.Bytes(), got.Bytes())
	if c != 0 {
	t.Errorf("Expected %v, got %v", want.String(), got.String())
	}
	}

	func TestSaverPackageSavesTextCombo3(t *testing.T) {
	// no package external refs
	// test Supplier:Person, Originator:NOASSERTION
	// FilesAnalyzed false, IsFilesAnalyzedTagPresent true
	// PackageVerificationCodeExcludedFile is empty
	// three PackageAttributionTexts, one with multi-line text

	pkg := &spdx.Package{
	PackageName: "p1",
	PackageSPDXIdentifier: common.ElementID("p1"),
	PackageVersion: "0.1.0",
	PackageFileName: "p1-0.1.0-master.tar.gz",
	PackageSupplier: &common.Supplier{Supplier: "John Doe", SupplierType: "Person"},
	PackageOriginator: &common.Originator{Originator: "NOASSERTION"},
	PackageDownloadLocation: "http://example.com/p1/p1-0.1.0-master.tar.gz",
	FilesAnalyzed: false,
	IsFilesAnalyzedTagPresent: true,
	// NOTE that verification code MUST be omitted from output
	// since FilesAnalyzed is false
	PackageVerificationCode: &common.PackageVerificationCode{Value: "0123456789abcdef0123456789abcdef01234567"},
	PackageChecksums: []common.Checksum{
	{
	Algorithm: common.SHA1,
	Value: "85ed0817af83a24ad8da68c2b5094de69833983c",
	},
	{
	Algorithm: common.SHA256,
	Value: "11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd",
	},
	{
	Algorithm: common.MD5,
	Value: "624c1abb3664f4b35547e7c73864ad24",
	},
	},
	PackageHomePage: "http://example.com/p1",
	PackageSourceInfo: "this is a source comment",
	PackageLicenseConcluded: "GPL-2.0-or-later",
	// NOTE that license info from files MUST be omitted from output
	// since FilesAnalyzed is false
	PackageLicenseInfoFromFiles: []string{
	"Apache-1.1",
	"Apache-2.0",
	"GPL-2.0-or-later",
	},
	PackageLicenseDeclared: "Apache-2.0 OR GPL-2.0-or-later",
	PackageLicenseComments: "this is a license comment(s)",
	PackageCopyrightText: "Copyright (c) John Doe, Inc.",
	PackageSummary: "this is a summary comment",
	PackageDescription: "this is a description comment",
	PackageComment: "this is a comment comment",
	PackageAttributionTexts: []string{
	"Include this notice in all advertising materials",
	"and also this notice",
	`and this multi-line notice
	which goes across two lines`,
	},
	}

	// what we want to get, as a buffer of bytes
	want := bytes.NewBufferString(`PackageName: p1
	SPDXID: SPDXRef-p1
	PackageVersion: 0.1.0
	PackageFileName: p1-0.1.0-master.tar.gz
	PackageSupplier: Person: John Doe
	PackageOriginator: NOASSERTION
	PackageDownloadLocation: http://example.com/p1/p1-0.1.0-master.tar.gz
	FilesAnalyzed: false
	PackageChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c
	PackageChecksum: SHA256: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd
	PackageChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24
	PackageHomePage: http://example.com/p1
	PackageSourceInfo: this is a source comment
	PackageLicenseConcluded: GPL-2.0-or-later
	PackageLicenseDeclared: Apache-2.0 OR GPL-2.0-or-later
	PackageLicenseComments: this is a license comment(s)
	PackageCopyrightText: Copyright (c) John Doe, Inc.
	PackageSummary: this is a summary comment
	PackageDescription: this is a description comment
	PackageComment: this is a comment comment
	PackageAttributionText: Include this notice in all advertising materials
	PackageAttributionText: and also this notice
	PackageAttributionText: <text>and this multi-line notice
	which goes across two lines</text>

	`)

	// render as buffer of bytes
	var got bytes.Buffer
	err := renderPackage(pkg, &got)
	if err != nil {
	t.Errorf("Expected nil error, got %v", err)
	}

	// check that they match
	c := bytes.Compare(want.Bytes(), got.Bytes())
	if c != 0 {
	t.Errorf("Expected %v, got %v", want.String(), got.String())
	}
	}

	func TestSaverPackageSaveOmitsOptionalFieldsIfEmpty(t *testing.T) {
	pkg := &spdx.Package{
	PackageName: "p1",
	PackageSPDXIdentifier: common.ElementID("p1"),
	PackageDownloadLocation: "http://example.com/p1/p1-0.1.0-master.tar.gz",
	FilesAnalyzed: false,
	IsFilesAnalyzedTagPresent: true,
	// NOTE that verification code MUST be omitted from output,
	// even if present in model, since FilesAnalyzed is false
	PackageLicenseConcluded: "GPL-2.0-or-later",
	// NOTE that license info from files MUST be omitted from output
	// even if present in model, since FilesAnalyzed is false
	PackageLicenseInfoFromFiles: []string{
	"Apache-1.1",
	"Apache-2.0",
	"GPL-2.0-or-later",
	},
	PackageLicenseDeclared: "Apache-2.0 OR GPL-2.0-or-later",
	PackageCopyrightText: "Copyright (c) John Doe, Inc.",
	}

	// what we want to get, as a buffer of bytes
	want := bytes.NewBufferString(`PackageName: p1
	SPDXID: SPDXRef-p1
	PackageDownloadLocation: http://example.com/p1/p1-0.1.0-master.tar.gz
	FilesAnalyzed: false
	PackageLicenseConcluded: GPL-2.0-or-later
	PackageLicenseDeclared: Apache-2.0 OR GPL-2.0-or-later
	PackageCopyrightText: Copyright (c) John Doe, Inc.

	`)

	// render as buffer of bytes
	var got bytes.Buffer
	err := renderPackage(pkg, &got)
	if err != nil {
	t.Errorf("Expected nil error, got %v", err)
	}

	// check that they match
	c := bytes.Compare(want.Bytes(), got.Bytes())
	if c != 0 {
	t.Errorf("Expected %v, got %v", want.String(), got.String())
	}
	}

	func TestSaverPackageSavesFilesIfPresent(t *testing.T) {
	f1 := &spdx.File{
	FileName: "/tmp/whatever1.txt",
	FileSPDXIdentifier: common.ElementID("File1231"),
	Checksums: []common.Checksum{
	{
	Algorithm: common.SHA1,
	Value: "85ed0817af83a24ad8da68c2b5094de69833983c",
	},
	},
	LicenseConcluded: "Apache-2.0",
	LicenseInfoInFiles: []string{"Apache-2.0"},
	FileCopyrightText: "Copyright (c) Jane Doe",
	}

	f2 := &spdx.File{
	FileName: "/tmp/whatever2.txt",
	FileSPDXIdentifier: common.ElementID("File1232"),
	Checksums: []common.Checksum{
	{
	Algorithm: common.SHA1,
	Value: "85ed0817af83a24ad8da68c2b5094de69833983d",
	},
	},
	LicenseConcluded: "MIT",
	LicenseInfoInFiles: []string{"MIT"},
	FileCopyrightText: "Copyright (c) John Doe",
	}

	pkg := &spdx.Package{
	PackageName: "p1",
	PackageSPDXIdentifier: common.ElementID("p1"),
	PackageDownloadLocation: "http://example.com/p1/p1-0.1.0-master.tar.gz",
	FilesAnalyzed: false,
	IsFilesAnalyzedTagPresent: true,
	// NOTE that verification code MUST be omitted from output,
	// even if present in model, since FilesAnalyzed is false
	PackageLicenseConcluded: "GPL-2.0-or-later",
	// NOTE that license info from files MUST be omitted from output
	// even if present in model, since FilesAnalyzed is false
	PackageLicenseInfoFromFiles: []string{
	"Apache-1.1",
	"Apache-2.0",
	"GPL-2.0-or-later",
	},
	PackageLicenseDeclared: "Apache-2.0 OR GPL-2.0-or-later",
	PackageCopyrightText: "Copyright (c) John Doe, Inc.",
	Files: []*spdx.File{
	f1,
	f2,
	},
	}

	// what we want to get, as a buffer of bytes
	want := bytes.NewBufferString(`PackageName: p1
	SPDXID: SPDXRef-p1
	PackageDownloadLocation: http://example.com/p1/p1-0.1.0-master.tar.gz
	FilesAnalyzed: false
	PackageLicenseConcluded: GPL-2.0-or-later
	PackageLicenseDeclared: Apache-2.0 OR GPL-2.0-or-later
	PackageCopyrightText: Copyright (c) John Doe, Inc.

	FileName: /tmp/whatever1.txt
	SPDXID: SPDXRef-File1231
	FileChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c
	LicenseConcluded: Apache-2.0
	LicenseInfoInFile: Apache-2.0
	FileCopyrightText: Copyright (c) Jane Doe

	FileName: /tmp/whatever2.txt
	SPDXID: SPDXRef-File1232
	FileChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983d
	LicenseConcluded: MIT
	LicenseInfoInFile: MIT
	FileCopyrightText: Copyright (c) John Doe

	`)

	// render as buffer of bytes
	var got bytes.Buffer
	err := renderPackage(pkg, &got)
	if err != nil {
	t.Errorf("Expected nil error, got %v", err)
	}

	// check that they match
	c := bytes.Compare(want.Bytes(), got.Bytes())
	if c != 0 {
	t.Errorf("Expected %v, got %v", want.String(), got.String())
	}
	}

	func TestSaverPackageWrapsMultiLine(t *testing.T) {
	pkg := &spdx.Package{
	PackageName: "p1",
	PackageSPDXIdentifier: common.ElementID("p1"),
	PackageDownloadLocation: "http://example.com/p1/p1-0.1.0-master.tar.gz",
	FilesAnalyzed: false,
	IsFilesAnalyzedTagPresent: true,
	PackageLicenseConcluded: "GPL-2.0-or-later",
	PackageLicenseInfoFromFiles: []string{
	"Apache-1.1",
	"Apache-2.0",
	"GPL-2.0-or-later",
	},
	PackageLicenseDeclared: "Apache-2.0 OR GPL-2.0-or-later",
	PackageCopyrightText: `Copyright (c) John Doe, Inc.
	Copyright Jane Doe`,
	}

	// what we want to get, as a buffer of bytes
	want := bytes.NewBufferString(`PackageName: p1
	SPDXID: SPDXRef-p1
	PackageDownloadLocation: http://example.com/p1/p1-0.1.0-master.tar.gz
	FilesAnalyzed: false
	PackageLicenseConcluded: GPL-2.0-or-later
	PackageLicenseDeclared: Apache-2.0 OR GPL-2.0-or-later
	PackageCopyrightText: <text>Copyright (c) John Doe, Inc.
	Copyright Jane Doe</text>

	`)

	// render as buffer of bytes
	var got bytes.Buffer
	err := renderPackage(pkg, &got)
	if err != nil {
	t.Errorf("Expected nil error, got %v", err)
	}

	// check that they match
	c := bytes.Compare(want.Bytes(), got.Bytes())
	if c != 0 {
	t.Errorf("Expected %v, got %v", want.String(), got.String())
	}
	}