examples/spdx2_document_from_scratch.py - third_party/github.com/spdx/tools-python - Git at Google

 #  SPDX-FileCopyrightText: 2023 spdx contributors
 #
 #  SPDX-License-Identifier: Apache-2.0
 import logging
 from datetime import datetime
 from typing import List

 from spdx_tools.common.spdx_licensing import spdx_licensing
 from spdx_tools.spdx.model import (
     Actor,
     ActorType,
     Checksum,
     ChecksumAlgorithm,
     CreationInfo,
     Document,
     ExternalPackageRef,
     ExternalPackageRefCategory,
     File,
     FileType,
     Package,
     PackagePurpose,
     PackageVerificationCode,
     Relationship,
     RelationshipType,
 )
 from spdx_tools.spdx.validation.document_validator import validate_full_spdx_document
 from spdx_tools.spdx.validation.validation_message import ValidationMessage
 from spdx_tools.spdx.writer.write_anything import write_file

 # This example shows how to use the spdx-tools to create an SPDX document from scratch,
 # validate it and write it to a file.

 # First up, we need general information about the creation of the document, summarised by the CreationInfo class.
 creation_info = CreationInfo(
     spdx_version="SPDX-2.3",
     spdx_id="SPDXRef-DOCUMENT",
     name="document name",
     data_license="CC0-1.0",
     document_namespace="https://some.namespace",
     creators=[Actor(ActorType.PERSON, "Jane Doe", "jane.doe@example.com")],
     created=datetime(2022, 1, 1),
 )

 # creation_info is the only required property of the Document class (have a look there!), the rest are optional lists.
 # So, we are set up to create a new document instance.
 document = Document(creation_info)

 # The document currently does not describe anything. Let's create a package that we can add to it.
 # The Package class has quite a few properties (have a look there!),
 # but only name, spdx_id and download_location are mandatory in SPDX v2.3.
 package = Package(
     name="package name",
     spdx_id="SPDXRef-Package",
     download_location="https://download.com",
     version="2.2.1",
     file_name="./foo.bar",
     supplier=Actor(ActorType.PERSON, "Jane Doe", "jane.doe@example.com"),
     originator=Actor(ActorType.ORGANIZATION, "some organization", "contact@example.com"),
     files_analyzed=True,
     verification_code=PackageVerificationCode(
         value="d6a770ba38583ed4bb4525bd96e50461655d2758", excluded_files=["./some.file"]
     ),
     checksums=[
         Checksum(ChecksumAlgorithm.SHA1, "d6a770ba38583ed4bb4525bd96e50461655d2758"),
         Checksum(ChecksumAlgorithm.MD5, "624c1abb3664f4b35547e7c73864ad24"),
     ],
     license_concluded=spdx_licensing.parse("GPL-2.0-only OR MIT"),
     license_info_from_files=[spdx_licensing.parse("GPL-2.0-only"), spdx_licensing.parse("MIT")],
     license_declared=spdx_licensing.parse("GPL-2.0-only AND MIT"),
     license_comment="license comment",
     copyright_text="Copyright 2022 Jane Doe",
     description="package description",
     attribution_texts=["package attribution"],
     primary_package_purpose=PackagePurpose.LIBRARY,
     release_date=datetime(2015, 1, 1),
     external_references=[
         ExternalPackageRef(
             category=ExternalPackageRefCategory.OTHER,
             reference_type="http://reference.type",
             locator="reference/locator",
             comment="external reference comment",
         )
     ],
 )

 # Now that we have a package defined, we can add it to the document's package property.
 document.packages = [package]

 # A DESCRIBES relationship asserts that the document indeed describes the package.
 describes_relationship = Relationship("SPDXRef-DOCUMENT", RelationshipType.DESCRIBES, "SPDXRef-Package")
 document.relationships = [describes_relationship]

 # Let's add two files. Have a look at the file class for all possible properties a file can have.
 file1 = File(
     name="./package/file1.py",
     spdx_id="SPDXRef-File1",
     file_types=[FileType.SOURCE],
     checksums=[
         Checksum(ChecksumAlgorithm.SHA1, "d6a770ba38583ed4bb4525bd96e50461655d2758"),
         Checksum(ChecksumAlgorithm.MD5, "624c1abb3664f4b35547e7c73864ad24"),
     ],
     license_concluded=spdx_licensing.parse("MIT"),
     license_info_in_file=[spdx_licensing.parse("MIT")],
     copyright_text="Copyright 2022 Jane Doe",
 )
 file2 = File(
     name="./package/file2.py",
     spdx_id="SPDXRef-File2",
     checksums=[
         Checksum(ChecksumAlgorithm.SHA1, "d6a770ba38583ed4bb4525bd96e50461655d2759"),
     ],
     license_concluded=spdx_licensing.parse("GPL-2.0-only"),
 )

 # Assuming the package contains those two files, we create two CONTAINS relationships.
 contains_relationship1 = Relationship("SPDXRef-Package", RelationshipType.CONTAINS, "SPDXRef-File1")
 contains_relationship2 = Relationship("SPDXRef-Package", RelationshipType.CONTAINS, "SPDXRef-File2")

 # This library uses run-time type checks when assigning properties.
 # Because in-place alterations like .append() circumvent these checks, we don't use them here.
 document.relationships += [contains_relationship1, contains_relationship2]
 document.files += [file1, file2]

 # We now have created a document with basic creation information, describing a package that contains two files.
 # You can also add Annotations, Snippets and ExtractedLicensingInfo to the document in an analogous manner to the above.
 # Have a look at their respective classes if you are unsure about their properties.


 # This library provides comprehensive validation against the SPDX specification.
 # Note that details of the validation depend on the SPDX version of the document.
 validation_messages: List[ValidationMessage] = validate_full_spdx_document(document)

 # You can have a look at each entry's message and context (like spdx_id, parent_id, full_element)
 # which will help you pinpoint the location of the invalidity.
 for message in validation_messages:
     logging.warning(message.validation_message)
     logging.warning(message.context)

 # If the document is valid, validation_messages will be empty.
 assert validation_messages == []

 # Finally, we can serialize the document to any of the five supported formats.
 # Using the write_file() method from the write_anything module,
 # the format will be determined by the file ending: .spdx (tag-value), .json, .xml, .yaml. or .rdf (or .rdf.xml)
 write_file(document, "my_spdx_document.spdx.json")
	# SPDX-FileCopyrightText: 2023 spdx contributors
	#
	# SPDX-License-Identifier: Apache-2.0
	import logging
	from datetime import datetime
	from typing import List

	from spdx_tools.common.spdx_licensing import spdx_licensing
	from spdx_tools.spdx.model import (
	Actor,
	ActorType,
	Checksum,
	ChecksumAlgorithm,
	CreationInfo,
	Document,
	ExternalPackageRef,
	ExternalPackageRefCategory,
	File,
	FileType,
	Package,
	PackagePurpose,
	PackageVerificationCode,
	Relationship,
	RelationshipType,
	)
	from spdx_tools.spdx.validation.document_validator import validate_full_spdx_document
	from spdx_tools.spdx.validation.validation_message import ValidationMessage
	from spdx_tools.spdx.writer.write_anything import write_file

	# This example shows how to use the spdx-tools to create an SPDX document from scratch,
	# validate it and write it to a file.

	# First up, we need general information about the creation of the document, summarised by the CreationInfo class.
	creation_info = CreationInfo(
	spdx_version="SPDX-2.3",
	spdx_id="SPDXRef-DOCUMENT",
	name="document name",
	data_license="CC0-1.0",
	document_namespace="https://some.namespace",
	creators=[Actor(ActorType.PERSON, "Jane Doe", "jane.doe@example.com")],
	created=datetime(2022, 1, 1),
	)

	# creation_info is the only required property of the Document class (have a look there!), the rest are optional lists.
	# So, we are set up to create a new document instance.
	document = Document(creation_info)

	# The document currently does not describe anything. Let's create a package that we can add to it.
	# The Package class has quite a few properties (have a look there!),
	# but only name, spdx_id and download_location are mandatory in SPDX v2.3.
	package = Package(
	name="package name",
	spdx_id="SPDXRef-Package",
	download_location="https://download.com",
	version="2.2.1",
	file_name="./foo.bar",
	supplier=Actor(ActorType.PERSON, "Jane Doe", "jane.doe@example.com"),
	originator=Actor(ActorType.ORGANIZATION, "some organization", "contact@example.com"),
	files_analyzed=True,
	verification_code=PackageVerificationCode(
	value="d6a770ba38583ed4bb4525bd96e50461655d2758", excluded_files=["./some.file"]
	),
	checksums=[
	Checksum(ChecksumAlgorithm.SHA1, "d6a770ba38583ed4bb4525bd96e50461655d2758"),
	Checksum(ChecksumAlgorithm.MD5, "624c1abb3664f4b35547e7c73864ad24"),
	],
	license_concluded=spdx_licensing.parse("GPL-2.0-only OR MIT"),
	license_info_from_files=[spdx_licensing.parse("GPL-2.0-only"), spdx_licensing.parse("MIT")],
	license_declared=spdx_licensing.parse("GPL-2.0-only AND MIT"),
	license_comment="license comment",
	copyright_text="Copyright 2022 Jane Doe",
	description="package description",
	attribution_texts=["package attribution"],
	primary_package_purpose=PackagePurpose.LIBRARY,
	release_date=datetime(2015, 1, 1),
	external_references=[
	ExternalPackageRef(
	category=ExternalPackageRefCategory.OTHER,
	reference_type="http://reference.type",
	locator="reference/locator",
	comment="external reference comment",
	)
	],
	)

	# Now that we have a package defined, we can add it to the document's package property.
	document.packages = [package]

	# A DESCRIBES relationship asserts that the document indeed describes the package.
	describes_relationship = Relationship("SPDXRef-DOCUMENT", RelationshipType.DESCRIBES, "SPDXRef-Package")
	document.relationships = [describes_relationship]

	# Let's add two files. Have a look at the file class for all possible properties a file can have.
	file1 = File(
	name="./package/file1.py",
	spdx_id="SPDXRef-File1",
	file_types=[FileType.SOURCE],
	checksums=[
	Checksum(ChecksumAlgorithm.SHA1, "d6a770ba38583ed4bb4525bd96e50461655d2758"),
	Checksum(ChecksumAlgorithm.MD5, "624c1abb3664f4b35547e7c73864ad24"),
	],
	license_concluded=spdx_licensing.parse("MIT"),
	license_info_in_file=[spdx_licensing.parse("MIT")],
	copyright_text="Copyright 2022 Jane Doe",
	)
	file2 = File(
	name="./package/file2.py",
	spdx_id="SPDXRef-File2",
	checksums=[
	Checksum(ChecksumAlgorithm.SHA1, "d6a770ba38583ed4bb4525bd96e50461655d2759"),
	],
	license_concluded=spdx_licensing.parse("GPL-2.0-only"),
	)

	# Assuming the package contains those two files, we create two CONTAINS relationships.
	contains_relationship1 = Relationship("SPDXRef-Package", RelationshipType.CONTAINS, "SPDXRef-File1")
	contains_relationship2 = Relationship("SPDXRef-Package", RelationshipType.CONTAINS, "SPDXRef-File2")

	# This library uses run-time type checks when assigning properties.
	# Because in-place alterations like .append() circumvent these checks, we don't use them here.
	document.relationships += [contains_relationship1, contains_relationship2]
	document.files += [file1, file2]

	# We now have created a document with basic creation information, describing a package that contains two files.
	# You can also add Annotations, Snippets and ExtractedLicensingInfo to the document in an analogous manner to the above.
	# Have a look at their respective classes if you are unsure about their properties.


	# This library provides comprehensive validation against the SPDX specification.
	# Note that details of the validation depend on the SPDX version of the document.
	validation_messages: List[ValidationMessage] = validate_full_spdx_document(document)

	# You can have a look at each entry's message and context (like spdx_id, parent_id, full_element)
	# which will help you pinpoint the location of the invalidity.
	for message in validation_messages:
	logging.warning(message.validation_message)
	logging.warning(message.context)

	# If the document is valid, validation_messages will be empty.
	assert validation_messages == []

	# Finally, we can serialize the document to any of the five supported formats.
	# Using the write_file() method from the write_anything module,
	# the format will be determined by the file ending: .spdx (tag-value), .json, .xml, .yaml. or .rdf (or .rdf.xml)
	write_file(document, "my_spdx_document.spdx.json")