#
# Copyright OpenEmbedded Contributors
#
# SPDX-License-Identifier: GPL-2.0-only
#

#
# This library is intended to capture the JSON SPDX specification in a
# type-safe manner. It is not intended to encode any particular OE-specific
# behaviors; see sbom.py for that.
#
# The documented SPDX spec document doesn't cover the JSON syntax for
# particular configurations, which can make it hard to determine what the JSON
# syntax should be. I've found it is actually much simpler to read the official
# SPDX JSON schema, which can be found here: https://github.com/spdx/spdx-spec
# in schemas/spdx-schema.json
#
import copy
import hashlib
import itertools
import json
# SPDX specification revision modelled by the classes in this module.
# SPDXDocument.spdxVersion defaults to "SPDX-" followed by this value.
SPDX_VERSION = "2.2"
#
# The following are the support classes that are used to implement SPDX objects
#
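class _Property(object):
    """
    A generic SPDX object property. The different property types derive from
    this class and supply ``set_property`` (installs the attribute accessor)
    and ``init`` (converts a decoded JSON value).
    """

    def __init__(self, *, default=None):
        """
        :param default: value stored for the field when an object is created.
            ``None`` means the field has no default and starts out absent.
        """
        self.default = default

    def setdefault(self, dest, name):
        """
        Store this property's default under *name* in *dest*, unless *dest*
        already has that key or no default was configured.

        :param dest: mapping that holds an object's field values
        :param name: field name used as the key in *dest*
        """
        if self.default is not None:
            # Hand every destination its own copy. Storing self.default
            # itself would make all objects share one mutable value, so an
            # in-place edit on one object (e.g. appending to a list default
            # such as ["NOASSERTION"]) would change the data recorded for
            # every other object and for all objects created later.
            dest.setdefault(name, copy.deepcopy(self.default))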
class _String(_Property):
    """
    Scalar string field of an SPDX object.

    Nothing here checks that a value really is a string: ``init`` returns the
    decoded value unchanged and the setter stores whatever it is given.
    """

    def __init__(self, **kwargs):
        """Forward all keyword arguments (``default``) to ``_Property``."""
        super().__init__(**kwargs)

    def set_property(self, attrs, name):
        """
        Install a read/write/delete accessor for *name* into the class
        namespace *attrs*. The accessor works on the owner's ``_spdx`` dict.
        """
        def read(owner):
            # An absent field raises KeyError rather than returning a default.
            return owner._spdx[name]

        def write(owner, value):
            owner._spdx[name] = value

        def remove(owner):
            del owner._spdx[name]

        attrs[name] = property(fget=read, fset=write, fdel=remove)

    def init(self, source):
        """Return the decoded JSON value *source* as it is."""
        return source
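class _Object(_Property):
    """
    A scalar property of an SPDX object whose value is itself an SPDX object.
    """

    def __init__(self, cls, **kwargs):
        """
        :param cls: class instantiated to hold this property's value
        :param kwargs: forwarded to ``_Property`` (``default``)
        """
        super().__init__(**kwargs)
        self.cls = cls

    def set_property(self, attrs, name):
        """
        Install a read/write/delete accessor for *name* into the class
        namespace *attrs*. The accessor works on the owner's ``_spdx`` dict.
        """
        def get_helper(obj):
            # Reading an absent property creates an empty self.cls() and
            # stores it, so a plain read adds the key to what gets serialized.
            if name not in obj._spdx:
                obj._spdx[name] = self.cls()
            return obj._spdx[name]

        def set_helper(obj, value):
            obj._spdx[name] = value

        def del_helper(obj):
            del obj._spdx[name]

        # Register the deleter as well, matching _String and _ListProperty;
        # without it ``del obj.<name>`` raises AttributeError and the field
        # cannot be removed through the attribute.
        attrs[name] = property(get_helper, set_helper, del_helper)

    def init(self, source):
        """
        Build a ``self.cls`` instance from the decoded JSON mapping *source*.

        *source* is expanded as keyword arguments, so it has to be a mapping
        with string keys; any other value raises TypeError.
        """
        return self.cls(**source)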
class _ListProperty(_Property):
    """
    List-valued field whose elements are all handled by one element property.
    """

    def __init__(self, prop, **kwargs):
        """
        :param prop: property object used to convert each list element
        :param kwargs: forwarded to ``_Property`` (``default``)
        """
        super().__init__(**kwargs)
        self.prop = prop

    def set_property(self, attrs, name):
        """
        Install a read/write/delete accessor for *name* into the class
        namespace *attrs*. The accessor works on the owner's ``_spdx`` dict.
        """
        def read(owner):
            # First read of an absent field stores an empty list and returns
            # it, so callers can append to the result directly.
            return owner._spdx.setdefault(name, [])

        def write(owner, value):
            # Store a new list built from the iterable, not the caller's
            # object.
            owner._spdx[name] = list(value)

        def remove(owner):
            del owner._spdx[name]

        attrs[name] = property(fget=read, fset=write, fdel=remove)

    def init(self, source):
        """Convert every element of *source* with the element property."""
        converted = []
        for item in source:
            converted.append(self.prop.init(item))
        return converted
class _StringList(_ListProperty):
    """
    List-valued field whose elements are handled as ``_String`` values.
    """

    def __init__(self, **kwargs):
        """Forward *kwargs* (``default``) and use ``_String`` per element."""
        element = _String()
        super().__init__(element, **kwargs)
class _ObjectList(_ListProperty):
    """
    List-valued field whose elements are SPDX objects of one class.
    """

    def __init__(self, cls, **kwargs):
        """
        :param cls: class of the list elements, wrapped in an ``_Object``
        :param kwargs: forwarded to ``_ListProperty`` (``default``)
        """
        element = _Object(cls)
        super().__init__(element, **kwargs)
class MetaSPDXObject(type):
    """
    Metaclass that turns ``_Property`` instances found in a class body into
    attribute accessors and records them in the class's ``_properties`` dict.

    ``_properties`` is rebuilt from each class body on its own, so it lists
    only the properties declared directly on that class.
    """
    def __new__(mcls, name, bases, attrs):
        registry = {}
        attrs["_properties"] = registry

        # Snapshot the declarations first; set_property then replaces each
        # entry in attrs with the generated accessor.
        declared = [
            (field, value)
            for field, value in attrs.items()
            if isinstance(value, _Property)
        ]
        for field, descriptor in declared:
            registry[field] = descriptor
            descriptor.set_property(attrs, field)

        return super().__new__(mcls, name, bases, attrs)
class SPDXObject(metaclass=MetaSPDXObject):
    """
    Base class of every SPDX spec class; field values live in ``self._spdx``.
    """
    def __init__(self, **d):
        """
        Populate the object from keyword arguments named after its fields.

        Defaults are applied first, then values from *d* are converted by the
        matching property. Keywords that do not name a declared property are
        ignored without error.
        """
        values = {}
        self._spdx = values

        for field, descriptor in self._properties.items():
            descriptor.setdefault(values, field)
            if field not in d:
                continue
            values[field] = descriptor.init(d[field])

    def serializer(self):
        """Return the live field dict (not a copy) for JSON encoding."""
        return self._spdx

    def __setattr__(self, name, value):
        """
        Allow assignment only to declared SPDX properties and to ``_spdx``.

        :raises KeyError: if *name* is anything else
        """
        if name != "_spdx" and name not in self._properties:
            raise KeyError("%r is not a valid SPDX property" % name)
        super().__setattr__(name, value)
#
# These are the SPDX objects implemented from the spec. The *only* properties
# that can be added to these objects are ones directly specified in the SPDX
# spec; however, you may add helper functions to make operations easier.
#
# Defaults should *only* be specified if the SPDX spec says there is a certain
# required value for a field (e.g. dataLicense), or if the field is mandatory
# and has some sane "this field is unknown" value (e.g. "NOASSERTION")
#
class SPDXAnnotation(SPDXObject):
    """
    Fields of an SPDX annotation. All are strings without a default, so each
    one stays out of the serialized output until it is assigned.
    """

    annotationDate = _String()
    annotationType = _String()
    annotator = _String()
    comment = _String()
class SPDXChecksum(SPDXObject):
    """
    Checksum record: an algorithm name and a checksum value, both stored as
    strings. Neither field is validated by this class.
    """

    algorithm = _String()
    checksumValue = _String()
class SPDXRelationship(SPDXObject):
    """
    Relationship between two SPDX elements, each referred to by an ID string,
    with an optional comment and a list of annotations.
    """

    spdxElementId = _String()
    relatedSpdxElement = _String()
    relationshipType = _String()
    comment = _String()
    annotations = _ObjectList(SPDXAnnotation)
class SPDXExternalReference(SPDXObject):
    """
    External reference of a package: category, type and locator, all stored
    as strings without a default.
    """

    referenceCategory = _String()
    referenceType = _String()
    referenceLocator = _String()
class SPDXPackageVerificationCode(SPDXObject):
    """
    Package verification code value plus the list of file names excluded
    from it. The value is stored as given; nothing is computed here.
    """

    packageVerificationCodeValue = _String()
    packageVerificationCodeExcludedFiles = _StringList()
class SPDXPackage(SPDXObject):
    """
    Fields of an SPDX package entry.

    Several fields default to "NOASSERTION"; fields without a default stay
    out of the serialized output until they are assigned. Defaults and
    constructor values are stored in declaration order, so keep the order of
    the lines below stable.
    """

    name = _String()
    SPDXID = _String()
    versionInfo = _String()
    downloadLocation = _String(default="NOASSERTION")
    supplier = _String(default="NOASSERTION")
    homepage = _String()
    licenseConcluded = _String(default="NOASSERTION")
    licenseDeclared = _String(default="NOASSERTION")
    summary = _String()
    description = _String()
    sourceInfo = _String()
    copyrightText = _String(default="NOASSERTION")
    # NOTE(review): list-valued default. Assign a fresh list instead of
    # appending in place unless _Property.setdefault is known to copy it.
    licenseInfoFromFiles = _StringList(default=["NOASSERTION"])
    externalRefs = _ObjectList(SPDXExternalReference)
    packageVerificationCode = _Object(SPDXPackageVerificationCode)
    hasFiles = _StringList()
    packageFileName = _String()
    annotations = _ObjectList(SPDXAnnotation)
class SPDXFile(SPDXObject):
    """
    Fields of an SPDX file entry, including its list of checksums.

    License and copyright fields default to "NOASSERTION"; the other fields
    have no default.
    """

    SPDXID = _String()
    fileName = _String()
    licenseConcluded = _String(default="NOASSERTION")
    copyrightText = _String(default="NOASSERTION")
    # NOTE(review): list-valued default. Assign a fresh list instead of
    # appending in place unless _Property.setdefault is known to copy it.
    licenseInfoInFiles = _StringList(default=["NOASSERTION"])
    checksums = _ObjectList(SPDXChecksum)
    fileTypes = _StringList()
class SPDXCreationInfo(SPDXObject):
    """
    Creation metadata of a document: three string fields and a list of
    creator strings, none with a default.
    """

    created = _String()
    licenseListVersion = _String()
    comment = _String()
    creators = _StringList()
class SPDXExternalDocumentRef(SPDXObject):
    """
    Reference to another SPDX document, stored with a checksum object.

    Reading ``checksum`` before it has been set creates and stores an empty
    SPDXChecksum, so check the checksum's fields rather than its presence.
    """

    externalDocumentId = _String()
    spdxDocument = _String()
    checksum = _Object(SPDXChecksum)
class SPDXExtractedLicensingInfo(SPDXObject):
    """
    Extracted licensing information: name, comment, license ID and the
    extracted text, all stored as strings without a default.
    """

    name = _String()
    comment = _String()
    licenseId = _String()
    extractedText = _String()
class SPDXDocument(SPDXObject):
    """
    Top-level SPDX document: document metadata plus the packages, files,
    relationships and references it contains.

    Defaults and constructor values are stored in declaration order, which
    shapes the serialized output (and the digest ``to_json`` returns) when
    keys are not sorted. Keep the order of the field lines stable.
    """

    spdxVersion = _String(default="SPDX-" + SPDX_VERSION)
    dataLicense = _String(default="CC0-1.0")
    SPDXID = _String(default="SPDXRef-DOCUMENT")
    name = _String()
    documentNamespace = _String()
    creationInfo = _Object(SPDXCreationInfo)
    packages = _ObjectList(SPDXPackage)
    files = _ObjectList(SPDXFile)
    relationships = _ObjectList(SPDXRelationship)
    externalDocumentRefs = _ObjectList(SPDXExternalDocumentRef)
    hasExtractedLicensingInfos = _ObjectList(SPDXExtractedLicensingInfo)

    def __init__(self, **d):
        """Create a document from keyword arguments named after its fields."""
        super().__init__(**d)

    def to_json(self, f, *, sort_keys=False, indent=None, separators=None):
        """
        Stream the document to *f* as UTF-8 encoded JSON.

        :param f: writable object that accepts ``bytes``
        :param sort_keys: passed to ``json.JSONEncoder``
        :param indent: passed to ``json.JSONEncoder``
        :param separators: passed to ``json.JSONEncoder``
        :returns: hex SHA-1 digest of exactly the bytes written to *f*

        SHA-1 is not collision resistant, so the returned digest should not
        be the only evidence that a document is unmodified.
        NOTE(review): callers outside this file presumably record the digest
        as an SPDX checksum; confirm before changing the algorithm.
        """
        class Encoder(json.JSONEncoder):
            def default(self, o):
                # SPDX objects encode as their field dict; everything else
                # falls through to the stock encoder, which raises TypeError.
                if not isinstance(o, SPDXObject):
                    return super().default(o)
                return o.serializer()

        encoder = Encoder(
            sort_keys=sort_keys,
            indent=indent,
            separators=separators,
        )
        digest = hashlib.sha1()
        # Hash the same byte chunks that are written, so the digest matches
        # the output without building the whole document in memory.
        for text in encoder.iterencode(self):
            raw = text.encode("utf-8")
            f.write(raw)
            digest.update(raw)

        return digest.hexdigest()

    @classmethod
    def from_json(cls, f):
        """
        Build a document from the JSON object read from *f*.

        The top-level JSON value has to be an object. Keys that are not
        declared SPDX properties are dropped without error, and string fields
        are stored as decoded without a type check, so a document from an
        untrusted source needs separate validation against the SPDX JSON
        schema.
        """
        decoded = json.load(f)
        return cls(**decoded)

    def add_relationship(self, _from, relationship, _to, *, comment=None, annotation=None):
        """
        Append a relationship between two elements to the document.

        :param _from: SPDX object (its ``SPDXID`` is used) or an ID string
        :param relationship: relationship type string
        :param _to: SPDX object (its ``SPDXID`` is used) or an ID string
        :param comment: optional comment stored on the relationship
        :param annotation: optional annotation appended to the relationship
        """
        from_spdxid = _from.SPDXID if isinstance(_from, SPDXObject) else _from
        to_spdxid = _to.SPDXID if isinstance(_to, SPDXObject) else _to

        link = SPDXRelationship(
            spdxElementId=from_spdxid,
            relatedSpdxElement=to_spdxid,
            relationshipType=relationship,
        )

        if comment is not None:
            link.comment = comment

        if annotation is not None:
            link.annotations.append(annotation)

        self.relationships.append(link)

    def find_by_spdxid(self, spdxid):
        """
        Return the first package or file whose ``SPDXID`` equals *spdxid*,
        or ``None``. Packages are searched before files.
        """
        candidates = itertools.chain(self.packages, self.files)
        return next(
            (element for element in candidates if element.SPDXID == spdxid),
            None,
        )

    def find_external_document_ref(self, namespace):
        """
        Return the first external document reference whose ``spdxDocument``
        equals *namespace*, or ``None``.
        """
        return next(
            (
                ref
                for ref in self.externalDocumentRefs
                if ref.spdxDocument == namespace
            ),
            None,
        )