Closed dependabot[bot] closed 8 months ago
Hmmm, there are some failing test cases. Debugging help and PRs welcome!
What's going on?
@jspeed-meyers - It looks like the valid SPDX version format changed from `SPDX-2.3` to `2.3` based on this test code in the Python libraries.
I wasn't able to track down where the change occurred - since this PR updates the version of python-tools, I assume something changed in that library but I couldn't track it down.
@armintaenzertng - any thoughts?
Here's the function that's returning false: https://github.com/spdx/ntia-conformance-checker/blob/cbafec78e9ab58cd245d7a8914a88784a06ed188/ntia_conformance_checker/sbom_checker.py#L57
Thank you, @goneall.
If that's the case, I could add to this PR changes to those SPDX documents in our test suite.
There have been no changes to the `spdx_version` field in the last update. The correct format is still `SPDX-2.2` or `SPDX-2.3`, see here. The test that @goneall mentioned could be "fixed" to use the valid formats, but since it's only a unit test (i.e. no validation function comes into play there), it doesn't really matter. I assume the error lies elsewhere.
So the error is here and reads `'SbomChecker' object has no attribute 'doc_version'`. So the problem is that `doc_version` never gets set on the `SbomChecker` object. For example, this could happen if we run into an `SPDXParsingError` here. Related to that: there has been a change in the validation of the `FilesAnalyzed` field in Tag-Value format in 0.8.2. So I'm pretty sure the issue arises due to the fix of this issue. That is, in order to be more spec-compliant, we only allow the all-lower-case (!) `true` and `false` as valid values for `FilesAnalyzed` in Tag-Value format. The test files in this repo should be updated accordingly.
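The two checks discussed above, as an added example that is not code from spdx-tools or ntia-conformance-checker: a minimal Tag-Value scanner that enforces the `SPDX-M.N` shape for `SPDXVersion` and the lower-case-only `true`/`false` literals for `FilesAnalyzed`, plus a hypothetical `SbomChecker` that assigns `doc_version` before parsing so a parse failure produces a failed check rather than the `AttributeError` seen in the CI log. The sample documents, the `parse_tag_value` function and the `SbomChecker` class are all constructed for this illustration; only single-line `Tag: value` pairs are handled.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Added illustration, not code from spdx-tools or ntia-conformance-checker.
# It mirrors the two points raised in the thread for the Tag-Value format:
#   1. SPDXVersion must be "SPDX-M.N" (e.g. SPDX-2.3); a bare "2.3" is invalid
#   2. FilesAnalyzed only accepts the all-lower-case literals true / false
# and shows a checker that never leaves doc_version unset after a parse failure.
# Only single-line "Tag: value" pairs are handled; <text>...</text> blocks are not.

SPDX_VERSION_RE = re.compile(r"^SPDX-\d+\.\d+$")
FILES_ANALYZED_LITERALS = ("true", "false")   # True / False / TRUE are rejected
SUPPORTED_VERSIONS = ("SPDX-2.2", "SPDX-2.3")


@dataclass
class ParseResult:
    doc_version: Optional[str] = None
    errors: List[str] = field(default_factory=list)


def parse_tag_value(text: str) -> ParseResult:
    """Scan a tag-value document and collect the errors the strict rules produce."""
    result = ParseResult()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            result.errors.append(f"line {lineno}: expected 'Tag: value', got {line!r}")
            continue
        tag, value = (part.strip() for part in line.split(":", 1))
        if tag == "SPDXVersion":
            if SPDX_VERSION_RE.match(value):
                result.doc_version = value
            else:
                result.errors.append(
                    f"line {lineno}: SPDXVersion must look like SPDX-2.3, got {value!r}")
        elif tag == "FilesAnalyzed" and value not in FILES_ANALYZED_LITERALS:
            result.errors.append(
                f"line {lineno}: FilesAnalyzed must be 'true' or 'false' "
                f"(lower-case), got {value!r}")
    if result.doc_version is None and not any("SPDXVersion" in e for e in result.errors):
        result.errors.append("SPDXVersion tag is missing")
    return result


class SbomChecker:
    """Hypothetical checker (not the project's class). doc_version is assigned
    before parsing, so a failed parse yields a False check, not AttributeError."""

    def __init__(self, text: str):
        self.doc_version: Optional[str] = None
        result = parse_tag_value(text)
        self.parsing_errors = result.errors
        # A parse error means the document was not loaded, so doc_version stays None
        if not result.errors:
            self.doc_version = result.doc_version

    def check_doc_version(self) -> bool:
        return self.doc_version in SUPPORTED_VERSIONS


# Constructed sample documents (minimal, not real SBOMs).
GOOD_DOC = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
DocumentName: example
PackageName: demo
FilesAnalyzed: false
"""

# Capitalised literal of the kind the stricter tag-value parser rejects.
OLD_STYLE_DOC = GOOD_DOC.replace("FilesAnalyzed: false", "FilesAnalyzed: False")

# Version written without the SPDX- prefix, as in the unit test mentioned above.
BARE_VERSION_DOC = GOOD_DOC.replace("SPDXVersion: SPDX-2.3", "SPDXVersion: 2.3")


if __name__ == "__main__":
    for name, doc in [("good", GOOD_DOC), ("old-style", OLD_STYLE_DOC),
                      ("bare-version", BARE_VERSION_DOC)]:
        checker = SbomChecker(doc)
        print(name, checker.check_doc_version(), checker.parsing_errors)
```

Running it shows the good document passing and both broken documents failing with a recorded parsing error instead of crashing; that is the behaviour a conformance checker should expose when the underlying parser rejects the input.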
@armintaenzertng, ahhhh. Thank you!
@goneall: Let me add these changes to this PR.
Okay, fixed. Thank you @armintaenzertng!
Ready for review :)
Thank you, @goneall!
Bumps spdx-tools from 0.8.1 to 0.8.2.
Release notes
Sourced from spdx-tools's releases.
Changelog
Sourced from spdx-tools's changelog.
Commits
- 32e74cd update changelog for 0.8.2 release
- f0873eb Properly install tzdata for GitHub Actions.
- 195e244 Handle timezone-aware datetime objects when writing SPDX.
- 248394c add documentation about the code architecture
- 40d1d8e fix(validation): fix error generation in expression validator
- e08e4d2 Merge pull request #759 from HomagGroup/feature/encoding_compliance
- e8ae39d Merge branch 'main' into feature/encoding_compliance
- ed9a135 fix(validation): also allow URLs in download locations
- a1584b7 implement recommended UTF-8 encoding for reading and writing SPDX files
- 3d3100a [issue-753] only allow lowercase values for FilesAnalyzed in tag-value

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show