Bump spdx-tools from 0.8.1 to 0.8.2

[dependabot[bot]]

Bumps spdx-tools from 0.8.1 to 0.8.2.

Release notes

Sourced from spdx-tools's releases.

v0.8.2

What's Changed

• add encoding parameter for parsing files by @​chrisdecker1201 in spdx/tools-python#756
• [issue-754] output FilesAnalyzed boolean in lowercase in tag-value by @​armintaenzertng in spdx/tools-python#757
• [issue-753] only allow lowercase values for FilesAnalyzed in tag-value by @​armintaenzertng in spdx/tools-python#758
• fix(validation): also allow URLs in download locations by @​maxhbr in spdx/tools-python#763
• implement recommended UTF-8 encoding for reading and writing SPDX files by @​chrisdecker1201 in spdx/tools-python#759
• fix(validation): fix error generation in expression validator by @​maxhbr in spdx/tools-python#765
• add documentation on the code architecture by @​armintaenzertng in spdx/tools-python#752
• Handle timezone-aware datetime objects when writing SPDX. by @​licquia in spdx/tools-python#768
• update changelog for 0.8.2 release by @​armintaenzertng in spdx/tools-python#769

Full Changelog: https://github.com/spdx/tools-python/compare/v0.8.1...v0.8.2

Changelog

Sourced from spdx-tools's changelog.

v0.8.2 (2023-10-12)

New features and changes

• added optional encoding parameter for parsing files
• fixed handling of the FilesAnalyzed field in Tag-Value format
• fixed the validation of the DownloadLocation field
• fixed the error handling while parsing license expressions
• fixed output of timezone-sensitive datetimes
• added code architecture documentation

Contributors

This release was made possible by the following contributors. Thank you very much!

• Christian Decker @​chrisdecker1201
• Jeff Licquia @​licquia
• Maximilian Huber @​maxhbr
• Armin Tänzer @​armintaenzertng

Commits

• 32e74cd update changelog for 0.8.2 release
• f0873eb Properly install tzdata for GitHub Actions.
• 195e244 Handle timezone-aware datetime objects when writing SPDX.
• 248394c add documentation about the code architecture
• 40d1d8e fix(validation): fix error generation in expression validator
• e08e4d2 Merge pull request #759 from HomagGroup/feature/encoding_compliance
• e8ae39d Merge branch 'main' into feature/encoding_compliance
• ed9a135 fix(validation): also allow URLs in download locations
• a1584b7 implement recommended UTF-8 encoding for reading and writing SPDX files
• 3d3100a [issue-753] only allow lowercase values for FilesAnalyzed in tag-value
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[jspeed-meyers]

Hmmm, there are some failing test cases. Debugging help and PRs welcome!

What's going on?

[goneall]

@jspeed-meyers - It looks like the valid SPDX version format changed from SPDX-2.3 to 2.3 based on this test code in the Python libraries.

I wasn't able to track down where the change occurred - since this PR updates the version of python-tools, I assume something changed in that library but I couldn't track it down.

@armintaenzertng - any thoughts?

Here's the function that's returning false: https://github.com/spdx/ntia-conformance-checker/blob/cbafec78e9ab58cd245d7a8914a88784a06ed188/ntia_conformance_checker/sbom_checker.py#L57

[jspeed-meyers]

Thank you, @goneall.

If that's the case, I could add to this PR changes to those SPDX documents in our test suite.

[armintaenzertng]

There have been no changes to the spdx_version field in the last update. The correct format is still SPDX-2.2 or SPDX-2.3, see here. The test that @goneall mentioned could be "fixed" to use the valid formats but since it's only a unit test (i.e. no validation function comes into play there), it doesn't really matter. I assume the error lies elsewhere.

[armintaenzertng]

So the error is here and reads

'SbomChecker' object has no attribute 'doc_version'.

So the problem is that doc_version never gets set on the SbomChecker object. For example, this could happen if we run into an SPDXParsingError here. Related to that: There has been a change in the validation of the FilesAnalyzed field in Tag-Value format in 0.8.2.

[armintaenzertng]

So I'm pretty sure the issue arises due to the fix of this issue. That is, in order to be more spec-compliant, we only allow the all-lower-case (!) true and false as valid values for FilesAnalyzed in Tag-Value format. The test files in this repo should be updated accordingly.

[jspeed-meyers]

@armintaenzertng, ahhhh. Thank you!

@goneall: Let me add these changes to this PR.

[jspeed-meyers]

Okay, fixed. Thank you @armintaenzertng!

Ready for review :)

[jspeed-meyers]

Thank you, @goneall!