From 0e1908d933ce7050cc0a8e2b50b64ab8dc472f3d Mon Sep 17 00:00:00 2001 From: Pietro Albini Date: Thu, 10 Nov 2022 11:24:42 +0100 Subject: [PATCH 1/4] avoid gpg signing commits during tests --- tests/conftest.py | 49 +++++++++++++++++++++-------------------------- 1 file changed, 22 insertions(+), 27 deletions(-) diff --git a/tests/conftest.py b/tests/conftest.py index fb0fb2d2c..928fd7f2f 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -1,6 +1,7 @@ # SPDX-FileCopyrightText: 2017 Free Software Foundation Europe e.V. # SPDX-FileCopyrightText: 2022 Florian Snow # SPDX-FileCopyrightText: 2022 Carmen Bianca Bakker +# SPDX-FileCopyrightText: 2022 Pietro Albini # # SPDX-License-Identifier: GPL-3.0-or-later @@ -162,15 +163,7 @@ def git_repository(fake_repository: Path, git_exe: Optional[str]) -> Path: ) subprocess.run([git_exe, "add", str(fake_repository)], check=True) - subprocess.run( - [ - git_exe, - "commit", - "-m", - "initial", - ], - check=True, - ) + git_commit(git_exe, "initial") return fake_repository @@ -227,15 +220,7 @@ def submodule_repository( ) subprocess.run([git_exe, "add", str(submodule)], check=True) - subprocess.run( - [ - git_exe, - "commit", - "-m", - "initial", - ], - check=True, - ) + git_commit(git_exe, "initial") os.chdir(git_repository) @@ -256,15 +241,7 @@ def submodule_repository( ], check=True, ) - subprocess.run( - [ - git_exe, - "commit", - "-m", - "add submodule", - ], - check=True, - ) + git_commit(git_exe, "add submodule") (git_repository / ".gitmodules.license").write_text(header) @@ -367,4 +344,22 @@ def mock_date_today(monkeypatch): monkeypatch.setattr(datetime, "date", date) +def git_commit(git_exe, message): + subprocess.run( + [ + git_exe, + # Git can be globally configured to digitally sign all commits, + # which causes problems when running the test suite, as the user + # would be prompted to authorize the signing multiple times per + # test execution. The option below configures git to skip signing. + "-c", + "commit.gpgSign=false", + "commit", + "-m", + message, + ], + check=True, + ) + + # REUSE-IgnoreEnd From a150a09ab7a6a95aca391dfd7b51d91c15e0322d Mon Sep 17 00:00:00 2001 From: Pietro Albini Date: Thu, 10 Nov 2022 10:45:01 +0100 Subject: [PATCH 2/4] generate LicenseConcluded in the SPDX report --- src/reuse/report.py | 26 ++++++- tests/conftest.py | 7 ++ .../fake_repository/LICENSES/Apache-2.0.txt | 73 +++++++++++++++++++ .../fake_repository/src/multiple_licenses.rs | 1 + tests/test_report.py | 47 ++++++++++++ 5 files changed, 151 insertions(+), 3 deletions(-) create mode 100644 tests/resources/fake_repository/LICENSES/Apache-2.0.txt create mode 100644 tests/resources/fake_repository/src/multiple_licenses.rs diff --git a/src/reuse/report.py b/src/reuse/report.py index 458316d76..79115e9c9 100644 --- a/src/reuse/report.py +++ b/src/reuse/report.py @@ -1,5 +1,6 @@ # SPDX-FileCopyrightText: 2017 Free Software Foundation Europe e.V. # SPDX-FileCopyrightText: 2022 Florian Snow +# SPDX-FileCopyrightText: 2022 Pietro Albini # # SPDX-License-Identifier: GPL-3.0-or-later @@ -145,9 +146,9 @@ def bill_of_materials(self) -> str: out.write(f"FileName: {report.spdxfile.name}\n") out.write(f"SPDXID: {report.spdxfile.spdx_id}\n") out.write(f"FileChecksum: SHA1: {report.spdxfile.chk_sum}\n") - # IMPORTANT: Make no assertion about concluded license. This tool - # cannot, with full certainty, determine the license of a file. - out.write("LicenseConcluded: NOASSERTION\n") + out.write( + f"LicenseConcluded: {report.spdxfile.license_concluded}\n" + ) for lic in sorted(report.spdxfile.licenses_in_file): out.write(f"LicenseInfoInFile: {lic}\n") @@ -306,6 +307,7 @@ def __init__(self, name, spdx_id=None, chk_sum=None): self.spdx_id: str = spdx_id self.chk_sum: str = chk_sum self.licenses_in_file: List[str] = [] + self.license_concluded: str = None self.copyright: str = None @@ -378,6 +380,24 @@ def generate( # Add license to report. report.spdxfile.licenses_in_file.append(identifier) + if not spdx_info.spdx_expressions: + report.spdxfile.license_concluded = "NONE" + else: + # Merge all the license expressions together, wrapping them in + # parentheses to make sure an expression doesn't spill into another + # one. The extra parentheses will be removed by the roundtrip + # through parse() -> simplify() -> render(). + report.spdxfile.license_concluded = ( + _LICENSING.parse( + " AND ".join( + f"({expression})" + for expression in spdx_info.spdx_expressions + ), + ) + .simplify() + .render() + ) + # Copyright text report.spdxfile.copyright = "\n".join(sorted(spdx_info.copyright_lines)) diff --git a/tests/conftest.py b/tests/conftest.py index 928fd7f2f..f22767d46 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -118,6 +118,13 @@ def fake_repository(tmpdir_factory) -> Path: "SPDX-License-Identifier: LicenseRef-custom", encoding="utf-8", ) + (directory / "src/multiple_licenses.rs").write_text( + "SPDX-FileCopyrightText: 2022 Jane Doe\n" + "SPDX-License-Identifier: GPL-3.0-or-later\n" + "SPDX-License-Identifier: Apache-2.0 OR CC0-1.0" + " WITH Autoconf-exception-3.0\n", + encoding="utf-8", + ) os.chdir(directory) return directory diff --git a/tests/resources/fake_repository/LICENSES/Apache-2.0.txt b/tests/resources/fake_repository/LICENSES/Apache-2.0.txt new file mode 100644 index 000000000..137069b82 --- /dev/null +++ b/tests/resources/fake_repository/LICENSES/Apache-2.0.txt @@ -0,0 +1,73 @@ +Apache License +Version 2.0, January 2004 +http://www.apache.org/licenses/ + +TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + +1. Definitions. + +"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. + +"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. + +"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. + +"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. + +"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. + +"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. + +"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). + +"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. + +"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." + +"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. + +2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. + +3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. + +4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: + + (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. + + You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. + +5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. + +6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. + +7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. + +8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. + +9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. + +END OF TERMS AND CONDITIONS + +APPENDIX: How to apply the Apache License to your work. + +To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. + +Copyright [yyyy] [name of copyright owner] + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/tests/resources/fake_repository/src/multiple_licenses.rs b/tests/resources/fake_repository/src/multiple_licenses.rs new file mode 100644 index 000000000..9768b946c --- /dev/null +++ b/tests/resources/fake_repository/src/multiple_licenses.rs @@ -0,0 +1 @@ +// This file is overridden by the fake_repository fixture. diff --git a/tests/test_report.py b/tests/test_report.py index 7ae17ff3d..f5612a9a4 100644 --- a/tests/test_report.py +++ b/tests/test_report.py @@ -1,5 +1,6 @@ # SPDX-FileCopyrightText: 2017 Free Software Foundation Europe e.V. # SPDX-FileCopyrightText: 2022 Florian Snow +# SPDX-FileCopyrightText: 2022 Pietro Albini # # SPDX-License-Identifier: GPL-3.0-or-later @@ -35,6 +36,7 @@ def test_generate_file_report_file_simple(fake_repository): project = Project(fake_repository) result = FileReport.generate(project, "src/source_code.py") assert result.spdxfile.licenses_in_file == ["GPL-3.0-or-later"] + assert result.spdxfile.license_concluded == "GPL-3.0-or-later" assert result.spdxfile.copyright == "SPDX-FileCopyrightText: 2017 Jane Doe" assert not result.bad_licenses assert not result.missing_licenses @@ -48,6 +50,7 @@ def test_generate_file_report_file_from_different_cwd(fake_repository): project, fake_repository / "src/source_code.py" ) assert result.spdxfile.licenses_in_file == ["GPL-3.0-or-later"] + assert result.spdxfile.license_concluded == "GPL-3.0-or-later" assert result.spdxfile.copyright == "SPDX-FileCopyrightText: 2017 Jane Doe" assert not result.bad_licenses assert not result.missing_licenses @@ -62,6 +65,8 @@ def test_generate_file_report_file_missing_license(fake_repository): result = FileReport.generate(project, "foo.py") assert result.spdxfile.copyright == "" + assert result.spdxfile.licenses_in_file == ["BSD-3-Clause"] + assert result.spdxfile.license_concluded == "BSD-3-Clause" assert result.missing_licenses == {"BSD-3-Clause"} assert not result.bad_licenses @@ -75,6 +80,8 @@ def test_generate_file_report_file_bad_license(fake_repository): result = FileReport.generate(project, "foo.py") assert result.spdxfile.copyright == "" + assert result.spdxfile.licenses_in_file == ["fakelicense"] + assert result.spdxfile.license_concluded == "fakelicense" assert result.bad_licenses == {"fakelicense"} assert result.missing_licenses == {"fakelicense"} @@ -91,6 +98,8 @@ def test_generate_file_report_license_contains_plus(fake_repository): result = FileReport.generate(project, "foo.py") assert result.spdxfile.copyright == "" + assert result.spdxfile.licenses_in_file == ["Apache-1.0+"] + assert result.spdxfile.license_concluded == "Apache-1.0+" assert not result.bad_licenses assert not result.missing_licenses @@ -103,11 +112,49 @@ def test_generate_file_report_exception(fake_repository): "GPL-3.0-or-later", "Autoconf-exception-3.0", } + assert ( + result.spdxfile.license_concluded + == "GPL-3.0-or-later WITH Autoconf-exception-3.0" + ) assert result.spdxfile.copyright == "SPDX-FileCopyrightText: 2017 Jane Doe" assert not result.bad_licenses assert not result.missing_licenses +def test_generate_file_report_no_licenses(fake_repository): + """Test behavior when no license information is present in the file""" + (fake_repository / "foo.py").write_text("") + project = Project(fake_repository) + result = FileReport.generate(project, "foo.py") + + assert result.spdxfile.copyright == "" + assert not result.spdxfile.licenses_in_file + assert result.spdxfile.license_concluded == "NONE" + assert not result.bad_licenses + assert not result.missing_licenses + + +def test_generate_file_report_multiple_licenses(fake_repository): + """Test that all licenses are included in LicenseConcluded""" + project = Project(fake_repository) + result = FileReport.generate(project, "src/multiple_licenses.rs") + + assert result.spdxfile.copyright == "SPDX-FileCopyrightText: 2022 Jane Doe" + assert set(result.spdxfile.licenses_in_file) == { + "GPL-3.0-or-later", + "Apache-2.0", + "CC0-1.0", + "Autoconf-exception-3.0", + } + assert ( + result.spdxfile.license_concluded + == "GPL-3.0-or-later AND (Apache-2.0 OR CC0-1.0" + " WITH Autoconf-exception-3.0)" + ) + assert not result.bad_licenses + assert not result.missing_licenses + + def test_generate_project_report_simple(fake_repository, multiprocessing): """Simple generate test, just to see if it sort of works.""" project = Project(fake_repository) From bf5f40c7c8fce1e9091be9d4492d9e2b658a4340 Mon Sep 17 00:00:00 2001 From: Pietro Albini Date: Thu, 10 Nov 2022 10:57:22 +0100 Subject: [PATCH 3/4] gate LicenseConcluded behind a CLI flag --- src/reuse/report.py | 23 +++++++-- src/reuse/spdx.py | 13 +++++- tests/conftest.py | 5 ++ tests/test_main.py | 23 ++++++++- tests/test_report.py | 108 ++++++++++++++++++++++++++++++++++--------- 5 files changed, 143 insertions(+), 29 deletions(-) diff --git a/src/reuse/report.py b/src/reuse/report.py index 79115e9c9..86c1dd5e6 100644 --- a/src/reuse/report.py +++ b/src/reuse/report.py @@ -28,9 +28,10 @@ class _MultiprocessingContainer: """Container that remembers some data in order to generate a FileReport.""" - def __init__(self, project, do_checksum): + def __init__(self, project, do_checksum, add_license_concluded): self.project = project self.do_checksum = do_checksum + self.add_license_concluded = add_license_concluded def __call__(self, file_): # pylint: disable=broad-except @@ -38,7 +39,10 @@ def __call__(self, file_): return _MultiprocessingResult( file_, FileReport.generate( - self.project, file_, do_checksum=self.do_checksum + self.project, + file_, + do_checksum=self.do_checksum, + add_license_concluded=self.add_license_concluded, ), None, ) @@ -178,6 +182,7 @@ def generate( project: Project, do_checksum: bool = True, multiprocessing: bool = cpu_count() > 1, + add_license_concluded: bool = False, ) -> "ProjectReport": """Generate a ProjectReport from a Project.""" project_report = cls(do_checksum=do_checksum) @@ -187,7 +192,9 @@ def generate( project.licenses_without_extension ) - container = _MultiprocessingContainer(project, do_checksum) + container = _MultiprocessingContainer( + project, do_checksum, add_license_concluded + ) if multiprocessing: with mp.Pool() as pool: @@ -339,7 +346,11 @@ def to_dict(self): @classmethod def generate( - cls, project: Project, path: PathLike, do_checksum: bool = True + cls, + project: Project, + path: PathLike, + do_checksum: bool = True, + add_license_concluded: bool = False, ) -> "FileReport": """Generate a FileReport from a path in a Project.""" path = Path(path) @@ -380,7 +391,9 @@ def generate( # Add license to report. report.spdxfile.licenses_in_file.append(identifier) - if not spdx_info.spdx_expressions: + if not add_license_concluded: + report.spdxfile.license_concluded = "NOASSERTION" + elif not spdx_info.spdx_expressions: report.spdxfile.license_concluded = "NONE" else: # Merge all the license expressions together, wrapping them in diff --git a/src/reuse/spdx.py b/src/reuse/spdx.py index 6a512ae44..5a3293e1f 100644 --- a/src/reuse/spdx.py +++ b/src/reuse/spdx.py @@ -1,4 +1,5 @@ # SPDX-FileCopyrightText: 2017 Free Software Foundation Europe e.V. +# SPDX-FileCopyrightText: 2022 Pietro Albini # # SPDX-License-Identifier: GPL-3.0-or-later @@ -22,6 +23,14 @@ def add_arguments(parser) -> None: parser.add_argument( "--output", "-o", dest="file", action="store", type=PathType("w") ) + parser.add_argument( + "--add-license-concluded", + action="store_true", + help=_( + "Populate the LicenseConcluded field. Note that REUSE cannot " + "guarantee the field is accurate." + ), + ) def run(args, project: Project, out=sys.stdout) -> int: @@ -43,7 +52,9 @@ def run(args, project: Project, out=sys.stdout) -> int: ) report = ProjectReport.generate( - project, multiprocessing=not args.no_multiprocessing + project, + multiprocessing=not args.no_multiprocessing, + add_license_concluded=args.add_license_concluded, ) out.write(report.bill_of_materials()) diff --git a/tests/conftest.py b/tests/conftest.py index f22767d46..ab9fd210f 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -85,6 +85,11 @@ def multiprocessing(request, monkeypatch) -> bool: yield request.param +@pytest.fixture(params=[True, False]) +def add_license_concluded(request) -> bool: + yield request + + @pytest.fixture() def empty_directory(tmpdir_factory) -> Path: """Create a temporary empty directory.""" diff --git a/tests/test_main.py b/tests/test_main.py index d789c37ac..9ecde6c57 100644 --- a/tests/test_main.py +++ b/tests/test_main.py @@ -2,6 +2,7 @@ # SPDX-FileCopyrightText: 2019 Stefan Bakker # SPDX-FileCopyrightText: © 2020 Liferay, Inc. # SPDX-FileCopyrightText: 2022 Florian Snow +# SPDX-FileCopyrightText: 2022 Pietro Albini # # SPDX-License-Identifier: GPL-3.0-or-later @@ -277,10 +278,30 @@ def test_spdx(fake_repository, stringio): """Compile to an SPDX document.""" os.chdir(str(fake_repository)) result = main(["spdx"], out=stringio) + output = stringio.getvalue() + + # Ensure no LicenseConcluded is included without the flag + assert "\nLicenseConcluded: NOASSERTION\n" in output + assert "\nLicenseConcluded: GPL-3.0-or-later\n" not in output # TODO: This test is rubbish. assert result == 0 - assert stringio.getvalue() + assert output + + +def test_spdx_add_license_concluded(fake_repository, stringio): + """Compile to an SPDX document.""" + os.chdir(str(fake_repository)) + result = main(["spdx", "--add-license-concluded"], out=stringio) + output = stringio.getvalue() + + # Ensure no LicenseConcluded is included without the flag + assert "\nLicenseConcluded: NOASSERTION\n" not in output + assert "\nLicenseConcluded: GPL-3.0-or-later\n" in output + + # TODO: This test is rubbish. + assert result == 0 + assert output def test_spdx_no_multiprocessing(fake_repository, stringio, multiprocessing): diff --git a/tests/test_report.py b/tests/test_report.py index f5612a9a4..1ff0da58c 100644 --- a/tests/test_report.py +++ b/tests/test_report.py @@ -29,64 +29,101 @@ # REUSE-IgnoreStart -def test_generate_file_report_file_simple(fake_repository): +def test_generate_file_report_file_simple( + fake_repository, add_license_concluded +): """An extremely simple generate test, just to see if the function doesn't crash. """ project = Project(fake_repository) - result = FileReport.generate(project, "src/source_code.py") + result = FileReport.generate( + project, + "src/source_code.py", + add_license_concluded=add_license_concluded, + ) + assert result.spdxfile.licenses_in_file == ["GPL-3.0-or-later"] - assert result.spdxfile.license_concluded == "GPL-3.0-or-later" + assert ( + result.spdxfile.license_concluded == "GPL-3.0-or-later" + if add_license_concluded + else "NOASSERTION" + ) assert result.spdxfile.copyright == "SPDX-FileCopyrightText: 2017 Jane Doe" assert not result.bad_licenses assert not result.missing_licenses -def test_generate_file_report_file_from_different_cwd(fake_repository): +def test_generate_file_report_file_from_different_cwd( + fake_repository, add_license_concluded +): """Another simple generate test, but from a different CWD.""" os.chdir("/") project = Project(fake_repository) result = FileReport.generate( - project, fake_repository / "src/source_code.py" + project, + fake_repository / "src/source_code.py", + add_license_concluded=add_license_concluded, ) assert result.spdxfile.licenses_in_file == ["GPL-3.0-or-later"] - assert result.spdxfile.license_concluded == "GPL-3.0-or-later" + assert ( + result.spdxfile.license_concluded == "GPL-3.0-or-later" + if add_license_concluded + else "NOASSERTION" + ) assert result.spdxfile.copyright == "SPDX-FileCopyrightText: 2017 Jane Doe" assert not result.bad_licenses assert not result.missing_licenses -def test_generate_file_report_file_missing_license(fake_repository): +def test_generate_file_report_file_missing_license( + fake_repository, add_license_concluded +): """Simple generate test with a missing license.""" (fake_repository / "foo.py").write_text( "SPDX-License-Identifier: BSD-3-Clause" ) project = Project(fake_repository) - result = FileReport.generate(project, "foo.py") + result = FileReport.generate( + project, "foo.py", add_license_concluded=add_license_concluded + ) assert result.spdxfile.copyright == "" assert result.spdxfile.licenses_in_file == ["BSD-3-Clause"] - assert result.spdxfile.license_concluded == "BSD-3-Clause" + assert ( + result.spdxfile.license_concluded == "BSD-3-Clause" + if add_license_concluded + else "NOASSERTION" + ) assert result.missing_licenses == {"BSD-3-Clause"} assert not result.bad_licenses -def test_generate_file_report_file_bad_license(fake_repository): +def test_generate_file_report_file_bad_license( + fake_repository, add_license_concluded +): """Simple generate test with a bad license.""" (fake_repository / "foo.py").write_text( "SPDX-License-Identifier: fakelicense" ) project = Project(fake_repository) - result = FileReport.generate(project, "foo.py") + result = FileReport.generate( + project, "foo.py", add_license_concluded=add_license_concluded + ) assert result.spdxfile.copyright == "" assert result.spdxfile.licenses_in_file == ["fakelicense"] - assert result.spdxfile.license_concluded == "fakelicense" + assert ( + result.spdxfile.license_concluded == "fakelicense" + if add_license_concluded + else "NOASSERTION" + ) assert result.bad_licenses == {"fakelicense"} assert result.missing_licenses == {"fakelicense"} -def test_generate_file_report_license_contains_plus(fake_repository): +def test_generate_file_report_license_contains_plus( + fake_repository, add_license_concluded +): """Given a license expression akin to Apache-1.0+, LICENSES/Apache-1.0.txt should be an appropriate license file. """ @@ -95,19 +132,28 @@ def test_generate_file_report_license_contains_plus(fake_repository): ) (fake_repository / "LICENSES/Apache-1.0.txt").touch() project = Project(fake_repository) - result = FileReport.generate(project, "foo.py") + result = FileReport.generate( + project, "foo.py", add_license_concluded=add_license_concluded + ) assert result.spdxfile.copyright == "" assert result.spdxfile.licenses_in_file == ["Apache-1.0+"] - assert result.spdxfile.license_concluded == "Apache-1.0+" + assert ( + result.spdxfile.license_concluded == "Apache-1.0+" + if add_license_concluded + else "NOASSERTION" + ) assert not result.bad_licenses assert not result.missing_licenses -def test_generate_file_report_exception(fake_repository): +def test_generate_file_report_exception(fake_repository, add_license_concluded): """Simple generate test to test if the exception is detected.""" project = Project(fake_repository) - result = FileReport.generate(project, "src/exception.py") + result = FileReport.generate( + project, "src/exception.py", add_license_concluded=add_license_concluded + ) + assert set(result.spdxfile.licenses_in_file) == { "GPL-3.0-or-later", "Autoconf-exception-3.0", @@ -115,29 +161,45 @@ def test_generate_file_report_exception(fake_repository): assert ( result.spdxfile.license_concluded == "GPL-3.0-or-later WITH Autoconf-exception-3.0" + if add_license_concluded + else "NOASSERTION" ) assert result.spdxfile.copyright == "SPDX-FileCopyrightText: 2017 Jane Doe" assert not result.bad_licenses assert not result.missing_licenses -def test_generate_file_report_no_licenses(fake_repository): +def test_generate_file_report_no_licenses( + fake_repository, add_license_concluded +): """Test behavior when no license information is present in the file""" (fake_repository / "foo.py").write_text("") project = Project(fake_repository) - result = FileReport.generate(project, "foo.py") + result = FileReport.generate( + project, "foo.py", add_license_concluded=add_license_concluded + ) assert result.spdxfile.copyright == "" assert not result.spdxfile.licenses_in_file - assert result.spdxfile.license_concluded == "NONE" + assert ( + result.spdxfile.license_concluded == "NONE" + if add_license_concluded + else "NOASSERTION" + ) assert not result.bad_licenses assert not result.missing_licenses -def test_generate_file_report_multiple_licenses(fake_repository): +def test_generate_file_report_multiple_licenses( + fake_repository, add_license_concluded +): """Test that all licenses are included in LicenseConcluded""" project = Project(fake_repository) - result = FileReport.generate(project, "src/multiple_licenses.rs") + result = FileReport.generate( + project, + "src/multiple_licenses.rs", + add_license_concluded=add_license_concluded, + ) assert result.spdxfile.copyright == "SPDX-FileCopyrightText: 2022 Jane Doe" assert set(result.spdxfile.licenses_in_file) == { @@ -150,6 +212,8 @@ def test_generate_file_report_multiple_licenses(fake_repository): result.spdxfile.license_concluded == "GPL-3.0-or-later AND (Apache-2.0 OR CC0-1.0" " WITH Autoconf-exception-3.0)" + if add_license_concluded + else "NOASSERTION" ) assert not result.bad_licenses assert not result.missing_licenses From 6353b3dd80a870783e2008d4139e5462a595f1ca Mon Sep 17 00:00:00 2001 From: Pietro Albini Date: Fri, 11 Nov 2022 09:41:30 +0100 Subject: [PATCH 4/4] add spdx --creator-person --creator-organization --- src/reuse/report.py | 23 +++++++++++++++++--- src/reuse/spdx.py | 36 ++++++++++++++++++++++++++++++- tests/test_main.py | 52 ++++++++++++++++++++++++++++++++++++++++----- 3 files changed, 102 insertions(+), 9 deletions(-) diff --git a/src/reuse/report.py b/src/reuse/report.py index 86c1dd5e6..d6849a988 100644 --- a/src/reuse/report.py +++ b/src/reuse/report.py @@ -103,7 +103,12 @@ def to_dict(self): "file_reports": [report.to_dict() for report in self.file_reports], } - def bill_of_materials(self) -> str: + def bill_of_materials( + self, + *, + creator_person: Optional[str] = None, + creator_organization: Optional[str] = None, + ) -> str: """Generate a bill of materials from the project. See https://spdx.org/specifications. @@ -124,8 +129,10 @@ def bill_of_materials(self) -> str: # Author # TODO: Fix Person and Organization - out.write("Creator: Person: Anonymous ()\n") - out.write("Creator: Organization: Anonymous ()\n") + out.write(f"Creator: Person: {format_creator(creator_person)}\n") + out.write( + f"Creator: Organization: {format_creator(creator_organization)}\n" + ) out.write(f"Creator: Tool: reuse-{__version__}\n") now = datetime.datetime.utcnow() @@ -420,3 +427,13 @@ def __hash__(self): if self.spdxfile.chk_sum is not None: return hash(self.spdxfile.name + self.spdxfile.chk_sum) return super().__hash__(self) + + +def format_creator(creator): + """Render the creator field based on the provided flag""" + if creator is None: + return "Anonymous ()" + if "(" in creator and creator.endswith(")"): + # The creator field already contains an email address + return creator + return creator + " ()" diff --git a/src/reuse/spdx.py b/src/reuse/spdx.py index 5a3293e1f..2b1c209d3 100644 --- a/src/reuse/spdx.py +++ b/src/reuse/spdx.py @@ -31,10 +31,39 @@ def add_arguments(parser) -> None: "guarantee the field is accurate." ), ) + parser.add_argument( + "--creator-person", + metavar="NAME", + help=_("Name of the person signing off on the SPDX report"), + ) + parser.add_argument( + "--creator-organization", + metavar="NAME", + help=_("Name of the organization signing off on the SPDX report"), + ) def run(args, project: Project, out=sys.stdout) -> int: """Print the project's bill of materials.""" + # The SPDX spec mandates that a creator must be specified when a license + # conclusion is made, so here we enforce that. More context: + # + # https://github.com/fsfe/reuse-tool/issues/586#issuecomment-1310425706 + # + if ( + args.add_license_concluded + and args.creator_person is None + and args.creator_organization is None + ): + print( + _( + "error: --creator-person=NAME or --creator-organization=NAME" + " required when --add-license-concluded is provided" + ), + file=sys.stderr, + ) + return 1 + with contextlib.ExitStack() as stack: if args.file: out = stack.enter_context(args.file.open("w", encoding="utf-8")) @@ -57,6 +86,11 @@ def run(args, project: Project, out=sys.stdout) -> int: add_license_concluded=args.add_license_concluded, ) - out.write(report.bill_of_materials()) + out.write( + report.bill_of_materials( + creator_person=args.creator_person, + creator_organization=args.creator_organization, + ) + ) return 0 diff --git a/tests/test_main.py b/tests/test_main.py index 9ecde6c57..b9bfd9317 100644 --- a/tests/test_main.py +++ b/tests/test_main.py @@ -283,25 +283,67 @@ def test_spdx(fake_repository, stringio): # Ensure no LicenseConcluded is included without the flag assert "\nLicenseConcluded: NOASSERTION\n" in output assert "\nLicenseConcluded: GPL-3.0-or-later\n" not in output + assert "\nCreator: Person: Anonymous ()\n" in output + assert "\nCreator: Organization: Anonymous ()\n" in output # TODO: This test is rubbish. assert result == 0 assert output +def test_spdx_creator_info(fake_repository, stringio): + """Ensure the --creator-* flags are properly formatted""" + os.chdir(str(fake_repository)) + result = main( + [ + "spdx", + "--creator-person=Jane Doe (jane.doe@example.org)", + "--creator-organization=FSFE", + ], + out=stringio, + ) + output = stringio.getvalue() + + assert result == 0 + assert "\nCreator: Person: Jane Doe (jane.doe@example.org)\n" in output + assert "\nCreator: Organization: FSFE ()\n" in output + + def test_spdx_add_license_concluded(fake_repository, stringio): - """Compile to an SPDX document.""" + """Compile to an SPDX document with the LicenseConcluded field.""" os.chdir(str(fake_repository)) - result = main(["spdx", "--add-license-concluded"], out=stringio) + result = main( + [ + "spdx", + "--add-license-concluded", + "--creator-person=Jane Doe", + "--creator-organization=FSFE", + ], + out=stringio, + ) output = stringio.getvalue() # Ensure no LicenseConcluded is included without the flag + assert result == 0 assert "\nLicenseConcluded: NOASSERTION\n" not in output assert "\nLicenseConcluded: GPL-3.0-or-later\n" in output + assert "\nCreator: Person: Jane Doe ()\n" in output + assert "\nCreator: Organization: FSFE ()\n" in output - # TODO: This test is rubbish. - assert result == 0 - assert output + +def test_spdx_add_license_concluded_without_creator_info( + fake_repository, stringio +): + """Adding LicenseConcluded should require creator information""" + os.chdir(str(fake_repository)) + result = main(["spdx", "--add-license-concluded"], out=stringio) + output = stringio.getvalue() + + assert result == 1 + # An error message is emitted, but on stderr to avoid returning mangled + # output when the caller expects an SPDX document. We cannot assert its + # contents because of that, unfortunately. + assert not output def test_spdx_no_multiprocessing(fake_repository, stringio, multiprocessing):