Message ID | 20241026032519.1968518-4-hongxu.jia@windriver.com |
---|---|
State | New |
Series | Support SPDX include source for work-share directory | expand |
On Fri, Oct 25, 2024 at 9:25 PM Hongxu Jia <hongxu.jia@windriver.com> wrote: > > If file_licenses is empty, the hasDeclaredLicense relationship from sourcefile > to NoneElement which makes no sense. Such as This is intentional, as it indicates that we looked for licenses and didn't find any. Omitting the relationship means we didn't even look for any licenses (which can also be done explicitly by making a relationship to "NoAssertion") > > { > "type": "Relationship", > ... > "from": "http://spdx.org/spdxdocs/gettext-minimal-native-1fa0d5cb/sourcefile/3323", > "relationshipType": "hasDeclaredLicense", > "to": [ > "NoneElement" > ] > }, > > Create hasDeclaredLicense relationship only if file_licenses is not empty > > Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> > --- > meta/lib/oe/sbom30.py | 11 ++++++----- > 1 file changed, 6 insertions(+), 5 deletions(-) > > diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py > index f4cc1f49dd..6df5759596 100644 > --- a/meta/lib/oe/sbom30.py > +++ b/meta/lib/oe/sbom30.py > @@ -620,11 +620,12 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): > for extracted_lic in oe.spdx_common.extract_licenses(filepath): > file_licenses.add(self.new_license_expression(extracted_lic, license_data)) > > - self.new_relationship( > - [spdx_file], > - oe.spdx30.RelationshipType.hasDeclaredLicense, > - file_licenses, > - ) > + if file_licenses: > + self.new_relationship( > + [spdx_file], > + oe.spdx30.RelationshipType.hasDeclaredLicense, > + file_licenses, > + ) > spdx_file.extension.append(OELicenseScannedExtension()) > > def new_file(self, _id, name, path, *, purposes=[]): > -- > 2.25.1 >
According to Specification Version 3.0.1 NoneElement should be used if [1] the SPDX creator desires to assert that there are NO elements for the given context of use. NoAssertionElement should be used if [2] the SPDX creator has attempted to but cannot reach a reasonable objective determination; the SPDX creator has made no attempt to determine this field; or the SPDX creator has intentionally provided no information (no meaning should be implied by doing so). If we indicates to look for licenses and didn't find any. It should be NoAssertionElement other than NoneElement? If so, I will set it to NoAssertionElement in V2 [1] https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Individuals/NoneElement/ [2] https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Individuals/NoAssertionElement/ //Hongxu On Fri, Oct 25, 2024 at 9:25 PM Hongxu Jia <hongxu.jia@windriver.com> wrote: > > If file_licenses is empty, the hasDeclaredLicense relationship from sourcefile > to NoneElement which makes no sense. Such as This is intentional, as it indicates that we looked for licenses and didn't find any. Omitting the relationship means we didn't even look for any licenses (which can also be done explicitly by making a relationship to "NoAssertion") > > { > "type": "Relationship", > ... > "from": "http://spdx.org/spdxdocs/gettext-minimal-native-1fa0d5cb/sourcefile/3323", > "relationshipType": "hasDeclaredLicense", > "to": [ > "NoneElement" > ] > }, > > Create hasDeclaredLicense relationship only if file_licenses is not empty > > Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> > --- > meta/lib/oe/sbom30.py | 11 ++++++----- > 1 file changed, 6 insertions(+), 5 deletions(-) > > diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py > index f4cc1f49dd..6df5759596 100644 > --- a/meta/lib/oe/sbom30.py > +++ b/meta/lib/oe/sbom30.py 
> @@ -620,11 +620,12 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): > for extracted_lic in oe.spdx_common.extract_licenses(filepath): > file_licenses.add(self.new_license_expression(extracted_lic, license_data)) > > - self.new_relationship( > - [spdx_file], > - oe.spdx30.RelationshipType.hasDeclaredLicense, > - file_licenses, > - ) > + if file_licenses: > + self.new_relationship( > + [spdx_file], > + oe.spdx30.RelationshipType.hasDeclaredLicense, > + file_licenses, > + ) > spdx_file.extension.append(OELicenseScannedExtension()) > > def new_file(self, _id, name, path, *, purposes=[]): > -- > 2.25.1 >
diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
index f4cc1f49dd..6df5759596 100644
--- a/meta/lib/oe/sbom30.py
+++ b/meta/lib/oe/sbom30.py
@@ -620,11 +620,12 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
 for extracted_lic in oe.spdx_common.extract_licenses(filepath):
 file_licenses.add(self.new_license_expression(extracted_lic, license_data))

- self.new_relationship(
- [spdx_file],
- oe.spdx30.RelationshipType.hasDeclaredLicense,
- file_licenses,
- )
+ if file_licenses:
+ self.new_relationship(
+ [spdx_file],
+ oe.spdx30.RelationshipType.hasDeclaredLicense,
+ file_licenses,
+ )
 spdx_file.extension.append(OELicenseScannedExtension())

 def new_file(self, _id, name, path, *, purposes=[]):
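Review bot: After the new `if file_licenses:` guard, `spdx_file.extension.append(OELicenseScannedExtension())` still runs unconditionally. A file with no extracted licenses is therefore, judging by the extension's name, marked as scanned while the standard SPDX graph carries no license statement for it at all. Tooling that reads only the standard relationships for a compliance or supply-chain audit would presumably not see the OE-specific marker. If that split is intended, say so at the guard, e.g. `# No licenses extracted: emit no hasDeclaredLicense relationship; the scan itself is still recorded by OELicenseScannedExtension below.` The enclosing method starts outside this hunk, so how `file_licenses` is initialised cannot be checked from here.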
If file_licenses is empty, a hasDeclaredLicense relationship is created from sourcefile to NoneElement, which makes no sense. For example: { "type": "Relationship", ... "from": "http://spdx.org/spdxdocs/gettext-minimal-native-1fa0d5cb/sourcefile/3323", "relationshipType": "hasDeclaredLicense", "to": [ "NoneElement" ] }, Create the hasDeclaredLicense relationship only if file_licenses is not empty. Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> --- meta/lib/oe/sbom30.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)