| Message ID | 20241029091723.2851061-4-hongxu.jia@windriver.com |
|---|---|
| State | New |
| Series | Support SPDX include source for work-share directory |
On Tue, Oct 29, 2024 at 3:17 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
> If file_licenses is empty, the hasDeclaredLicense relationship is from sourcefile
> to NoneElement. Such as
>
> {
>   "type": "Relationship",
>   ...
>   "from": "http://spdx.org/spdxdocs/gettext-minimal-native-1fa0d5cb/sourcefile/3323",
>   "relationshipType": "hasDeclaredLicense",
>   "to": [
>     "NoneElement"
>   ]
> },
>
> According to Specification Version 3.0.1
>
> NoneElement should be used if [1]
>
>   the SPDX creator desires to assert that there are NO elements for the given context of use.
>
> NoAssertionElement should be used if [2]
>
>   the SPDX creator has attempted to but cannot reach a reasonable objective determination;
>   the SPDX creator has made no attempt to determine this field; or
>   the SPDX creator has intentionally provided no information (no meaning should be implied by doing so).
>
> If we indicate to look for licenses and didn't find any, it should be NoAssertionElement rather than NoneElement
>
> [1] https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Individuals/NoneElement/
> [2] https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Individuals/NoAssertionElement/
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
>  meta/lib/oe/sbom30.py | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py
> index e3a9428668..7ae05c42a9 100644
> --- a/meta/lib/oe/sbom30.py
> +++ b/meta/lib/oe/sbom30.py
> @@ -620,6 +620,11 @@ class ObjectSet(oe.spdx30.SHACLObjectSet):
>          for extracted_lic in oe.spdx_common.extract_licenses(filepath):
>              file_licenses.add(self.new_license_expression(extracted_lic, license_data))
>
> +        # SPDX creator has attempted to but cannot reach a reasonable objective determination
> +        # https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Individuals/NoAssertionElement/
> +        if not file_licenses:
> +            file_licenses = [oe.spdx30.Element.NoAssertionElement]

This still needs to be NoneElement, because we looked and did not find any licenses; therefore, in our estimation, there are not any to be found. This is the meaning intended by the spec; we (the SPDX creator) are explicitly stating that there are NO licenses (elements) defined in the file (given context).

If we didn't scan the file at all, that means that we were unable (or made no attempt) to determine if the file had licenses or not, and thus NoAssertion would be the correct choice, since we would want to explicitly state we chose not to look for any licenses. This is not what we actually do in practice, except in the case where extract_licenses() gets an exception; if you wanted to, you could have the function return None in that case and then use that to add a NoAssertion to the relationship, but the empty list must be treated as NoneElement.

> +
>          self.new_relationship(
>              [spdx_file],
>              oe.spdx30.RelationshipType.hasDeclaredLicense,
> --
> 2.25.1
>
Sure, I will drop this patch in V3

//Hongxu
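As an added illustration of the distinction drawn in the reply above (this is not code from the patch, the page, or openembedded-core), the following maps the three possible outcomes of a per-file license scan onto the `to` side of a hasDeclaredLicense relationship: a scan that ran and found nothing yields NoneElement, a scan that could not be performed yields NoAssertionElement, and a scan that found something yields the expressions found. `extract_licenses` here is a stand-in with an assumed signature (it takes file contents rather than a path and raises OSError to simulate an unreadable file); the real `oe.spdx_common.extract_licenses` and the `oe.spdx30` element objects are replaced by string stand-ins so the example runs offline, and the sample file contents are constructed.

```python
"""Added example: choosing NoneElement vs NoAssertionElement for an SPDX 3.0.1
hasDeclaredLicense relationship. Illustration code, not openembedded-core's.
"""
import json
import re
from typing import Optional

# Stand-ins for oe.spdx30.Element.NoneElement / NoAssertionElement (assumed
# names, taken from the hunk under discussion). The page's JSON serializes
# them as bare strings, which is what this example emits.
NONE_ELEMENT = "NoneElement"
NO_ASSERTION_ELEMENT = "NoAssertionElement"

# Matches an `SPDX-License-Identifier:` tag followed by a simple license
# expression (operators AND / OR / WITH). Stand-in for the project's scanner.
_SPDX_ID_RE = re.compile(
    r"SPDX-License-Identifier:\s*"
    r"([^\s*/]+(?:\s+(?:AND|OR|WITH)\s+[^\s*/]+)*)"
)


def extract_licenses(contents: Optional[bytes]) -> list[str]:
    """Stand-in for oe.spdx_common.extract_licenses (hypothetical signature).

    Returns the distinct license expressions found, in order of appearance.
    An empty list means the scan ran to completion and found nothing.
    Raises OSError when the file could not be read (simulated by `None`).
    """
    if contents is None:
        raise OSError("simulated unreadable file")
    text = contents.decode("utf-8", errors="replace")
    found: list[str] = []
    for match in _SPDX_ID_RE.finditer(text):
        expr = match.group(1).strip()
        if expr not in found:
            found.append(expr)
    return found


def declared_license_targets(scan_result: Optional[list[str]]) -> list[str]:
    """Choose the `to` list for hasDeclaredLicense from a scan outcome.

    None  -> the scan was not performed or failed: NoAssertionElement.
    []    -> the scan ran and found nothing: NoneElement (the creator asserts
             there are NO licenses declared in this file).
    [...] -> the license expressions that were found.
    """
    if scan_result is None:
        return [NO_ASSERTION_ELEMENT]
    if not scan_result:
        return [NONE_ELEMENT]
    return list(scan_result)


def has_declared_license(from_id: str, contents: Optional[bytes]) -> dict:
    """Build the relationship object for one source file.

    Only a scanner failure (an exception) becomes None, and hence
    NoAssertionElement; an empty result keeps its NoneElement meaning.
    """
    try:
        scan_result: Optional[list[str]] = extract_licenses(contents)
    except OSError:
        scan_result = None
    return {
        "type": "Relationship",
        "from": from_id,
        "relationshipType": "hasDeclaredLicense",
        "to": declared_license_targets(scan_result),
    }


if __name__ == "__main__":
    # Constructed sample inputs; not files from any real package.
    samples = {
        "sourcefile/1": b"// SPDX-License-Identifier: GPL-2.0-only OR MIT\nint main(void) { return 0; }\n",
        "sourcefile/2": b"plain text with no license tag at all\n",
        "sourcefile/3": None,  # simulates a file the scanner could not open
    }
    for name, contents in samples.items():
        rel = has_declared_license("http://example.invalid/spdxdocs/demo/" + name, contents)
        print(json.dumps(rel, indent=2))
```

The point of splitting `extract_licenses` failure from an empty result is that the caller, not the scanner, decides the SPDX individual: a scanner that reports "nothing found" and a scanner that could not run are different facts, and only the second one justifies NoAssertionElement.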
diff --git a/meta/lib/oe/sbom30.py b/meta/lib/oe/sbom30.py index e3a9428668..7ae05c42a9 100644 --- a/meta/lib/oe/sbom30.py +++ b/meta/lib/oe/sbom30.py @@ -620,6 +620,11 @@ class ObjectSet(oe.spdx30.SHACLObjectSet): for extracted_lic in oe.spdx_common.extract_licenses(filepath): file_licenses.add(self.new_license_expression(extracted_lic, license_data)) + # SPDX creator has attempted to but cannot reach a reasonable objective determination + # https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Individuals/NoAssertionElement/ + if not file_licenses: + file_licenses = [oe.spdx30.Element.NoAssertionElement] + self.new_relationship( [spdx_file], oe.spdx30.RelationshipType.hasDeclaredLicense,
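Review bot: The `if not file_licenses:` branch in this hunk inverts the spec semantics its own comment cites: control only reaches it after the `extract_licenses(filepath)` loop above has completed without finding anything, which is the "assert that there are NO elements" case NoneElement exists for, so the pre-patch output `"to": ["NoneElement"]` quoted in the commit message is already correct. NoAssertionElement is only justified when no determination was attempted or the scan failed; if that case matters, have `extract_licenses()` signal failure (return None, or let the caller catch the exception) and map only that outcome to `oe.spdx30.Element.NoAssertionElement`, keeping an empty result as NoneElement. Minor: the assignment also replaces the set populated by `file_licenses.add(...)` with a list; if any branch of this kind stays, keep the type consistent.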
If file_licenses is empty, the hasDeclaredLicense relationship is from sourcefile
to NoneElement. Such as

{
  "type": "Relationship",
  ...
  "from": "http://spdx.org/spdxdocs/gettext-minimal-native-1fa0d5cb/sourcefile/3323",
  "relationshipType": "hasDeclaredLicense",
  "to": [
    "NoneElement"
  ]
},

According to Specification Version 3.0.1

NoneElement should be used if [1]

  the SPDX creator desires to assert that there are NO elements for the given context of use.

NoAssertionElement should be used if [2]

  the SPDX creator has attempted to but cannot reach a reasonable objective determination;
  the SPDX creator has made no attempt to determine this field; or
  the SPDX creator has intentionally provided no information (no meaning should be implied by doing so).

If we indicate to look for licenses and didn't find any, it should be NoAssertionElement rather than NoneElement

[1] https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Individuals/NoneElement/
[2] https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Individuals/NoAssertionElement/

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 meta/lib/oe/sbom30.py | 5 +++++
 1 file changed, 5 insertions(+)