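        def add_package(package, parent=None):
            """Recursively add *package* and its dependencies to the document.

            Builds an ``SpdxPackage`` for *package* with a fresh
            ``SPDXRef-<n>`` id drawn from the shared ``id_count`` counter,
            marks every licence/copyright/download field as
            NOASSERTION/NONE/UNKNOWN (nothing is analysed here), links it to
            *parent* with a ``PACKAGE_OF`` relationship when one is given,
            recurses into ``package.dependencies`` and finally registers the
            package on ``doc``.

            Args:
                package: object exposing ``package_name``, ``version`` and
                    an iterable ``dependencies`` of the same shape.
                parent: the already-built ``SpdxPackage`` that depends on
                    *package*, or ``None`` for a top-level package.

            Returns:
                None. The package is appended to ``doc`` as a side effect.
            """
            spdxpackage = SpdxPackage(name=package.package_name,
                                      version=package.version)
            # ids must be unique across the whole document, hence the
            # mutable counter shared with the enclosing scope
            spdxpackage.spdx_id = f'SPDXRef-{id_count[0]}'
            id_count[0] += 1
            # no metadata is gathered for these packages, so be explicit
            # that nothing is asserted rather than leaving fields empty
            spdxpackage.homepage = SPDXNone()
            spdxpackage.cr_text = NoAssert()
            spdxpackage.download_location = UnKnown()
            spdxpackage.files_analyzed = False
            spdxpackage.conc_lics = NoAssert()
            spdxpackage.license_declared = NoAssert()
            spdxpackage.licenses_from_files = [NoAssert()]
            # if we have a parent be sure to list the relationship
            if parent is not None:
                spdxpackage.add_relationship(
                    Relationship(spdxpackage, RelationshipOptions.PACKAGE_OF,
                                 parent))

            # go through the same process for dependencies; they are added
            # to the document before this package (post-order).
            # NOTE(review): there is no cycle guard, so a dependency graph
            # containing a cycle would recurse without bound — confirm the
            # input is acyclic.
            for dep in package.dependencies:
                add_package(dep, parent=spdxpackage)

            # finally add it to the document
            doc.add_package(spdxpackage)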
    def generate_spdx_package(self) -> Package:
        """Build the SPDX ``Package`` describing this project.

        Identity fields (name, ``SPDXRef-<id>``, version, file name,
        originator, homepage, summary) are taken from the instance
        attributes via ``determine_spdx_value``; licence fields are turned
        into ``License`` objects from their identifiers. Copyright text,
        description and download location are not asserted, and the
        checksum is recorded as a SHA1 algorithm entry with a NOASSERTION
        value, so the emitted SBOM carries no integrity anchor for the
        package itself.

        When ``get_spdx_files`` returns files, each one is attached to the
        package together with its licence and copyright information and a
        verification code is computed. Otherwise a single placeholder file
        is attached, because the SDK requires every package to have at
        least one file, and the verification code is left unasserted.

        Example of a resulting package (tag/value form):
        PackageName: eduVPN
        SPDXID: SPDXRef-1
        PackageSupplier: Organization: The Commons Conservancy eduVPN Programme
        PackageHomePage: https://eduvpn.org
        PackageLicenseDeclared: GPL-3.0+
        PackageCopyrightText: 2017, The Commons Conservancy eduVPN Programme
        PackageSummary: <text>EduVPN is designed to allow users to connect
        securely and encrypted to the Internet from any standard device.
                        </text>
        PackageComment: <text>The package includes the following libraries; see
        Relationship information.
                        </text>
        Created: 2017-06-06T09:00:00Z
        PackageDownloadLocation: git://github.com/eduVPN/reponame
        PackageDownloadLocation: git+https://github.com/eduVPN/reponame.git
        PackageDownloadLocation: git+ssh://github.com/eduVPN/reponame.git
        Creator: Person: Jane Doe

        Returns:
            the corresponding package
        """

        def _licence_of(raw):
            # Licence identifiers go through determine_spdx_value first so
            # missing values become the SPDX NOASSERTION-style placeholder.
            return License.from_identifier(str(determine_spdx_value(raw)))

        spdx_name = determine_spdx_value(self.name)
        originator = Person(determine_spdx_value(self.author),
                            determine_spdx_value(self.author_email))
        spdx_package = Package(
            name=spdx_name,
            spdx_id=f"SPDXRef-{self.id}",
            download_location=determine_spdx_value(None),
            version=determine_spdx_value(self.version),
            file_name=determine_spdx_value(self.name),
            supplier=None,
            originator=originator,
        )

        # NOTE: the checksum value is NOASSERTION — consumers of the SBOM
        # cannot verify the package archive against it.
        spdx_package.check_sum = Algorithm("SHA1", str(NoAssert()))
        spdx_package.cr_text = NoAssert()
        spdx_package.homepage = determine_spdx_value(self.url)
        spdx_package.license_declared = _licence_of(self.main_licence)
        spdx_package.conc_lics = _licence_of(self.licence)
        spdx_package.summary = determine_spdx_value(self.description)
        spdx_package.description = NoAssert()

        analysed_files = self.get_spdx_files()
        if not analysed_files:
            # Has to generate a dummy file because of the following rule in SDK:
            # - Package must have at least one file
            placeholder = SpdxFile(Path(UNKNOWN), self._package_info.root_dir,
                                   self.main_licence)
            spdx_package.verif_code = NoAssert()
            spdx_package.add_file(placeholder.generate_spdx_file())
            spdx_package.add_lics_from_file(_licence_of(placeholder.licence))
            return spdx_package

        spdx_package.files_analyzed = True
        for spdx_file in analysed_files:
            spdx_package.add_file(spdx_file.generate_spdx_file())
            spdx_package.add_lics_from_file(_licence_of(spdx_file.licence))
            _set_package_copyright(spdx_file, spdx_package)
        # the verification code depends on every file added above
        spdx_package.verif_code = determine_spdx_value(
            spdx_package.calc_verif_code())
        return spdx_package