Skip to content

How to migrate from 0.7 to 0.8

Jump to bottom Edit New page
Armin Tänzer edited this page Jun 30, 2023 · 4 revisions

Below is an overview of changes in the new release. Keep in mind that the whole codebase has gotten a total makeover, so please do not expect things to work out of the box with your 0.7 code.

Data Model

All data model classes can now be found in src/spdx/model. All methods contained in model classes have been removed (except for auto-generated @dataclass methods like __eq__()) in favor of working directly on the class properties. For example, instead of

document.add_annotation(my_annotation)

use*

document.annotations = document.annotations + [my_annotation]

For validation purposes, a new validation layer has been introduced, see the corresponding section below.
Many properties have undergone a renaming and/or type change to better fit the specification names and types. Take special note of the following:

  • The SPDX license list and license expressions are now handled by the license-expression package. Example: 
    LicenseConjunction(License.from_identifier("Apache-2.0"), License.from_identifier("BSD-2-Clause"))
    is now 
    get_spdx_licensing().parse("Apache-2.0 and BSD-2-Clause")
  • The constructor for Relationship no longer parses the relationship properties from a relationship string but uses the regular form 
    def __init__(self, spdx_element_id: str, relationship_type: RelationshipType,
             related_spdx_element_id: Union[str, SpdxNone, SpdxNoAssertion], comment: Optional[str] = None)
  • relationship_type is now of type RelationshipType.
  • license_info_from_files, license_info_in_file and license_info_in_snippet are now always lists (for example [SpdxNoAssertion()]).
  • attribution_texts is now a list.
  • Person, Organization and Tool have been combined into Actor, which has a property actor_type.
  • Review has been removed (use Annotation with annotation_type = AnnotationType.REVIEW instead).
  • verif_code and verif_exc_files have been combined into a single class PackageVerificationCode.

For a full overview have a look at this spreadsheet or this pdf which compares the names, types and imports of all fields in the 0.7 and 0.8 versions.

Validation

The validation of correct Python types is now ensured by runtime type checks when fields are set or retrieved. The reference for the correct type of a field is the type hint in the class definition it belongs to.
The validation of conformity with the SPDX specification has been separated into its own layer found in src/spdx/validation. Entry point is the validate_full_spdx_document() method. Validation methods now return a list of ValidationMessage objects which consist of a validation_message String describing the invalidity and a Context object which helps pinpointing the location of the invalidity.

Parsing/Writing

Due to much stricter validation rules, only SPDX documents with the right types in all of their properties can be parsed. In the case of invalid types, an error with a comprehensive summary of all encountered problems will be raised.
Now, when calling write_file(), by default a Document will be validated against the specification before it can be written to a file.

*Note: Using inplace manipulations like document.annotations.append(my_annotation) circumvents the runtime type checking. If a wrong type is set this way, a TypeError would still be raised when calling document.annotations at some later time.

Add a custom footer
Add a custom sidebar
Clone this wiki locally