Merge pull request OpenChain-Project#112 from nokia/fixes-for-0.1.6

Fixes for validator 0.1.6
nokia · Oct 11, 2024 · 2eb32fd · 2eb32fd
2 parents e7d046e + 96e6ce0
commit 2eb32fd
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 46 deletions.
diff --git a/tools/openchain_telco_sbom_validator/README.md b/tools/openchain_telco_sbom_validator/README.md
@@ -1,28 +1,30 @@
 # openchain-telco-sbom-validator
 
-A script to validate SBOMs against version 1.0 of the OpenChain Telco SBOM Guide.
+A script to validate SBOMs against version 1.0 of
+the [OpenChain Telco SBOM Guide](https://github.com/OpenChain-Project/Telco-WG/blob/main/OpenChain-Telco-SBOM-Guide_EN.md).
 
-# Installation 
+# Installation
 
-From this folder issue `pip3 install openchain-telco-sbom-validator`.
+To install from [PyPI](https://pypi.org/project/openchain-telco-sbom-validator/), issue `pip3 install openchain-telco-sbom-validator`.
 
-## Installation of prerequisities
+# Manual installation
 
-This script is written in Python and uses a requirements.txt to list its dependencies. To install Python on an Ubuntu
+This script is written in Python and uses a `requirements.txt` to list its dependencies. To install Python on an Ubuntu
 environment run `sudo apt install python3-pip`.
 
 It is usually a good practice to install Python dependencies to a Python virtual environment. To be able to manage
 virtual environments you need to install `venv` with `sudo apt install python3-venv`.
 
-If you do not have a virtual environment yet cretate it with `python3 -m venv .env`, if you already have a virtual environment start it with `. .env/bin/activate`.
+If you do not have a virtual environment you can create it with `python3 -m venv .env`,
+if you already have a virtual environment start it with `. .env/bin/activate`.
 
 
 # Usage
 
 ## From command line
 
 ```
-usage: open-chain-telco-sbom-validator [options] input
+usage: openchain-telco-sbom-validator [options] input
 
 positional arguments:
   input                 The input SPDX file.
@@ -55,9 +57,9 @@ from openchain_telco_sbom_validator.validator import Validator
 
 def main():
     # Instantiate a validator
-    
+
     myValidator = Validator()
-    
+
     # Do validate
     result, problems = myValidator.validate(filePath,          # path to the SPDX file as a string
                                             strict_purl_check, # If strict purl check is needed
@@ -96,7 +98,7 @@ It is possible to add additional CLI arguments if needed for example:
 
 #### Additional checks
 
-It is possible to add additional checks both on global and on package level. 
+It is possible to add additional checks both on global and on package level.
 
 ```
     # Import in addition of the previous imports

diff --git a/.../open-chain-telco-sbom-validator-0.1.spdx → ...openchain-telco-sbom-validator-0.1.6.spdx b/.../open-chain-telco-sbom-validator-0.1.spdx → ...openchain-telco-sbom-validator-0.1.6.spdx
@@ -2,8 +2,8 @@
 SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
-DocumentName: open-chain-telco-sbom-validator-0.1
-DocumentNamespace: https://nokia.com/spdx/open-chain-telco-sbom-validator-0.1
+DocumentName: openchain-telco-sbom-validator-0.1.6
+DocumentNamespace: https://nokia.com/spdx/openchain-telco-sbom-validator-0.1.6
 
 ## Creation Information
 LicenseListVersion: 3.22
@@ -14,8 +14,8 @@ CreatorComment: CISA SBOM type: Source
 
 ## Package Information
 PackageName: openchain_telco_sbom_validator-with-requirements-requirements.txt
-SPDXID: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1
-PackageVersion: 0.1
+SPDXID: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6
+PackageVersion: 0.1.6
 PackageDownloadLocation: NONE
 FilesAnalyzed: false
 PackageChecksum: SHA256: d74a3c7142c82926b73d6928c04dc85e5759b649b403e024d7a44e9998415177
@@ -25,7 +25,7 @@ PackageLicenseDeclared: Apache-2.0
 PackageCopyrightText: (c) 2024 Nokia Authors Gergely Csatari, Marc-Etienne Vargenau
 PackageSupplier: Organization: Nokia
 PackageOriginator: Organization: Nokia
-ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected]
+ExternalRef: PACKAGE-MANAGER purl pkg:pypi/[email protected].6
 
 ## Package Information
 PackageName: beartype
@@ -435,9 +435,9 @@ Relationship: SPDXRef-Package-PyPI-spdx-tools-0.8.2 DEPENDS_ON SPDXRef-Package-P
 Relationship: SPDXRef-Package-PyPI-spdx-tools-0.8.2 DEPENDS_ON SPDXRef-Package-PyPI-semantic-version-2.10.0
 Relationship: SPDXRef-Package-PyPI-spdx-tools-0.8.2 DEPENDS_ON SPDXRef-Package-PyPI-uritools-4.0.3
 Relationship: SPDXRef-Package-PyPI-spdx-tools-0.8.2 DEPENDS_ON SPDXRef-Package-PyPI-xmltodict-0.13.0
-Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 DEPENDS_ON SPDXRef-Package-PyPI-ntia-conformance-checker-3.0.0
-Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 DEPENDS_ON SPDXRef-Package-PyPI-packageurl-python-0.15.6
-Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 DEPENDS_ON SPDXRef-Package-PyPI-prettytable-3.11.0
-Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 DEPENDS_ON SPDXRef-Package-PyPI-requests-2.32.3
-Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 DEPENDS_ON SPDXRef-Package-PyPI-validators-0.33.0
-Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1
+Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 DEPENDS_ON SPDXRef-Package-PyPI-ntia-conformance-checker-3.0.0
+Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 DEPENDS_ON SPDXRef-Package-PyPI-packageurl-python-0.15.6
+Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 DEPENDS_ON SPDXRef-Package-PyPI-prettytable-3.11.0
+Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 DEPENDS_ON SPDXRef-Package-PyPI-requests-2.32.3
+Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 DEPENDS_ON SPDXRef-Package-PyPI-validators-0.33.0
+Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6
diff --git a/...-chain-telco-sbom-validator-0.1.spdx.json → ...hain-telco-sbom-validator-0.1.6.spdx.json b/...-chain-telco-sbom-validator-0.1.spdx.json → ...hain-telco-sbom-validator-0.1.6.spdx.json
@@ -10,12 +10,12 @@
         "comment": "CISA SBOM type: Source"
     },
     "dataLicense": "CC0-1.0",
-    "name": "open-chain-telco-sbom-validator-0.1",
+    "name": "openchain-telco-sbom-validator-0.1.6",
     "spdxVersion": "SPDX-2.2",
-    "documentNamespace": "https://nokia.com/spdx/open-chain-telco-sbom-validator-0.1",
+    "documentNamespace": "https://nokia.com/spdx/openchain-telco-sbom-validator-0.1.6",
     "packages": [
         {
-            "SPDXID": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1",
+            "SPDXID": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6",
             "checksums": [
                 {
                     "algorithm": "SHA256",
@@ -27,7 +27,7 @@
             "externalRefs": [
                 {
                     "referenceCategory": "PACKAGE_MANAGER",
-                    "referenceLocator": "pkg:pypi/[email protected]",
+                    "referenceLocator": "pkg:pypi/[email protected].6",
                     "referenceType": "purl"
                 }
             ],
@@ -38,7 +38,7 @@
             "name": "openchain_telco_sbom_validator-with-requirements-requirements.txt",
             "originator": "Organization: Nokia",
             "supplier": "Organization: Nokia",
-            "versionInfo": "0.1"
+            "versionInfo": "0.1.6"
         },
         {
             "SPDXID": "SPDXRef-Package-PyPI-beartype-0.18.5",
@@ -762,33 +762,33 @@
             "relationshipType": "DEPENDS_ON"
         },
         {
-            "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1",
+            "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6",
             "relatedSpdxElement": "SPDXRef-Package-PyPI-ntia-conformance-checker-3.0.0",
             "relationshipType": "DEPENDS_ON"
         },
         {
-            "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1",
+            "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6",
             "relatedSpdxElement": "SPDXRef-Package-PyPI-packageurl-python-0.15.6",
             "relationshipType": "DEPENDS_ON"
         },
         {
-            "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1",
+            "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6",
             "relatedSpdxElement": "SPDXRef-Package-PyPI-prettytable-3.11.0",
             "relationshipType": "DEPENDS_ON"
         },
         {
-            "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1",
+            "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6",
             "relatedSpdxElement": "SPDXRef-Package-PyPI-requests-2.32.3",
             "relationshipType": "DEPENDS_ON"
         },
         {
-            "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1",
+            "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6",
             "relatedSpdxElement": "SPDXRef-Package-PyPI-validators-0.33.0",
             "relationshipType": "DEPENDS_ON"
         },
         {
             "spdxElementId": "SPDXRef-DOCUMENT",
-            "relatedSpdxElement": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1",
+            "relatedSpdxElement": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6",
             "relationshipType": "DESCRIBES"
         }
     ]

diff --git a/...n-chain-telco-sbom-validator-0.1.spdx.yml → ...chain-telco-sbom-validator-0.1.6.spdx.yml b/...n-chain-telco-sbom-validator-0.1.spdx.yml → ...chain-telco-sbom-validator-0.1.6.spdx.yml
@@ -7,18 +7,18 @@ creationInfo:
   - 'Tool: Nokia Compliance Tool - 1.0'
   licenseListVersion: '3.22'
 dataLicense: CC0-1.0
-documentNamespace: https://nokia.com/spdx/open-chain-telco-sbom-validator-0.1
-name: open-chain-telco-sbom-validator-0.1
+documentNamespace: https://nokia.com/spdx/openchain-telco-sbom-validator-0.1.6
+name: openchain-telco-sbom-validator-0.1.6
 packages:
-- SPDXID: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1
+- SPDXID: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6
   checksums:
   - algorithm: SHA256
     checksumValue: d74a3c7142c82926b73d6928c04dc85e5759b649b403e024d7a44e9998415177
   copyrightText: (c) 2024 Nokia Authors Gergely Csatari, Marc-Etienne Vargenau
   downloadLocation: NONE
   externalRefs:
   - referenceCategory: PACKAGE_MANAGER
-    referenceLocator: pkg:pypi/[email protected]
+    referenceLocator: pkg:pypi/[email protected].6
     referenceType: purl
   filesAnalyzed: false
   homepage: https://github.com/OpenChain-Project/Telco-WG/tree/main/tools
@@ -27,7 +27,7 @@ packages:
   name: openchain_telco_sbom_validator-with-requirements-requirements.txt
   originator: 'Organization: Nokia'
   supplier: 'Organization: Nokia'
-  versionInfo: '0.1'
+  versionInfo: 0.1.6
 - SPDXID: SPDXRef-Package-PyPI-beartype-0.18.5
   checksums:
   - algorithm: SHA256
@@ -585,20 +585,20 @@ relationships:
   spdxElementId: SPDXRef-Package-PyPI-spdx-tools-0.8.2
 - relatedSpdxElement: SPDXRef-Package-PyPI-ntia-conformance-checker-3.0.0
   relationshipType: DEPENDS_ON
-  spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1
+  spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6
 - relatedSpdxElement: SPDXRef-Package-PyPI-packageurl-python-0.15.6
   relationshipType: DEPENDS_ON
-  spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1
+  spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6
 - relatedSpdxElement: SPDXRef-Package-PyPI-prettytable-3.11.0
   relationshipType: DEPENDS_ON
-  spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1
+  spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6
 - relatedSpdxElement: SPDXRef-Package-PyPI-requests-2.32.3
   relationshipType: DEPENDS_ON
-  spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1
+  spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6
 - relatedSpdxElement: SPDXRef-Package-PyPI-validators-0.33.0
   relationshipType: DEPENDS_ON
-  spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1
-- relatedSpdxElement: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1
+  spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6
+- relatedSpdxElement: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6
   relationshipType: DESCRIBES
   spdxElementId: SPDXRef-DOCUMENT
 spdxVersion: SPDX-2.2
diff --git a/...om-validator-0.1_disclosure_document.html → ...-validator-0.1.6_disclosure_document.html b/...om-validator-0.1_disclosure_document.html → ...-validator-0.1.6_disclosure_document.html
diff --git a/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py b/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py
@@ -96,7 +96,7 @@ def __init__(self):
         return None
 
     def validate(self, filePath, strict_purl_check=False, strict_url_check=False, functionRegistry:FunctionRegistry = FunctionRegistry()):
-        """ Validates, Returns a status and a list of problems. filePath: Path to the SPDX file to validate. strict_purl_check: Not only checks the syntax of the PURL, but also cecks if the package can be downloaded. strict_url_check: Checks if the given URLs in PackageHomepages can be accesses."""
+        """ Validates, Returns a status and a list of problems. filePath: Path to the SPDX file to validate. strict_purl_check: Not only checks the syntax of the PURL, but also checks if the package can be downloaded. strict_url_check: Checks if the given URLs in PackageHomepages can be accessed."""
 
         try:
             doc = parse_anything.parse_file(filePath)
@@ -213,9 +213,9 @@ def validate(self, filePath, strict_purl_check=False, strict_url_check=False, fu
             else:
                 logger.debug(f"Package homepage is ({package.homepage})")
                 if not validators.url(package.homepage):
-                    logger.debug("Package homepage is not a valid url")
+                    logger.debug("Package homepage is not a valid URL")
                     # Adding this to the problem list is not needed as the SPDX validator also adds it
-                    # problems.append(["Invalid field in Package", package.spdx_id, package.name, f"PackageHomePage is not a valid url ({package.homepage})"])
+                    # problems.append(["Invalid field in Package", package.spdx_id, package.name, f"PackageHomePage is not a valid URL ({package.homepage})"])
                 else:
                     if strict_url_check:
                         try: