feat(SPDX): Use new SPDX library (#1496)

[tuannn2]

Signed-off-by: Nguyen Nhu Tuan tuan2.nguyennhu@toshiba.co.jp

Please provide a summary of your changes here.

• Which issue is this pull request belonging to and how is it solving it? (Refer to issue here)
• Did you add or update any new dependencies that are required for your change?

Issue: #1496

Suggest Reviewer

You can suggest reviewers here with an @mention.

How To Test?

Import SPDX BOM in Project page

Use file bom.spdx.rdf.zip

Steps

1. Go to project page
2. Click "Import SPDX BOM" button
3. Upload bom.spdx.rdf file

Validate

• "asoftware (1.1)" project was created
• "Browser", "Buffer" and "CompressionEng" components were created
• "Browser(2.1)", "Buffer(2.2)" and "CompressionEng 3.1" were created
• linked releases of "asoftware (1.1)" project are Browser(2.1) and Buffer(2.2)
• linked release of "Browser(2.1)" is "CompressionEng 3.1"

Import SPDX BOM in Component page

Use file bom.spdx.rdf.zip

Steps

1. Go to component page
2. Click "Import SPDX BOM" button
3. Upload bom.spdx.rdf file

Validate

• "asoftware", "Browser", "Buffer" and "CompressionEng" components were created
• "asoftware (1.1)", "Browser(2.1)", "Buffer(2.2)" and "CompressionEng 3.1" were created
• linked releases of "asoftware (1.1)" release are Browser(2.1) and Buffer(2.2)
• linked release of "Browser(2.1)" is "CompressionEng 3.1"

Import SPDX license to release

Use file
SPDX2_zlib128.zip_example-spdx.2.rdf.zip

Steps

1. Go to the edit page of Release Buffer(2.2)
2. In Attachments tab, add attachment SPDX2_time-1.9.tar.gz_1535120734-spdx.rdf
3. Click "Update Release" button
4. In the view page of Release Buffer(2.2), click Fossology icon to scan license on "Clearing details" tab
5. Click "Show License Info" button
6. Click "Add data to this release" button

Validate

• At step 4th, the result same as the image

• At step 6th, the result same as the image
  

Generate License Info in Project page

Steps

1. Go to the details page of "asoftware (1.1)" project
2. In "License Clearing" tab, click Generate License Info (project only) link

Validate

• Readme generation was created same as the image
  

Checklist

Must:

• All related issues are referenced in commit messages and in PR

[KoukiHama]

This PR does not change any SW360 functionality, it just changes the SPDX library used by SW360.
Testing should confirm that all existing SPDX related functionality is working fine.

Like this sw360vagrant PR, sw360/sw360vagrant#38 (comment)

-> tested with SPDX BOM import, SPDX license impoart and readme generation -> works nicely. Files used:

[SPDX2_time-1.9.tar.gz_1535120734-spdx.rdf.zip](https://github.com/sw360/sw360vagrant/files/6058100/SPDX2_time-1.9.tar.gz_1535120734-spdx.rdf.zip)
[SPDX2_zlib128.zip_example-spdx 2.rdf.zip](https://github.com/sw360/sw360vagrant/files/6058101/SPDX2_zlib128.zip_example-spdx.2.rdf.zip)

[tienlee]

I would like to attach the slides which are used in our telco today.
Let's keep to discuss the json format between anchore/syft and a perfect SPDX file (SPDXJSONExample-v2.2.spdx.json)

SW360-20220831 - Demo1594.pptx

[akapti]

Hi @tuannn2
I feel that rebase didn't went well, because PR contains changes which is totally unrelated to SPDX library upgrade.

for example:

It includes changes related to ChangeLogs in following file: https://github.com/eclipse/sw360/pull/1594/files#diff-29f4181fef7f3e6f651dde38f70234ffa90ccc0f7cfebb9cdd258071f8aa2e01 , https://github.com/eclipse/sw360/pull/1594/files#diff-e06edfe0b28e68467281adcf719a12122b6ca9565682e3523ea33ed4d39a52c7, https://github.com/eclipse/sw360/pull/1594/files#diff-7b84421f5372707112717574bd301252e3c831d747c1164593d83a2dbde26acf and few more files.

also the PR contains changes related to Thrift configuration in following files: https://github.com/eclipse/sw360/pull/1594/files#diff-c70fecc2e6dc5d8dc0441ca5fa4c26f109ebd954b2192cf3b4b5def24e24f23f

also removed changes related to Reading Obligation from README OSS in following files: https://github.com/eclipse/sw360/pull/1594/files#diff-74ca1a57d71f7fae13d891c82005a0a933bc9d39ab88b105ac531dc50f31712eL2706 and https://github.com/eclipse/sw360/pull/1594/files#diff-a47079862cba8e2c7eb02695e28dcd5e1016bdca7338e88075985b5dcb0e80baL308

Let me know in case I am wrong or if I missed something.
Or Can you please explain why changes related to ChangeLogs, Thrift configuration and ReadMe OSS obligations are part of this PR?

[tuannn2]

Thank you for your reviewing, @akapti.
I will check and reply to you as soon as possible!

[akapti]

I have only reviewed the code.
will do the testing later.
Kindly incorporate the requested changes.

UPDATE: tested the changes, SPDX functionality is working fine with updated spdx library.

[tienlee]

@akapti and @heliocastro , we have committed to new changes. Please help me to check these changes.

[mcjaeger]

(from meeting:) needs re-review and re-test after PR comments have been implemented

[akapti]

Suggested some minor review comments. Please incorporate.

Tested the feature and it's working fine without any issues.

[tienlee]

Suggested some minor review comments. Please incorporate.

Tested the feature and it's working fine without any issues.

Thank you very much. We will fix these minor defects soon.

[akapti]

Code looks good to me.
Tested the changes and it's working as expected.

[akapti]

@tuannn2 @KoukiHama @ag4ums
The existing ( and old SBOM ) import functionality is such that whenever we import components from SBOM it does not set the component type field in component.
Since Component type is mandatory field in UI and REST API while creating the component.
It would be really good if we can set the component type to OSS while importing the components from SBOM.

Kindly include this change in the current PR if possible, or else create a new PR.

[KoukiHama]

@akapti @ag4ums

ok. I agree the idea about components type field

Could you merge this PR and make new issue and assign it to me?

base on the issue, we will make new PR as soon as possible.

[KoukiHama]

@akapti @ag4ums

It would be really good if we can set the component type to OSS while importing the components from SBO

we want to do it as new issue.

[KoukiHama]

@tienlee do you have idea about component type issue.

[tienlee]

@tienlee do you have idea about component type issue.

I think this is a bug from the old version. Please create new issue and I will fix it.

[akapti]

I think this is a bug from the old version. Please create new issue and I will fix it.

Created an new issue #1658 .
You can work on the above issue once this PR is merged.
This is present in current main branch as well (an existing issue)