Bump spdx-tools from 0.8.1 to 0.8.2

[dependabot]

Bumps spdx-tools from 0.8.1 to 0.8.2.

Release notes

Sourced from spdx-tools's releases.

v0.8.2

What's Changed

• add encoding parameter for parsing files by @​chrisdecker1201 in spdx/tools-python#756
• [issue-754] output FilesAnalyzed boolean in lowercase in tag-value by @​armintaenzertng in spdx/tools-python#757
• [issue-753] only allow lowercase values for FilesAnalyzed in tag-value by @​armintaenzertng in spdx/tools-python#758
• fix(validation): also allow URLs in download locations by @​maxhbr in spdx/tools-python#763
• implement recommended UTF-8 encoding for reading and writing SPDX files by @​chrisdecker1201 in spdx/tools-python#759
• fix(validation): fix error generation in expression validator by @​maxhbr in spdx/tools-python#765
• add documentation on the code architecture by @​armintaenzertng in spdx/tools-python#752
• Handle timezone-aware datetime objects when writing SPDX. by @​licquia in spdx/tools-python#768
• update changelog for 0.8.2 release by @​armintaenzertng in spdx/tools-python#769

Full Changelog: spdx/tools-python@v0.8.1...v0.8.2

Changelog

Sourced from spdx-tools's changelog.

v0.8.2 (2023-10-12)

New features and changes

• added optional encoding parameter for parsing files
• fixed handling of the FilesAnalyzed field in Tag-Value format
• fixed the validation of the DownloadLocation field
• fixed the error handling while parsing license expressions
• fixed output of timezone-sensitive datetimes
• added code architecture documentation

Contributors

This release was made possible by the following contributors. Thank you very much!

• Christian Decker @​chrisdecker1201
• Jeff Licquia @​licquia
• Maximilian Huber @​maxhbr
• Armin Tänzer @​armintaenzertng

Commits

• 32e74cd update changelog for 0.8.2 release
• f0873eb Properly install tzdata for GitHub Actions.
• 195e244 Handle timezone-aware datetime objects when writing SPDX.
• 248394c add documentation about the code architecture
• 40d1d8e fix(validation): fix error generation in expression validator
• e08e4d2 Merge pull request #759 from HomagGroup/feature/encoding_compliance
• e8ae39d Merge branch 'main' into feature/encoding_compliance
• ed9a135 fix(validation): also allow URLs in download locations
• a1584b7 implement recommended UTF-8 encoding for reading and writing SPDX files
• 3d3100a [issue-753] only allow lowercase values for FilesAnalyzed in tag-value
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[jspeed-meyers]

Hmmm, there are some failing test cases. Debugging help and PRs welcome!

What's going on?

[goneall]

@jspeed-meyers - It looks like the valid SPDX version format changed from SPDX-2.3 to 2.3 based on this test code in the Python libraries.

I wasn't able to track down where the change occurred - since this PR updates the version of python-tools, I assume something changed in that library but I couldn't track it down.

@armintaenzertng - any thoughts?

Here's the function that's returning false:

ntia-conformance-checker/ntia_conformance_checker/sbom_checker.py

Line 57 in cbafec7

def check_doc_version(self):

[jspeed-meyers]

Thank you, @goneall.

If that's the case, I could add to this PR changes to those SPDX documents in our test suite.

[armintaenzertng]

There have been no changes to the spdx_version field in the last update. The correct format is still SPDX-2.2 or SPDX-2.3, see here. The test that @goneall mentioned could be "fixed" to use the valid formats but since it's only a unit test (i.e. no validation function comes into play there), it doesn't really matter. I assume the error lies elsewhere.

[armintaenzertng]

So the error is here and reads

'SbomChecker' object has no attribute 'doc_version'.

So the problem is that doc_version never gets set on the SbomChecker object. For example, this could happen if we run into an SPDXParsingError here. Related to that: There has been a change in the validation of the FilesAnalyzed field in Tag-Value format in 0.8.2.

[armintaenzertng]

So I'm pretty sure the issue arises due to the fix of this issue.
That is, in order to be more spec-compliant, we only allow the all-lower-case (!) true and false as valid values for FilesAnalyzed in Tag-Value format. The test files in this repo should be updated accordingly.

[jspeed-meyers]

@armintaenzertng, ahhhh. Thank you!

@goneall: Let me add these changes to this PR.

[jspeed-meyers]

Okay, fixed. Thank you @armintaenzertng!

Ready for review :)

[goneall]

LGTM

Thanks @armintaenzertng and @jspeed-meyers

[jspeed-meyers]

Thank you, @goneall!