fix: properly output and read the filesAnalyzed field in JSON/YAML (#210

)

Signed-off-by: Keith Zantow <kzantow@gmail.com>

examples/sample-docs/json/SPDXJSONExample-v2.2.spdx.json

@@ -126,7 +126,6 @@
       "referenceLocator" : "pkg:maven/org.apache.jena/apache-jena@3.12.0",
       "referenceType" : "purl"
     } ],
-    "filesAnalyzed" : false,
     "homepage" : "http://www.openjena.org/",
     "licenseConcluded" : "NOASSERTION",
     "licenseDeclared" : "NOASSERTION",

examples/sample-docs/json/SPDXJSONExample-v2.3.spdx.json

@@ -97,6 +97,7 @@
       "name": "Apache Commons Lang",
       "SPDXID": "SPDXRef-fromDoap-1",
       "downloadLocation": "NOASSERTION",
+      "filesAnalyzed": false,
       "homepage": "http://commons.apache.org/proper/commons-lang/",
       "licenseConcluded": "NOASSERTION",
       "licenseDeclared": "NOASSERTION",
@@ -125,6 +126,7 @@
       "versionInfo": "8.8",
       "packageFileName": "saxonB-8.8.zip",
       "downloadLocation": "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download",
+      "filesAnalyzed": false,
       "checksums": [
         {
           "algorithm": "SHA1",

examples/sample-docs/tv/SPDXTagExample-v2.3.spdx

@@ -92,7 +92,7 @@ PrimaryPackagePurpose: CONTAINER
 ReleaseDate: 2021-10-15T02:38:00Z
 BuiltDate: 2021-09-15T02:38:00Z
 ValidUntilDate: 2022-10-15T02:38:00Z
-FilesAnalyzed: false
+FilesAnalyzed: true
 PackageHomePage: https://www.centos.org/
 PackageCopyrightText: NOASSERTION
 PackageDescription: The CentOS container used to run the application.
@@ -148,7 +148,7 @@ PackageName: Jena
 SPDXID: SPDXRef-fromDoap-0
 PackageVersion: 3.12.0
 PackageDownloadLocation: https://search.maven.org/remotecontent?filepath=org/apache/jena/apache-jena/3.12.0/apache-jena-3.12.0.tar.gz
-FilesAnalyzed: false
+FilesAnalyzed: true
 PackageHomePage: http://www.openjena.org/
 PackageLicenseConcluded: NOASSERTION
 PackageLicenseDeclared: NOASSERTION

examples/sample-docs/yaml/SPDXYAMLExample-2.2.spdx.yaml

@@ -217,7 +217,6 @@ packages:
   - referenceCategory: "PACKAGE_MANAGER"
     referenceLocator: "pkg:maven/org.apache.jena/apache-jena@3.12.0"
     referenceType: "purl"
-  filesAnalyzed: false
   homepage: "http://www.openjena.org/"
   licenseConcluded: "NOASSERTION"
   licenseDeclared: "NOASSERTION"

examples/sample-docs/yaml/SPDXYAMLExample-2.3.spdx.yaml

@@ -309,6 +309,7 @@ packages:
 - SPDXID: SPDXRef-fromDoap-1
   copyrightText: NOASSERTION
   downloadLocation: NOASSERTION
+  filesAnalyzed: false
   homepage: http://commons.apache.org/proper/commons-lang/
   licenseConcluded: NOASSERTION
   licenseDeclared: NOASSERTION
@@ -331,6 +332,7 @@ packages:
     checksumValue: 85ed0817af83a24ad8da68c2b5094de69833983c
   copyrightText: Copyright Saxonica Ltd
   description: The Saxon package is a collection of tools for processing XML documents.
+  filesAnalyzed: false
   downloadLocation: https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download
   homepage: http://saxon.sourceforge.net/
   licenseComments: Other versions available for a commercial license

spdx/v2/v2_2/example/example.go

@@ -123,8 +123,9 @@ var example = spdx.Document{
 				Originator:     "ExampleCodeInspect (contact@example.com)",
 				OriginatorType: "Organization",
 			},
-			PackageDownloadLocation: "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz",
-			FilesAnalyzed:           true,
+			PackageDownloadLocation:   "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz",
+			FilesAnalyzed:             true,
+			IsFilesAnalyzedTagPresent: true,
 			PackageVerificationCode: common.PackageVerificationCode{
 				Value:         "d6a770ba38583ed4bb4525bd96e50461655d2758",
 				ExcludedFiles: []string{"./package.spdx"},
@@ -187,14 +188,15 @@ var example = spdx.Document{
 			},
 		},
 		{
-			PackageSPDXIdentifier:   "fromDoap-1",
-			PackageCopyrightText:    "NOASSERTION",
-			PackageDownloadLocation: "NOASSERTION",
-			FilesAnalyzed:           false,
-			PackageHomePage:         "http://commons.apache.org/proper/commons-lang/",
-			PackageLicenseConcluded: "NOASSERTION",
-			PackageLicenseDeclared:  "NOASSERTION",
-			PackageName:             "Apache Commons Lang",
+			PackageSPDXIdentifier:     "fromDoap-1",
+			PackageCopyrightText:      "NOASSERTION",
+			PackageDownloadLocation:   "NOASSERTION",
+			FilesAnalyzed:             false,
+			IsFilesAnalyzedTagPresent: true,
+			PackageHomePage:           "http://commons.apache.org/proper/commons-lang/",
+			PackageLicenseConcluded:   "NOASSERTION",
+			PackageLicenseDeclared:    "NOASSERTION",
+			PackageName:               "Apache Commons Lang",
 		},
 		{
 			PackageName:             "Jena",
@@ -208,11 +210,12 @@ var example = spdx.Document{
 					Locator:  "pkg:maven/org.apache.jena/apache-jena@3.12.0",
 				},
 			},
-			FilesAnalyzed:           false,
-			PackageHomePage:         "http://www.openjena.org/",
-			PackageLicenseConcluded: "NOASSERTION",
-			PackageLicenseDeclared:  "NOASSERTION",
-			PackageVersion:          "3.12.0",
+			FilesAnalyzed:             true,
+			IsFilesAnalyzedTagPresent: false,
+			PackageHomePage:           "http://www.openjena.org/",
+			PackageLicenseConcluded:   "NOASSERTION",
+			PackageLicenseDeclared:    "NOASSERTION",
+			PackageVersion:            "3.12.0",
 		},
 		{
 			PackageSPDXIdentifier: "Saxon",
@@ -222,17 +225,18 @@ var example = spdx.Document{
 					Value:     "85ed0817af83a24ad8da68c2b5094de69833983c",
 				},
 			},
-			PackageCopyrightText:    "Copyright Saxonica Ltd",
-			PackageDescription:      "The Saxon package is a collection of tools for processing XML documents.",
-			PackageDownloadLocation: "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download",
-			FilesAnalyzed:           false,
-			PackageHomePage:         "http://saxon.sourceforge.net/",
-			PackageLicenseComments:  "Other versions available for a commercial license",
-			PackageLicenseConcluded: "MPL-1.0",
-			PackageLicenseDeclared:  "MPL-1.0",
-			PackageName:             "Saxon",
-			PackageFileName:         "saxonB-8.8.zip",
-			PackageVersion:          "8.8",
+			PackageCopyrightText:      "Copyright Saxonica Ltd",
+			PackageDescription:        "The Saxon package is a collection of tools for processing XML documents.",
+			PackageDownloadLocation:   "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download",
+			FilesAnalyzed:             false,
+			IsFilesAnalyzedTagPresent: true,
+			PackageHomePage:           "http://saxon.sourceforge.net/",
+			PackageLicenseComments:    "Other versions available for a commercial license",
+			PackageLicenseConcluded:   "MPL-1.0",
+			PackageLicenseDeclared:    "MPL-1.0",
+			PackageName:               "Saxon",
+			PackageFileName:           "saxonB-8.8.zip",
+			PackageVersion:            "8.8",
 		},
 	},
 	Files: []*spdx.File{

spdx/v2/v2_2/json/json_test.go

@@ -71,6 +71,11 @@ func TestLoad(t *testing.T) {
 func Test_Write(t *testing.T) {
 	want := example.Copy()
 
+	// we always output FilesAnalyzed, even though we handle reading files where it is omitted
+	for _, p := range want.Packages {
+		p.IsFilesAnalyzedTagPresent = true
+	}
+
 	w := &bytes.Buffer{}
 
 	if err := json.Write(&want, w); err != nil {
@@ -153,16 +158,19 @@ func Test_ShorthandFields(t *testing.T) {
 			{
 				PackageName:           "Container",
 				PackageSPDXIdentifier: "Container",
+				FilesAnalyzed:         true,
 			},
 			{
 				PackageName:           "Package-1",
 				PackageSPDXIdentifier: "Package-1",
 				PackageVersion:        "1.1.1",
+				FilesAnalyzed:         true,
 			},
 			{
 				PackageName:           "Package-2",
 				PackageSPDXIdentifier: "Package-2",
 				PackageVersion:        "2.2.2",
+				FilesAnalyzed:         true,
 			},
 		},
 		Files: []*spdx.File{
@@ -272,6 +280,7 @@ func Test_JsonEnums(t *testing.T) {
 			{
 				PackageName:           "Container",
 				PackageSPDXIdentifier: "Container",
+				FilesAnalyzed:         true,
 			},
 			{
 				PackageName:           "Package-1",
@@ -284,6 +293,7 @@ func Test_JsonEnums(t *testing.T) {
 						Locator:  "pkg:somepkg/ns/name1",
 					},
 				},
+				FilesAnalyzed: true,
 			},
 			{
 				PackageName:           "Package-2",
@@ -296,6 +306,7 @@ func Test_JsonEnums(t *testing.T) {
 						Locator:  "pkg:somepkg/ns/name2",
 					},
 				},
+				FilesAnalyzed: true,
 			},
 			{
 				PackageName:           "Package-3",
@@ -308,6 +319,7 @@ func Test_JsonEnums(t *testing.T) {
 						Locator:  "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64",
 					},
 				},
+				FilesAnalyzed: true,
 			},
 			{
 				PackageName:           "Package-4",
@@ -320,6 +332,7 @@ func Test_JsonEnums(t *testing.T) {
 						Locator:  "gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64",
 					},
 				},
+				FilesAnalyzed: true,
 			},
 		},
 		Relationships: []*spdx.Relationship{

spdx/v2/v2_2/package.go

@@ -48,7 +48,7 @@ type Package struct {
 
 	// 7.8: FilesAnalyzed
 	// Cardinality: optional, one; default value is "true" if omitted
-	FilesAnalyzed bool `json:"filesAnalyzed,omitempty"`
+	FilesAnalyzed bool `json:"filesAnalyzed"`
 	// NOT PART OF SPEC: did FilesAnalyzed tag appear?
 	IsFilesAnalyzedTagPresent bool `json:"-"`
 
@@ -125,7 +125,8 @@ type Package struct {
 func (p *Package) UnmarshalJSON(b []byte) error {
 	type pkg Package
 	type extras struct {
-		HasFiles []common.DocElementID `json:"hasFiles"`
+		HasFiles      []common.DocElementID `json:"hasFiles"`
+		FilesAnalyzed *bool                 `json:"filesAnalyzed"`
 	}
 
 	var p2 pkg
@@ -141,6 +142,12 @@ func (p *Package) UnmarshalJSON(b []byte) error {
 	*p = Package(p2)
 
 	p.hasFiles = e.HasFiles
+	// FilesAnalyzed defaults to true if omitted
+	if e.FilesAnalyzed == nil {
+		p.FilesAnalyzed = true
+	} else {
+		p.IsFilesAnalyzedTagPresent = true
+	}
 
 	return nil
 }

spdx/v2/v2_2/yaml/yaml_test.go

@@ -69,6 +69,11 @@ func Test_Read(t *testing.T) {
 func Test_Write(t *testing.T) {
 	want := example.Copy()
 
+	// we always output FilesAnalyzed, even though we handle reading files where it is omitted
+	for _, p := range want.Packages {
+		p.IsFilesAnalyzedTagPresent = true
+	}
+
 	w := &bytes.Buffer{}
 	if err := yaml.Write(want, w); err != nil {
 		t.Errorf("Save() error = %v", err.Error())

spdx/v2/v2_3/example/example.go

@@ -123,8 +123,9 @@ var example = spdx.Document{
 				Originator:     "ExampleCodeInspect (contact@example.com)",
 				OriginatorType: "Organization",
 			},
-			PackageDownloadLocation: "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz",
-			FilesAnalyzed:           true,
+			PackageDownloadLocation:   "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz",
+			FilesAnalyzed:             true,
+			IsFilesAnalyzedTagPresent: true,
 			PackageVerificationCode: &common.PackageVerificationCode{
 				Value:         "d6a770ba38583ed4bb4525bd96e50461655d2758",
 				ExcludedFiles: []string{"./package.spdx"},
@@ -187,14 +188,15 @@ var example = spdx.Document{
 			},
 		},
 		{
-			PackageSPDXIdentifier:   "fromDoap-1",
-			PackageCopyrightText:    "NOASSERTION",
-			PackageDownloadLocation: "NOASSERTION",
-			FilesAnalyzed:           false,
-			PackageHomePage:         "http://commons.apache.org/proper/commons-lang/",
-			PackageLicenseConcluded: "NOASSERTION",
-			PackageLicenseDeclared:  "NOASSERTION",
-			PackageName:             "Apache Commons Lang",
+			PackageSPDXIdentifier:     "fromDoap-1",
+			PackageCopyrightText:      "NOASSERTION",
+			PackageDownloadLocation:   "NOASSERTION",
+			FilesAnalyzed:             false,
+			IsFilesAnalyzedTagPresent: true,
+			PackageHomePage:           "http://commons.apache.org/proper/commons-lang/",
+			PackageLicenseConcluded:   "NOASSERTION",
+			PackageLicenseDeclared:    "NOASSERTION",
+			PackageName:               "Apache Commons Lang",
 		},
 		{
 			PackageName:             "Jena",
@@ -208,11 +210,12 @@ var example = spdx.Document{
 					Locator:  "pkg:maven/org.apache.jena/apache-jena@3.12.0",
 				},
 			},
-			FilesAnalyzed:           false,
-			PackageHomePage:         "http://www.openjena.org/",
-			PackageLicenseConcluded: "NOASSERTION",
-			PackageLicenseDeclared:  "NOASSERTION",
-			PackageVersion:          "3.12.0",
+			FilesAnalyzed:             true,
+			IsFilesAnalyzedTagPresent: false,
+			PackageHomePage:           "http://www.openjena.org/",
+			PackageLicenseConcluded:   "NOASSERTION",
+			PackageLicenseDeclared:    "NOASSERTION",
+			PackageVersion:            "3.12.0",
 		},
 		{
 			PackageSPDXIdentifier: "Saxon",
@@ -222,25 +225,26 @@ var example = spdx.Document{
 					Value:     "85ed0817af83a24ad8da68c2b5094de69833983c",
 				},
 			},
-			PackageCopyrightText:    "Copyright Saxonica Ltd",
-			PackageDescription:      "The Saxon package is a collection of tools for processing XML documents.",
-			PackageDownloadLocation: "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download",
-			FilesAnalyzed:           false,
-			PackageHomePage:         "http://saxon.sourceforge.net/",
-			PackageLicenseComments:  "Other versions available for a commercial license",
-			PackageLicenseConcluded: "MPL-1.0",
-			PackageLicenseDeclared:  "MPL-1.0",
-			PackageName:             "Saxon",
-			PackageFileName:         "saxonB-8.8.zip",
-			PackageVersion:          "8.8",
+			PackageCopyrightText:      "Copyright Saxonica Ltd",
+			PackageDescription:        "The Saxon package is a collection of tools for processing XML documents.",
+			PackageDownloadLocation:   "https://sourceforge.net/projects/saxon/files/Saxon-B/8.8.0.7/saxonb8-8-0-7j.zip/download",
+			FilesAnalyzed:             false,
+			IsFilesAnalyzedTagPresent: true,
+			PackageHomePage:           "http://saxon.sourceforge.net/",
+			PackageLicenseComments:    "Other versions available for a commercial license",
+			PackageLicenseConcluded:   "MPL-1.0",
+			PackageLicenseDeclared:    "MPL-1.0",
+			PackageName:               "Saxon",
+			PackageFileName:           "saxonB-8.8.zip",
+			PackageVersion:            "8.8",
 		},
 		{
 			PrimaryPackagePurpose:   "CONTAINER",
 			PackageSPDXIdentifier:   "CentOS-7",
 			PackageCopyrightText:    "NOASSERTION",
 			PackageDescription:      "The CentOS container used to run the application.",
 			PackageDownloadLocation: "NOASSERTION",
-			FilesAnalyzed:           false,
+			FilesAnalyzed:           true,
 			PackageHomePage:         "https://www.centos.org/",
 			PackageName:             "centos",
 			PackageFileName:         "saxonB-8.8.zip",