Add support for SPDX Spec version 3 (#167)

* Updated for SPDX spec version 3 changes to the library

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

* Remove type from ModelCopyManager interface

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

* Partial implementation of SPDX 3 support

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

* Implented SpdxConverter for SPDX V3

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

* Implement verify for spec version 3

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

* Update to SPDX 3.0.1

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

* Fix schema and update deps for release

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

* Handle JSON-LD files that may end in '.json'

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

* Remove unused dependency check suppresses

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

---------

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

Author: goneall

dependency-check-supress.xml

@@ -1,34 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
-   <suppress>
-      <notes><![CDATA[
-      The feature referenced in the CVE is not used by this software.
-      file name: guava-28.2-android.jar
-      ]]></notes>
-      <packageUrl regex="true">^pkg:maven/com\.google\.guava/guava@.*$</packageUrl>
-      <cve>CVE-2020-8908</cve>
-   </suppress>
-   <suppress>
-      <notes><![CDATA[
-      The feature referenced in the CVE is not used by this software.
-      file name: poi-4.1.2.jar
-      ]]></notes>
-      <packageUrl regex="true">^pkg:maven/org\.apache\.poi/poi@.*$</packageUrl>
-      <cve>CVE-2022-26336</cve>
-   </suppress>
-   <suppress>
-      <notes><![CDATA[
-      The feature referenced in the CVE is not used by this software.
-      file name: poi-ooxml-4.1.2.jar
-      ]]></notes>
-      <packageUrl regex="true">^pkg:maven/org\.apache\.poi/poi\-ooxml@.*$</packageUrl>
-      <cve>CVE-2022-26336</cve>
-   </suppress>
-   <suppress>
-      <notes><![CDATA[
-      file name: poi-ooxml-schemas-4.1.2.jar
-      ]]></notes>
-      <packageUrl regex="true">^pkg:maven/org\.apache\.poi/poi\-ooxml\-schemas@.*$</packageUrl>
-      <cve>CVE-2022-26336</cve>
-   </suppress>
+
 </suppressions>

…/spdx/examples/ExistingSpdxDocument.java …amples/ExistingSpdxDocumentV2Compat.javaexamples/org/spdx/examples/ExistingSpdxDocument.java renamed to examples/org/spdx/examples/ExistingSpdxDocumentV2Compat.java examples/org/spdx/examples/ExistingSpdxDocument.java renamed to examples/org/spdx/examples/ExistingSpdxDocumentV2Compat.java

@@ -10,23 +10,23 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.Collection;
-import java.util.Optional;
+import java.util.List;
+import java.util.stream.Collectors;
 
 import org.spdx.jacksonstore.MultiFormatStore;
 import org.spdx.jacksonstore.MultiFormatStore.Format;
-import org.spdx.library.InvalidSPDXAnalysisException;
+import org.spdx.core.InvalidSPDXAnalysisException;
 import org.spdx.library.ModelCopyManager;
-import org.spdx.library.SpdxConstants;
-import org.spdx.library.model.ModelObject;
-import org.spdx.library.model.SpdxDocument;
-import org.spdx.library.model.SpdxElement;
-import org.spdx.library.model.SpdxModelFactory;
+import org.spdx.library.SpdxModelFactory;
+import org.spdx.library.model.v2.SpdxConstantsCompatV2;
+import org.spdx.library.model.v2.SpdxDocument;
+import org.spdx.library.model.v2.SpdxElement;
 import org.spdx.storage.ISerializableModelStore;
 import org.spdx.storage.simple.InMemSpdxStore;
 
 /**
- * This example demonstrate opening an existing SPDX document and accessing it.  The format
- * for this example is assumed to be JSON (e.g. the output of the SimpleSpdxDocument example).
+ * This example demonstrate opening an existing SPDX spec version 2.X document and accessing it.  The format
+ * for this example is assumed to be JSON (e.g. the output of the SimpleSpdxDocumentV2Compat example).
  * Different format can be used by using the associated store rather than the spdx-jackson store
  * (e.g. spdx-spreadsheet-store, spdx-tagvalue-store, or the spdx-rdf-store).
  * 
@@ -35,7 +35,7 @@
  * @author Gary O'Neall
  *
  */
-public class ExistingSpdxDocument {
+public class ExistingSpdxDocumentV2Compat {
 
 	/**
 	 * @param args args[0] is the file path containing the SPDX document
@@ -74,10 +74,10 @@ public static void main(String[] args) {
 		 * license information over to the document model store
 		 */
 		ModelCopyManager copyManager = new ModelCopyManager();
-		String documentUri = null;
 		// Let's deseralize the document
 		try (InputStream stream = new FileInputStream(inputFile)) {
-			documentUri = modelStore.deSerialize(stream, false);
+			modelStore.deSerialize(stream, false);
+			
 		} catch (FileNotFoundException e1) {
 			System.out.println("Input file does not exist: "+args[0]);
 			System.exit(1);
@@ -90,22 +90,20 @@ public static void main(String[] args) {
 		}
 		// Now that the document is deserialized, we can access it using the SpdxModelFactory
 		try {
-			// To access the existing document, simply create the SPDX document passing in the 
-			// model store and document URI as parameters
-			SpdxDocument document = new SpdxDocument(modelStore, documentUri, copyManager, false);
+			// To find all the SPDX documents in the model store, use the getObjects method from the
+			// SpdxModelFactory passing in the SpdxDocument type
+			// When using the factory method, we have to type cast the result
+			@SuppressWarnings("unchecked")
+			List<SpdxDocument> allDocs = (List<SpdxDocument>) SpdxModelFactory.getSpdxObjects(modelStore, copyManager, 
+					SpdxConstantsCompatV2.CLASS_SPDX_DOCUMENT, null, null)
+					.collect(Collectors.toList());
+			SpdxDocument document = allDocs.get(0);
+			String documentUri = document.getDocumentUri();
+			// If you know the document URI, you can simply create an SPDX document using the followint constructor
+			SpdxDocument document2 = new SpdxDocument(modelStore, documentUri, copyManager, false);
 			// Note that all class objects in the Spdx Java Library follow the same pattern - 
 			// to access any existing object in the store, simply create the object passing in 
 			// the document URI, model store and the ID for the object
-			
-			// Another (more cumbersome) approach is to use the model factory
-			Optional<ModelObject> optionalDocument2 = SpdxModelFactory.getModelObject(modelStore, documentUri, SpdxConstants.SPDX_DOCUMENT_ID, copyManager);
-			if (!optionalDocument2.isPresent()) {
-				System.out.println("The SPDX document is not present in the model");
-				// Note - this should never happen
-				System.exit(1);
-			}
-			// When using the factory method, we have to type cast the result
-			SpdxDocument document2 = (SpdxDocument)optionalDocument2.get();
 			// Since the 2 documents are just references to the same object, they will always be equivalent
 			if (!document.equivalent(document2)) {
 				System.out.println("Oops - these 2 documents should be the same");

…rg/spdx/examples/SimpleSpdxDocument.java …examples/SimpleSpdxDocumentV2Compat.javaexamples/org/spdx/examples/SimpleSpdxDocument.java renamed to examples/org/spdx/examples/SimpleSpdxDocumentV2Compat.java examples/org/spdx/examples/SimpleSpdxDocument.java renamed to examples/org/spdx/examples/SimpleSpdxDocumentV2Compat.java

@@ -15,30 +15,29 @@
 
 import org.spdx.jacksonstore.MultiFormatStore;
 import org.spdx.jacksonstore.MultiFormatStore.Format;
-import org.spdx.library.InvalidSPDXAnalysisException;
+import org.spdx.core.InvalidSPDXAnalysisException;
+import org.spdx.library.LicenseInfoFactory;
 import org.spdx.library.ModelCopyManager;
-import org.spdx.library.SpdxConstants;
-import org.spdx.library.model.Relationship;
-import org.spdx.library.model.SpdxDocument;
-import org.spdx.library.model.SpdxModelFactory;
-import org.spdx.library.model.SpdxPackage;
-import org.spdx.library.model.enumerations.RelationshipType;
-import org.spdx.library.model.license.AnyLicenseInfo;
-import org.spdx.library.model.license.LicenseInfoFactory;
+import org.spdx.library.model.v2.Relationship;
+import org.spdx.library.model.v2.SpdxConstantsCompatV2;
+import org.spdx.library.model.v2.SpdxDocument;
+import org.spdx.library.model.v2.SpdxPackage;
+import org.spdx.library.model.v2.enumerations.RelationshipType;
+import org.spdx.library.model.v2.license.AnyLicenseInfo;
 import org.spdx.storage.IModelStore.IdType;
 import org.spdx.storage.ISerializableModelStore;
 import org.spdx.storage.simple.InMemSpdxStore;
 
 /**
- * This example demonstrate programmatically creating an SPDX document, adding document, files
+ * This example demonstrate programmatically creating an SPDX spec version 2.X document, adding document, files
  * and saving the document in a JSON file format
  * 
  * This example depends on the Spdx-Java-Library and the spdx-java-jackson store libraries
  * 
  * @author Gary O'Neall
  *
  */
-public class SimpleSpdxDocument {
+public class SimpleSpdxDocumentV2Compat {
 
 	/**
 	 * @param args args[0] is the file path to store the resultant JSON file
@@ -83,9 +82,9 @@ public static void main(String[] args) {
 		ModelCopyManager copyManager = new ModelCopyManager();
 		try {
 			// Time to create the document
-			SpdxDocument document = SpdxModelFactory.createSpdxDocument(modelStore, documentUri, copyManager);
+			SpdxDocument document = new SpdxDocument(modelStore, documentUri, copyManager, false);
 			// Let's add a few required fields to the document
-			SimpleDateFormat dateFormat = new SimpleDateFormat(SpdxConstants.SPDX_DATE_FORMAT);
+			SimpleDateFormat dateFormat = new SimpleDateFormat(SpdxConstantsCompatV2.SPDX_DATE_FORMAT);
 			String creationDate = dateFormat.format(new Date());
 			document.setCreationInfo(document.createCreationInfo(
 					Arrays.asList(new String[] {"Tool: Simple SPDX Document Example"}),
@@ -96,7 +95,7 @@ public static void main(String[] args) {
 			 * above.  These helper functions will use the same Document URI, Model Store and Model Copy Manager
 			 * as the document element.
 			 */
-			AnyLicenseInfo dataLicense = LicenseInfoFactory.parseSPDXLicenseString("CC0-1.0");
+			AnyLicenseInfo dataLicense = LicenseInfoFactory.parseSPDXLicenseStringCompatV2("CC0-1.0");
 			/*
 			 * Note that by passing in the modelStore and documentUri, the parsed license information is stored
 			 * in the same model store we are using for the document
@@ -106,9 +105,9 @@ public static void main(String[] args) {
 			document.setSpecVersion("SPDX-2.2");
 
 			// Now that we have the basic document information filled in, let's create a package
-			AnyLicenseInfo pkgConcludedLicense = LicenseInfoFactory.parseSPDXLicenseString("Apache-2.0 AND MIT");
-			AnyLicenseInfo pkgDeclaredLicense = LicenseInfoFactory.parseSPDXLicenseString("Apache-2.0");
-			String pkgId = modelStore.getNextId(IdType.SpdxId, documentUri);
+			AnyLicenseInfo pkgConcludedLicense = LicenseInfoFactory.parseSPDXLicenseStringCompatV2("Apache-2.0 AND MIT");
+			AnyLicenseInfo pkgDeclaredLicense = LicenseInfoFactory.parseSPDXLicenseStringCompatV2("Apache-2.0");
+			String pkgId = modelStore.getNextId(IdType.SpdxId);
 			// The ID's used for SPDX elements must be unique.  Calling the model store getNextId function is a
 			// convenient and safe method to make sure you have a correctly formatted and unique ID
 			SpdxPackage pkg = document.createPackage(pkgId, "Example Package Name", pkgConcludedLicense,
@@ -128,7 +127,7 @@ public static void main(String[] args) {
 			// This step will add a relationship between document and pkg as "DESCRIBES".
 			document.getDocumentDescribes().add(pkg);	
 			// Let's create another package
-			pkgId = modelStore.getNextId(IdType.SpdxId, documentUri);
+			pkgId = modelStore.getNextId(IdType.SpdxId);
 			SpdxPackage childPkg = document.createPackage(pkgId, "Child Example Package Name", pkgConcludedLicense,
 					"Copyright example.org", pkgDeclaredLicense)
 					.setFilesAnalyzed(false)  // Default is true and we don't want to add all the required fields
@@ -150,7 +149,7 @@ public static void main(String[] args) {
 			}
 			// Last step is to serialize
 			try (OutputStream outputStream = new FileOutputStream(outFile)) {
-				modelStore.serialize(documentUri, outputStream);
+				modelStore.serialize(outputStream);
 			}
 			System.out.println("Example document written to "+args[0]);
 			System.exit(0);

pom.xml

@@ -3,7 +3,7 @@
 
 	<groupId>org.spdx</groupId>
 	<artifactId>tools-java</artifactId>
-	<version>1.1.9-SNAPSHOT</version>
+	<version>2.0.0-SNAPSHOT</version>
 	<packaging>jar</packaging>
 
 	<name>tools-java</name>
@@ -55,7 +55,7 @@
 	  <sonar.host.url>https://sonarcloud.io</sonar.host.url>
 	  <sonar.organization>spdx</sonar.organization>
 	  <sonar.projectKey>tools-java</sonar.projectKey>
-	  <dependency-check-maven.version>8.0.1</dependency-check-maven.version>
+	  <dependency-check-maven.version>8.4.3</dependency-check-maven.version>
 	  <maven.compiler.release>11</maven.compiler.release>
 	  <javadoc.opts>-Xdoclint:none</javadoc.opts>
     </properties>
@@ -101,6 +101,16 @@
 		</profile>
 	</profiles>
 	<dependencies>
+	  <dependency>
+	    <groupId>commons-io</groupId>
+	    <artifactId>commons-io</artifactId>
+	    <version>2.16.1</version>
+	  </dependency>
+	  <dependency>
+	    <groupId>org.apache.commons</groupId>
+	    <artifactId>commons-compress</artifactId>
+	    <version>1.27.1</version>
+	  </dependency>
 	  <dependency>
 	    <groupId>junit</groupId>
 	    <artifactId>junit</artifactId>
@@ -110,17 +120,17 @@
 	  <dependency>
 	  	<groupId>org.spdx</groupId>
 	  	<artifactId>java-spdx-library</artifactId>
-	  	<version>1.1.10</version>
+	  	<version>2.0.0-Alpha</version>
 	  </dependency>
 	  <dependency>
 	  	<groupId>org.spdx</groupId>
 	  	<artifactId>spdx-rdf-store</artifactId>
-	  	<version>1.1.9</version>
+	  	<version>2.0.0-Alpha</version>
 	  </dependency>
 	  <dependency>
 	  	<groupId>org.spdx</groupId>
 	  	<artifactId>spdx-jackson-store</artifactId>
-	  	<version>1.1.9</version>
+	  	<version>2.0.0-Alpha</version>
 	  </dependency>
 	  <dependency>
 	  	<groupId>org.apache.ws.xmlschema</groupId>
@@ -130,24 +140,29 @@
 	  <dependency>
 	  	<groupId>org.spdx</groupId>
 	  	<artifactId>spdx-spreadsheet-store</artifactId>
-	  	<version>1.1.7</version>
+	  	<version>2.0.0-Alpha</version>
 	  </dependency>
 	  <dependency>
 	  	<groupId>org.spdx</groupId>
 	  	<artifactId>spdx-tagvalue-store</artifactId>
-	  	<version>1.1.7</version>
+	  	<version>2.0.0-Alpha</version>
 	  </dependency>
 	  <dependency>
-	  	<groupId>com.github.java-json-tools</groupId>
+	  	<groupId>com.networknt</groupId>
 	  	<artifactId>json-schema-validator</artifactId>
-	  	<version>2.2.14</version>
+	  	<version>1.5.1</version>
 	  </dependency>
 	  <dependency>
 	  	<groupId>org.slf4j</groupId>
 	  	<artifactId>slf4j-simple</artifactId>
-	  	<version>2.0.7</version>
+	  	<version>2.0.13</version>
 	  	<optional>true</optional>
 	  </dependency>
+	  <dependency>
+	  	<groupId>org.spdx</groupId>
+	  	<artifactId>spdx-v3jsonld-store</artifactId>
+	  	<version>0.1.0-Alpha</version>
+	  </dependency>
 	</dependencies>
     <build>
   		<resources>
@@ -299,7 +314,7 @@
 			<plugin>
 				<groupId>org.spdx</groupId>
 					<artifactId>spdx-maven-plugin</artifactId>
-					<version>0.7.2</version>
+					<version>0.7.3</version>
 					<executions>
 						<execution>
 							<id>build-spdx</id>