Merge pull request #246 from spdx/v3-prototype

Implementation of SPDX version 3.0.0 spec

Author: goneall

GETTING-STARTED.md

@@ -0,0 +1,70 @@
+# Getting Started
+
+## SPDX Version 3
+
+### Programmatically Creating SPDX Data
+
+Before executing any of the model class methods, the model versions need to be intialized.  This is done by calling:
+
+```
+SpdxModelFactory.init();
+```
+
+SPDX data is stored in a "model store" and copying between model stores requires a copy manager.
+
+A simple store is provided in the java library.  To create the simple in-memory model store and a copy manager, execute the following:
+
+```
+InMemSpdxStore modelStore = new InMemSpdxStore();
+IModelCopyManager copyManager = new ModelCopyManager();
+```
+
+All SPDX elements are required to have a unique SPDX ID which is an Object URI.  In the SPDX Java libraries, this is commonly referred to as the `objectUri` to avoid confusion with the SPDX 2.X version short SPDX IDs.
+
+A good practice is to create a common prefix to use for your programatic session.  The prefix should be unique to the session.  There are convenience methods in the library to append identifiers uniques to the model store.
+
+In these examples, we'll use:
+
+```
+String prefix = "https://org.spdx.spdxdata/899b1918-f72a-4755-9215-6262b3c346df/";
+```
+
+Since SPDX 3.0 requires creation info on every element, the easiest way to start is to use the SPDX 3 model convenience method `SpdxModelClassFactory.createCreationInfo(...)` which will create the `Agent` and `CreationInfo` classes which can be added to all of the subsequent elements.
+
+For example:
+
+```
+CreationInfo creationInfo = SpdxModelClassFactory.createCreationInfo(
+			modelStore, prefix + "Agent/Gary01123", "Gary O'Neall",
+			copyManager);
+```
+
+We're now ready to create our first SPDX element.  You can start anywhere, but let's start with an SBOM element.
+
+There is a factory method you can use to get started:
+
+```
+Sbom sbom = SpdxModelClassFactory.getModelObject(modelStore, 
+			prefix + "sbom/mysbom", SpdxConstantsV3.SOFTWARE_SBOM, 
+			copyManager, true, prefix);
+```
+
+Let's not forget to add the creation info:
+
+```
+sbom.setCreationInfo(creationInfo);
+```
+
+From here on, things get easier.  We can get and set properties to the sbom we just created.
+
+If we want to create another SPDX object or element, we can use the builder convenience methods available to all SPDX objects.  For example, if we want to create a package to add to the SBOM we can call:
+
+```
+sbom.getElements().add(
+			sbom.createSpdxPackage(prefix + "package/mypackage")
+			.setName("Package Name")
+			.build()
+			);
+```
+
+The model store, creation info, copy manager, and prefix information will all be copied from the sbom allowing you to focus just on the properties you need to add.

README-V3-UPGRADE.md

@@ -0,0 +1,78 @@
+# Upgrading from version 2 to version 3
+
+With the support of SPDX 3.0, several changes have been made to the library codebase that will break previous API's.
+Although we tried to keep breaking changes to a minimum, some of the changes were necessary due to breaking changes in the spec. itself.
+We also took advantage of the changes to fix some annoying design flaws in the previous implementation of the library.
+
+## Classes and Methods moved to SPDX Java Core library
+
+The SPDX Java Core Library is in a separate repository and jar file.
+
+The following classes and methods are moved from `org.spdx.library` to `org.spdx.core`:
+
+- `DefaultModelStore`
+- Most exception classes including `InvalidSPDXAnalysisException`
+- `ModelCollection`
+- `ModelSet`
+- `SimpleUriValue`
+- `TypedValue`
+
+The packages in `org.spdx.licenseTemplates` are now in the `java-spdx-core` repository.
+
+A new class `LicenseTextHelper` was added and the method `isLicenseTextEquivalent(String, String)` along with many supporting methods were moved to `LicenseTextHelper` from `org.spdx.utility.compare.LicenseCompareHelper`.
+
+## Changes to SPDX version 2 package, class, and method names
+To support accessing SPDX 2.X model object while updating the library for SPDX 3.0 support, the package names for the SPDX 2.X model objects are now named `org.spdx.library.model.v2.[package]`.
+
+Many of the class and property names have been changed to append `CompatV2` to clearly designate a compatible object is being referenced.
+
+Also note that the model classes are now stored in a separate repository `spdx-java-model-2_X`.
+
+## Changes to ExternalElement and ExternalExtractedLicenseInfo (SPDX Version 2.X classes)
+
+- Constructors changed to take the document URI for the document containing the external element or license.  This is different from the previous constructor which took the document URI of the document containing the reference and an ID of the form `DocumentRef-XX:[ID]`  To accomodate compatibility, the constructors
+will check for the old DocumentRef format and attempt a conversion.
+- Added a method `referenceElementId(SpdxDocument documentReferencingExternal)` which will convert return the `DocumentRef-XX:[ID]`.  This should be used in place of the getId which previously returned this format.
+
+Note that this incompatibility was introduced due to using a common mode store API which in some cases will not have the documentUri as a required parameter
+
+## Changes to deserialize interface
+Since SPDX documents are not generally required in SPDX spec version 3.0, the SPDX namespace was removed from the return value for deserialized and also removed as a parameter for the serialize method.  Serialize will now serialize all objects - which may be multiple SPDX documents.
+
+To find all the SPDX documents in a serialization, you can execute:
+
+```
+List<SpdxDocument> docs = (List<SpdxDocument>)SpdxModelFactory.getSpdxObjects(store, null, SpdxConstantsCompatV2.CLASS_SPDX_DOCUMENT, null, null)
+				.collect(Collectors.toList());
+```
+after deserialization to get a list of all SPDX documents.
+
+For the RDF store, to keep compatible with the SPDX 2.X requirements, it now only supports a single document namespace.
+
+## Changes to the SPI for the Model Store
+
+### Change propertyName to propertyDescriptor
+
+One significant change to the model store which impacts most of the API's.
+All `String` `propertyName` properties are replaced by a `propertyDescriptor` of type `ProperyDescriptor`.
+The `PropertyDescriptor` has a `name` property and a `nameSpace` property.
+The property constants defined in  `org.spdx.library.SpdxConstants` have all been changed to use constant `PropertyDescriptor`s.
+If you're using the constants, you may not need to change much beyond the method signatures for anything that was passing along the `propertyName`.
+
+### Make DocumentNamespace Optional
+
+In SPDX 3.0, not all elements are contained within an SPDX document and we can't be guaranteed that a namespace is available for all `TypedValue` typed properties.  Methods that are passed a `DocumentNamespace` and an `id` now are passed a URI.
+
+To translate from SPDX 2.X, the `DocumentNamespace` concatenated with the `id` can be used for the URI.
+
+### Change TypedValue structure
+
+`TypedValue` now takes an ObjectURI rather than an ID.
+Note that the method signature has not changed, so you may need to manually search for usage in order to change.
+There is a convenience helper method `CompatibleModelStoreWrapper.typedValueFromDocUri(String documentUri, String id, boolean anonymous, String type)` that will convert from the SPDX V2 TypedValue to the current version.
+
+### CompatibleModelStoreWrapper
+
+To help with the migration, the `CompatibleModelStoreWrapper` class was introduced supporting the `IModelStore` interface taking a base store as a parameter in the constructor.  This class "wraps" the base store and supports the SPDX 2 methods which take the document namespace parameters.
+
+There is also a convenience static method to convert a namespace and ID to an Object URI.

README.md

@@ -8,6 +8,14 @@ Java library which implements the Java object model for SPDX and provides useful
 
 |   [![Bugs](https://sonarcloud.io/api/project_badges/measure?project=java-spdx-library&metric=bugs)](https://sonarcloud.io/dashboard?id=java-spdx-library)    | [![Security Rating](https://sonarcloud.io/api/project_badges/measure?project=java-spdx-library&metric=security_rating)](https://sonarcloud.io/dashboard?id=java-spdx-library) | [![Maintainability Rating](https://sonarcloud.io/api/project_badges/measure?project=java-spdx-library&metric=sqale_rating)](https://sonarcloud.io/dashboard?id=java-spdx-library) | [![Technical Debt](https://sonarcloud.io/api/project_badges/measure?project=java-spdx-library&metric=sqale_index)](https://sonarcloud.io/dashboard?id=java-spdx-library) |
 
+## Library Version Compatibility
+
+Library version 2.0.0 and higher is not compatible with previous versions of the library due to breaking changes introduced in SPDX 3.0.
+
+The library does support the spec versions 2.X and 3.X.
+
+See the [README-V3-UPGRADE.md](README-V3-UPGRADE.md) file for information on how to upgrade from earlier versions of the library.
+
 ## Storage Interface
 The Spdx-Java-Library allows for different implementations of SPDX object storage.  The storage facility implements the org.spdx.storage.IModelStore interface.  This is a low level Service Provider Interface (SPI).  The ISerializableModelStore extends the IModelStore and supports serializing and de-serializing the store to an I/O Stream. This interface is currently used to implement JSON, XML, YAML, and RDF/XML formats.  The default storage interface is an in-memory Map which should be sufficient for light weight usage of the library.
 
@@ -24,16 +32,17 @@ If you are using Maven, you can add the following dependency in your POM file:
 <dependency>
   <groupId>org.spdx</groupId>
   <artifactId>java-spdx-library</artifactId>
-  <version>(,1.0]</version>
+  <version>(,2.0]</version>
 </dependency>
 ```
 
 [API JavaDocs are available here](https://spdx.github.io/Spdx-Java-Library/).
 
 There are a couple of static classes that help common usage scenarios:
 
-- `org.spdx.library.SPDXModelFactory` supports the creation of specific model objects
-- `org.spdx.library.model.license.LicenseInfoFactory` supports the parsing of SPDX license expressions, creation, and comparison of SPDX licenses
+- org.spdx.library.SpdxModelFactory supports the creation of specific model objects
+- org.spdx.library.model.license.LicenseInfoFactory supports the parsing of SPDX license expressions, creation, and comparison of SPDX licenses
+
 
 ## Configuration options
 
@@ -46,13 +55,21 @@ The library has these configuration options:
 
 Note that these configuration options can only be modified prior to first use of Spdx-Java-Library. Once the library is initialized, subsequent changes will have no effect.
 
-## Update for new properties or classes
+The first thing that needs to be done in your implementation is call `SpdxModelFactory.init()` - this will load all the supported versions.
+
+If you are programatically creating SPDX data, you will start by creating a model store.  The simplest model store is an in-memory model store which can be created with `store = new InMemSpdxStore()`.  A copy manager will be needed if you are working with more than one store (e.g. a serialized format of SPDX data and in memory).  If you're not sure, you should just create one.  This can be done with `copyManager = new ModelCopyManager()`.
+
+The first object you create will depend on the major version:
+- For SPDX 2.X, you would start by creating an SpdxDocument.  The factory method `SpdxDocument document = SpdxModelFactory.createSpdxDocumentV2(IModelStore modelStore, String documentUri, IModelCopyManager copyManager)` will create a new SPDX document.  Once created, you can use the setters to set the specific fields.  You can then use the convenience create methods on the document to create additional SPDX objects (e.g. `document.createSpdxFile(...)`);
+- For SPDX 3.X, you will start with a CreationInfo class.  The factory method `CreationInfo creationInfo = SpdxModelClassFactory.createCreationInfo(IModelStore modelStore, String createdByUri,String createdByName, @Nullable IModelCopyManager copyManager)` will create and initialize a CreationInfo with today's date and the Agent information.  To create any additional objects, you can use the builder convenience methods from the creationInfo (or any Elements created by the creationInfo) (e.g. `creationInfo.createSoftwareSpdxFile(String spdxFileObjectUri)`.  The created objects will copy the creationInfo.
+
+## Update for new versions of the spec
 To update Spdx-Java-Library, the following is a very brief checklist:
 
-  1. Update the SpdxContants with any new or changed properties and classes
-  2. Update the Java code representing the model
-  3. Update the SpdxComparer/SpdxFileComparer in the org.spdx.compare package
-  4. Update unit tests
+  1. Create a Java .jar file for the new version which contains an implementation of `ISpdxModelInfo` - typically named SpdxModelInfoVXXX - where XXX is the version of the spec.
+  2. Update the SpdxModelFactory source file to load the model info by adding the line `ModelRegistry.getModelRegistry().registerModel(new SpdxModelInfoVXXX());` in the static block at the very beginning of the class.
+  3. If there are any conversions that are needed when copying to or from the new model version, add conversion code to the `ModelCopyConverter` class.
+  4. Update SpdxModelFactory unit test for the highest version check
 
 ## Development Status
-Note: This library is mostly stable, but and contains some defects.  Reviews, suggestions are welcome.  Please enter an issue with any suggestions.
+Note: This library is currently unstable, and under development.  Reviews, suggestions are welcome.  Please enter an issue with any suggestions.

pom.xml

@@ -1,11 +1,9 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
 	<modelVersion>4.0.0</modelVersion>
-
-	<groupId>org.spdx</groupId>
-	<artifactId>java-spdx-library</artifactId>
-	<version>1.1.13-SNAPSHOT</version>
-	<packaging>jar</packaging>
-
+    <groupId>org.spdx</groupId>
+    <artifactId>java-spdx-library</artifactId>
+    <version>2.0.0-SNAPSHOT</version>
+    <packaging>jar</packaging>
 	<name>java-spdx-library</name>
 	<url>https://github.com/spdx/Spdx-Java-Library</url>
 	<licenses>
@@ -69,15 +67,6 @@
 				</dependency>
 			</dependencies>
 		</profile>
-		<profile>
-			<id>doclint-java8-disable</id>
-			<activation>
-				<jdk>[1.8,)</jdk>
-			</activation>
-			<properties>
-				<javadoc.opts>-Xdoclint:none</javadoc.opts>
-			</properties>
-		</profile>
 		<profile>
 			<id>release</id>
 			<build>
@@ -118,48 +107,63 @@
 			</build>
 		</profile>
 	</profiles>
-	<dependencies>
-		<dependency>
-			<groupId>junit</groupId>
-			<artifactId>junit</artifactId>
-			<version>4.13.1</version>
-			<scope>test</scope>
-		</dependency>
-		<dependency>
-			<groupId>org.slf4j</groupId>
-			<artifactId>slf4j-api</artifactId>
-			<version>2.0.7</version>
-		</dependency>
-		<dependency>
-			<groupId>org.apache.commons</groupId>
-			<artifactId>commons-lang3</artifactId>
-			<version>3.5</version>
-		</dependency>
-		<dependency>
-			<groupId>org.jsoup</groupId>
-			<artifactId>jsoup</artifactId>
-			<version>1.15.3</version>
-		</dependency>
-		<dependency>
-			<groupId>com.google.code.gson</groupId>
-			<artifactId>gson</artifactId>
-			<version>2.8.9</version>
-		</dependency>
-		<dependency>
-			<groupId>net.jodah</groupId>
-			<artifactId>concurrentunit</artifactId>
-			<version>0.4.6</version>
-			<scope>test</scope>
-		</dependency>
-		<dependency>
-			<groupId>com.google.code.findbugs</groupId>
-			<artifactId>jsr305</artifactId>
-			<version>3.0.2</version>
-		</dependency>
-	</dependencies>
-
-	<build>
-		<resources>
+  <dependencies>
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <version>4.13.1</version>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+    	<groupId>org.slf4j</groupId>
+    	<artifactId>slf4j-api</artifactId>
+    	<version>2.0.7</version>
+    </dependency>
+    <dependency>
+    	<groupId>org.apache.commons</groupId>
+    	<artifactId>commons-lang3</artifactId>
+    	<version>3.5</version>
+    </dependency>
+    <dependency>
+    	<groupId>org.jsoup</groupId>
+    	<artifactId>jsoup</artifactId>
+    	<version>1.15.3</version>
+    </dependency>
+    <dependency>
+    	<groupId>com.google.code.gson</groupId>
+    	<artifactId>gson</artifactId>
+    	<version>2.8.9</version>
+    </dependency>
+    <dependency>
+    	<groupId>net.jodah</groupId>
+    	<artifactId>concurrentunit</artifactId>
+    	<version>0.4.6</version>
+    	<scope>test</scope>
+    </dependency>
+    <dependency>
+    	<groupId>com.google.code.findbugs</groupId>
+    	<artifactId>jsr305</artifactId>
+    	<version>3.0.2</version>
+    </dependency>
+    <dependency>
+    	<groupId>org.spdx</groupId>
+    	<artifactId>spdx-java-model-2_X</artifactId>
+    	<version>0.1.0-Alpha</version>
+    </dependency>
+    <dependency>
+    	<groupId>org.spdx</groupId>
+    	<artifactId>spdx-java-core</artifactId>
+    	<version>0.1.0-Alpha</version>
+    </dependency>
+    <dependency>
+    	<groupId>org.spdx</groupId>
+    	<artifactId>spdx-java-model-3_0</artifactId>
+    	<version>0.1.0-Alpha</version>
+    </dependency>
+  </dependencies>
+  
+  <build>
+  		<resources>
 			<resource>
 				<targetPath>resources</targetPath>
 				<filtering>false</filtering>
@@ -183,6 +187,7 @@
 				</excludes>
 			</resource>
 		</resources>
+		<sourceDirectory>src/main/java</sourceDirectory>
 		<testResources>
 			<testResource>
 				<directory>src/test</directory>
@@ -223,7 +228,7 @@
 				<configuration>
 					<quiet>true</quiet>
 					<notimestamp>true</notimestamp>
-					<additionalparam>-Xdoclint:none</additionalparam>
+					<doclint>all,-missing</doclint>
 				</configuration>
 				<executions>
 					<execution>