python-ort 0.4.3__tar.gz → 0.6.0__tar.gz

{python_ort-0.4.3 → python_ort-0.6.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: python-ort
-Version: 0.4.3
+Version: 0.6.0
 Summary: A Python Ort model serialization library
 License-Expression: MIT
 License-File: LICENSE
@@ -13,7 +13,7 @@ Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
 Classifier: Programming Language :: Python :: 3.14
 Classifier: Topic :: Software Development :: Libraries :: Python Modules
-Requires-Dist: pydantic>=2.12.4
+Requires-Dist: pydantic>=2.12.5
 Requires-Python: >=3.10
 Description-Content-Type: text/markdown
 

{python_ort-0.4.3 → python_ort-0.6.0}/pyproject.toml

@@ -4,14 +4,14 @@ build-backend = "uv_build"
 
 [project]
 name = "python-ort"
-version = "0.4.3"
+version = "0.6.0"
 description = "A Python Ort model serialization library"
 readme = "README.md"
 license = "MIT"
 license-files = ["LICENSE"]
 requires-python = ">=3.10"
 dependencies = [
-    "pydantic>=2.12.4",
+    "pydantic>=2.12.5",
 ]
 classifiers = [
     "Development Status :: 3 - Alpha",
@@ -31,13 +31,11 @@ module-root = "src"
 
 [dependency-groups]
 dev = [
-    "datamodel-code-generator[http]>=0.35.0",
-    "pre-commit>=4.3.0",
-    "pycodestyle>=2.14.0",
-    "pyrefly>=0.40.0",
-    "pytest>=8.4.2",
-    "rich>=14.2.0",
-    "ruff>=0.14.4",
+    "datamodel-code-generator[http]>=0.54.0",
+    "pytest>=9.0.2",
+    "rich>=14.3.2",
+    "ruff>=0.15.1",
+    "ty>=0.0.17",
     "types-pyyaml>=6.0.12.20250915",
 ]
 

python_ort-0.6.0/src/ort/__init__.py

@@ -0,0 +1,13 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+#
+# SPDX-License-Identifier: MIT
+
+from ort.models.analyzer_result import AnalyzerResult
+from ort.models.ort_result import OrtResult
+from ort.models.repository_configuration import RepositoryConfiguration
+
+__all__ = [
+    "AnalyzerResult",
+    "RepositoryConfiguration",
+    "OrtResult",
+]

python_ort-0.6.0/src/ort/models/__init__.py

@@ -0,0 +1,64 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from .advisor_capability import AdvisorCapability
+from .advisor_result import AdvisorResult
+from .advisor_run import AdvisorRun
+from .analyzer_result import AnalyzerResult
+from .analyzer_run import AnalyzerRun
+from .dependency_graph import DependencyGraph
+from .dependency_graph_edge import DependencyGraphEdge
+from .dependency_graph_node import DependencyGraphNode
+from .dependency_reference import DependencyReference
+from .hash import Hash
+from .hash_algorithm import HashAlgorithm
+from .identifier import Identifier
+from .issue import Issue
+from .ort_result import OrtResult
+from .package import Package
+from .package_curation import PackageCuration
+from .package_curation_data import PackageCurationData
+from .package_linkage import PackageLinkage
+from .package_reference import PackageReference
+from .project import Project
+from .remote_artifact import RemoteArtifact
+from .repository import Repository
+from .repository_configuration import RepositoryConfiguration
+from .root_dependency_index import RootDependencyIndex
+from .scope import Scope
+from .source_code_origin import SourceCodeOrigin
+from .vcsinfo import VcsInfo
+from .vcsinfo_curation_data import VcsInfoCurationData
+from .vcstype import VcsType
+
+__all__ = [
+    "AdvisorCapability",
+    "AdvisorResult",
+    "AdvisorRun",
+    "AnalyzerResult",
+    "AnalyzerRun",
+    "DependencyGraph",
+    "DependencyGraphEdge",
+    "DependencyGraphNode",
+    "DependencyReference",
+    "Hash",
+    "HashAlgorithm",
+    "Identifier",
+    "Issue",
+    "OrtResult",
+    "Package",
+    "PackageCuration",
+    "PackageCurationData",
+    "PackageLinkage",
+    "PackageReference",
+    "Project",
+    "RemoteArtifact",
+    "Repository",
+    "RepositoryConfiguration",
+    "RootDependencyIndex",
+    "Scope",
+    "SourceCodeOrigin",
+    "VcsInfo",
+    "VcsInfoCurationData",
+    "VcsType",
+]

python_ort-0.6.0/src/ort/models/advisor_capability.py

@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from enum import IntEnum
+
+
+class AdvisorCapability(IntEnum):
+    """
+    An enum class that defines the capabilities of a specific advisor implementation.
+
+    There are multiple types of findings that can be retrieved by an advisor, such as security vulnerabilities or
+    defects. An [AdvisorResult] has different fields for the different findings types. This enum corresponds to these
+    fields. It allows an advisor implementation to declare, which of these fields it can populate. This information is
+    of interest, for instance, when generating reports for specific findings to determine, which advisor may have
+    contributed.
+
+    """
+
+    DEFECTS = 1
+    VULNERABILITIES = 2

python_ort-0.6.0/src/ort/models/advisor_details.py

@@ -0,0 +1,41 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from pydantic import BaseModel, ConfigDict, Field, field_validator
+
+from ort.models import AdvisorCapability
+
+
+class AdvisorDetails(BaseModel):
+    """
+    Details about the used provider of vulnerability information.
+
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    name: str = Field(description="The name of the used advisor.")
+    capabilities: set[AdvisorCapability] = Field(
+        description="The capabilities of the used advisor. This property indicates, which kind of findings"
+        "are retrieved by the advisor."
+    )
+
+    @field_validator("capabilities", mode="before")
+    @classmethod
+    def convert_capability(cls, v):
+        def _convert(item):
+            if isinstance(item, str):
+                try:
+                    return AdvisorCapability[item]
+                except KeyError:
+                    raise ValueError(f"Invalid capability: {item}")
+            return item
+
+        if isinstance(v, (list, set)):
+            return {_convert(item) for item in v}
+        if isinstance(v, str):
+            return _convert(v)
+        return v

python_ort-0.6.0/src/ort/models/advisor_result.py

@@ -0,0 +1,42 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from ort.models.vulnerabilities import Vulnerability
+
+from .advisor_details import AdvisorDetails
+from .advisor_summary import AdvisorSummary
+from .defect import Defect
+
+
+class AdvisorResult(BaseModel):
+    """
+    The result of a specific advisor execution for a single package.
+
+    Different advisor implementations may produce findings of different types. To reflect this, this class has multiple
+    fields for findings of these types. It is up to a concrete advisor, which of these fields it populates.
+
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    advisor: AdvisorDetails = Field(
+        description="Details about the used advisor.",
+    )
+
+    summary: AdvisorSummary = Field(
+        description="A summary of the advisor results.",
+    )
+
+    defects: list[Defect] = Field(
+        default_factory=list,
+        description="The defects.",
+    )
+
+    vulnerabilities: list[Vulnerability] = Field(
+        default_factory=list,
+        description="The vulnerabilities.",
+    )

python_ort-0.6.0/src/ort/models/advisor_run.py

@@ -0,0 +1,39 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from datetime import datetime
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from ort.models import AdvisorResult
+from ort.models.config.advisor_configuration import AdvisorConfiguration
+from ort.utils.environment import Environment
+
+from .identifier import Identifier
+
+
+class AdvisorRun(BaseModel):
+    """
+    Type alias for a function that allows filtering of [AdvisorResult]s.
+
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+    start_time: datetime = Field(
+        description="The time the advisor was started.",
+    )
+    end_time: datetime = Field(
+        description="The time the advisor has finished.",
+    )
+    environment: Environment = Field(
+        description="The [Environment] in which the advisor was executed.",
+    )
+    config: AdvisorConfiguration = Field(
+        description="The [AdvisorConfiguration] used for this run.",
+    )
+    results: dict[Identifier, list[AdvisorResult]] = Field(
+        default_factory=dict,
+        description="The result of this run.",
+    )

python_ort-0.6.0/src/ort/models/advisor_summary.py

@@ -0,0 +1,38 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from datetime import datetime
+
+from pydantic import BaseModel, ConfigDict, Field, field_validator
+
+from .issue import Issue
+
+
+class AdvisorSummary(BaseModel):
+    """
+    A short summary of the advisor result.
+
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    start_time: datetime = Field(
+        description="The time the advisor started.",
+    )
+    end_time: datetime = Field(
+        description="The time the advisor finished.",
+    )
+    issues: list[Issue] = Field(
+        default_factory=list,
+        description="The list of issues that occurred during the advisor run."
+        "This property is not serialized if the list is empty to reduce the size of the result file.",
+    )
+
+    @field_validator("start_time", "end_time", mode="before")
+    @classmethod
+    def transform_date(cls, v):
+        if isinstance(v, str):
+            return datetime.fromisoformat(v.replace("Z", "+00:00"))
+        return v

python_ort-0.6.0/src/ort/models/analyzer_result.py

@@ -0,0 +1,43 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from .dependency_graph import DependencyGraph
+from .identifier import Identifier
+from .issue import Issue
+from .package import Package
+from .project import Project
+
+
+class AnalyzerResult(BaseModel):
+    """
+    A class that merges all information from individual [ProjectAnalyzerResult]s created for each found definition file.
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    projects: set[Project] = Field(
+        description="Sorted set of the projects, as they appear in the individual analyzer results.",
+    )
+
+    packages: set[Package] = Field(
+        description="The set of identified packages for all projects.",
+    )
+
+    issues: dict[Identifier, list[Issue]] = Field(
+        default_factory=dict,
+        description="The lists of Issue objects that occurred within the analyzed projects themselves. Issues related"
+        "to project dependencies are contained in the dependencies of the project's scopes. This property is not"
+        "serialized if the map is empty to reduce the size of the result file.",
+    )
+
+    dependency_graphs: dict[str, DependencyGraph] = Field(
+        default_factory=dict,
+        description="A map with DependencyGraph objects keyed by the name of the package manager that created this"
+        "graph. Package managers supporting this feature can construct a shared DependencyGraph over all projects and"
+        "store it in this map.",
+    )

python_ort-0.6.0/src/ort/models/analyzer_run.py

@@ -0,0 +1,37 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from datetime import datetime
+
+from pydantic import BaseModel, ConfigDict, Field
+
+from ort.models import AnalyzerResult
+from ort.models.config.analyzer_configuration import AnalyzerConfiguration
+from ort.utils.environment import Environment
+
+
+class AnalyzerRun(BaseModel):
+    """
+    The summary of a single run of the analyzer.
+
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+    start_time: datetime = Field(
+        description="The time the analyzer was started.",
+    )
+    end_time: datetime = Field(
+        description="The time the analyzer has finished.",
+    )
+    environment: Environment = Field(
+        description="The [Environment] in which the analyzer was executed.",
+    )
+    config: AnalyzerConfiguration = Field(
+        description="The [AnalyzerConfiguration] used for this run.",
+    )
+    result: AnalyzerResult | None = Field(
+        default=None,
+        description="The result of this run.",
+    )

python_ort-0.6.0/src/ort/models/config/advisor_configuration.py

@@ -0,0 +1,28 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from typing import Any
+
+from pydantic import BaseModel, ConfigDict, Field
+
+
+class AdvisorConfiguration(BaseModel):
+    """
+    The configuration model of the advisor. This class is (de-)serialized in the following places:
+    - Deserialized from "config.yml" as part of [OrtConfiguration].
+    - (De-)Serialized as part of [org.ossreviewtoolkit.model.OrtResult].
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+    skip_excluded: bool = Field(
+        default=False,
+        description="A flag to control whether excluded scopes and paths should be skipped when giving the advice.",
+    )
+    advisors: dict[str, Any] | None = Field(
+        default=None,
+        description="A map with [configuration][PluginConfig] for advice providers using the"
+        "[plugin id][PluginDescriptor.id] as key.",
+    )

{python_ort-0.4.3 → python_ort-0.6.0}/src/ort/models/config/analyzer_configuration.py

@@ -38,11 +38,9 @@ _package_managers: list[str] = [
 
 class AnalyzerConfiguration(BaseModel):
     """
-    Enable the analysis of projects that use version ranges to declare their dependencies. If set to true,
-    dependencies of exactly the same project might change with another scan done at a later time if any of the
-    (transitive) dependencies are declared using version ranges and a new version of such a dependency was
-    published in the meantime. If set to false, analysis of projects that use version ranges will fail. Defaults to
-    false.
+    The configuration model of the analyzer. This class is (de-)serialized in the following places:
+    - Deserialized from "config.yml" as part of [OrtConfiguration] (via Hoplite).
+    - (De-)Serialized as part of [org.ossreviewtoolkit.model.OrtResult] (via Jackson).
     """
 
     model_config = ConfigDict(

python_ort-0.6.0/src/ort/models/defect.py

@@ -0,0 +1,87 @@
+# SPDX-FileCopyrightText: 2026 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+from datetime import datetime
+
+from pydantic import AnyUrl, BaseModel, ConfigDict, Field
+
+
+class Defect(BaseModel):
+    """
+    A data model for software defects.
+
+    Instances of this class are created by advisor implementations that retrieve information about
+    known defects in packages.
+
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    id: str = Field(
+        description="The (external) ID of this defect. This is a string used by a concrete issue tracker"
+        "system to reference this defect, such as a bug ID or ticket number.",
+    )
+
+    url: AnyUrl = Field(
+        description="The URL pointing to the source of this defect. This is typically a reference into "
+        "the issue tracker system that contains this defect.",
+    )
+    title: str | None = Field(
+        default=None,
+        description="A title for this defect if available. This is a short summary describing the problem at hand.",
+    )
+    state: str | None = Field(
+        default=None,
+        description="A state of the associated defect if available. The concrete meaning of this string depends"
+        "on the source from where it was obtained, as different issue tracker systems use their specific "
+        "terminology. Possible values could be OPEN, IN PROGRESS, BLOCKED, etc.",
+    )
+    severity: str | None = Field(
+        default=None,
+        description="The severity assigned to the defect if available. The meaning of this string depends"
+        "on the source system.",
+    )
+    description: str | None = Field(
+        default=None,
+        description="An optional description of this defect. It can contain more detailed information about"
+        "the defect and its impact. The field may be undefined if the url of this defect already points to"
+        "a website with all this information.",
+    )
+    creation_time: datetime | None = Field(
+        default=None,
+        description="The creation time of this defect if available.",
+    )
+    modification_time: datetime | None = Field(
+        default=None,
+        description="Contains a time when this defect has been modified the last time in the tracker system"
+        "it has been obtained from. This information can be useful for instance to find out how up-to-date"
+        "this defect report might be.",
+    )
+    closing_time: datetime | None = Field(
+        default=None,
+        description="Contains a time when this defect has been closed if it has been resolved already"
+        "(and this information is available in the source system). For users of the component affected"
+        "by this defect, this information can be of interest to find out whether a fix is available,"
+        "maybe in a newer version.",
+    )
+    fix_release_version: str | None = Field(
+        default=None,
+        description="Contains the version of the release, in which this defect was fixed if available."
+        "This is important information for consumers of the component affected by the defect, so they"
+        "can upgrade to this version.",
+    )
+    fix_release_url: AnyUrl | None = Field(
+        default=None,
+        description="A URL pointing to the release, in which this defect was fixed if available."
+        "Depending on the information provided by a source, this URL could point to a website with detail"
+        "information about the release, to release notes, or something like that. This information is"
+        "important for consumers of the component affected by this defect, so they can upgrade to this release.",
+    )
+    labels: dict[str, str] = Field(
+        default_factory=dict,
+        description="A map with labels assigned to this defect. Labels provide a means frequently used by issue"
+        "tracker systems to classify defects based on defined criteria. The exact meaning of these labels is"
+        "depending on the source system.",
+    )

python_ort-0.6.0/src/ort/models/dependency_graph.py

@@ -0,0 +1,98 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from pydantic import BaseModel, ConfigDict, Field, field_validator
+
+from .dependency_graph_edge import DependencyGraphEdge
+from .dependency_graph_node import DependencyGraphNode
+from .dependency_reference import DependencyReference
+from .identifier import Identifier
+from .root_dependency_index import RootDependencyIndex
+
+
+class DependencyGraph(BaseModel):
+    """
+    Represents the graph of dependencies of a project.
+
+    This class holds information about a project's scopes and their dependencies in a format that minimizes the
+    consumption of memory. In projects with many scopes there is often a high degree of duplication in the dependencies
+    of the scopes. To avoid this, this class aims to share as many parts of the dependency graph as possible between
+    the different scopes. Ideally, there is only a single dependency graph containing the dependencies used by all
+    scopes. This is not always possible due to inconsistencies in dependency relations, like a package using different
+    dependencies in different scopes. Then the dependency graph is split into multiple fragments, and each fragment has
+    a consistent view on the dependencies it contains.
+
+    When constructing a dependency graph the dependencies are organized as a connected structure of DependencyReference
+    objects in memory. Originally, the serialization format of a graph was based on this structure, but that turned out
+    to be not ideal: During serialization, sub graphs referenced from multiple nodes (e.g. libraries with transitive
+    dependencies referenced from multiple projects) get duplicated, which can cause a significant amount of redundancy.
+    Therefore, the data representation has been changed again to a form, which can be serialized without introducing
+    redundancy. It consists of the following elements:
+
+    - packages: A list with the coordinates of all the packages (free of duplication) that are referenced by the graph.
+      This allows extracting the packages directly, but also has the advantage that the package coordinates do not have
+      to be repeated over and over: All the references to packages are expressed by indices into this list.
+    - nodes: An ordered list with the nodes of the dependency graph. A single node represents a package, and therefore
+      has a reference into the list with package coordinates. It can, however, happen that packages occur multiple
+      times in the graph if they are in different subtrees with different sets of transitive dependencies. Then there
+      are multiple nodes for the packages affected, and a fragment_index is used to identify them uniquely. Nodes also
+      store information about issues of a package and their linkage.
+    - edges: Here the structure of the graph comes in. Each edge connects two nodes and represents a directed
+      depends-on relationship. The nodes are referenced by numeric indices into the list of nodes.
+    - scopes: This is a map that associates the scopes used by projects with their direct dependencies. A single
+      dependency graph contains the dependencies of all the projects processed by a specific package manager.
+      Therefore, the keys of this map are scope names qualified by the coordinates of a project; which makes them
+      unique. The values are references to the nodes in the graph that correspond to the packages the scopes depend on
+      directly.
+
+    To navigate this structure, start with a scope and gather the references to its direct dependency nodes. Then, by
+    following the edges starting from these nodes, the set of transitive dependencies can be determined. The numeric
+    indices can be resolved via the packages list.
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+    )
+
+    packages: list[Identifier] = Field(
+        default_factory=list,
+        description="A list with the identifiers of the packages that appear in the dependency graph. This list is "
+        "used to resolve the numeric indices contained in the dependency_graph_node objects.",
+    )
+
+    scope_roots: set[DependencyReference] = Field(
+        default_factory=set,
+        description="Stores the dependency graph as a list of root nodes for the direct dependencies referenced by "
+        "scopes. Starting with these nodes, the whole graph can be traversed. The nodes are constructed "
+        "from the direct dependencies declared by scopes that cannot be reached via other paths in the "
+        "dependency graph. Note that this property exists for backwards compatibility only; it is replaced "
+        "by the lists of nodes and edges.",
+    )
+
+    scopes: dict[str, list[RootDependencyIndex]] = Field(
+        default_factory=dict,
+        description="A mapping from scope names to the direct dependencies of the scopes. Based on this information, "
+        "the set of scopes of a project can be constructed from the serialized form.",
+    )
+
+    nodes: list[DependencyGraphNode] = Field(
+        default_factory=list,
+        description="A list with the nodes of this dependency graph. Nodes correspond to packages, but in contrast to "
+        "the packages list, there can be multiple nodes for a single package. The order of nodes in this "
+        "list is relevant; the edges of the graph reference their nodes by numeric indices.",
+    )
+
+    edges: set[DependencyGraphEdge] = Field(
+        default_factory=set,
+        description="A set with the edges of this dependency graph. By traversing the edges, the dependencies of "
+        "packages can be determined.",
+    )
+
+    @field_validator("edges", mode="before")
+    @classmethod
+    def sort_and_set_edges(cls, v):
+        if v is None:
+            return set()
+
+        return {DependencyGraphEdge.model_validate(e) for e in v}

python_ort-0.6.0/src/ort/models/dependency_graph_edge.py

@@ -0,0 +1,30 @@
+# SPDX-FileCopyrightText: 2025 Helio Chissini de Castro <heliocastro@gmail.com>
+# SPDX-License-Identifier: MIT
+
+
+from pydantic import BaseModel, ConfigDict, Field
+
+
+class DependencyGraphEdge(BaseModel):
+    """
+    A data class representing an edge in the dependency graph.
+
+    An edge corresponds to a directed depends-on relationship between two packages. The packages are identified by the
+    numeric indices into the list of nodes.
+    """
+
+    model_config = ConfigDict(
+        extra="forbid",
+        frozen=True,
+    )
+
+    from_: int = Field(
+        ...,
+        alias="from",
+        description="The index of the source node of this edge.",
+    )
+    to_: int = Field(
+        ...,
+        alias="to",
+        description="The index of the destination node of this edge.",
+    )