PyPI - spdx-diff - Versions diffs - 1.0.0__tar.gz - Mend

spdx-diff 1.0.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

spdx_diff-1.0.0/.github/workflows/test.yaml +63 -0
spdx_diff-1.0.0/.gitignore +56 -0
spdx_diff-1.0.0/CHANGELOG.md +34 -0
spdx_diff-1.0.0/INSTALL.md +77 -0
spdx_diff-1.0.0/LICENSE +21 -0
spdx_diff-1.0.0/PKG-INFO +233 -0
spdx_diff-1.0.0/README.md +209 -0
spdx_diff-1.0.0/pyproject.toml +116 -0
spdx_diff-1.0.0/src/spdx_diff/__init__.py +4 -0
spdx_diff-1.0.0/src/spdx_diff/cli.py +627 -0
spdx_diff-1.0.0/tests/conftest.py +48 -0
spdx_diff-1.0.0/tests/helper.py +149 -0
spdx_diff-1.0.0/tests/test_kernel.py +52 -0
spdx_diff-1.0.0/tests/test_package.py +65 -0
spdx_diff-1.0.0/tests/test_packageconfig.py +19 -0

spdx_diff-1.0.0/.github/workflows/test.yaml ADDED Viewed

@@ -0,0 +1,63 @@
+---
+name: Test sbom-cve-check
+on:
+  - pull_request
+  - workflow_dispatch
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version:
+          - "3.10"
+          - "3.11"
+          - "3.14"
+    steps:
+      - uses: actions/checkout@v5
+      - name: Checkout meta-spdx-diff-test for tests
+        uses: actions/checkout@v5
+        with:
+          repository: bootlin/meta-spdx-diff-test
+          path: meta-spdx-diff-test
+      - name: Setup Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install build
+      - name: Build package
+        run: |
+          python -m build
+      - name: Install package
+        run: |
+          pip install -e .
+      - name: Install test dependencies
+        run: |
+          pip install --group test
+      - name: Run tests
+        env:
+          SPDX_DIFF_SBOM_DATA: ${{ github.workspace }}/meta-spdx-diff-test/sbom-data
+        working-directory: tests
+        run: |
+          pytest -v
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v5
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.10"
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -e .
+          pip install --group lint --group test
+      - name: Run mypy
+        run: |
+          mypy src tests
+      - uses: astral-sh/ruff-action@v3

spdx_diff-1.0.0/.gitignore ADDED Viewed

@@ -0,0 +1,56 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+# PyInstaller
+*.manifest
+*.spec
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+# Virtual environments
+venv/
+ENV/
+env/
+.venv
+# IDEs
+.vscode/
+.idea/
+*.swp
+*.swo
+*~

spdx_diff-1.0.0/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,34 @@
+# Changelog
+All notable changes to this project will be documented in this file.
+## [Unreleased]
+### Added
+### Changed
+### Fixed
+### Removed
+## [1.0.0] - 2026-02-12
+### Added
+- Initial stable release of spdx-diff
+---
+## Release Information
+- **Version:** 1.0.0
+- **Release Date:** 2026-02-12
+- **Status:** Stable
+- **Breaking Changes:** None (initial release)
+This is the first stable release of spdx-diff.
+---
+<!-- Links -->
+[unreleased]: https://github.com/bootlin/spdx-diff/compare/v1.0.0...HEAD
+[1.0.0]: https://github.com/bootlin/spdx-diff/releases/tag/v1.0.0

spdx_diff-1.0.0/INSTALL.md ADDED Viewed

@@ -0,0 +1,77 @@
+# Installation
+## Method 1: Quick Install (System-wide)
+```bash
+cd spdx-diff
+pip install . --break-system-packages
+```
+**Use for:** Quick testing, single-user systems
+---
+## Method 2: Virtual Environment (Recommended)
+```bash
+cd spdx-diff
+# Create virtual environment
+python3 -m venv .venv
+# Activate
+source .venv/bin/activate
+# Install
+pip install -e .
+# Use the tool
+spdx-diff --help
+# When done
+deactivate
+```
+**Use for:** Development, multiple projects, safety
+**Note:** The `-e` flag allows code changes to take effect immediately without reinstalling.
+---
+## Usage
+After installation:
+```bash
+# Show help
+spdx-diff --help
+# Compare two SPDX files
+spdx-diff reference.json new.json
+# Show summary only
+spdx-diff reference.json new.json --summary
+# JSON output for automation
+spdx-diff reference.json new.json --format json --output results.json
+```
+See `README.md` for full documentation.
+---
+## Uninstall
+**System-wide:**
+```bash
+pip uninstall spdx-diff
+```
+**Virtual environment:**
+```bash
+source .venv/bin/activate
+pip uninstall spdx-diff
+deactivate
+```
+Or simply delete the `.venv/` directory.

spdx_diff-1.0.0/LICENSE ADDED Viewed

@@ -0,0 +1,21 @@
+GPL-2.0 License
+Copyright (c) 2025 Schneider Electric
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+You should have received a copy of the GNU General Public License along
+with this program; if not, write to the Free Software Foundation, Inc.,
+51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+---
+For the full license text, see: https://www.gnu.org/licenses/old-licenses/gpl-2.0.html

spdx_diff-1.0.0/PKG-INFO ADDED Viewed

@@ -0,0 +1,233 @@
+Metadata-Version: 2.4
+Name: spdx-diff
+Version: 1.0.0
+Summary: SPDX3 SBOM comparison tool for packages, kernel config, and PACKAGECONFIG
+Project-URL: Repository, https://github.com/bootlin/spdx-diff
+Project-URL: Documentation, https://github.com/bootlin/spdx-diff/blob/main/README.md
+Project-URL: Bug Tracker, https://github.com/bootlin/spdx-diff/issues
+Project-URL: Changelog, https://github.com/bootlin/spdx-diff/blob/main/CHANGELOG.md
+Author-email: Kamel BOUHARA <kamel.bouhara@bootlin.com>
+License: GPL-2.0
+License-File: LICENSE
+Keywords: embedded,kernel,linux,packageconfig,sbom,spdx,yocto
+Classifier: Development Status :: 5 - Production/Stable
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Classifier: Topic :: Software Development :: Build Tools
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+SPDX3 Diff Tool
+===============
+Overview
+--------
+This tool compares two SPDX3 JSON documents and reports differences in:
+- Software packages (name + version)
+- Kernel configuration parameters (CONFIG_*)
+- PACKAGECONFIG entries per package
+It produces both human-readable output (console) and a structured JSON diff file.
+Usage
+-----
+```bash
+./spdx-diff reference.json new.json [OPTIONS]
+```
+Required arguments:
+  - `reference`: Path to the baseline SPDX3 JSON file.
+  - `new`: Path to the newer SPDX3 JSON file.
+Optional arguments:
+  - `--full`: For console output, always show section names (added, removed,
+    changed) even if there is no difference.
+  - `--output <file>`: Save diff results to the given JSON file.
+    Default: `spdx_diff_<timestamp>.json`
+  - `--ignore-proprietary`: Ignore packages with LicenseRef-Proprietary.
+  - `--summary`: Show only summary statistics without detailed differences.
+  - `--format {text,json,both}`: Control output format:
+    - `text`: Console output only (no JSON file)
+    - `json`: JSON file only (silent mode for automation)
+    - `both`: Both console and JSON output (**default**)
+Output filtering - change type:
+  - `--show-added`: Show only added items.
+  - `--show-removed`: Show only removed items.
+  - `--show-changed`: Show only changed items.
+Output filtering - category:
+  - `--show-packages`: Show only package differences.
+  - `--show-config`: Show only kernel config differences.
+  - `--show-packageconfig`: Show only PACKAGECONFIG differences.
+Output
+------
+The script prints differences grouped into three sections:
+1. Packages
+   - Added packages
+   - Removed packages
+   - Changed versions
+2. Kernel Config (CONFIG_*)
+   - Added options
+   - Removed options
+   - Modified options
+3. PACKAGECONFIG (per package)
+   - Packages with added PACKAGECONFIG entries
+   - Packages with removed PACKAGECONFIG entries
+   - Packages with changed feature configurations
+   - Shows package name and associated features
+Symbols:
+  + added
+  - removed
+  ~ changed
+Summary Mode
+------------
+When using --summary, the tool displays aggregate statistics:
+```
+SPDX-Diff Summary:
+Packages:
+  Added:   5
+  Removed: 2
+  Changed: 3
+Kernel Config:
+  Added:   10
+  Removed: 3
+  Changed: 7
+PACKAGECONFIG:
+  Features Added:   12
+  Features Removed: 4
+  Features Changed: 6
+```
+JSON Diff File
+--------------
+The output file (default: spdx_diff_<timestamp>.json) contains a structured diff:
+```json
+{
+  "package_diff": {
+    "added": { "pkgA": "1.2.3" },
+    "removed": { "pkgB": "4.5.6" },
+    "changed": { "pkgC": { "from": "1.0", "to": "2.0" } }
+  },
+  "kernel_config_diff": {
+    "added": { "CONFIG_XYZ": "y" },
+    "removed": { "CONFIG_ABC": "n" },
+    "changed": { "CONFIG_DEF": { "from": "m", "to": "y" } }
+  },
+  "packageconfig_diff": {
+    "added": {
+      "xz": { "doc": "enabled" }
+    },
+    "removed": {
+      "old-package": { "feature1": "disabled" }
+    },
+    "changed": {
+      "zstd-native": {
+        "added": { "zlib": "enabled" },
+        "removed": { "lz4": "disabled" },
+        "changed": {
+          "doc": { "from": "disabled", "to": "enabled" }
+        }
+      }
+    }
+  }
+}
+```
+PACKAGECONFIG Structure
+-----------------------
+PACKAGECONFIG entries are tracked per package, showing which features are
+enabled/disabled for each specific package:
+Console output example:
+```
+PACKAGECONFIG - Changed Packages:
+ ~ xz:
+     + doc: enabled
+ ~ zstd-native:
+     ~ lz4: disabled -> enabled
+     - lzma: disabled
+```
+This shows:
+- xz package: doc feature was added and enabled
+- zstd-native package: lz4 changed from disabled to enabled, lzma was removed
+Logging
+-------
+The script uses Python's logging module:
+```
+  INFO     Normal operations (file opened, counts, etc.)
+  WARNING  Missing sections (no build_Build objects found)
+  ERROR    Invalid input or format issues
+```
+Examples
+--------
+### Basic comparison with both console and JSON output:
+    ./spdx-diff reference.json new.json
+### Full details with proprietary packages excluded:
+    ./spdx-diff reference.json new.json --ignore-proprietary --full
+### Quick summary check:
+    ./spdx-diff reference.json new.json --summary
+### Silent mode for CI/CD (JSON output only):
+    ./spdx-diff reference.json new.json --format json --output results.json
+### Console output only (no JSON file):
+    ./spdx-diff reference.json new.json --format text --full
+### Show only changed packages:
+    ./spdx-diff reference.json new.json --show-packages --show-changed
+### Show only added packages:
+    ./spdx-diff reference.json new.json --show-packages --show-added
+### Show only kernel config changes:
+    ./spdx-diff reference.json new.json --show-config --show-changed
+### Show added and changed items across all categories:
+    ./spdx-diff reference.json new.json --show-added --show-changed
+### Show only PACKAGECONFIG differences:
+    ./spdx-diff reference.json new.json --show-packageconfig
+Console output example:
+```
+Packages - Added:
+ + libfoo: 2.0
+Packages - Changed:
+ ~ zlib: 1.2.11 -> 1.2.13
+Kernel Config - Removed:
+ - CONFIG_OLD_FEATURE
+PACKAGECONFIG - Added Packages:
+ + newpkg:
+     gtk: enabled
+     doc: disabled
+PACKAGECONFIG - Changed Packages:
+ ~ xz:
+     + lzma: enabled
+```

spdx_diff-1.0.0/README.md ADDED Viewed

@@ -0,0 +1,209 @@
+SPDX3 Diff Tool
+===============
+Overview
+--------
+This tool compares two SPDX3 JSON documents and reports differences in:
+- Software packages (name + version)
+- Kernel configuration parameters (CONFIG_*)
+- PACKAGECONFIG entries per package
+It produces both human-readable output (console) and a structured JSON diff file.
+Usage
+-----
+```bash
+./spdx-diff reference.json new.json [OPTIONS]
+```
+Required arguments:
+  - `reference`: Path to the baseline SPDX3 JSON file.
+  - `new`: Path to the newer SPDX3 JSON file.
+Optional arguments:
+  - `--full`: For console output, always show section names (added, removed,
+    changed) even if there is no difference.
+  - `--output <file>`: Save diff results to the given JSON file.
+    Default: `spdx_diff_<timestamp>.json`
+  - `--ignore-proprietary`: Ignore packages with LicenseRef-Proprietary.
+  - `--summary`: Show only summary statistics without detailed differences.
+  - `--format {text,json,both}`: Control output format:
+    - `text`: Console output only (no JSON file)
+    - `json`: JSON file only (silent mode for automation)
+    - `both`: Both console and JSON output (**default**)
+Output filtering - change type:
+  - `--show-added`: Show only added items.
+  - `--show-removed`: Show only removed items.
+  - `--show-changed`: Show only changed items.
+Output filtering - category:
+  - `--show-packages`: Show only package differences.
+  - `--show-config`: Show only kernel config differences.
+  - `--show-packageconfig`: Show only PACKAGECONFIG differences.
+Output
+------
+The script prints differences grouped into three sections:
+1. Packages
+   - Added packages
+   - Removed packages
+   - Changed versions
+2. Kernel Config (CONFIG_*)
+   - Added options
+   - Removed options
+   - Modified options
+3. PACKAGECONFIG (per package)
+   - Packages with added PACKAGECONFIG entries
+   - Packages with removed PACKAGECONFIG entries
+   - Packages with changed feature configurations
+   - Shows package name and associated features
+Symbols:
+  + added
+  - removed
+  ~ changed
+Summary Mode
+------------
+When using --summary, the tool displays aggregate statistics:
+```
+SPDX-Diff Summary:
+Packages:
+  Added:   5
+  Removed: 2
+  Changed: 3
+Kernel Config:
+  Added:   10
+  Removed: 3
+  Changed: 7
+PACKAGECONFIG:
+  Features Added:   12
+  Features Removed: 4
+  Features Changed: 6
+```
+JSON Diff File
+--------------
+The output file (default: spdx_diff_<timestamp>.json) contains a structured diff:
+```json
+{
+  "package_diff": {
+    "added": { "pkgA": "1.2.3" },
+    "removed": { "pkgB": "4.5.6" },
+    "changed": { "pkgC": { "from": "1.0", "to": "2.0" } }
+  },
+  "kernel_config_diff": {
+    "added": { "CONFIG_XYZ": "y" },
+    "removed": { "CONFIG_ABC": "n" },
+    "changed": { "CONFIG_DEF": { "from": "m", "to": "y" } }
+  },
+  "packageconfig_diff": {
+    "added": {
+      "xz": { "doc": "enabled" }
+    },
+    "removed": {
+      "old-package": { "feature1": "disabled" }
+    },
+    "changed": {
+      "zstd-native": {
+        "added": { "zlib": "enabled" },
+        "removed": { "lz4": "disabled" },
+        "changed": {
+          "doc": { "from": "disabled", "to": "enabled" }
+        }
+      }
+    }
+  }
+}
+```
+PACKAGECONFIG Structure
+-----------------------
+PACKAGECONFIG entries are tracked per package, showing which features are
+enabled/disabled for each specific package:
+Console output example:
+```
+PACKAGECONFIG - Changed Packages:
+ ~ xz:
+     + doc: enabled
+ ~ zstd-native:
+     ~ lz4: disabled -> enabled
+     - lzma: disabled
+```
+This shows:
+- xz package: doc feature was added and enabled
+- zstd-native package: lz4 changed from disabled to enabled, lzma was removed
+Logging
+-------
+The script uses Python's logging module:
+```
+  INFO     Normal operations (file opened, counts, etc.)
+  WARNING  Missing sections (no build_Build objects found)
+  ERROR    Invalid input or format issues
+```
+Examples
+--------
+### Basic comparison with both console and JSON output:
+    ./spdx-diff reference.json new.json
+### Full details with proprietary packages excluded:
+    ./spdx-diff reference.json new.json --ignore-proprietary --full
+### Quick summary check:
+    ./spdx-diff reference.json new.json --summary
+### Silent mode for CI/CD (JSON output only):
+    ./spdx-diff reference.json new.json --format json --output results.json
+### Console output only (no JSON file):
+    ./spdx-diff reference.json new.json --format text --full
+### Show only changed packages:
+    ./spdx-diff reference.json new.json --show-packages --show-changed
+### Show only added packages:
+    ./spdx-diff reference.json new.json --show-packages --show-added
+### Show only kernel config changes:
+    ./spdx-diff reference.json new.json --show-config --show-changed
+### Show added and changed items across all categories:
+    ./spdx-diff reference.json new.json --show-added --show-changed
+### Show only PACKAGECONFIG differences:
+    ./spdx-diff reference.json new.json --show-packageconfig
+Console output example:
+```
+Packages - Added:
+ + libfoo: 2.0
+Packages - Changed:
+ ~ zlib: 1.2.11 -> 1.2.13
+Kernel Config - Removed:
+ - CONFIG_OLD_FEATURE
+PACKAGECONFIG - Added Packages:
+ + newpkg:
+     gtk: enabled
+     doc: disabled
+PACKAGECONFIG - Changed Packages:
+ ~ xz:
+     + lzma: enabled
+```