feat: SPDX 2.3 support (#1311)

anchore · Nov 18, 2022 · 42cb0a4 · 42cb0a4
1 parent 0c4b99c
commit 42cb0a4
Show file tree

Hide file tree

Showing 71 changed files with 892 additions and 1,339 deletions.
diff --git a/cmd/syft/cli/attest/attest.go b/cmd/syft/cli/attest/attest.go
@@ -40,7 +40,7 @@ import (
 	"github.com/anchore/syft/syft"
 	"github.com/anchore/syft/syft/event"
 	"github.com/anchore/syft/syft/formats/cyclonedxjson"
-	"github.com/anchore/syft/syft/formats/spdx22json"
+	"github.com/anchore/syft/syft/formats/spdxjson"
 	"github.com/anchore/syft/syft/formats/syftjson"
 	"github.com/anchore/syft/syft/sbom"
 	"github.com/anchore/syft/syft/source"
@@ -49,7 +49,7 @@ import (
 var (
 	allowedAttestFormats = []sbom.FormatID{
 		syftjson.ID,
-		spdx22json.ID,
+		spdxjson.ID,
 		cyclonedxjson.ID,
 	}
 
@@ -356,7 +356,7 @@ func uploadAttestation(app *config.Application, signedPayload []byte, digest nam
 
 func formatPredicateType(format sbom.Format) string {
 	switch format.ID() {
-	case spdx22json.ID:
+	case spdxjson.ID:
 		return in_toto.PredicateSPDX
 	case cyclonedxjson.ID:
 		return in_toto.PredicateCycloneDX

diff --git a/cmd/syft/cli/options/format.go b/cmd/syft/cli/options/format.go
@@ -4,8 +4,8 @@ import (
 	"github.com/anchore/syft/syft/formats/cyclonedxjson"
 	"github.com/anchore/syft/syft/formats/cyclonedxxml"
 	"github.com/anchore/syft/syft/formats/github"
-	"github.com/anchore/syft/syft/formats/spdx22json"
-	"github.com/anchore/syft/syft/formats/spdx22tagvalue"
+	"github.com/anchore/syft/syft/formats/spdxjson"
+	"github.com/anchore/syft/syft/formats/spdxtagvalue"
 	"github.com/anchore/syft/syft/formats/syftjson"
 	"github.com/anchore/syft/syft/formats/table"
 	"github.com/anchore/syft/syft/formats/text"
@@ -21,9 +21,9 @@ func FormatAliases(ids ...sbom.FormatID) (aliases []string) {
 			aliases = append(aliases, "text")
 		case table.ID:
 			aliases = append(aliases, "table")
-		case spdx22json.ID:
+		case spdxjson.ID:
 			aliases = append(aliases, "spdx-json")
-		case spdx22tagvalue.ID:
+		case spdxtagvalue.ID:
 			aliases = append(aliases, "spdx-tag-value")
 		case cyclonedxxml.ID:
 			aliases = append(aliases, "cyclonedx-xml")

diff --git a/go.mod b/go.mod
@@ -32,7 +32,7 @@ require (
 	github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e
 	github.com/sergi/go-diff v1.2.0
 	github.com/sirupsen/logrus v1.9.0
-	github.com/spdx/tools-golang v0.2.0
+	github.com/spdx/tools-golang v0.3.1-0.20221108182156-8a01147e6342
 	github.com/spf13/afero v1.8.2
 	github.com/spf13/cobra v1.6.0
 	github.com/spf13/pflag v1.0.5

diff --git a/go.sum b/go.sum
@@ -1817,8 +1817,8 @@ github.com/sony/gobreaker v0.4.1/go.mod h1:ZKptC7FHNvhBz7dN2LGjPVBz2sZJmc0/PkyDJ
 github.com/sourcegraph/go-diff v0.6.1/go.mod h1:iBszgVvyxdc8SFZ7gm69go2KDdt3ag071iBaWPF6cjs=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
-github.com/spdx/tools-golang v0.2.0 h1:KBNcw7xvVycRWeCWZK/5xQJA+plymW1+rTCs8ekJDro=
-github.com/spdx/tools-golang v0.2.0/go.mod h1:RO4Y3IFROJnz+43JKm1YOrbtgQNljW4gAPpA/sY2eqo=
+github.com/spdx/tools-golang v0.3.1-0.20221108182156-8a01147e6342 h1:6uvaOTv4GeRqQV6O1/znbpziqhctMRLTy3OGeZrNMic=
+github.com/spdx/tools-golang v0.3.1-0.20221108182156-8a01147e6342/go.mod h1:VHzvNsKAfAGqs4ZvwRL+7a0dNsL20s7lGui4K9C0xQM=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=

diff --git a/syft/formats.go b/syft/formats.go
@@ -5,8 +5,8 @@ import (
 	"github.com/anchore/syft/syft/formats/cyclonedxjson"
 	"github.com/anchore/syft/syft/formats/cyclonedxxml"
 	"github.com/anchore/syft/syft/formats/github"
-	"github.com/anchore/syft/syft/formats/spdx22json"
-	"github.com/anchore/syft/syft/formats/spdx22tagvalue"
+	"github.com/anchore/syft/syft/formats/spdxjson"
+	"github.com/anchore/syft/syft/formats/spdxtagvalue"
 	"github.com/anchore/syft/syft/formats/syftjson"
 	"github.com/anchore/syft/syft/formats/table"
 	"github.com/anchore/syft/syft/formats/template"
@@ -23,8 +23,8 @@ const (
 	CycloneDxXMLFormatID  = cyclonedxxml.ID
 	CycloneDxJSONFormatID = cyclonedxjson.ID
 	GitHubFormatID        = github.ID
-	SPDXTagValueFormatID  = spdx22tagvalue.ID
-	SPDXJSONFormatID      = spdx22json.ID
+	SPDXTagValueFormatID  = spdxtagvalue.ID
+	SPDXJSONFormatID      = spdxjson.ID
 	TemplateFormatID      = template.ID
 )
 

diff --git a/syft/formats/common/spdxhelpers/document_namespace.go b/syft/formats/common/spdxhelpers/document_namespace.go
@@ -11,6 +11,12 @@ import (
 	"github.com/anchore/syft/syft/source"
 )
 
+const (
+	inputImage     = "image"
+	inputDirectory = "dir"
+	inputFile      = "file"
+)
+
 func DocumentNameAndNamespace(srcMetadata source.Metadata) (string, string) {
 	name := DocumentName(srcMetadata)
 	return name, DocumentNamespace(name, srcMetadata)
@@ -20,11 +26,11 @@ func DocumentNamespace(name string, srcMetadata source.Metadata) string {
 	input := "unknown-source-type"
 	switch srcMetadata.Scheme {
 	case source.ImageScheme:
-		input = "image"
+		input = inputImage
 	case source.DirectoryScheme:
-		input = "dir"
+		input = inputDirectory
 	case source.FileScheme:
-		input = "file"
+		input = inputFile
 	}
 
 	uniqueID := uuid.Must(uuid.NewRandom())

diff --git a/syft/formats/common/spdxhelpers/external_ref.go b/syft/formats/common/spdxhelpers/external_ref.go
@@ -4,7 +4,7 @@ type ReferenceCategory string
 
 const (
 	SecurityReferenceCategory       ReferenceCategory = "SECURITY"
-	PackageManagerReferenceCategory ReferenceCategory = "PACKAGE_MANAGER"
+	PackageManagerReferenceCategory ReferenceCategory = "PACKAGE-MANAGER"
 	OtherReferenceCategory          ReferenceCategory = "OTHER"
 )
 

diff --git a/syft/formats/common/spdxhelpers/originator_test.go b/syft/formats/common/spdxhelpers/originator_test.go
@@ -109,7 +109,11 @@ func Test_Originator(t *testing.T) {
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			assert.Equal(t, test.expected, Originator(test.input))
+			typ, value := Originator(test.input)
+			if typ != "" {
+				value = typ + ": " + value
+			}
+			assert.Equal(t, test.expected, value)
 		})
 	}
 }
diff --git a/syft/formats/common/spdxhelpers/origintor.go b/syft/formats/common/spdxhelpers/origintor.go
@@ -9,9 +9,11 @@ import (
 // Originator needs to conform to the SPDX spec here:
 // https://spdx.github.io/spdx-spec/package-information/#76-package-originator-field
 // Available options are: <omit>, NOASSERTION, Person: <person>, Organization: <org>
-func Originator(p pkg.Package) string {
+// return values are: <type>, <value>
+func Originator(p pkg.Package) (string, string) {
+	typ := ""
+	author := ""
 	if hasMetadata(p) {
-		author := ""
 		switch metadata := p.Metadata.(type) {
 		case pkg.ApkMetadata:
 			author = metadata.Maintainer
@@ -29,13 +31,14 @@ func Originator(p pkg.Package) string {
 				author = metadata.Authors[0]
 			}
 		case pkg.RpmMetadata:
-			return "Organization: " + metadata.Vendor
+			typ = "Organization"
+			author = metadata.Vendor
 		case pkg.DpkgMetadata:
 			author = metadata.Maintainer
 		}
-		if author != "" {
-			return "Person: " + author
+		if typ == "" && author != "" {
+			typ = "Person"
 		}
 	}
-	return ""
+	return typ, author
 }