From 67888ee855ad37948bfee98e3aa7d592b4f91e95 Mon Sep 17 00:00:00 2001
From: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Date: Fri, 18 Nov 2022 09:45:18 -0500
Subject: [PATCH] 1111 clean name bug (#1347)
---
 .../common/spdxhelpers/document_name.go | 20 +++---------------
 .../common/spdxhelpers/document_name_test.go | 2 +-
 .../common/spdxhelpers/document_namespace.go | 12 +++++++++++
 syft/formats/spdxtagvalue/encoder_test.go | 1 +
 .../snapshot/TestSPDXJSONSPDXIDs.golden | 6 +++---
 .../TestSPDXTagValueDirectoryEncoder.golden | 4 ++--
 .../TestSPDXTagValueImageEncoder.golden | 4 ++--
 .../stereoscope-fixture-image-simple.golden | Bin 15360 -> 15360 bytes
 8 files changed, 24 insertions(+), 25 deletions(-)
diff --git a/syft/formats/common/spdxhelpers/document_name.go b/syft/formats/common/spdxhelpers/document_name.go
index 2545b14f9ea..8967117e919 100644
--- a/syft/formats/common/spdxhelpers/document_name.go
+++ b/syft/formats/common/spdxhelpers/document_name.go
@@ -1,34 +1,20 @@
 package spdxhelpers
 import (
- "path"
- "strings"
-
 "github.com/anchore/syft/syft/source"
 )
 func DocumentName(srcMetadata source.Metadata) string {
 if srcMetadata.Name != "" {
- return cleanName(srcMetadata.Name)
+ return srcMetadata.Name
 }
 switch srcMetadata.Scheme {
 case source.ImageScheme:
- return cleanName(srcMetadata.ImageMetadata.UserInput)
+ return srcMetadata.ImageMetadata.UserInput
 case source.DirectoryScheme, source.FileScheme:
- return cleanName(srcMetadata.Path)
+ return srcMetadata.Path
 default:
 return "unknown"
 }
 }
-
-func cleanName(name string) string {
- // remove # according to specification
- name = strings.ReplaceAll(name, "#", "-")
-
- // remove : for url construction
- name = strings.ReplaceAll(name, ":", "-")
-
- // clean relative pathing
- return path.Clean(name)
-}
diff --git a/syft/formats/common/spdxhelpers/document_name_test.go b/syft/formats/common/spdxhelpers/document_name_test.go
index 6f4392d2981..cc1944247c2 100644
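Review bot: With `cleanName` removed from `DocumentName`, the `source.DirectoryScheme, source.FileScheme` branch now returns an empty string when `srcMetadata.Path` is empty, and the `source.ImageScheme` branch does the same for an empty `UserInput`. Before this change `path.Clean("")` turned that case into `.`, which is what the removed golden line `DocumentName: .` recorded; the commit sidesteps it by giving the test a `Path` instead of handling it. SPDX 2.3 treats the document name as mandatory, so an empty value should fall through to the existing `"unknown"` default, as sketched below. The name is now also passed through verbatim from user-controlled input, so the exported function deserves a doc comment stating that the value is not sanitized and that each encoder (not visible here) is responsible for escaping it for its own format.

```go
func DocumentName(srcMetadata source.Metadata) string {
	// … unchanged: early return when srcMetadata.Name is set …

	var name string
	switch srcMetadata.Scheme {
	case source.ImageScheme:
		name = srcMetadata.ImageMetadata.UserInput
	case source.DirectoryScheme, source.FileScheme:
		name = srcMetadata.Path
	}
	if name == "" {
		// the SPDX document name is mandatory; never emit an empty one
		return "unknown"
	}
	return name
}
```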
--- a/syft/formats/common/spdxhelpers/document_name_test.go
+++ b/syft/formats/common/spdxhelpers/document_name_test.go
@@ -35,7 +35,7 @@ func Test_DocumentName(t *testing.T) {
 ManifestDigest: "digest",
 },
 },
- expected: "image-repo/name-tag",
+ expected: "image-repo/name:tag",
 },
 {
 name: "directory",
diff --git a/syft/formats/common/spdxhelpers/document_namespace.go b/syft/formats/common/spdxhelpers/document_namespace.go
index f4ad43f8086..c2a2bd1296c 100644
--- a/syft/formats/common/spdxhelpers/document_namespace.go
+++ b/syft/formats/common/spdxhelpers/document_namespace.go
@@ -4,6 +4,7 @@ import (
 "fmt"
 "net/url"
 "path"
+ "strings"
 "github.com/google/uuid"
@@ -23,6 +24,7 @@ func DocumentNameAndNamespace(srcMetadata source.Metadata) (string, string) {
 }
 func DocumentNamespace(name string, srcMetadata source.Metadata) string {
+ name = cleanName(name)
 input := "unknown-source-type"
 switch srcMetadata.Scheme {
 case source.ImageScheme:
@@ -47,3 +49,13 @@ func DocumentNamespace(name string, srcMetadata source.Metadata) string {
 return u.String()
 }
+
+// see: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#65-spdx-document-namespace-field
+func cleanName(name string) string {
+ // remove # according to specification
+ name = strings.ReplaceAll(name, "#", "-")
+ // remove : for url construction
+ name = strings.ReplaceAll(name, ":", "-")
+ // clean relative pathing
+ return path.Clean(name)
+}
diff --git a/syft/formats/spdxtagvalue/encoder_test.go b/syft/formats/spdxtagvalue/encoder_test.go
index 79f606ebd0c..55f00120786 100644
--- a/syft/formats/spdxtagvalue/encoder_test.go
+++ b/syft/formats/spdxtagvalue/encoder_test.go
@@ -52,6 +52,7 @@ func TestSPDXJSONSPDXIDs(t *testing.T) {
 Relationships: nil,
 Source: source.Metadata{
 Scheme: source.DirectoryScheme,
+ Path: "foobar/baz", // in this case, foobar is used as the spdx docment name
 },
 Descriptor: sbom.Descriptor{
 Name: "syft",
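Review bot: `cleanName` rewrites only `#` and `:`, and `path.Clean` keeps the leading `..` elements of a relative path, so a `name` taken from a relative scan path can still carry `../` segments into the namespace. `name` derives from user-supplied input (image reference or path), and the code that joins it into the URL lies outside these hunks, so the effect on the `https://anchore.com/syft/<type>/` prefix seen in the snapshots is unconfirmed; if the join uses `path.Join`, those segments would climb out of that prefix. Rooting the value before cleaning, e.g. `return strings.TrimPrefix(path.Clean("/"+name), "/")`, removes them, provided the join tolerates the missing leading slash; a table test with `../`-prefixed names would pin the behaviour. The inline comments say "remove" where the code substitutes `-`, and the doc comment should open with the function name, for example `// cleanName makes name safe to embed in the SPDX document namespace URL: '#' and ':' become '-' and the path is normalized.`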
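Review bot: The trailing comment on the added `Path: "foobar/baz"` line says `foobar` becomes the document name, but the snapshot regenerated in this same commit records `DocumentName: foobar/baz`, i.e. the whole path is used. The comment also misspells "document". Suggested wording: `// Path is used verbatim as the SPDX document name`. The struct literal starts and ends outside the hunk.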
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden index 71ef36533ee..8acb135b908 100644 --- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden +++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden @@ -1,12 +1,12 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT -DocumentName: . -DocumentNamespace: https://anchore.com/syft/dir/b51d2446-85b4-4b22-9762-12fc135730a7 +DocumentName: foobar/baz +DocumentNamespace: https://anchore.com/syft/dir/foobar/baz-3d730196-4510-4ee4-9743-9322dd27cee7 LicenseListVersion: 3.18 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2022-11-11T19:25:16Z +Created: 2022-11-18T14:21:45Z ##### Package: @at-sign diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden index 6e2268072da..a450e019127 100644 --- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden +++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden @@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: /some/path -DocumentNamespace: https://anchore.com/syft/dir/some/path-94301cf0-21fd-481a-b555-ea767674cc93 +DocumentNamespace: https://anchore.com/syft/dir/some/path-b6078c95-5b97-462d-acb3-9e74bc9ddb43 LicenseListVersion: 3.18 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2022-11-11T19:25:16Z +Created: 2022-11-18T14:21:44Z ##### Package: package-2 diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden index 9638ebbd751..4d6a523d5ea 100644 
--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden +++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden @@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.3 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: user-image-input -DocumentNamespace: https://anchore.com/syft/image/user-image-input-258730be-7925-4ef3-9009-d9dc532d2fec +DocumentNamespace: https://anchore.com/syft/image/user-image-input-aa272d1e-8bb4-411f-a554-4c9a16ea66fb LicenseListVersion: 3.18 Creator: Organization: Anchore, Inc Creator: Tool: syft-v0.42.0-bogus -Created: 2022-11-11T19:25:16Z +Created: 2022-11-18T14:21:45Z ##### Package: package-2 
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index 0a4b4d25667754eaccaf5fe1dabb4e5a5b16005e..f902fc6aa28a96adb912012fc34d15c22edd31f8 100644 GIT binary patch literal 15360 zcmeHOZExE)5ccQ&3Xl7m*d)a_8Q6!eDbNDNQnXnItOyFeCR%ODkmRC4kpI4u>^OH zTtXA!MVhMdVEYF~z>@O;UVb)zo4W(Tl7u9TgE9k5G3Ci%$hV8`-eOVJx&)QFO4@w5 zuJU^7PrCa5{foEnULF2EEwDL`(+s{mu&c-B!moxoqckbQkQiYpmY5HTNU}1XWAD3f|AYnhu1-j|1DRit}r~oYviWxMxD*sjaa#{1NuC+aVSGz1n zlc1-S-$Uzr#iIWDrZ1uEs^w9Aw!S```~0Sywse?VP-4~oMgAF0^2Kzzhn~;iiI$hI zX8L5M==);2nEC3m=I^5Xl;tM}*-G0Nd0n2(i!2AdmVFQNKNi_^E$X#4e!A*@v4;w{ zMAIx^d_fmG@#_7BbaniAs?U5mYW7gKezwFv`+EOJu@Eu-Z#C!+E2?7VLpJsMWK@5t zcPRLps4f1-n2Kior;H0oLXrU{q)8Xz{_mO%AM3I{&8lHD0fwi#8a7L`&+F>3MvHQz z1)>F_1)>F>iUo|co?GoGQ<^GmwN=Ji<`d!^2~J_-(x55fHc;j~b6TX%xP)VsV1@M~ z;eS%#i2wC5M>_leQSd*CN!bPqx5sm`sJ^?I|A7MJ7a>Dp1Nf@Dw$~2;iccF?u1j_mWy?J)@^7rwg zD#z2p>gl*LSw6W|UKg(_+FQ#aT%zM|foaDuWgm*u>e8NOwYT-6Y=B@rbAo}G?+D*^ zULv{%{v+YPT*mXC&c3~mfHnS0zbF3NzW;CHzmWg+ax(pspZ~YmKV1XAzusrg#5U0a z(E`x|(E>ld1&p^q&Xm?LE^Sa&DTh;GXqsBhoG_Lu$~~c00zZ=qn|L9t492IalTy0T z4)T8roX?y5PePKI|MxPv&e1JN%~kf;vSD_Vr`=%6G%45(Vhm7Wu2@7{Gk-X_u8R_w zJs-~R?8ZitQkLQ*Q7vGwc)cBN=@7%;hNhwIe9CH2)fTha z65+VKIdX;lHs98b5x(r zo7A;s?NsnkE(_sf=AiBas!lcKVnVp2!lb~(h9c0tnNA$=w-Zbq91^9lA}C1}oCFzy zmBmyBN3^k6V`Bt&5~Qvq38NiX+;YjWkvIscSSp;cu#TiURn(`RHI#EAiK7V)n0gr8 zD;x;sQlsOGzWGqS1l~xkKnoO0(Pka6peQK5BwB3AkmRC4kpI4u?Krl( zL`@_c$wtGl`FcD)r<3k@Cy5P`Tr=aC@SgZ2HYUbI3u`Q6PFw4}v;qpyELBXolU90< zluLN5(D0!7gAju?_yJmcw*Twa1I#GGk{}__0U}5udC=p{q}z{}m6a}lrM8r|H`kWl zp61K8^8fVu!^gKLzdyt-!Uze*w&i|X2ju9M{IO*Gpx0U^4>5Jy_dl0E9_$6>TeQRf zGee-Y{{LO(S;L+h^dEDwegDT?ilF}uuy)dY9i=uJMQtyG=rEe@DZywiePNf;F(A;#H+Vaqhpv4-b9^N2V{jR#t$aJq6eV+0Y>M{%F0SQ3 zvxNfTfIvVXAP^9ERtO~Apv3DqFd;S+`S>*-z z;Ahtj)1;u3B1-7|z+kb$mjq@;N5{v#xe0`8^S3u#nZt|vFTJF8urJdJST*@%vN++m zZ5-I#T)LtrF!+k1o5LnXHcu}8m65p}zQ)L+{zyi^BVKb#52GT_D-T}kbyQtVYu9z| 
zwUw|bn|l8xwa|AKl^2?DF#^T6*d&}Qs%$J12o4bip&n_G<`i+2BvdkDh!vb-CKz=D zei68m9%*8M>MbQMm6FDLrDG~ERX7%es>FIHCE*Cla5jW2a#l&prNaorTHL|yg;A`c z&o?j5q27zucDG2|!@3>C|9Bn$3Gu(~y}&pMdl(bh!!xZ4C<5fIvVX zAP^Av&ml0;S?XO`{YV_=she+l{&P;(a={`0AM!tN$p3jN+>e?Ev6ENJyveAOSRiH?>0~-~qnJbPr{NgIabhiz%u5|Br<8-& zMihb=q%cf5NxV0Tb9gbt!0RYD_Q(-pcv5Hoy{mK3=F4^G&cHsp%Z-CT#^;|NC6|2- zE