
feat: use originator logic to fill supplier #1980

Merged
merged 4 commits into from
Aug 1, 2023

Conversation

spiffcs
Contributor

@spiffcs spiffcs commented Jul 31, 2023

Summary

Syft should be filling in the supplier information to meet NTIA minimum standards for SPDX SBOMs generated by the tool.

Partially Addressing #1961

There are additional refinements we can make where supplier can get its own function when we determine a good fence for when one field should specify one value vs another:

A good example:

The SPDX document identifies the package as [glibc](https://www.gnu.org/software/libc/) 
and the Package Supplier as [Red Hat](https://www.redhat.com/), 
but the [Free Software Foundation](http://www.fsf.org/) is the Package Originator.

Supplier

Identify the actual distribution source for the package/directory identified in the SPDX document. 
This might or might not be different from the originating distribution source for the package. 
The name of the Package Supplier shall be an organization or recognized author and not a web site.

Originator

If the package identified in the SPDX document originated from a different person or organization than identified as Package Supplier (see [7.5](https://spdx.github.io/spdx-spec/v2-draft/package-information/#7.5) above)

This field identifies from where or whom the package originally came. 
In some cases, a package may be created and originally distributed by a different third party than the Package Supplier of the package.

In this case NOASSERTION is returned when:

the SPDX document creator has attempted to but cannot reach a reasonable objective determination

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@github-actions

github-actions bot commented Jul 31, 2023

Benchmark Test Results

Benchmark results from the latest changes vs base branch

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs marked this pull request as ready for review July 31, 2023 19:01
@spiffcs spiffcs requested a review from a team July 31, 2023 19:14
@spiffcs spiffcs added the enhancement New feature or request label Aug 1, 2023
@spiffcs
Contributor Author

spiffcs commented Aug 1, 2023

Update the root package to have supplier as noassertion since this is a manually synthesized package as part of the source object
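As an added example (not syft's code and not part of this PR) of the rule sketched in the description and in the comment above: fill PackageSupplier from the originator when a Person or Organization is known, otherwise emit NOASSERTION, including for the root package that is synthesized from the source. The Originator and Package types are hypothetical stand-ins, and the spec's "not a web site" requirement is approximated by a URL-prefix check of my own.

```go
package main

import "strings"

// NOASSERTION is the SPDX value for "attempted to determine, but could not".
const NOASSERTION = "NOASSERTION"

// Originator is a hypothetical, simplified view of who a package came from
// (constructed for this example; not syft's own type).
type Originator struct {
	Kind string // "Person" or "Organization"
	Name string
}

// Package is a minimal stand-in for an SPDX package record. Synthesized marks
// the root package built from the source itself rather than cataloged metadata.
type Package struct {
	Name        string
	Originator  *Originator
	Synthesized bool
}

// looksLikeWebSite flags names the spec disallows as a supplier
// ("an organization or recognized author and not a web site"); heuristic only.
func looksLikeWebSite(name string) bool {
	n := strings.ToLower(name)
	return strings.HasPrefix(n, "http://") || strings.HasPrefix(n, "https://") || strings.HasPrefix(n, "www.")
}

// Supplier derives the SPDX PackageSupplier value from the originator and falls
// back to NOASSERTION for synthesized root packages or missing/unusable data,
// so the field is always populated rather than left empty.
func Supplier(p Package) string {
	if p.Synthesized || p.Originator == nil {
		return NOASSERTION
	}
	name := strings.TrimSpace(p.Originator.Name)
	if name == "" || looksLikeWebSite(name) {
		return NOASSERTION
	}
	switch p.Originator.Kind {
	case "Organization", "Person":
		return p.Originator.Kind + ": " + name
	}
	return NOASSERTION
}
```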

Contributor


was this updated intentionally?

Contributor

@kzantow kzantow left a comment


👍 -- per discussion, just add a NOASSERTION supplier to the root package

Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs merged commit 8e893df into main Aug 1, 2023
9 checks passed
@spiffcs spiffcs deleted the update-supplier-field branch August 1, 2023 21:19
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
* feat: use Originator to fill supplier for NTIA minimum
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>