Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: use originator logic to fill supplier #1980

Merged
merged 4 commits into from
Aug 1, 2023
Merged

feat: use originator logic to fill supplier #1980

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
c4fc637
feat: use Originator to fill supplier for NTIA minimum
spiffcs Jul 31, 2023
5aed0f5
chore: use correct method
spiffcs Jul 31, 2023
3adf4a9
test: update unit testing
spiffcs Jul 31, 2023
57084c1
fix: add supplier to top level package
spiffcs Aug 1, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 16 additions & 1 deletion syft/formats/common/spdxhelpers/to_format_model.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -357,7 +357,7 @@ func toPackages(catalog *pkg.Collection, sbom sbom.SBOM) (results []*spdx.Packag
// 7.6: Package Originator: may have single result for either Person or Organization,
// or NOASSERTION
// Cardinality: optional, one
PackageSupplier: nil,
PackageSupplier: toPackageSupplier(p),

PackageOriginator: toPackageOriginator(p),

Expand Down Expand Up @@ -514,6 +514,21 @@ func toPackageOriginator(p pkg.Package) *spdx.Originator {
}
}

func toPackageSupplier(p pkg.Package) *spdx.Supplier {
// this uses the Originator function for now until
// a better distinction can be made for supplier
kind, supplier := Originator(p)
if kind == "" || supplier == "" {
return &spdx.Supplier{
Supplier: NOASSERTION,
}
}
kzantow marked this conversation as resolved.
Show resolved Hide resolved
return &spdx.Supplier{
Supplier: supplier,
SupplierType: kind,
}
}

func formatSPDXExternalRefs(p pkg.Package) (refs []*spdx.PackageExternalReference) {
for _, ref := range ExternalRefs(p) {
refs = append(refs, &spdx.PackageExternalReference{
Expand Down
11 changes: 9 additions & 2 deletions syft/formats/common/spdxhelpers/to_format_model_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,12 +51,14 @@ func Test_toFormatModel(t *testing.T) {
SPDXVersion: spdx.Version,
DataLicense: spdx.DataLicense,
DocumentName: "alpine",

Packages: []*spdx.Package{
{
PackageSPDXIdentifier: "Package-pkg-1-pkg-1",
PackageName: "pkg-1",
PackageVersion: "version-1",
PackageSupplier: &spdx.Supplier{
Supplier: "NOASSERTION",
},
},
{
PackageSPDXIdentifier: "DocumentRoot-Image-alpine",
Expand Down Expand Up @@ -122,6 +124,9 @@ func Test_toFormatModel(t *testing.T) {
PackageSPDXIdentifier: "Package-pkg-1-pkg-1",
PackageName: "pkg-1",
PackageVersion: "version-1",
PackageSupplier: &spdx.Supplier{
Supplier: "NOASSERTION",
},
},
{
PackageSPDXIdentifier: "DocumentRoot-Directory-some-directory",
Expand Down Expand Up @@ -180,12 +185,14 @@ func Test_toFormatModel(t *testing.T) {
SPDXVersion: spdx.Version,
DataLicense: spdx.DataLicense,
DocumentName: "path/to/some.file",

Packages: []*spdx.Package{
{
PackageSPDXIdentifier: "Package-pkg-1-pkg-1",
PackageName: "pkg-1",
PackageVersion: "version-1",
PackageSupplier: &spdx.Supplier{
Supplier: "NOASSERTION",
},
},
{
PackageSPDXIdentifier: "DocumentRoot-File-path-to-some.file",
Expand Down
2 changes: 2 additions & 0 deletions syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
"name": "package-1",
"SPDXID": "SPDXRef-Package-python-package-1-9265397e5e15168a",
"versionInfo": "1.0.1",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from installed python package manifest file: /some/path/pkg1",
Expand All @@ -40,6 +41,7 @@
"name": "package-2",
"SPDXID": "SPDXRef-Package-deb-package-2-db4abfe497c180d3",
"versionInfo": "2.0.1",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from DPKG DB: /some/path/pkg1",
Expand Down
2 changes: 2 additions & 0 deletions syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
"name": "package-1",
"SPDXID": "SPDXRef-Package-python-package-1-125840abc1c66dd7",
"versionInfo": "1.0.1",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from installed python package manifest file: /somefile-1.txt",
Expand All @@ -40,6 +41,7 @@
"name": "package-2",
"SPDXID": "SPDXRef-Package-deb-package-2-958443e2d9304af4",
"versionInfo": "2.0.1",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from DPKG DB: /somefile-2.txt",
Expand Down
2 changes: 2 additions & 0 deletions syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
"name": "package-1",
"SPDXID": "SPDXRef-Package-python-package-1-125840abc1c66dd7",
"versionInfo": "1.0.1",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from installed python package manifest file: /somefile-1.txt",
Expand All @@ -40,6 +41,7 @@
"name": "package-2",
"SPDXID": "SPDXRef-Package-deb-package-2-958443e2d9304af4",
"versionInfo": "2.0.1",
"supplier": "NOASSERTION",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"sourceInfo": "acquired package info from DPKG DB: /somefile-2.txt",
Expand Down
Binary file modified syft/formats/spdxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
View file
Open in desktop
Binary file not shown.
3 changes: 3 additions & 0 deletions syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ FilesAnalyzed: false

PackageName: @at-sign
SPDXID: SPDXRef-Package--at-sign-3732f7a5679bdec4
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from the following paths:
Expand All @@ -30,6 +31,7 @@ PackageCopyrightText: NOASSERTION

PackageName: some/slashes
SPDXID: SPDXRef-Package-some-slashes-1345166d4801153b
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from the following paths:
Expand All @@ -41,6 +43,7 @@ PackageCopyrightText: NOASSERTION

PackageName: under_scores
SPDXID: SPDXRef-Package-under-scores-290d5c77210978c1
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from the following paths:
Expand Down
2 changes: 2 additions & 0 deletions syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951
PackageName: package-2
SPDXID: SPDXRef-Package-deb-package-2-958443e2d9304af4
PackageVersion: 2.0.1
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from DPKG DB: /somefile-2.txt
Expand All @@ -75,6 +76,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/package-2@2.0.1
PackageName: package-1
SPDXID: SPDXRef-Package-python-package-1-125840abc1c66dd7
PackageVersion: 1.0.1
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from installed python package manifest file: /somefile-1.txt
Expand Down
2 changes: 2 additions & 0 deletions syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,7 @@ FilesAnalyzed: false
PackageName: package-2
SPDXID: SPDXRef-Package-deb-package-2-db4abfe497c180d3
PackageVersion: 2.0.1
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from DPKG DB: /some/path/pkg1
Expand All @@ -34,6 +35,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/package-2@2.0.1
PackageName: package-1
SPDXID: SPDXRef-Package-python-package-1-9265397e5e15168a
PackageVersion: 1.0.1
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from installed python package manifest file: /some/path/pkg1
Expand Down
2 changes: 2 additions & 0 deletions syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951
PackageName: package-2
SPDXID: SPDXRef-Package-deb-package-2-958443e2d9304af4
PackageVersion: 2.0.1
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from DPKG DB: /somefile-2.txt
Expand All @@ -37,6 +38,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/package-2@2.0.1
PackageName: package-1
SPDXID: SPDXRef-Package-python-package-1-125840abc1c66dd7
PackageVersion: 1.0.1
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageSourceInfo: acquired package info from installed python package manifest file: /somefile-1.txt
Expand Down
Binary file modified syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
View file
Open in desktop
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

was this updated intentionally?

Binary file not shown.
Loading