
Conversation

@spiffcs
Contributor

@spiffcs spiffcs commented Feb 5, 2025

Description

This PR adds a new flag to syft called --source-supplier. This flag allows syft users to associate an optional supplier with the root component of the final document. It makes no determination about other packages cataloged by syft.

Formats updated

  • syft-json
  • spdx-json
  • cyclonedx-json
  • spdx
  • cyclonedx

The --source-supplier flag will be used to determine the supplier of the root component of the SBOM.

This allows organizations generating SBOMs who want to produce NTIA-compliant documents to assume the supplier field for software/containers they are producing.

Adds supplier to the following outputs:

spdx

go run cmd/syft/main.go -o spdx alpine:latest --source-supplier optional-supplier > test.json

##### Package: alpine

PackageName: alpine
SPDXID: SPDXRef-DocumentRoot-Image-alpine
PackageVersion: sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337
PackageSupplier: optional-supplier <-----------
PackageDownloadLocation: NOASSERTION
PrimaryPackagePurpose: CONTAINER
FilesAnalyzed: false
PackageChecksum: SHA256: 47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:oci/alpine@sha256%3A47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337?arch=arm64&tag=latest

spdx-json

go run cmd/syft/main.go -o spdx-json alpine:latest --supplier optional-supplier > test.json

  {
   "name": "alpine",
   "SPDXID": "SPDXRef-DocumentRoot-Image-alpine",
   "versionInfo": "sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337",
   "supplier": "Organization: optional-supplier", <-----------
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "checksums": [
    {
     "algorithm": "SHA256",
     "checksumValue": "47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337"
    }
   ],
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:oci/alpine@sha256%3A47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337?arch=arm64&tag=latest"
    }
   ],
   "primaryPackagePurpose": "CONTAINER"
  }

syft-json

go run cmd/syft/main.go -o json alpine:latest --supplier optional-supplier > test.json

 "source": {
  "id": "47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337",
  "name": "alpine",
  "version": "sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337",
  "supplier": "optional-supplier", <-----------
  "type": "image",
  "metadata": {
   "userInput": "alpine:latest",
   "imageID": "sha256:7ad00e65ee25911881c06b97a3e562675d255e1265ba4abadd3e906d266c1dcc",
   "manifestDigest": "sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337",
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "tags": [
    "alpine:latest"
   ],
   "imageSize": 8169605,

cyclonedx-json

Note: for cyclonedx-json we're putting supplier in two spots that the format supports. One is the top-level BOM description. The other is for the root component identified in the BOM.

- `metadata.supplier`
The organization that supplied the component that the BOM describes. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.
- `metadata.component.supplier`
The organization that supplied the component. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.

go run cmd/syft/main.go -o cyclonedx-json alpine:latest --supplier optional-supplier > test.json

  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:f6d124b0-c4ba-48dc-96a4-6b0e12d8eefe",
  "version": 1,
  "metadata": {
    "timestamp": "2025-02-07T12:54:04-05:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "[not provided]"
        }
      ]
    },
    "component": {
      "bom-ref": "327aecd176f7b31f",
      "type": "container",
      "supplier": {
        "name": "optional-supplier" <------
      },
      "name": "alpine",
      "version": "sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337"
    },
    "supplier": {
      "name": "optional-supplier" <-------
    }
  },

cyclonedx

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.6" serialNumber="urn:uuid:64f0a96d-319a-4faa-a13c-5deb1f46f8c9" version="1">
  <metadata>
    <timestamp>2025-02-07T12:59:47-05:00</timestamp>
    <tools>
      <components>
        <component type="application">
          <author>anchore</author>
          <name>syft</name>
          <version>[not provided]</version>
        </component>
      </components>
    </tools>
    <component bom-ref="327aecd176f7b31f" type="container">
      <supplier>
        <name>optional-supplier</name> <------
      </supplier>
      <name>alpine</name>
      <version>sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337</version>
    </component>
    <supplier>
      <name>optional-supplier</name> <-----
    </supplier>
  </metadata>
  <components>

Fixes

Type of change

  • New feature (non-breaking change which adds functionality)
  • Documentation (updates the documentation)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections
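The PR description above shows where the root supplier lands in spdx-json (`supplier` on the `SPDXRef-DocumentRoot-*` package, in SPDX's `Organization: <name>` form) and in cyclonedx-json (`metadata.component.supplier` and `metadata.supplier`). A consumer who wants to enforce the NTIA supplier element on SBOMs produced this way needs to read exactly those fields and nothing else. The following is an added example written for this page, not code from the syft project or from this PR: it parses both formats with only the Go standard library and reports the root supplier, failing when it is absent or NOASSERTION. The two JSON documents are constructed here to mirror the output quoted in the description (trimmed to the fields the check reads); the function names `RootSupplierSPDX` and `RootSupplierCDX` are this example's own.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed sample: an spdx-json document shaped like the --source-supplier output quoted
// in the PR description, trimmed to the fields read here. Only the root carries a supplier.
const sampleSPDXJSON = `{
  "SPDXID": "SPDXRef-DOCUMENT", "name": "alpine",
  "documentDescribes": ["SPDXRef-DocumentRoot-Image-alpine"],
  "packages": [
    {"name": "alpine", "SPDXID": "SPDXRef-DocumentRoot-Image-alpine",
     "versionInfo": "sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337",
     "supplier": "Organization: optional-supplier", "downloadLocation": "NOASSERTION"},
    {"name": "example-lib", "SPDXID": "SPDXRef-Package-example-lib", "versionInfo": "1.0.0",
     "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION"}]}`

// Constructed sample: the metadata block of the cyclonedx-json output quoted in the PR.
const sampleCDXJSON = `{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "metadata": {
    "component": {"bom-ref": "327aecd176f7b31f", "type": "container", "name": "alpine",
                  "version": "sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337",
                  "supplier": {"name": "optional-supplier"}},
    "supplier": {"name": "optional-supplier"}}, "components": []}`

type spdxDoc struct {
	DocumentDescribes []string `json:"documentDescribes"`
	Packages          []struct {
		SPDXID   string `json:"SPDXID"`
		Name     string `json:"name"`
		Supplier string `json:"supplier"`
	} `json:"packages"`
}

type cdxDoc struct {
	Metadata struct {
		Supplier  *struct{ Name string `json:"name"` } `json:"supplier"`
		Component *struct {
			Name     string                              `json:"name"`
			Supplier *struct{ Name string `json:"name"` } `json:"supplier"`
		} `json:"component"`
	} `json:"metadata"`
}

// RootSupplierSPDX returns the PackageSupplier of the package the document describes; other
// packages are ignored, matching the scope of --source-supplier. SPDX 2.x allows "Organization: <name>",
// "Person: <name>" or NOASSERTION; this check treats NOASSERTION as a failure, since the NTIA minimum
// elements call for a supplier name on the described component.
func RootSupplierSPDX(doc []byte) (string, error) {
	var d spdxDoc
	if err := json.Unmarshal(doc, &d); err != nil {
		return "", fmt.Errorf("parse spdx-json: %w", err)
	}
	roots := map[string]bool{}
	for _, id := range d.DocumentDescribes {
		roots[id] = true
	}
	for _, p := range d.Packages {
		if !roots[p.SPDXID] {
			continue
		}
		if p.Supplier == "" || p.Supplier == "NOASSERTION" {
			return "", fmt.Errorf("root package %s: supplier not asserted", p.Name)
		}
		if !strings.HasPrefix(p.Supplier, "Organization: ") && !strings.HasPrefix(p.Supplier, "Person: ") {
			return "", fmt.Errorf("root package %s: malformed supplier %q", p.Name, p.Supplier)
		}
		return p.Supplier, nil
	}
	return "", errors.New("documentDescribes names no package in the document")
}

// RootSupplierCDX returns metadata.component.supplier.name (required here) and metadata.supplier.name
// (optional: the BOM may be supplied by someone other than the component's supplier, so the two are
// returned separately rather than compared).
func RootSupplierCDX(doc []byte) (component, bom string, err error) {
	var d cdxDoc
	if err = json.Unmarshal(doc, &d); err != nil {
		return "", "", fmt.Errorf("parse cyclonedx-json: %w", err)
	}
	c := d.Metadata.Component
	if c == nil || c.Supplier == nil || strings.TrimSpace(c.Supplier.Name) == "" {
		return "", "", errors.New("no root component with metadata.component.supplier.name")
	}
	if d.Metadata.Supplier != nil {
		bom = d.Metadata.Supplier.Name
	}
	return c.Supplier.Name, bom, nil
}

func main() {
	s, err := RootSupplierSPDX([]byte(sampleSPDXJSON))
	fmt.Println("spdx-json root supplier:", s, err)
	c, b, err := RootSupplierCDX([]byte(sampleCDXJSON))
	fmt.Println("cyclonedx-json component / bom supplier:", c, b, err)
}
```

The SPDX side keys off `documentDescribes` rather than the `SPDXRef-DocumentRoot-` naming convention, so it also works on SPDX documents that were not produced by syft; the second package in the constructed sample carries NOASSERTION precisely to show that non-root packages are not consulted, which is the scope the PR description states for the flag. Running the same check on a document generated without `--source-supplier` is the fastest way to confirm that a pipeline is actually passing the flag.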

Signed-off-by: Christopher Phillips <32073428+spiffcs@users.noreply.github.com>
@github-actions github-actions bot added the json-schema Changes the json schema label Feb 5, 2025
…suport-package-supplier

* 'main' of https://github.com/anchore/syft:
  chore(deps): bump github/codeql-action from 3.28.8 to 3.28.9 (#3648)
  feat: 3626 add option enable license content; disable by default (#3631)
@spiffcs spiffcs marked this pull request as ready for review February 7, 2025 18:01
@spiffcs spiffcs changed the title feat: 1961 add support for root package supplier feat: 3098 add support for root package supplier Feb 7, 2025
@spiffcs spiffcs changed the title feat: 3098 add support for root package supplier feat: 3098 add support for user to flag root package supplier Feb 7, 2025
@spiffcs spiffcs changed the title feat: 3098 add support for user to flag root package supplier feat: 3098 add support for user to flag root package supplier and supplier inheritance Feb 7, 2025
}

// TODO: we eventually want to update this so that we can read "supplier" from different syft metadata
func encodeSupplier(_ pkg.Package, sbomSupplier string) *cyclonedx.OrganizationalEntity {
Contributor

The equivalent decoder support for this field I think is missing (getting the supplier specified in a syft doc when decoding a CycloneDX one).

Contributor

Might be worth updating the encoder-decoder cycle integration test to have a supplier specified in the source.

Contributor Author

Oh I missed this comment on my last pass. Let me get this added now.

* main: (142 commits)
  feat: detect when full license text has been provided and preserve as separate field (#3450)
  chore(deps): bump github.com/Masterminds/semver/v3 from 3.3.0 to 3.3.1 (#3843)
  chore(deps): update tools to latest versions (#3841)
  Update github.com/Masterminds/semver to v3 (#3836)
  Add support for PHP Pear (#2775)
  fix: Improve detection of erlang binary in alpine Linux (#3839)
  fix:Resolve ancestral symlinks correctly (#3783)
  chore(deps): update CPE dictionary index (#3834)
  chore(deps): update tools to latest versions (#3835)
  chore(deps): bump github.com/charmbracelet/bubbletea from 1.3.4 to 1.3.5 (#3838)
  fix the fluent-bit regex detection pattern (#3817)
  chore(deps): bump anchore/sbom-action from 0.18.0 to 0.19.0 (#3832)
  chore(deps): update tools to latest versions (#3830)
  Resolve owned file paths when searching for overlaps (#3828)
  chore(deps): update anchore dependencies (#3827)
  fix: Make the fileresolver Support Prefix Match of Files (#3820)
  Add support for detecting javascript assets in .NET projects using libman (#3825)
  chore(deps): update tools to latest versions (#3823)
  (feat): support skipping archive extraction with file source (#3795)
  Consider DLL claims for dependencies of .NET packages from deps.json (#3822)
  ...

@github-actions github-actions bot removed the json-schema Changes the json schema label May 1, 2025
@github-actions github-actions bot added the json-schema Changes the json schema label May 2, 2025
@spiffcs spiffcs changed the title feat: 3098 add support for user to flag root package supplier and supplier inheritance feat: add support for user to flag root package supplier and supplier inheritance May 2, 2025
@spiffcs spiffcs changed the title feat: add support for user to flag root package supplier and supplier inheritance feat: add support for user to flag root package supplier and package supplier inheritance May 2, 2025
@spiffcs spiffcs mentioned this pull request Aug 12, 2025
@spiffcs
Contributor Author

spiffcs commented Aug 12, 2025

Closed in favor of #4131

@spiffcs spiffcs closed this Aug 12, 2025
@spiffcs spiffcs deleted the 1961-add-suport-package-supplier branch October 14, 2025 05:53

Labels

json-schema Changes the json schema

Development

Successfully merging this pull request may close these issues.

Option to set PackageSupplier in root of SPDX document generated by CLI

3 participants