spdx: backpopulate supplier & originator for packages

This way image SBOM is correct, without rebuilding package SBOMs. Also update golden test data for affected integration tests. Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@chainguard.dev>
chainguard-dev · May 24, 2024 · 783ac88 · 783ac88
1 parent c530473
commit 783ac88
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 2 deletions.
diff --git a/internal/cli/publish_test.go b/internal/cli/publish_test.go
@@ -113,8 +113,8 @@ func TestPublish(t *testing.T) {
 	// We also want to check the children SBOMs because the index SBOM does not have
 	// references to the children SBOMs, just the children!
 	wantBoms := []string{
-		"sha256:3b499c0e0a0cc77d812057233db2b3277ec84617387526c6db158a3c0cb6f522",
-		"sha256:b581d950944c0106e251a53d9f8dd77bda7ae53f8ed0fc32fe338590fc8238a0",
+		"sha256:2e39fc5ce9d42eacd61cb60eb1d38b3f1cb30c07e053a46817c81e42a7b71fb3",
+		"sha256:6927f3fd44a3b03ef155dd8306135cd306ed6164c9a2a53508f207ed216ad21f",
 	}
 
 	for i, m := range im.Manifests {

diff --git a/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json b/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json
@@ -64,6 +64,7 @@
       "licenseDeclared": "MIT",
       "downloadLocation": "NOASSERTION",
       "originator": "Organization: Unknown",
+      "supplier": "Organization: Replaces",
       "copyrightText": "\n",
       "externalRefs": [
         {
@@ -85,6 +86,7 @@
       "licenseDeclared": "MIT",
       "downloadLocation": "NOASSERTION",
       "originator": "Organization: Unknown",
+      "supplier": "Organization: Replaces",
       "copyrightText": "\n",
       "externalRefs": [
         {

diff --git a/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json b/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json
@@ -64,6 +64,7 @@
       "licenseDeclared": "MIT",
       "downloadLocation": "NOASSERTION",
       "originator": "Organization: Unknown",
+      "supplier": "Organization: Replaces",
       "copyrightText": "\n",
       "externalRefs": [
         {
@@ -85,6 +86,7 @@
       "licenseDeclared": "MIT",
       "downloadLocation": "NOASSERTION",
       "originator": "Organization: Unknown",
+      "supplier": "Organization: Replaces",
       "copyrightText": "\n",
       "externalRefs": [
         {

diff --git a/pkg/sbom/generator/spdx/spdx.go b/pkg/sbom/generator/spdx/spdx.go
@@ -351,6 +351,19 @@ func (sx *SPDX) ParseInternalSBOM(opts *options.Options, path string) (*Document
 	if err := json.Unmarshal(data, internalSBOM); err != nil {
 		return nil, fmt.Errorf("parsing internal apk sbom: %w", err)
 	}
+
+	// Fix up missing data, checkers require Originator &
+	// Supplier, but older apks do not have it set, copy image
+	// Supplier.
+	for i := range internalSBOM.Packages {
+		if internalSBOM.Packages[i].Originator == "" {
+			internalSBOM.Packages[i].Originator = supplier(opts)
+		}
+		if internalSBOM.Packages[i].Supplier == "" {
+			internalSBOM.Packages[i].Supplier =  supplier(opts)
+		}
+	}
+
 	return internalSBOM, nil
 }