From 783ac88216bdfe8e3bedbe36888a279ec17e70fc Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov
Date: Fri, 24 May 2024 17:22:02 +0100
Subject: [PATCH] spdx: backpopulate supplier & originator for packages

This way image SBOM is correct, without rebuilding package SBOMs.

Also update golden test data for affected integration tests.

Signed-off-by: Dimitri John Ledkov
---
 internal/cli/publish_test.go | 4 ++--
 .../testdata/golden/sboms/sbom-aarch64.spdx.json | 2 ++
 .../cli/testdata/golden/sboms/sbom-x86_64.spdx.json | 2 ++
 pkg/sbom/generator/spdx/spdx.go | 13 +++++++++++++
 4 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/internal/cli/publish_test.go b/internal/cli/publish_test.go
index 1735f310..5ed6847b 100644
--- a/internal/cli/publish_test.go
+++ b/internal/cli/publish_test.go
@@ -113,8 +113,8 @@ func TestPublish(t *testing.T) {
 // We also want to check the children SBOMs because the index SBOM does not have
 // references to the children SBOMs, just the children!
 wantBoms := []string{
- "sha256:3b499c0e0a0cc77d812057233db2b3277ec84617387526c6db158a3c0cb6f522",
- "sha256:b581d950944c0106e251a53d9f8dd77bda7ae53f8ed0fc32fe338590fc8238a0",
+ "sha256:2e39fc5ce9d42eacd61cb60eb1d38b3f1cb30c07e053a46817c81e42a7b71fb3",
+ "sha256:6927f3fd44a3b03ef155dd8306135cd306ed6164c9a2a53508f207ed216ad21f",
 }

 for i, m := range im.Manifests {
diff --git a/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json b/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json
index dc1c0139..7e855513 100644
--- a/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json
+++ b/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json
@@ -64,6 +64,7 @@
 "licenseDeclared": "MIT",
 "downloadLocation": "NOASSERTION",
 "originator": "Organization: Unknown",
+ "supplier": "Organization: Replaces",
 "copyrightText": "\n",
 "externalRefs": [
 {
@@ -85,6 +86,7 @@
 "licenseDeclared": "MIT",
 "downloadLocation": "NOASSERTION",
 "originator": "Organization: Unknown",
+ "supplier": "Organization: Replaces",
 "copyrightText": "\n",
 "externalRefs": [
 {
diff --git a/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json b/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json
index b2187c7b..1a4f42cd 100644
--- a/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json
+++ b/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json
@@ -64,6 +64,7 @@
 "licenseDeclared": "MIT",
 "downloadLocation": "NOASSERTION",
 "originator": "Organization: Unknown",
+ "supplier": "Organization: Replaces",
 "copyrightText": "\n",
 "externalRefs": [
 {
@@ -85,6 +86,7 @@
 "licenseDeclared": "MIT",
 "downloadLocation": "NOASSERTION",
 "originator": "Organization: Unknown",
+ "supplier": "Organization: Replaces",
 "copyrightText": "\n",
 "externalRefs": [
 {
diff --git a/pkg/sbom/generator/spdx/spdx.go b/pkg/sbom/generator/spdx/spdx.go
index d97d512a..384606ed 100644
--- a/pkg/sbom/generator/spdx/spdx.go
+++ b/pkg/sbom/generator/spdx/spdx.go
@@ -351,6 +351,19 @@ func (sx *SPDX) ParseInternalSBOM(opts *options.Options, path string) (*Document
 if err := json.Unmarshal(data, internalSBOM); err != nil {
 return nil, fmt.Errorf("parsing internal apk sbom: %w", err)
 }
+
+ // Fix up missing data, checkers require Originator &
+ // Supplier, but older apks do not have it set, copy image
+ // Supplier.
+ for i := range internalSBOM.Packages {
+ if internalSBOM.Packages[i].Originator == "" {
+ internalSBOM.Packages[i].Originator = supplier(opts)
+ }
+ if internalSBOM.Packages[i].Supplier == "" {
+ internalSBOM.Packages[i].Supplier = supplier(opts)
+ }
+ }
+
 return internalSBOM, nil
 }

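Review bot: The new loop in ParseInternalSBOM writes the image's supplier into each package's `Originator`, which in SPDX names the party that originally created the package; for a package the image merely consumes, the parsed apk SBOM contains no such claim, and downstream consumers (provenance or policy checks) will read the backfilled value as an assertion of who authored the package rather than a placeholder. SPDX allows `NOASSERTION` for both PackageOriginator and PackageSupplier, so if the checkers mentioned in the comment only test for the field being present (I cannot see them from here), `internalSBOM.Packages[i].Originator = "NOASSERTION"` in the first branch and copying `supplier(opts)` only into `Supplier` would satisfy them without fabricating attribution; otherwise the comment should at least state that the originator is a stand-in for the image supplier, not the package author. Separately, `supplier(opts)` is evaluated up to twice per package inside the loop; hoist it once before the loop as `sup := supplier(opts)` and assign `sup` in both branches. The enclosing function begins outside the hunk.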