backpopulate supplier & set filesAnalyzed=false #1137
Merged
spdx: rename expected.spdx.json ahead of more tests
spdx: Add test case of merging pkg SBOM without supplier
Image SBOM should contain supplier and originator for every package,
when package SBOM does not have one, expect one based on the image
layer supplier.
Signed-off-by: Dimitri John Ledkov dimitri.ledkov@chainguard.dev
spdx: backpopulate supplier & originator for packages
This way image SBOM is correct, without rebuilding package SBOMs.
Also update golden test data for affected integration tests.
Signed-off-by: Dimitri John Ledkov dimitri.ledkov@chainguard.dev
spdx: fixup filesAnalyzed setting
Current implementation strips filesAnalyzed from individual package
SBOMs upon aggregation into image SBOM. When doing so, update package
stanza to say filesAnalyzed=false, as indeed FileRefs are missing.
spdx: fixup PackageVerificationCode setting
Current implementation strips filesAnalyzed from individual package SBOMs
upon aggregation into image SBOM. When doing so, omit PackageVerificationCode
as without files there cannot be verification code (it is defined as ordered hash of files).
Also observe that newly generated packages without files do not have VerificationCode.
As a pleasant side-effect this removes SHA1 from arch-specific package manifest and makes it year 2030 safe.
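The three commits above describe one aggregation rule: when a per-package SBOM stanza is folded into the image SBOM, a missing supplier/originator is back-populated from the image layer, the file references are dropped so `filesAnalyzed` must become `false`, and `packageVerificationCode` (defined as an ordered hash over the package's files) must be omitted. The following Go program is an added illustration of that rule; it is not apko's own code, and the `Package`/`VerificationCode` types, the `AggregatePackage` and `Validate` functions, and the sample stanza are constructed for this example (only the JSON field names follow the SPDX 2.3 schema).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Package is a constructed, minimal subset of an SPDX 2.3 package stanza.
// Field names match the SPDX JSON schema; the type itself is illustrative.
type Package struct {
	Name                    string            `json:"name"`
	SPDXID                  string            `json:"SPDXID"`
	Supplier                string            `json:"supplier,omitempty"`
	Originator              string            `json:"originator,omitempty"`
	FilesAnalyzed           bool              `json:"filesAnalyzed"`
	HasFiles                []string          `json:"hasFiles,omitempty"`
	PackageVerificationCode *VerificationCode `json:"packageVerificationCode,omitempty"`
}

// VerificationCode carries the SPDX package verification code value.
type VerificationCode struct {
	Value string `json:"packageVerificationCodeValue"`
}

// AggregatePackage prepares a stanza from a per-package SBOM for inclusion
// in the image SBOM (hypothetical helper):
//   - a missing supplier/originator is back-populated from the image layer;
//   - file references are stripped, so filesAnalyzed is set to false;
//   - without files there can be no verification code, so it is omitted.
func AggregatePackage(pkg Package, layerSupplier, layerOriginator string) Package {
	out := pkg
	if out.Supplier == "" {
		out.Supplier = layerSupplier
	}
	if out.Originator == "" {
		out.Originator = layerOriginator
	}
	out.HasFiles = nil
	out.FilesAnalyzed = false
	out.PackageVerificationCode = nil
	return out
}

// Validate enforces the consistency the commits rely on: a verification
// code is only meaningful when files were analyzed, and filesAnalyzed=true
// requires at least one file reference.
func Validate(pkg Package) error {
	if !pkg.FilesAnalyzed && pkg.PackageVerificationCode != nil {
		return fmt.Errorf("%s: packageVerificationCode present but filesAnalyzed=false", pkg.SPDXID)
	}
	if pkg.FilesAnalyzed && len(pkg.HasFiles) == 0 {
		return fmt.Errorf("%s: filesAnalyzed=true but no hasFiles", pkg.SPDXID)
	}
	return nil
}

func main() {
	// Constructed sample: a package SBOM stanza with files but no supplier,
	// as in the "merging pkg SBOM without supplier" test case.
	pkg := Package{
		Name:          "example-pkg",
		SPDXID:        "SPDXRef-Package-example-pkg",
		FilesAnalyzed: true,
		HasFiles:      []string{"SPDXRef-File-usr-bin-example"},
		PackageVerificationCode: &VerificationCode{
			Value: "0000000000000000000000000000000000000000", // placeholder SHA1
		},
	}
	if err := Validate(pkg); err != nil {
		panic(err)
	}
	merged := AggregatePackage(pkg, "Organization: Example Org", "Organization: Example Org")
	if err := Validate(merged); err != nil {
		panic(err)
	}
	b, err := json.MarshalIndent(merged, "", "  ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(b))
}
```

Because `packageVerificationCode` is a pointer with `omitempty`, setting it to `nil` removes the key from the serialized stanza entirely, which is what drops the SHA1 from the arch-specific manifest; `Validate` is the check a golden-file test would run over every package in the image SBOM to catch a stanza that still claims a verification code after its files were stripped.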