backpopulate supplier & set filesAnalyzed=false

internal/cli/publish_test.go

@@ -113,8 +113,8 @@ func TestPublish(t *testing.T) {
 	// We also want to check the children SBOMs because the index SBOM does not have
 	// references to the children SBOMs, just the children!
 	wantBoms := []string{
-		"sha256:3b499c0e0a0cc77d812057233db2b3277ec84617387526c6db158a3c0cb6f522",
-		"sha256:b581d950944c0106e251a53d9f8dd77bda7ae53f8ed0fc32fe338590fc8238a0",
+		"sha256:8d5651b0ee5110df20af50925c13fa634d340e358b06c3941f2a17d38d366f08",
+		"sha256:8a3b851d420550508511c0426c141694cf385cc2ba8c2189d82db6a6eff41dbe",
 	}
 
 	for i, m := range im.Manifests {

internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json

@@ -59,43 +59,39 @@
       "SPDXID": "SPDXRef-Package-pretend-baselayout-1.0.0-r0",
       "name": "pretend-baselayout",
       "versionInfo": "1.0.0-r0",
-      "filesAnalyzed": true,
+      "filesAnalyzed": false,
       "licenseConcluded": "NOASSERTION",
       "licenseDeclared": "MIT",
       "downloadLocation": "NOASSERTION",
       "originator": "Organization: Unknown",
+      "supplier": "Organization: Unknown",
       "copyrightText": "\n",
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE_MANAGER",
           "referenceLocator": "pkg:apk/unknown/pretend-baselayout@1.0.0-r0?arch=aarch64",
           "referenceType": "purl"
         }
-      ],
-      "packageVerificationCode": {
-        "packageVerificationCodeValue": "8058dd7b970804f7b4a4f6e10374b4d02a5a01f3"
-      }
+      ]
     },
     {
       "SPDXID": "SPDXRef-Package-replayout-1.0.0-r0",
       "name": "replayout",
       "versionInfo": "1.0.0-r0",
-      "filesAnalyzed": true,
+      "filesAnalyzed": false,
       "licenseConcluded": "NOASSERTION",
       "licenseDeclared": "MIT",
       "downloadLocation": "NOASSERTION",
       "originator": "Organization: Unknown",
+      "supplier": "Organization: Unknown",
       "copyrightText": "\n",
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE_MANAGER",
           "referenceLocator": "pkg:apk/unknown/replayout@1.0.0-r0?arch=aarch64",
           "referenceType": "purl"
         }
-      ],
-      "packageVerificationCode": {
-        "packageVerificationCodeValue": "d70ccb53a479f44c7ac6f023492b3520f23c21b3"
-      }
+      ]
     }
   ],
   "relationships": [

internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json

@@ -59,43 +59,39 @@
       "SPDXID": "SPDXRef-Package-pretend-baselayout-1.0.0-r0",
       "name": "pretend-baselayout",
       "versionInfo": "1.0.0-r0",
-      "filesAnalyzed": true,
+      "filesAnalyzed": false,
       "licenseConcluded": "NOASSERTION",
       "licenseDeclared": "MIT",
       "downloadLocation": "NOASSERTION",
       "originator": "Organization: Unknown",
+      "supplier": "Organization: Unknown",
       "copyrightText": "\n",
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE_MANAGER",
           "referenceLocator": "pkg:apk/unknown/pretend-baselayout@1.0.0-r0?arch=x86_64",
           "referenceType": "purl"
         }
-      ],
-      "packageVerificationCode": {
-        "packageVerificationCodeValue": "8058dd7b970804f7b4a4f6e10374b4d02a5a01f3"
-      }
+      ]
     },
     {
       "SPDXID": "SPDXRef-Package-replayout-1.0.0-r0",
       "name": "replayout",
       "versionInfo": "1.0.0-r0",
-      "filesAnalyzed": true,
+      "filesAnalyzed": false,
       "licenseConcluded": "NOASSERTION",
       "licenseDeclared": "MIT",
       "downloadLocation": "NOASSERTION",
       "originator": "Organization: Unknown",
+      "supplier": "Organization: Unknown",
       "copyrightText": "\n",
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE_MANAGER",
           "referenceLocator": "pkg:apk/unknown/replayout@1.0.0-r0?arch=x86_64",
           "referenceType": "purl"
         }
-      ],
-      "packageVerificationCode": {
-        "packageVerificationCodeValue": "d70ccb53a479f44c7ac6f023492b3520f23c21b3"
-      }
+      ]
     }
   ],
   "relationships": [

pkg/sbom/generator/spdx/spdx.go

@@ -351,6 +351,26 @@ func (sx *SPDX) ParseInternalSBOM(opts *options.Options, path string) (*Document
 	if err := json.Unmarshal(data, internalSBOM); err != nil {
 		return nil, fmt.Errorf("parsing internal apk sbom: %w", err)
 	}
+
+	// Fix up missing data, checkers require Originator &
+	// Supplier, but older apks do not have it set, copy image
+	// Supplier. Also files are stripped from sbom, thus set
+	// filesAnalyzed to false and omit packageVerificationCode
+	for i := range internalSBOM.Packages {
+		if internalSBOM.Packages[i].Originator == "" {
+			internalSBOM.Packages[i].Originator = supplier(opts)
+		}
+		if internalSBOM.Packages[i].Supplier == "" {
+			internalSBOM.Packages[i].Supplier = internalSBOM.Packages[i].Originator
+		}
+		if internalSBOM.Packages[i].FilesAnalyzed {
+			internalSBOM.Packages[i].FilesAnalyzed = false
+		}
+		if internalSBOM.Packages[i].VerificationCode != nil {
+			internalSBOM.Packages[i].VerificationCode = nil
+		}
+	}
+
 	return internalSBOM, nil
 }
 

pkg/sbom/generator/spdx/spdx_test.go

@@ -85,6 +85,31 @@ var testCustomLicenseOpts = &options.Options{
 	},
 }
 
+var testNoSupplierOpts = &options.Options{
+	OS: struct {
+		Name    string
+		ID      string
+		Version string
+	}{
+		Name:    "Apko Images, Plc",
+		ID:      "apko-images",
+		Version: "3.0",
+	},
+	FileName: "sbom",
+	Packages: []*apk.InstalledPackage{
+		{
+			Package: apk.Package{
+				Name:        "libattr1",
+				Version:     "2.5.1-r2",
+				Arch:        "x86_64",
+				Description: "library for managing filesystem extended attributes",
+				License:     "GPL-2.0-or-later",
+				Origin:      "attr",
+			},
+		},
+	},
+}
+
 func TestGenerate(t *testing.T) {
 	dir := t.TempDir()
 	fsys := apkfs.NewMemFS()
@@ -112,11 +137,33 @@ func TestGenerateCustomLicense(t *testing.T) {
 
 	got, err := os.ReadFile(path)
 	require.NoError(t, err)
-	expected, err := os.ReadFile("testdata/expected.spdx.json")
+	expected, err := os.ReadFile("testdata/expected.ubuntu-font.spdx.json")
 	require.NoError(t, err)
 	require.Equal(t, expected, got, "CustomLicense SPDX")
 }
 
+func TestNoSupplier(t *testing.T) {
+	spdx, err := os.ReadFile("testdata/libattr1.spdx.json")
+	require.NoError(t, err)
+
+	fsys := apkfs.NewMemFS()
+	fsys.MkdirAll("/var/lib/db/sbom", 0750)
+
+	err = fsys.WriteFile("/var/lib/db/sbom/libattr1.spdx.json", spdx, 0644)
+	require.NoError(t, err)
+
+	sx := New(fsys)
+	path := filepath.Join(t.TempDir(), testNoSupplierOpts.FileName+"."+sx.Ext())
+	err = sx.Generate(testNoSupplierOpts, path)
+	require.NoError(t, err)
+
+	got, err := os.ReadFile(path)
+	require.NoError(t, err)
+	expected, err := os.ReadFile("testdata/expected.libattr1.spdx.json")
+	require.NoError(t, err)
+	require.Equal(t, expected, got, "NoSupplier SPDX")
+}
+
 func TestReproducible(t *testing.T) {
 	// Create two sboms based on the same input and ensure
 	// they are identical

pkg/sbom/generator/spdx/testdata/expected.libattr1.spdx.json

@@ -0,0 +1,56 @@
+{
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "name": "sbom",
+  "spdxVersion": "SPDX-2.3",
+  "creationInfo": {
+    "created": "0001-01-01T00:00:00Z",
+    "creators": [
+      "Tool: apko (devel)",
+      "Organization: Chainguard, Inc"
+    ],
+    "licenseListVersion": "3.16"
+  },
+  "dataLicense": "CC0-1.0",
+  "documentNamespace": "https://spdx.org/spdxdocs/apko/",
+  "documentDescribes": [
+    "SPDXRef-Package-"
+  ],
+  "packages": [
+    {
+      "SPDXID": "SPDXRef-Package-",
+      "name": "",
+      "versionInfo": "3.0",
+      "filesAnalyzed": false,
+      "description": "apko operating system layer",
+      "downloadLocation": "NOASSERTION",
+      "supplier": "Organization: Apko Images, Plc",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceLocator": "pkg:oci/image?mediaType=\u0026os=linux",
+          "referenceType": "purl"
+        }
+      ]
+    },
+    {
+      "SPDXID": "SPDXRef-Package-libattr1-2.5.1-r2",
+      "name": "libattr1",
+      "versionInfo": "2.5.1-r2",
+      "filesAnalyzed": false,
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "GPL-2.0-or-later",
+      "downloadLocation": "NOASSERTION",
+      "originator": "Organization: Apko Images, Plc",
+      "supplier": "Organization: Apko Images, Plc",
+      "copyrightText": "TODO\n",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE_MANAGER",
+          "referenceLocator": "pkg:apk/wolfi/libattr1@2.5.1-r2?arch=x86_64",
+          "referenceType": "purl"
+        }
+      ]
+    }
+  ],
+  "relationships": []
+}

pkg/sbom/generator/spdx/testdata/generate.sh

@@ -1,3 +1,3 @@
 #!/bin/sh
 curl -q https://packages.wolfi.dev/os/x86_64/font-ubuntu-0.869-r1.apk | tar Ozx var/lib/db/sbom/font-ubuntu-0.869-r1.spdx.json >font-ubuntu.spdx.json 2>/dev/null
-
+curl -q https://packages.wolfi.dev/os/x86_64/libattr1-2.5.1-r2.apk | tar Ozx var/lib/db/sbom/libattr1-2.5.1-r2.spdx.json >libattr1.spdx.json 2>/dev/null

pkg/sbom/generator/spdx/testdata/libattr1.spdx.json

@@ -0,0 +1,71 @@
+{
+  "SPDXID": "SPDXRef-DOCUMENT-apk-libattr1-2.5.1-r2",
+  "name": "apk-libattr1-2.5.1-r2",
+  "spdxVersion": "SPDX-2.3",
+  "creationInfo": {
+    "created": "2023-01-28T06:47:56Z",
+    "creators": [
+      "Tool: melange (v0.2.0-97-g0d91d11)",
+      "Organization: Chainguard, Inc"
+    ],
+    "licenseListVersion": "3.18"
+  },
+  "dataLicense": "CC0-1.0",
+  "documentNamespace": "https://spdx.org/spdxdocs/chainguard/melange/",
+  "documentDescribes": [
+    "SPDXRef-Package-libattr1-2.5.1-r2"
+  ],
+  "files": [
+    {
+      "SPDXID": "SPDXRef-File--lib-libattr.so.1.1.2501",
+      "fileName": "/lib/libattr.so.1.1.2501",
+      "licenseConcluded": "NOASSERTION",
+      "checksums": [
+        {
+          "algorithm": "SHA1",
+          "checksumValue": "1b3a09852617e25522cfb46410c7f68c4149a7b5"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "575c60ac3c5a5201ef30cec6b8f6aded46c76a35b27eaf0700a617f95236c3cd"
+        },
+        {
+          "algorithm": "SHA512",
+          "checksumValue": "b437a3dd87c7777b0c0ee0ecb7ce3d24794e027471891f9861ec08e6b30e2896e5962a887cda2170156721d99685405fea39cc655a8606e441fdf6c1b3697980"
+        }
+      ]
+    }
+  ],
+  "packages": [
+    {
+      "SPDXID": "SPDXRef-Package-libattr1-2.5.1-r2",
+      "name": "libattr1",
+      "versionInfo": "2.5.1-r2",
+      "filesAnalyzed": true,
+      "hasFiles": [
+        "SPDXRef-File--lib-libattr.so.1.1.2501"
+      ],
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "GPL-2.0-or-later",
+      "downloadLocation": "NOASSERTION",
+      "copyrightText": "TODO\n",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE_MANAGER",
+          "referenceLocator": "pkg:apk/wolfi/libattr1@2.5.1-r2?arch=x86_64",
+          "referenceType": "purl"
+        }
+      ],
+      "packageVerificationCode": {
+        "packageVerificationCodeValue": "ac84254f783b469f1ea6212ab2645b7c839144f9"
+      }
+    }
+  ],
+  "relationships": [
+    {
+      "spdxElementId": "SPDXRef-Package-libattr1-2.5.1-r2",
+      "relationshipType": "CONTAINS",
+      "relatedSpdxElement": "SPDXRef-File--lib-libattr.so.1.1.2501"
+    }
+  ]
+}