remove extension parameter suffix from sbom 'version' tag. (#44)

* remove extension parameter suffix from sbom 'version' tag. fixes #43
sonatype-nexus-community · Nov 9, 2020 · 8b6ddef · 8b6ddef
1 parent 86967b8
commit 8b6ddef
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/jake/cyclonedx/v1_1/generator.py b/jake/cyclonedx/v1_1/generator.py
@@ -110,7 +110,8 @@ def __create_component_nodes(self, component_list: list) -> (list):
   def __get_name_version_from_purl(purl):
     split_list = purl.split("/")
     second_split = split_list[1].split("@")
-    return (second_split[0], second_split[1])
+    version_split = second_split[1].split("?")
+    return (second_split[0], version_split[0])
 
   @staticmethod
   def __create_vulnerability_node(vulnerability_list, purl, vulnerabilities, node):

diff --git a/jake/test/test_sbom_generator.py b/jake/test/test_sbom_generator.py
@@ -21,6 +21,7 @@
 
 from lxml import etree
 
+from ..types.coordinateresults import CoordinateResults
 from ..types.results_decoder import ResultsDecoder
 from ..cyclonedx.generator import CycloneDxSbomGenerator
 
@@ -61,3 +62,39 @@ def test_can_create_valid_root_element(self):
     self.assertEqual(vulnerable_component.__len__(), 4)
     vulnerabilities = vulnerable_component.__getitem__(3)
     self.assertEqual(vulnerabilities.__len__(), 5)
+
+  def test__get_name_version_from_purl(self):
+    """test__get_name_version_from_purl tests if a parameter suffix is removed from the
+    sbom version field"""
+    coord_result = CoordinateResults()
+    coord_result.set_coordinates("pkg:pypi/yaspin@0.16.0?extension=tar.gz")
+    coord_result_normal = CoordinateResults()
+    coord_result_normal.set_coordinates("pkg:pypi/normalpurl@0.17.0")
+    coord_results = [coord_result, coord_result_normal]
+    sbom = self.func.create_and_return_sbom(coord_results)
+    # Assert that it has a <bom>
+    self.assertIsNotNone(sbom)
+    self.assertEqual(etree.iselement(sbom), True)
+    self.assertEqual(sbom.tag, 'bom')
+    # Assert that it has a <components>
+    self.assertIs(sbom.__len__(), 1, sbom.__len__())
+    item = sbom.__getitem__(0)
+    self.assertIsNotNone(item)
+    self.assertEqual(item.tag, "components")
+    self.assertIs(item.__len__(), 2)
+
+    component = item.__getitem__(0)
+    self.assertIsNotNone(component)
+    self.assertEqual(component.tag, "component")
+    self.assertEqual(component.__getitem__(0).text, "yaspin")
+    self.assertEqual(component.__getitem__(1).text, "0.16.0")
+    self.assertEqual(component.__getitem__(2).text, "pkg:pypi/yaspin@0.16.0?extension=tar.gz")
+    self.assertIsNotNone(component)
+
+    component_normal = item.__getitem__(1)
+    self.assertIsNotNone(component_normal)
+    self.assertEqual(component_normal.tag, "component")
+    self.assertEqual(component_normal.__getitem__(0).text, "normalpurl")
+    self.assertEqual(component_normal.__getitem__(1).text, "0.17.0")
+    self.assertEqual(component_normal.__getitem__(2).text, "pkg:pypi/normalpurl@0.17.0")
+    self.assertIsNotNone(component_normal)