
feat(sbom): Add marshal for spdx #2573

Closed

Conversation

masahiro331
Contributor

@masahiro331 masahiro331 commented Jul 23, 2022

Description

Add Relationship for SPDX

Add Relationship document for SPDX output.
The following dependencies are added.

[Screenshot 2022-09-12 21:15:56]

Add purl to SPDX.

This change is necessary for vulnerability detection using SPDX.
#2170 (comment)

Before

```json
{
        "SPDXID": "SPDXRef-fe2fe0f208812c6b",
        "filesAnalyzed": false,
        "licenseConcluded": "GPLv2 ",
        "licenseDeclared": "GPLv2 ",
        "name": "hostname",
        "versionInfo": "3.20"
}
```

After

```json
{
        "SPDXID": "SPDXRef-fe2fe0f208812c6b",
        "externalRefs": [
                {
                        "referenceCategory": "PACKAGE-MANAGER",
                        "referenceLocator": "pkg:rpm/centos/hostname@3.20?arch=aarch64\u0026distro=centos-8.4.2105",
                        "referenceType": "purl"
                }
        ],
        "filesAnalyzed": false,
        "licenseConcluded": "GPLv2 ",
        "licenseDeclared": "GPLv2 ",
        "name": "hostname",
        "versionInfo": "3.20"
}
```

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
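The "after" output above carries the purl in an SPDX `externalRefs` entry so that a consumer can match the package against an advisory database. The following is an added example, not Trivy's code and not the spdx/tools-golang API: it defines minimal struct types for the SPDX JSON shape shown in the description, marshals a document with Go's `encoding/json` (which is why the PR output contains `\u0026` for `&`: the encoder HTML-escapes by default), and then does the consumer side, reading the purls back and flagging packages that have none. The document name, the second "legacy" package and the `ExtractPURLs`/`MarshalSPDX` function names are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal SPDX 2.2 JSON shapes, restricted to the fields shown in the PR
// description. Example types only; not Trivy's or spdx/tools-golang's.
type ExternalRef struct {
	ReferenceCategory string `json:"referenceCategory"`
	ReferenceLocator  string `json:"referenceLocator"`
	ReferenceType     string `json:"referenceType"`
}

type Package struct {
	SPDXID           string        `json:"SPDXID"`
	ExternalRefs     []ExternalRef `json:"externalRefs,omitempty"`
	FilesAnalyzed    bool          `json:"filesAnalyzed"`
	LicenseConcluded string        `json:"licenseConcluded"`
	LicenseDeclared  string        `json:"licenseDeclared"`
	Name             string        `json:"name"`
	VersionInfo      string        `json:"versionInfo"`
}

type Document struct {
	SPDXID   string    `json:"SPDXID"`
	Name     string    `json:"name"`
	Packages []Package `json:"packages"`
}

// MarshalSPDX encodes the document. encoding/json escapes '&' as \u0026 by
// default, which is why the PR's "after" output shows "arch=aarch64\u0026distro=".
func MarshalSPDX(doc Document) ([]byte, error) {
	return json.MarshalIndent(doc, "", "  ")
}

// ExtractPURLs is the consumer side: a scanner reads the SPDX JSON back and
// collects each package's purl (keyed by SPDXID) so it can be matched against
// an advisory database. Packages without a purl are returned in `missing`,
// because name/version alone does not identify the ecosystem or distro.
func ExtractPURLs(data []byte) (purls map[string]string, missing []string, err error) {
	var doc Document
	if err := json.Unmarshal(data, &doc); err != nil {
		return nil, nil, err
	}
	purls = make(map[string]string)
	for _, p := range doc.Packages {
		found := false
		for _, ref := range p.ExternalRefs {
			if ref.ReferenceType != "purl" {
				continue
			}
			// A purl always starts with the "pkg:" scheme; reject anything else
			// rather than silently skipping it.
			if !strings.HasPrefix(ref.ReferenceLocator, "pkg:") {
				return nil, nil, fmt.Errorf("%s: malformed purl %q", p.SPDXID, ref.ReferenceLocator)
			}
			purls[p.SPDXID] = ref.ReferenceLocator
			found = true
		}
		if !found {
			missing = append(missing, p.SPDXID)
		}
	}
	return purls, missing, nil
}

// SampleDocument is constructed input mirroring the "after" package in the PR,
// plus one package emitted without a purl, as in the "before" output.
func SampleDocument() Document {
	return Document{
		SPDXID: "SPDXRef-DOCUMENT",
		Name:   "example",
		Packages: []Package{
			{
				SPDXID: "SPDXRef-fe2fe0f208812c6b",
				ExternalRefs: []ExternalRef{{
					ReferenceCategory: "PACKAGE-MANAGER",
					ReferenceLocator:  "pkg:rpm/centos/hostname@3.20?arch=aarch64&distro=centos-8.4.2105",
					ReferenceType:     "purl",
				}},
				LicenseConcluded: "GPLv2",
				LicenseDeclared:  "GPLv2",
				Name:             "hostname",
				VersionInfo:      "3.20",
			},
			{SPDXID: "SPDXRef-0000000000000001", Name: "legacy", VersionInfo: "1.0"},
		},
	}
}

func main() {
	out, err := MarshalSPDX(SampleDocument())
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
	purls, missing, err := ExtractPURLs(out)
	if err != nil {
		panic(err)
	}
	fmt.Println("purls:", purls, "missing:", missing)
}
```

Note that `json.Unmarshal` turns `\u0026` back into `&`, so the escaping is harmless for machine consumers; only tools that grep the raw file for `&` will be surprised by it.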

@masahiro331 masahiro331 changed the title Feat/add purl to spdx feat(sbom): add purl to spdx Jul 23, 2022
@masahiro331 masahiro331 changed the title feat(sbom): add purl to spdx feat(sbom): add marshal for spdx Sep 12, 2022
@masahiro331 masahiro331 changed the title feat(sbom): add marshal for spdx feat(sbom): Add marshal for spdx Sep 12, 2022
Comment on lines 404 to 412

```go
	RefA:         spdx.DocElementID{ElementRefID: "Application-441a648f2aeeee72"},
	RefB:         spdx.DocElementID{ElementRefID: "Package-826226d056ff30c0"},
	Relationship: "DEPENDS_ON",
},
{
	RefA:         spdx.DocElementID{ElementRefID: "Application-441a648f2aeeee72"},
	RefB:         spdx.DocElementID{ElementRefID: "Package-826226d056ff30c0"},
	Relationship: "DEPENDS_ON",
},
```
masahiro331 (Contributor, Author) commented:

The logic for generating the ID of a package has been designed to ignore the FilePath, so the relation is duplicated as the same package.
I would like to discuss whether packages with different FilePaths should be treated as identical.
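The duplicated pair of `DEPENDS_ON` entries in the snippet above is the visible symptom of an element ID that hashes name and version but not FilePath. The following is an added example, not Trivy's ID generation or its SPDX marshaller: it derives a `Package-<16 hex>` ID from a SHA-256 of the identifying fields (the hash, separator and truncation are assumptions of this example), builds one relationship per discovered package, and shows that two copies of the same library at different paths collapse into byte-identical relationships. It also shows the two ways out that the comment leaves open: deduplicating relationships after the fact, or folding FilePath into the ID so each copy becomes its own element. The package names and paths in `SamplePkgs` are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Pkg is a minimal package record. FilePath is where the package was found,
// e.g. two copies of the same jar under different directories.
type Pkg struct {
	Name     string
	Version  string
	FilePath string
}

type DocElementID struct {
	ElementRefID string
}

type Relationship struct {
	RefA         DocElementID
	RefB         DocElementID
	Relationship string
}

// elementID derives a stable element ID from a hash of its inputs; the 16 hex
// characters echo the "Package-826226d056ff30c0" style in the review snippet.
// The hash function and truncation are an assumption of this example.
func elementID(kind string, parts ...string) string {
	h := sha256.New()
	for _, p := range parts {
		h.Write([]byte(p))
		h.Write([]byte{0}) // separator so ("ab","c") hashes differently from ("a","bc")
	}
	return kind + "-" + hex.EncodeToString(h.Sum(nil))[:16]
}

// PackageID ignores FilePath, so two copies of the same name/version collapse
// to one element: the behaviour the review comment describes.
func PackageID(p Pkg) string { return elementID("Package", p.Name, p.Version) }

// PackageIDWithPath includes FilePath, the alternative under discussion.
func PackageIDWithPath(p Pkg) string {
	return elementID("Package", p.Name, p.Version, p.FilePath)
}

// BuildRelationships emits one DEPENDS_ON edge per discovered package. When
// idFn maps two packages to the same ID, the output contains exact duplicates.
func BuildRelationships(appID string, pkgs []Pkg, idFn func(Pkg) string) []Relationship {
	rels := make([]Relationship, 0, len(pkgs))
	for _, p := range pkgs {
		rels = append(rels, Relationship{
			RefA:         DocElementID{ElementRefID: appID},
			RefB:         DocElementID{ElementRefID: idFn(p)},
			Relationship: "DEPENDS_ON",
		})
	}
	return rels
}

// Dedupe keeps the first occurrence of each (RefA, RefB, type) triple.
// Relationship contains only strings, so it is comparable and usable as a map key.
func Dedupe(rels []Relationship) []Relationship {
	seen := make(map[Relationship]struct{}, len(rels))
	var out []Relationship
	for _, r := range rels {
		if _, dup := seen[r]; dup {
			continue
		}
		seen[r] = struct{}{}
		out = append(out, r)
	}
	return out
}

// SamplePkgs is constructed input: the same library found at two paths.
func SamplePkgs() []Pkg {
	return []Pkg{
		{Name: "commons-text", Version: "1.9", FilePath: "app/lib/commons-text-1.9.jar"},
		{Name: "commons-text", Version: "1.9", FilePath: "plugins/x/commons-text-1.9.jar"},
	}
}

func main() {
	appID := elementID("Application", "app.jar")
	rels := BuildRelationships(appID, SamplePkgs(), PackageID)
	fmt.Printf("ignoring FilePath:  %d relationships, %d after dedupe\n", len(rels), len(Dedupe(rels)))
	rels = BuildRelationships(appID, SamplePkgs(), PackageIDWithPath)
	fmt.Printf("including FilePath: %d relationships, %d after dedupe\n", len(rels), len(Dedupe(rels)))
}
```

Which option is right depends on what the SBOM is for: for vulnerability matching one element per name/version is enough and the duplicate edges are just noise to drop, whereas for remediation a consumer needs to know every path the affected copy lives at, which argues for distinct elements (or at least a per-path file reference on the shared package).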

Development

Successfully merging this pull request may close these issues.

Unit Test cases are failing for Power(ppc64le).
1 participant