diff --git a/tools/sbom/generate-sbom.py b/tools/sbom/generate-sbom.py
index 0c5deb2868..192061ea4e 100755
--- a/tools/sbom/generate-sbom.py
+++ b/tools/sbom/generate-sbom.py
@@ -279,12 +279,13 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
 name, external_refs = get_source_package_info(installed_file_metadata, metadata_file_path)
 source_package_id = new_package_id(name, PKG_SOURCE)
 source_package = sbom_data.Package(id=source_package_id, name=name, version=args.build_version,
+ download_location=sbom_data.VALUE_NONE,
 supplier='Organization: ' + args.product_mfr,
 external_refs=external_refs)
 upstream_package_id = new_package_id(name, PKG_UPSTREAM)
 upstream_package = sbom_data.Package(id=upstream_package_id, name=name, version=version,
- supplier='Organization: ' + homepage if homepage else None,
+ supplier=('Organization: ' + homepage) if homepage else sbom_data.VALUE_NOASSERTION,
 download_location=download_location)
 packages += [source_package, upstream_package]
 relationships.append(sbom_data.Relationship(id1=source_package_id,
@@ -296,6 +297,7 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
 prebuilt_package_id = new_package_id(name, PKG_PREBUILT)
 prebuilt_package = sbom_data.Package(id=prebuilt_package_id, name=name,
+ download_location=sbom_data.VALUE_NONE,
 version=args.build_version,
 supplier='Organization: ' + args.product_mfr)
 packages.append(prebuilt_package)
@@ -438,6 +440,7 @@ def main():
 product_package = sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
 name=sbom_data.PACKAGE_NAME_PRODUCT,
+ download_location=sbom_data.VALUE_NONE,
 version=args.build_version,
 supplier='Organization: ' + args.product_mfr,
 files_analyzed=True)
@@ -445,6 +448,7 @@ def main():
 doc.packages.append(sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
 name=sbom_data.PACKAGE_NAME_PLATFORM,
+ download_location=sbom_data.VALUE_NONE,
 version=args.build_version,
 supplier='Organization: ' + args.product_mfr))
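Review bot: The upstream package's supplier now degrades silently to NOASSERTION when `homepage` is empty, so a METADATA source with no homepage produces an SBOM entry whose upstream provenance cannot be checked and nothing records why; a consumer correlating this SBOM against advisories cannot tell a missing field from a deliberate non-assertion. A diagnostic at that point, e.g. `if not homepage: print(f'warning: no homepage for {name}; upstream supplier is NOASSERTION', file=sys.stderr)` (or the script's existing warning channel, if it has one), keeps the degradation visible. The rewritten `'Organization: ' + homepage` also labels what looks like a URL as an organization name; if `homepage` really is a URL, SPDX expects a party name there, which is worth a follow-up rather than being carried forward. The hunks at -296, -438 and -445 set `download_location=sbom_data.VALUE_NONE` on the source, prebuilt, product and platform packages; a one-line comment on the first, `# Built in this tree: SPDX NONE asserts there is no download location, unlike NOASSERTION`, would make the deliberate NONE/NOASSERTION split visible. get_sbom_fragments starts before this hunk, so `homepage`, `version` and `download_location` are assigned outside it.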
diff --git a/tools/sbom/sbom_data.py b/tools/sbom/sbom_data.py
index 0c380f60d4..d2ef48d52c 100644
--- a/tools/sbom/sbom_data.py
+++ b/tools/sbom/sbom_data.py
@@ -33,6 +33,9 @@ SPDXID_PLATFORM = 'SPDXRef-PLATFORM'
 PACKAGE_NAME_PRODUCT = 'PRODUCT'
 PACKAGE_NAME_PLATFORM = 'PLATFORM'
+VALUE_NOASSERTION = 'NOASSERTION'
+VALUE_NONE = 'NONE'
+
 class PackageExternalRefCategory:
 SECURITY = 'SECURITY'
diff --git a/tools/sbom/sbom_writers.py b/tools/sbom/sbom_writers.py
index 66aa6b4a2f..b1c66c5f80 100644
--- a/tools/sbom/sbom_writers.py
+++ b/tools/sbom/sbom_writers.py
@@ -86,7 +86,7 @@ class TagValueWriter:
 @staticmethod
 def marshal_package(package):
- download_location = 'NONE'
+ download_location = sbom_data.VALUE_NOASSERTION
 if package.download_location:
 download_location = package.download_location
 tagvalues = [
@@ -296,7 +296,7 @@ class JSONWriter:
 package = {
 PropNames.NAME: p.name,
 PropNames.SPDXID: p.id,
- PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else 'NONE',
+ PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else sbom_data.VALUE_NOASSERTION,
 PropNames.FILES_ANALYZED: p.files_analyzed
 }
 if p.version:
diff --git a/tools/sbom/sbom_writers_test.py b/tools/sbom/sbom_writers_test.py
index 4db2bb7601..361dae6f5d 100644
--- a/tools/sbom/sbom_writers_test.py
+++ b/tools/sbom/sbom_writers_test.py
@@ -49,6 +49,7 @@ class SBOMWritersTest(unittest.TestCase):
 self.sbom_doc.add_package(
 sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
 name=sbom_data.PACKAGE_NAME_PRODUCT,
+ download_location=sbom_data.VALUE_NONE,
 supplier=SUPPLIER_GOOGLE,
 version=BUILD_FINGER_PRINT,
 files_analyzed=True,
@@ -58,6 +59,7 @@ class SBOMWritersTest(unittest.TestCase):
 self.sbom_doc.add_package(
 sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
 name=sbom_data.PACKAGE_NAME_PLATFORM,
+ download_location=sbom_data.VALUE_NONE,
 supplier=SUPPLIER_GOOGLE,
 version=BUILD_FINGER_PRINT,
 ))
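Review bot: `VALUE_NOASSERTION` and `VALUE_NONE` are introduced without a comment, yet the two are not interchangeable in SPDX: NONE asserts the field has no value (for a download location, that none exists), while NOASSERTION means the document creator makes no claim, and an SBOM consumer judging provenance treats them differently. I would add above the pair `# SPDX sentinel values: NONE asserts the field has no value; NOASSERTION means the SBOM creator makes no claim about it.` so the callers in generate-sbom.py and sbom_writers.py choose deliberately.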
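Review bot: The NOASSERTION fallback in marshal_package is duplicated in JSONWriter's dict literal in the second hunk, so the two writers can drift the next time the default changes, and both treat an empty-string `download_location` the same as a missing one without saying so. A single module-level helper, `def _download_location(package): return package.download_location or sbom_data.VALUE_NOASSERTION`, called from both writers keeps the tag-value and JSON outputs in step and gives the empty-string rule one place to be documented. marshal_package's body continues past the hunk.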
@@ -65,6 +67,7 @@ class SBOMWritersTest(unittest.TestCase):
 self.sbom_doc.add_package(
 sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
 name='Prebuilt package1',
+ download_location=sbom_data.VALUE_NONE,
 supplier=SUPPLIER_GOOGLE,
 version=BUILD_FINGER_PRINT,
 ))
@@ -72,6 +75,7 @@ class SBOMWritersTest(unittest.TestCase):
 self.sbom_doc.add_package(
 sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
 name='Source package1',
+ download_location=sbom_data.VALUE_NONE,
 supplier=SUPPLIER_GOOGLE,
 version=BUILD_FINGER_PRINT,
 external_refs=[sbom_data.PackageExternalRef(
@@ -121,6 +125,7 @@ class SBOMWritersTest(unittest.TestCase):
 self.unbundled_sbom_doc.add_package(
 sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
 name='Unbundled apk package',
+ download_location=sbom_data.VALUE_NONE,
 supplier=SUPPLIER_GOOGLE,
 version=BUILD_FINGER_PRINT))
 self.unbundled_sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
diff --git a/tools/sbom/testdata/expected_json_sbom.spdx.json b/tools/sbom/testdata/expected_json_sbom.spdx.json
index 628615fe26..32715a5392 100644
--- a/tools/sbom/testdata/expected_json_sbom.spdx.json
+++ b/tools/sbom/testdata/expected_json_sbom.spdx.json
@@ -74,7 +74,7 @@
 {
 "name": "Upstream package1",
 "SPDXID": "SPDXRef-UPSTREAM-package1",
- "downloadLocation": "NONE",
+ "downloadLocation": "NOASSERTION",
 "filesAnalyzed": false,
 "versionInfo": "1.1",
 "supplier": "Organization: upstream"
diff --git a/tools/sbom/testdata/expected_tagvalue_sbom.spdx b/tools/sbom/testdata/expected_tagvalue_sbom.spdx
index 0f1c6f8ec8..ee39e82fcf 100644
--- a/tools/sbom/testdata/expected_tagvalue_sbom.spdx
+++ b/tools/sbom/testdata/expected_tagvalue_sbom.spdx
@@ -53,7 +53,7 @@ ExternalRef: SECURITY cpe22Type cpe:/a:jsoncpp_project:jsoncpp:1.9.4
 PackageName: Upstream package1
 SPDXID: SPDXRef-UPSTREAM-package1
-PackageDownloadLocation: NONE
+PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageVersion: 1.1
 PackageSupplier: Organization: upstream