From 5290825452f61013ea692d1113649c0de08e3e3c Mon Sep 17 00:00:00 2001
From: Wei Li
Date: Fri, 14 Apr 2023 18:49:42 -0700
Subject: [PATCH] Fix the following issues mentioned in Pixel SBOM review.

1) PackageSupplier should be NOASSERTION if there is no homepage information in METADATA file of source packages
2) PackageDownloadLocation of upstream packages should be NOASSERTION if there is no code repository URL in METADATA file of source packages

Test: CIs
Test: atest --host sbom_writers_test
Change-Id: I8a0298b7bacc2f96555f9d7dde0d21ada8c6b564
---
 tools/sbom/generate-sbom.py                      | 6 +++++-
 tools/sbom/sbom_data.py                          | 3 +++
 tools/sbom/sbom_writers.py                       | 4 ++--
 tools/sbom/sbom_writers_test.py                  | 5 +++++
 tools/sbom/testdata/expected_json_sbom.spdx.json | 2 +-
 tools/sbom/testdata/expected_tagvalue_sbom.spdx  | 2 +-
 6 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/tools/sbom/generate-sbom.py b/tools/sbom/generate-sbom.py
index 0c5deb2868..192061ea4e 100755
--- a/tools/sbom/generate-sbom.py
+++ b/tools/sbom/generate-sbom.py
@@ -279,12 +279,13 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
     name, external_refs = get_source_package_info(installed_file_metadata, metadata_file_path)
     source_package_id = new_package_id(name, PKG_SOURCE)
     source_package = sbom_data.Package(id=source_package_id, name=name, version=args.build_version,
+                                       download_location=sbom_data.VALUE_NONE,
                                        supplier='Organization: ' + args.product_mfr,
                                        external_refs=external_refs)
     upstream_package_id = new_package_id(name, PKG_UPSTREAM)
     upstream_package = sbom_data.Package(id=upstream_package_id, name=name, version=version,
-                                        supplier='Organization: ' + homepage if homepage else None,
+                                        supplier=('Organization: ' + homepage) if homepage else sbom_data.VALUE_NOASSERTION,
                                         download_location=download_location)
     packages += [source_package, upstream_package]
     relationships.append(sbom_data.Relationship(id1=source_package_id,
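Review bot: The new NOASSERTION fallback on the upstream_package `supplier=` line has no test behind it; the commit's test target, sbom_writers_test, constructs Package objects directly in setUp and only drives the writers, so neither branch of this conditional in get_sbom_fragments is exercised. A small test that feeds get_sbom_fragments a METADATA fixture without a homepage and asserts `upstream_package.supplier == sbom_data.VALUE_NOASSERTION` would pin the behaviour this commit fixes. Note also that when homepage is present it is written verbatim into an `Organization:` supplier field that the tag-value writer emits as a single record line; if homepage is not normalised where it is read (outside this hunk), a `homepage.strip()` before the concatenation would keep trailing whitespace or a stray line break in METADATA from corrupting the record. get_sbom_fragments starts before this hunk, where homepage, version and download_location appear to be assigned.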
@@ -296,6 +297,7 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
     prebuilt_package_id = new_package_id(name, PKG_PREBUILT)
     prebuilt_package = sbom_data.Package(id=prebuilt_package_id,
                                         name=name,
+                                        download_location=sbom_data.VALUE_NONE,
                                         version=args.build_version,
                                         supplier='Organization: ' + args.product_mfr)
     packages.append(prebuilt_package)
@@ -438,6 +440,7 @@ def main():
   product_package = sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
                                       name=sbom_data.PACKAGE_NAME_PRODUCT,
+                                      download_location=sbom_data.VALUE_NONE,
                                       version=args.build_version,
                                       supplier='Organization: ' + args.product_mfr,
                                       files_analyzed=True)
@@ -445,6 +448,7 @@ def main():
   doc.packages.append(sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
                                         name=sbom_data.PACKAGE_NAME_PLATFORM,
+                                        download_location=sbom_data.VALUE_NONE,
                                         version=args.build_version,
                                         supplier='Organization: ' + args.product_mfr))
diff --git a/tools/sbom/sbom_data.py b/tools/sbom/sbom_data.py
index 0c380f60d4..d2ef48d52c 100644
--- a/tools/sbom/sbom_data.py
+++ b/tools/sbom/sbom_data.py
@@ -33,6 +33,9 @@ SPDXID_PLATFORM = 'SPDXRef-PLATFORM'
 PACKAGE_NAME_PRODUCT = 'PRODUCT'
 PACKAGE_NAME_PLATFORM = 'PLATFORM'
+VALUE_NOASSERTION = 'NOASSERTION'
+VALUE_NONE = 'NONE'
+
 class PackageExternalRefCategory:
   SECURITY = 'SECURITY'
diff --git a/tools/sbom/sbom_writers.py b/tools/sbom/sbom_writers.py
index 66aa6b4a2f..b1c66c5f80 100644
--- a/tools/sbom/sbom_writers.py
+++ b/tools/sbom/sbom_writers.py
@@ -86,7 +86,7 @@ class TagValueWriter:
   @staticmethod
   def marshal_package(package):
-    download_location = 'NONE'
+    download_location = sbom_data.VALUE_NOASSERTION
     if package.download_location:
       download_location = package.download_location
     tagvalues = [
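Review bot: The two new constants in sbom_data.py carry distinct SPDX meanings that every caller has to pick between, and nothing at the definition says which is which. A comment above them such as `# SPDX sentinel values: NONE means there is no such value (e.g. a package built locally has no download location); NOASSERTION means the document author makes no claim.` would make the choices made at the call sites in generate-sbom.py self-explanatory. Since Package.download_location presumably still defaults to None (its definition is outside this hunk), the writers now map "unset" to NOASSERTION while callers must opt in to NONE explicitly; recording that split in the same comment would help the next person adding a Package.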
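Review bot: The fallback in marshal_package is still a three-line if/assignment, and the JSONWriter hunk at @@ -296 repeats the same `if p.download_location else` logic inline; before this commit both writers hard-coded 'NONE' independently, which is exactly how the two can drift apart again. Collapsing this one to `download_location = package.download_location or sbom_data.VALUE_NOASSERTION` reads the same, and moving the fallback into one helper in sbom_data (for example a method on Package) that both writers call would keep the tag-value and JSON outputs in lockstep. marshal_package continues past the end of this hunk.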
@@ -296,7 +296,7 @@ class JSONWriter:
       package = {
         PropNames.NAME: p.name,
         PropNames.SPDXID: p.id,
-        PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else 'NONE',
+        PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else sbom_data.VALUE_NOASSERTION,
         PropNames.FILES_ANALYZED: p.files_analyzed
       }
       if p.version:
diff --git a/tools/sbom/sbom_writers_test.py b/tools/sbom/sbom_writers_test.py
index 4db2bb7601..361dae6f5d 100644
--- a/tools/sbom/sbom_writers_test.py
+++ b/tools/sbom/sbom_writers_test.py
@@ -49,6 +49,7 @@ class SBOMWritersTest(unittest.TestCase):
     self.sbom_doc.add_package(
       sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
                         name=sbom_data.PACKAGE_NAME_PRODUCT,
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         files_analyzed=True,
@@ -58,6 +59,7 @@ class SBOMWritersTest(unittest.TestCase):
     self.sbom_doc.add_package(
       sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
                         name=sbom_data.PACKAGE_NAME_PLATFORM,
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         ))
@@ -65,6 +67,7 @@ class SBOMWritersTest(unittest.TestCase):
     self.sbom_doc.add_package(
       sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
                         name='Prebuilt package1',
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         ))
@@ -72,6 +75,7 @@ class SBOMWritersTest(unittest.TestCase):
     self.sbom_doc.add_package(
       sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
                         name='Source package1',
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         external_refs=[sbom_data.PackageExternalRef(
@@ -121,6 +125,7 @@ class SBOMWritersTest(unittest.TestCase):
     self.unbundled_sbom_doc.add_package(
       sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
                         name='Unbundled apk package',
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT))
     self.unbundled_sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
diff --git a/tools/sbom/testdata/expected_json_sbom.spdx.json b/tools/sbom/testdata/expected_json_sbom.spdx.json
index 628615fe26..32715a5392 100644
--- a/tools/sbom/testdata/expected_json_sbom.spdx.json
+++ b/tools/sbom/testdata/expected_json_sbom.spdx.json
@@ -74,7 +74,7 @@
     {
       "name": "Upstream package1",
       "SPDXID": "SPDXRef-UPSTREAM-package1",
-      "downloadLocation": "NONE",
+      "downloadLocation": "NOASSERTION",
       "filesAnalyzed": false,
       "versionInfo": "1.1",
       "supplier": "Organization: upstream"
diff --git a/tools/sbom/testdata/expected_tagvalue_sbom.spdx b/tools/sbom/testdata/expected_tagvalue_sbom.spdx
index 0f1c6f8ec8..ee39e82fcf 100644
--- a/tools/sbom/testdata/expected_tagvalue_sbom.spdx
+++ b/tools/sbom/testdata/expected_tagvalue_sbom.spdx
@@ -53,7 +53,7 @@ ExternalRef: SECURITY cpe22Type cpe:/a:jsoncpp_project:jsoncpp:1.9.4
 PackageName: Upstream package1
 SPDXID: SPDXRef-UPSTREAM-package1
-PackageDownloadLocation: NONE
+PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageVersion: 1.1
 PackageSupplier: Organization: upstream