Fix the following issues mentioned in Pixel SBOM review.
1) PackageSupplier should be NOASSERTION if there is no homepage information in the METADATA file of source packages.
2) PackageDownloadLocation of upstream packages should be NOASSERTION if there is no code repository URL in the METADATA file of source packages.

Test: CIs
Test: atest --host sbom_writers_test
Change-Id: I8a0298b7bacc2f96555f9d7dde0d21ada8c6b564
@@ -279,12 +279,13 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
name, external_refs = get_source_package_info(installed_file_metadata, metadata_file_path)
source_package_id = new_package_id(name, PKG_SOURCE)
source_package = sbom_data.Package(id=source_package_id, name=name, version=args.build_version,
download_location=sbom_data.VALUE_NONE,
supplier='Organization: ' + args.product_mfr,
external_refs=external_refs)
upstream_package_id = new_package_id(name, PKG_UPSTREAM)
upstream_package = sbom_data.Package(id=upstream_package_id, name=name, version=version,
supplier='Organization: ' + homepage if homepage else None,
supplier=('Organization: ' + homepage) if homepage else sbom_data.VALUE_NOASSERTION,
download_location=download_location)
packages += [source_package, upstream_package]
relationships.append(sbom_data.Relationship(id1=source_package_id,
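Review bot: The upstream package still passes `download_location=download_location` through unresolved and leaves the NOASSERTION fallback to each writer, whereas the source package a few lines above pins `download_location=sbom_data.VALUE_NONE` at construction; resolving it here, `download_location=download_location if download_location else sbom_data.VALUE_NOASSERTION)`, makes the intent from the commit message visible in one place and independent of which writer serialises the document. On the new supplier line (read here as the replacement for the `else None` form, since the rendered page lost its markers) the METADATA homepage is concatenated verbatim into the `Organization:` string; the tag-value output is line-oriented, so a homepage value that is not a plain single-line string would presumably corrupt the record, and a `.strip()` or a short comment at the point where homepage is read would document that expectation. get_sbom_fragments begins and continues outside this hunk.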
@@ -296,6 +297,7 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
prebuilt_package_id = new_package_id(name, PKG_PREBUILT)
prebuilt_package = sbom_data.Package(id=prebuilt_package_id,
name=name,
download_location=sbom_data.VALUE_NONE,
version=args.build_version,
supplier='Organization: ' + args.product_mfr)
packages.append(prebuilt_package)
@@ -438,6 +440,7 @@ def main():
product_package = sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
name=sbom_data.PACKAGE_NAME_PRODUCT,
download_location=sbom_data.VALUE_NONE,
version=args.build_version,
supplier='Organization: ' + args.product_mfr,
files_analyzed=True)
@@ -445,6 +448,7 @@ def main():
doc.packages.append(sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
name=sbom_data.PACKAGE_NAME_PLATFORM,
download_location=sbom_data.VALUE_NONE,
version=args.build_version,
supplier='Organization: ' + args.product_mfr))
@@ -33,6 +33,9 @@ SPDXID_PLATFORM = 'SPDXRef-PLATFORM'
PACKAGE_NAME_PRODUCT = 'PRODUCT'
PACKAGE_NAME_PLATFORM = 'PLATFORM'
VALUE_NOASSERTION = 'NOASSERTION'
VALUE_NONE = 'NONE'
class PackageExternalRefCategory:
SECURITY = 'SECURITY'
@@ -86,7 +86,7 @@ class TagValueWriter:
@staticmethod
def marshal_package(package):
download_location = 'NONE'
download_location = sbom_data.VALUE_NOASSERTION
if package.download_location:
download_location = package.download_location
tagvalues = [
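Review bot: The `'NONE'` → `sbom_data.VALUE_NOASSERTION` fallback introduced in marshal_package is duplicated verbatim by the conditional in JSONWriter's hunk (`PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else sbom_data.VALUE_NOASSERTION`), so the two writers can drift apart again the next time this policy changes; resolving the empty value once, for example in a small helper in `sbom_data` that both writers call, would keep the tag-value and JSON outputs consistent by construction. In SPDX, NONE asserts that no download location exists while NOASSERTION declines to state one, which is what justifies the change; a one-line comment above the assignment, `# An unset download_location is 'unknown', which SPDX spells NOASSERTION (NONE would assert there is none)`, would preserve that reasoning for the next reader. marshal_package's body continues past the end of this hunk.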
@@ -296,7 +296,7 @@ class JSONWriter:
package = {
PropNames.NAME: p.name,
PropNames.SPDXID: p.id,
PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else 'NONE',
PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else sbom_data.VALUE_NOASSERTION,
PropNames.FILES_ANALYZED: p.files_analyzed
}
if p.version:
@@ -49,6 +49,7 @@ class SBOMWritersTest(unittest.TestCase):
self.sbom_doc.add_package(
sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
name=sbom_data.PACKAGE_NAME_PRODUCT,
download_location=sbom_data.VALUE_NONE,
supplier=SUPPLIER_GOOGLE,
version=BUILD_FINGER_PRINT,
files_analyzed=True,
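Review bot: The test changes here and in the four following hunks only add `download_location=sbom_data.VALUE_NONE` to the in-tree packages so the golden files keep printing NONE; the new download-location fallback is exercised only indirectly through the pre-existing upstream package (whose expected output flips to NOASSERTION in the fixture hunks), and nothing visible exercises the supplier fallback that the commit adds to get_sbom_fragments when a METADATA file has no homepage. Since the `Test:` trailer names sbom_writers_test, which appears to drive the writers rather than get_sbom_fragments, a package built with `supplier=sbom_data.VALUE_NOASSERTION` plus the matching `PackageSupplier: NOASSERTION` / `"supplier": "NOASSERTION"` expectations would at least pin the writer side of that behaviour. The enclosing test-setup method starts and continues outside this hunk.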
@@ -58,6 +59,7 @@ class SBOMWritersTest(unittest.TestCase):
self.sbom_doc.add_package(
sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
name=sbom_data.PACKAGE_NAME_PLATFORM,
download_location=sbom_data.VALUE_NONE,
supplier=SUPPLIER_GOOGLE,
version=BUILD_FINGER_PRINT,
))
@@ -65,6 +67,7 @@ class SBOMWritersTest(unittest.TestCase):
self.sbom_doc.add_package(
sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
name='Prebuilt package1',
download_location=sbom_data.VALUE_NONE,
supplier=SUPPLIER_GOOGLE,
version=BUILD_FINGER_PRINT,
))
@@ -72,6 +75,7 @@ class SBOMWritersTest(unittest.TestCase):
self.sbom_doc.add_package(
sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
name='Source package1',
download_location=sbom_data.VALUE_NONE,
supplier=SUPPLIER_GOOGLE,
version=BUILD_FINGER_PRINT,
external_refs=[sbom_data.PackageExternalRef(
@@ -121,6 +125,7 @@ class SBOMWritersTest(unittest.TestCase):
self.unbundled_sbom_doc.add_package(
sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
name='Unbundled apk package',
download_location=sbom_data.VALUE_NONE,
supplier=SUPPLIER_GOOGLE,
version=BUILD_FINGER_PRINT))
self.unbundled_sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
@@ -74,7 +74,7 @@
{
"name": "Upstream package1",
"SPDXID": "SPDXRef-UPSTREAM-package1",
"downloadLocation": "NONE",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"versionInfo": "1.1",
"supplier": "Organization: upstream"
@@ -53,7 +53,7 @@ ExternalRef: SECURITY cpe22Type cpe:/a:jsoncpp_project:jsoncpp:1.9.4
PackageName: Upstream package1
SPDXID: SPDXRef-UPSTREAM-package1
PackageDownloadLocation: NONE
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageVersion: 1.1
PackageSupplier: Organization: upstream