StrixOS/build
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add upstream package of a prebuilt fork package, which will have the package information from the METADATA file.

Browse Source 
Bug: 266726655
Test: CIs
Test: lunch barbet-user && m sbom
(cherry picked from https://android-review.googlesource.com/q/commit:16e7aa3c2ea779ff91a0d88b431a2437964ae1a6)
Merged-In: Ic8eb42c369de8c94c7977b9631ff4b9084dfef01
Change-Id: Ic8eb42c369de8c94c7977b9631ff4b9084dfef01
This commit is contained in:
Wei Li
2023-05-15 15:11:43 -07:00
parent a75b82f9d2
commit 6284936f20
1 changed files with 27 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
tools/sbom/generate-sbom.py
View File

@@ -263,8 +263,8 @@ def get_package_download_location(metadata_file_path):
def get_sbom_fragments(installed_file_metadata, metadata_file_path): def get_sbom_fragments(installed_file_metadata, metadata_file_path):
"""Return SPDX fragment of source/prebuilt packages, which usually contains a SOURCE/PREBUILT """Return SPDX fragment of source/prebuilt packages, which usually contains a SOURCE/PREBUILT
package, a UPSTREAM package if it's a source package and a external SBOM document reference if package, a UPSTREAM package and an external SBOM document reference if sbom_ref defined in its
it's a prebuilt package with sbom_ref defined in its METADATA file. METADATA file.
See go/android-spdx and go/android-sbom-gen for more details. See go/android-spdx and go/android-sbom-gen for more details.
""" """
@@ -301,25 +301,33 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
prebuilt_package = sbom_data.Package(id=prebuilt_package_id, prebuilt_package = sbom_data.Package(id=prebuilt_package_id,
name=name, name=name,
download_location=sbom_data.VALUE_NONE, download_location=sbom_data.VALUE_NONE,
version=args.build_version, version=version if version else args.build_version,
supplier='Organization: ' + args.product_mfr) supplier='Organization: ' + args.product_mfr)
packages.append(prebuilt_package)
if metadata_file_path: upstream_package_id = new_package_id(name, PKG_UPSTREAM)
metadata_proto = metadata_file_protos[metadata_file_path] upstream_package = sbom_data.Package(id=upstream_package_id, name=name, version = version,
if metadata_proto.third_party.WhichOneof('sbom') == 'sbom_ref': supplier=('Organization: ' + homepage) if homepage else sbom_data.VALUE_NOASSERTION,
sbom_url = metadata_proto.third_party.sbom_ref.url download_location=download_location)
sbom_checksum = metadata_proto.third_party.sbom_ref.checksum packages += [prebuilt_package, upstream_package]
upstream_element_id = metadata_proto.third_party.sbom_ref.element_id relationships.append(sbom_data.Relationship(id1=prebuilt_package_id,
if sbom_url and sbom_checksum and upstream_element_id: relationship=sbom_data.RelationshipType.VARIANT_OF,
doc_ref_id = f'DocumentRef-{PKG_UPSTREAM}-{encode_for_spdxid(name)}' id2=upstream_package_id))
external_doc_ref = sbom_data.DocumentExternalReference(id=doc_ref_id,
uri=sbom_url, if metadata_file_path:
checksum=sbom_checksum) metadata_proto = metadata_file_protos[metadata_file_path]
relationships.append( if metadata_proto.third_party.WhichOneof('sbom') == 'sbom_ref':
sbom_data.Relationship(id1=prebuilt_package_id, sbom_url = metadata_proto.third_party.sbom_ref.url
relationship=sbom_data.RelationshipType.VARIANT_OF, sbom_checksum = metadata_proto.third_party.sbom_ref.checksum
id2=doc_ref_id + ':' + upstream_element_id)) upstream_element_id = metadata_proto.third_party.sbom_ref.element_id
if sbom_url and sbom_checksum and upstream_element_id:
doc_ref_id = f'DocumentRef-{PKG_UPSTREAM}-{encode_for_spdxid(name)}'
external_doc_ref = sbom_data.DocumentExternalReference(id=doc_ref_id,
uri=sbom_url,
checksum=sbom_checksum)
relationships.append(
sbom_data.Relationship(id1=upstream_package_id,
relationship=sbom_data.RelationshipType.VARIANT_OF,
id2=doc_ref_id + ':' + upstream_element_id))
return external_doc_ref, packages, relationships return external_doc_ref, packages, relationships