Merge "Add upstream package of a prebuilt fork package, which will have the package information from the METADATA file."

2023-05-17 18:48:16 +00:00
parent 7833547153 16e7aa3c2e
commit 82d450e501
1 changed files with 27 additions and 19 deletions
--- a/tools/sbom/generate-sbom.py
+++ b/tools/sbom/generate-sbom.py
@@ -265,8 +265,8 @@ def get_package_download_location(metadata_file_path):

 def get_sbom_fragments(installed_file_metadata, metadata_file_path):
  """Return SPDX fragment of source/prebuilt packages, which usually contains a SOURCE/PREBUILT
-  package, a UPSTREAM package if it's a source package and a external SBOM document reference if
-  it's a prebuilt package with sbom_ref defined in its METADATA file.
+  package, a UPSTREAM package and an external SBOM document reference if sbom_ref defined in its
+  METADATA file.

  See go/android-spdx and go/android-sbom-gen for more details.
  """
@@ -303,9 +303,17 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
    prebuilt_package = sbom_data.Package(id=prebuilt_package_id,
                                         name=name,
                                         download_location=sbom_data.VALUE_NONE,
-                                         version=args.build_version,
+                                         version=version if version else args.build_version,
                                         supplier='Organization: ' + args.product_mfr)
-    packages.append(prebuilt_package)
+
+    upstream_package_id = new_package_id(name, PKG_UPSTREAM)
+    upstream_package = sbom_data.Package(id=upstream_package_id, name=name, version = version,
+                                         supplier=('Organization: ' + homepage) if homepage else sbom_data.VALUE_NOASSERTION,
+                                         download_location=download_location)
+    packages += [prebuilt_package, upstream_package]
+    relationships.append(sbom_data.Relationship(id1=prebuilt_package_id,
+                                                relationship=sbom_data.RelationshipType.VARIANT_OF,
+                                                id2=upstream_package_id))

  if metadata_file_path:
    metadata_proto = metadata_file_protos[metadata_file_path]
@@ -319,7 +327,7 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
                                                               uri=sbom_url,
                                                               checksum=sbom_checksum)
        relationships.append(
-            sbom_data.Relationship(id1=prebuilt_package_id,
+          sbom_data.Relationship(id1=upstream_package_id,
                                 relationship=sbom_data.RelationshipType.VARIANT_OF,
                                 id2=doc_ref_id + ':' + upstream_element_id))