Create separate python libraries for the following logic and refactor SBOM generation script accordingly.

1) writer classes of generating SBOM in different SPDX formats 2) data classes to model the SBOM structure in SPDX Bug: 272358880 Test: CIs Test: build/soong/tests/sbom_test.sh Test: atest --host sbom_writers_test Change-Id: I1175cf0d99864bc4304559a59484ef0ba401cd64
2023-04-07 16:45:17 -07:00
parent a0ffed1fa1
commit dec97b1462
9 changed files with 1020 additions and 285 deletions
--- a/tools/sbom/sbom_writers_test.py
+++ b/tools/sbom/sbom_writers_test.py
@@ -0,0 +1,153 @@
+#!/usr/bin/env python3
+#
+# Copyright (C) 2023 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import io
+import pathlib
+import unittest
+import sbom_data
+import sbom_writers
+
+BUILD_FINGER_PRINT = 'build_finger_print'
+SUPPLIER_GOOGLE = 'Organization: Google'
+SUPPLIER_UPSTREAM = 'Organization: upstream'
+
+SPDXID_PREBUILT_PACKAGE1 = 'SPDXRef-PREBUILT-package1'
+SPDXID_SOURCE_PACKAGE1 = 'SPDXRef-SOURCE-package1'
+SPDXID_UPSTREAM_PACKAGE1 = 'SPDXRef-UPSTREAM-package1'
+
+SPDXID_FILE1 = 'SPDXRef-file1'
+SPDXID_FILE2 = 'SPDXRef-file2'
+SPDXID_FILE3 = 'SPDXRef-file3'
+
+
+class SBOMWritersTest(unittest.TestCase):
+
+  def setUp(self):
+    # SBOM of a product
+    self.sbom_doc = sbom_data.Document(name='test doc',
+                                       namespace='http://www.google.com/sbom/spdx/android',
+                                       creators=[SUPPLIER_GOOGLE],
+                                       created='2023-03-31T22:17:58Z',
+                                       describes=sbom_data.SPDXID_PRODUCT)
+    self.sbom_doc.add_external_ref(
+      sbom_data.DocumentExternalReference(id='DocumentRef-external_doc_ref',
+                                          uri='external_doc_uri',
+                                          checksum='SHA1: 1234567890'))
+    self.sbom_doc.add_package(
+      sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
+                        name=sbom_data.PACKAGE_NAME_PRODUCT,
+                        supplier=SUPPLIER_GOOGLE,
+                        version=BUILD_FINGER_PRINT,
+                        files_analyzed=True,
+                        verification_code='123456',
+                        file_ids=[SPDXID_FILE1, SPDXID_FILE2, SPDXID_FILE3]))
+
+    self.sbom_doc.add_package(
+      sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
+                        name=sbom_data.PACKAGE_NAME_PLATFORM,
+                        supplier=SUPPLIER_GOOGLE,
+                        version=BUILD_FINGER_PRINT,
+                        ))
+
+    self.sbom_doc.add_package(
+      sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
+                        name='Prebuilt package1',
+                        supplier=SUPPLIER_GOOGLE,
+                        version=BUILD_FINGER_PRINT,
+                        ))
+
+    self.sbom_doc.add_package(
+      sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
+                        name='Source package1',
+                        supplier=SUPPLIER_GOOGLE,
+                        version=BUILD_FINGER_PRINT,
+                        external_refs=[sbom_data.PackageExternalRef(
+                          category=sbom_data.PackageExternalRefCategory.SECURITY,
+                          type=sbom_data.PackageExternalRefType.cpe22Type,
+                          locator='cpe:/a:jsoncpp_project:jsoncpp:1.9.4')]
+                        ))
+
+    self.sbom_doc.add_package(
+      sbom_data.Package(id=SPDXID_UPSTREAM_PACKAGE1,
+                        name='Upstream package1',
+                        supplier=SUPPLIER_UPSTREAM,
+                        version='1.1',
+                        ))
+
+    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_SOURCE_PACKAGE1,
+                                                          relationship=sbom_data.RelationshipType.VARIANT_OF,
+                                                          id2=SPDXID_UPSTREAM_PACKAGE1))
+
+    self.sbom_doc.files.append(
+      sbom_data.File(id=SPDXID_FILE1, name='/bin/file1', checksum='SHA1: 11111'))
+    self.sbom_doc.files.append(
+      sbom_data.File(id=SPDXID_FILE2, name='/bin/file2', checksum='SHA1: 22222'))
+    self.sbom_doc.files.append(
+      sbom_data.File(id=SPDXID_FILE3, name='/bin/file3', checksum='SHA1: 33333'))
+
+    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
+                                                          relationship=sbom_data.RelationshipType.GENERATED_FROM,
+                                                          id2=sbom_data.SPDXID_PLATFORM))
+    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE2,
+                                                          relationship=sbom_data.RelationshipType.GENERATED_FROM,
+                                                          id2=SPDXID_PREBUILT_PACKAGE1))
+    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE3,
+                                                          relationship=sbom_data.RelationshipType.GENERATED_FROM,
+                                                          id2=SPDXID_SOURCE_PACKAGE1
+                                                          ))
+
+    # SBOM fragment of a APK
+    self.unbundled_sbom_doc = sbom_data.Document(name='test doc',
+                                                 namespace='http://www.google.com/sbom/spdx/android',
+                                                 creators=[SUPPLIER_GOOGLE],
+                                                 created='2023-03-31T22:17:58Z',
+                                                 describes=SPDXID_FILE1)
+
+    self.unbundled_sbom_doc.files.append(
+      sbom_data.File(id=SPDXID_FILE1, name='/bin/file1.apk', checksum='SHA1: 11111'))
+    self.unbundled_sbom_doc.add_package(
+      sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
+                        name='Unbundled apk package',
+                        supplier=SUPPLIER_GOOGLE,
+                        version=BUILD_FINGER_PRINT))
+    self.unbundled_sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
+                                                                    relationship=sbom_data.RelationshipType.GENERATED_FROM,
+                                                                    id2=SPDXID_SOURCE_PACKAGE1))
+
+  def test_tagvalue_writer(self):
+    with io.StringIO() as output:
+      sbom_writers.TagValueWriter.write(self.sbom_doc, output)
+      expected_output = pathlib.Path('testdata/expected_tagvalue_sbom.spdx').read_text()
+      self.maxDiff = None
+      self.assertEqual(expected_output, output.getvalue())
+
+  def test_tagvalue_writer_unbundled(self):
+    with io.StringIO() as output:
+      sbom_writers.TagValueWriter.write(self.unbundled_sbom_doc, output, fragment=True)
+      expected_output = pathlib.Path('testdata/expected_tagvalue_sbom_unbundled.spdx').read_text()
+      self.maxDiff = None
+      self.assertEqual(expected_output, output.getvalue())
+
+  def test_json_writer(self):
+    with io.StringIO() as output:
+      sbom_writers.JSONWriter.write(self.sbom_doc, output)
+      expected_output = pathlib.Path('testdata/expected_json_sbom.spdx.json').read_text()
+      self.maxDiff = None
+      self.assertEqual(expected_output, output.getvalue())
+
+
+if __name__ == '__main__':
+  unittest.main(verbosity=2)