Create separate python libraries for the following logic and refactor SBOM generation script accordingly.

1) writer classes for generating an SBOM in different SPDX formats
2) data classes to model the SBOM structure in SPDX

Bug: 272358880
Test: CIs
Test: build/soong/tests/sbom_test.sh
Test: atest --host sbom_writers_test

Change-Id: I1175cf0d99864bc4304559a59484ef0ba401cd64
This commit is contained in:
Wei Li
2023-04-07 16:45:17 -07:00
parent a0ffed1fa1
commit dec97b1462
9 changed files with 1020 additions and 285 deletions


@@ -0,0 +1,137 @@
{
"spdxVersion": "SPDX-2.3",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "test doc",
"documentNamespace": "http://www.google.com/sbom/spdx/android",
"creationInfo": {
"creators": [
"Organization: Google"
],
"created": "2023-03-31T22:17:58Z"
},
"externalDocumentRefs": [
{
"externalDocumentId": "DocumentRef-external_doc_ref",
"spdxDocument": "external_doc_uri",
"checksum": {
"algorithm": "SHA1",
"checksumValue": "1234567890"
}
}
],
"documentDescribes": [
"SPDXRef-PRODUCT"
],
"packages": [
{
"name": "PRODUCT",
"SPDXID": "SPDXRef-PRODUCT",
"downloadLocation": "NONE",
"filesAnalyzed": true,
"versionInfo": "build_finger_print",
"supplier": "Organization: Google",
"packageVerificationCode": {
"packageVerificationCodeValue": "123456"
},
"hasFiles": [
"SPDXRef-file1",
"SPDXRef-file2",
"SPDXRef-file3"
]
},
{
"name": "PLATFORM",
"SPDXID": "SPDXRef-PLATFORM",
"downloadLocation": "NONE",
"filesAnalyzed": false,
"versionInfo": "build_finger_print",
"supplier": "Organization: Google"
},
{
"name": "Prebuilt package1",
"SPDXID": "SPDXRef-PREBUILT-package1",
"downloadLocation": "NONE",
"filesAnalyzed": false,
"versionInfo": "build_finger_print",
"supplier": "Organization: Google"
},
{
"name": "Source package1",
"SPDXID": "SPDXRef-SOURCE-package1",
"downloadLocation": "NONE",
"filesAnalyzed": false,
"versionInfo": "build_finger_print",
"supplier": "Organization: Google",
"externalRefs": [
{
"referenceCategory": "SECURITY",
"referenceType": "cpe22Type",
"referenceLocator": "cpe:/a:jsoncpp_project:jsoncpp:1.9.4"
}
]
},
{
"name": "Upstream package1",
"SPDXID": "SPDXRef-UPSTREAM-package1",
"downloadLocation": "NONE",
"filesAnalyzed": false,
"versionInfo": "1.1",
"supplier": "Organization: upstream"
}
],
"files": [
{
"fileName": "/bin/file1",
"SPDXID": "SPDXRef-file1",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "11111"
}
]
},
{
"fileName": "/bin/file2",
"SPDXID": "SPDXRef-file2",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "22222"
}
]
},
{
"fileName": "/bin/file3",
"SPDXID": "SPDXRef-file3",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "33333"
}
]
}
],
"relationships": [
{
"spdxElementId": "SPDXRef-file1",
"relatedSpdxElement": "SPDXRef-PLATFORM",
"relationshipType": "GENERATED_FROM"
},
{
"spdxElementId": "SPDXRef-file2",
"relatedSpdxElement": "SPDXRef-PREBUILT-package1",
"relationshipType": "GENERATED_FROM"
},
{
"spdxElementId": "SPDXRef-file3",
"relatedSpdxElement": "SPDXRef-SOURCE-package1",
"relationshipType": "GENERATED_FROM"
},
{
"spdxElementId": "SPDXRef-SOURCE-package1",
"relatedSpdxElement": "SPDXRef-UPSTREAM-package1",
"relationshipType": "VARIANT_OF"
}
]
}
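Review bot: The checksum values in this fixture (`"checksumValue": "1234567890"` for the external document ref, `"11111"`/`"22222"`/`"33333"` for the files, and `"packageVerificationCodeValue": "123456"`) are labelled `SHA1` but are not 40-character hex digests, so the expected output can never be cross-checked with an SPDX 2.3 validator and the writers are only ever exercised with malformed digest strings. If the test data in sbom_writers_test (outside this page) is changed to well-formed placeholder digests — for example 40 hex characters such as `"da39a3ee5e6b4b0d3255bfef95601890afd80709"` (the SHA1 of empty input) — these expected values would need the same update. The same applies to the `FileChecksum: SHA1:`, `ExternalDocumentRef:` and `PackageVerificationCode:` lines of the tag-value fixtures in the two following file sections.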


@@ -0,0 +1,65 @@
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: test doc
DocumentNamespace: http://www.google.com/sbom/spdx/android
Creator: Organization: Google
Created: 2023-03-31T22:17:58Z
ExternalDocumentRef: DocumentRef-external_doc_ref external_doc_uri SHA1: 1234567890
PackageName: PRODUCT
SPDXID: SPDXRef-PRODUCT
PackageDownloadLocation: NONE
FilesAnalyzed: true
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
PackageVerificationCode: 123456
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-PRODUCT
FileName: /bin/file1
SPDXID: SPDXRef-file1
FileChecksum: SHA1: 11111
FileName: /bin/file2
SPDXID: SPDXRef-file2
FileChecksum: SHA1: 22222
FileName: /bin/file3
SPDXID: SPDXRef-file3
FileChecksum: SHA1: 33333
PackageName: PLATFORM
SPDXID: SPDXRef-PLATFORM
PackageDownloadLocation: NONE
FilesAnalyzed: false
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
PackageName: Prebuilt package1
SPDXID: SPDXRef-PREBUILT-package1
PackageDownloadLocation: NONE
FilesAnalyzed: false
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
PackageName: Source package1
SPDXID: SPDXRef-SOURCE-package1
PackageDownloadLocation: NONE
FilesAnalyzed: false
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
ExternalRef: SECURITY cpe22Type cpe:/a:jsoncpp_project:jsoncpp:1.9.4
PackageName: Upstream package1
SPDXID: SPDXRef-UPSTREAM-package1
PackageDownloadLocation: NONE
FilesAnalyzed: false
PackageVersion: 1.1
PackageSupplier: Organization: upstream
Relationship: SPDXRef-SOURCE-package1 VARIANT_OF SPDXRef-UPSTREAM-package1
Relationship: SPDXRef-file1 GENERATED_FROM SPDXRef-PLATFORM
Relationship: SPDXRef-file2 GENERATED_FROM SPDXRef-PREBUILT-package1
Relationship: SPDXRef-file3 GENERATED_FROM SPDXRef-SOURCE-package1


@@ -0,0 +1,12 @@
FileName: /bin/file1.apk
SPDXID: SPDXRef-file1
FileChecksum: SHA1: 11111
PackageName: Unbundled apk package
SPDXID: SPDXRef-SOURCE-package1
PackageDownloadLocation: NONE
FilesAnalyzed: false
PackageVersion: build_finger_print
PackageSupplier: Organization: Google
Relationship: SPDXRef-file1 GENERATED_FROM SPDXRef-SOURCE-package1