diff --git a/tools/sbom/Android.bp b/tools/sbom/Android.bp index 4837dde51d..519251e1c7 100644 --- a/tools/sbom/Android.bp +++ b/tools/sbom/Android.bp @@ -53,5 +53,27 @@ python_test_host { libs: [ "sbom_lib", ], + version: { + py3: { + embedded_launcher: true, + }, + }, + test_suites: ["general-tests"], +} + +python_test_host { + name: "sbom_data_test", + main: "sbom_data_test.py", + srcs: [ + "sbom_data_test.py", + ], + libs: [ + "sbom_lib", + ], + version: { + py3: { + embedded_launcher: true, + }, + }, test_suites: ["general-tests"], } diff --git a/tools/sbom/sbom_data.py b/tools/sbom/sbom_data.py index ea38e364dc..71f8660d67 100644 --- a/tools/sbom/sbom_data.py +++ b/tools/sbom/sbom_data.py @@ -133,7 +133,7 @@ class Document: checksums = [] for file in self.files: if file.id in package.file_ids: - checksums.append(file.checksum) + checksums.append(file.checksum.split(': ')[1]) checksums.sort() h = hashlib.sha1() h.update(''.join(checksums).encode(encoding='utf-8')) diff --git a/tools/sbom/sbom_data_test.py b/tools/sbom/sbom_data_test.py new file mode 100644 index 0000000000..69bc9d2d29 --- /dev/null +++ b/tools/sbom/sbom_data_test.py @@ -0,0 +1,139 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2023 The Android Open Source Project +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import hashlib +import unittest +import sbom_data + +BUILD_FINGER_PRINT = 'build_finger_print' +SUPPLIER_GOOGLE = 'Organization: Google' +SUPPLIER_UPSTREAM = 'Organization: upstream' + +SPDXID_PREBUILT_PACKAGE1 = 'SPDXRef-PREBUILT-package1' +SPDXID_SOURCE_PACKAGE1 = 'SPDXRef-SOURCE-package1' +SPDXID_UPSTREAM_PACKAGE1 = 'SPDXRef-UPSTREAM-package1' + +SPDXID_FILE1 = 'SPDXRef-file1' +SPDXID_FILE2 = 'SPDXRef-file2' +SPDXID_FILE3 = 'SPDXRef-file3' +SPDXID_FILE4 = 'SPDXRef-file4' + + +class SBOMDataTest(unittest.TestCase): + + def setUp(self): + # SBOM of a product + self.sbom_doc = sbom_data.Document(name='test doc', + namespace='http://www.google.com/sbom/spdx/android', + creators=[SUPPLIER_GOOGLE], + created='2023-03-31T22:17:58Z', + describes=sbom_data.SPDXID_PRODUCT) + self.sbom_doc.add_external_ref( + sbom_data.DocumentExternalReference(id='DocumentRef-external_doc_ref', + uri='external_doc_uri', + checksum='SHA1: 1234567890')) + self.sbom_doc.add_package( + sbom_data.Package(id=sbom_data.SPDXID_PRODUCT, + name=sbom_data.PACKAGE_NAME_PRODUCT, + download_location=sbom_data.VALUE_NONE, + supplier=SUPPLIER_GOOGLE, + version=BUILD_FINGER_PRINT, + files_analyzed=True, + verification_code='', + file_ids=[SPDXID_FILE1, SPDXID_FILE2, SPDXID_FILE3, SPDXID_FILE4])) + + self.sbom_doc.add_package( + sbom_data.Package(id=sbom_data.SPDXID_PLATFORM, + name=sbom_data.PACKAGE_NAME_PLATFORM, + download_location=sbom_data.VALUE_NONE, + supplier=SUPPLIER_GOOGLE, + version=BUILD_FINGER_PRINT, + )) + + self.sbom_doc.add_package( + sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1, + name='Prebuilt package1', + download_location=sbom_data.VALUE_NONE, + supplier=SUPPLIER_GOOGLE, + version=BUILD_FINGER_PRINT, + )) + + self.sbom_doc.add_package( + sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1, + name='Source package1', + download_location=sbom_data.VALUE_NONE, + supplier=SUPPLIER_GOOGLE, + version=BUILD_FINGER_PRINT, + external_refs=[sbom_data.PackageExternalRef( + category=sbom_data.PackageExternalRefCategory.SECURITY, + type=sbom_data.PackageExternalRefType.cpe22Type, + locator='cpe:/a:jsoncpp_project:jsoncpp:1.9.4')] + )) + + self.sbom_doc.add_package( + sbom_data.Package(id=SPDXID_UPSTREAM_PACKAGE1, + name='Upstream package1', + supplier=SUPPLIER_UPSTREAM, + version='1.1', + )) + + self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_SOURCE_PACKAGE1, + relationship=sbom_data.RelationshipType.VARIANT_OF, + id2=SPDXID_UPSTREAM_PACKAGE1)) + + self.sbom_doc.files.append( + sbom_data.File(id=SPDXID_FILE1, name='/bin/file1', + checksum='SHA1: 356a192b7913b04c54574d18c28d46e6395428ab')) # sha1 hash of 1 + self.sbom_doc.files.append( + sbom_data.File(id=SPDXID_FILE2, name='/bin/file2', + checksum='SHA1: da4b9237bacccdf19c0760cab7aec4a8359010b0')) # sha1 hash of 2 + self.sbom_doc.files.append( + sbom_data.File(id=SPDXID_FILE3, name='/bin/file3', + checksum='SHA1: 77de68daecd823babbb58edb1c8e14d7106e83bb')) # sha1 hash of 3 + self.sbom_doc.files.append( + sbom_data.File(id=SPDXID_FILE4, name='file4.a', + checksum='SHA1: 1b6453892473a467d07372d45eb05abc2031647a')) # sha1 of 4 + + self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1, + relationship=sbom_data.RelationshipType.GENERATED_FROM, + id2=sbom_data.SPDXID_PLATFORM)) + self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE2, + relationship=sbom_data.RelationshipType.GENERATED_FROM, + id2=SPDXID_PREBUILT_PACKAGE1)) + self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE3, + relationship=sbom_data.RelationshipType.GENERATED_FROM, + id2=SPDXID_SOURCE_PACKAGE1 + )) + self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1, + relationship=sbom_data.RelationshipType.STATIC_LINK, + id2=SPDXID_FILE4 + )) + + def test_package_verification_code(self): + checksums = [] + for file in self.sbom_doc.files: + checksums.append(file.checksum.split(': ')[1]) + checksums.sort() + h = hashlib.sha1() + h.update(''.join(checksums).encode(encoding='utf-8')) + expected_package_verification_code = h.hexdigest() + + self.sbom_doc.generate_packages_verification_code() + self.assertEqual(expected_package_verification_code, self.sbom_doc.packages[0].verification_code) + + +if __name__ == '__main__': + unittest.main(verbosity=2)