Skip to content

Commit

Permalink
chore: update spdx/tools-golang to v0.5.0-rc1 (#1503)
Browse files Browse the repository at this point in the history
  • Loading branch information
kzantow authored Jan 31, 2023
1 parent cdac224 commit 1530ef3
Show file tree
Hide file tree
Showing 9 changed files with 56 additions and 57 deletions.
3 changes: 2 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ require (
github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e
github.com/sergi/go-diff v1.3.1
github.com/sirupsen/logrus v1.9.0
github.com/spdx/tools-golang v0.4.0
github.com/spdx/tools-golang v0.5.0-rc1
github.com/spf13/afero v1.9.3
github.com/spf13/cobra v1.6.1
github.com/spf13/pflag v1.0.5
Expand Down Expand Up @@ -69,6 +69,7 @@ require (
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.2.0 // indirect
github.com/Microsoft/go-winio v0.6.0 // indirect
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
github.com/containerd/containerd v1.6.12 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
Expand Down
6 changes: 4 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,8 @@ github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8 h1:imgMA0gN0TZx7
github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8/go.mod h1:+gPap4jha079qzRTUaehv+UZ6sSdaNwkH0D3b6zhTuk=
github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb h1:iDMnx6LIjtjZ46C0akqveX83WFzhpTD3eqOthawb5vU=
github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb/go.mod h1:DmTY2Mfcv38hsHbG78xMiTDdxFtkHpgYNVDPsF2TgHk=
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc=
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0vW0nnNKJfJieyH/TZ9UYAnTZs5/gHTdAe8=
github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ=
github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZVsCYMrIZBpFxwV26CbsuoEh5muXD5I1Ods=
Expand Down Expand Up @@ -1046,8 +1048,8 @@ github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4k
github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
github.com/spdx/tools-golang v0.4.0 h1:jdhnW8zYelURCbYTphiviFKZkWu51in0E4A1KT2csP0=
github.com/spdx/tools-golang v0.4.0/go.mod h1:VHzvNsKAfAGqs4ZvwRL+7a0dNsL20s7lGui4K9C0xQM=
github.com/spdx/tools-golang v0.5.0-rc1 h1:ooCSe48QatlidqEFd+nSI308tyeNTR6NJvauUj3ApX8=
github.com/spdx/tools-golang v0.5.0-rc1/go.mod h1:LI6onw172PdO57Ob/hgnLDD4Y2PMnroeNT3wO/2WJJI=
github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
Expand Down
52 changes: 25 additions & 27 deletions syft/formats/common/spdxhelpers/to_format_model.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,7 @@ import (
"strings"
"time"

"github.com/spdx/tools-golang/spdx/common"
spdx "github.com/spdx/tools-golang/spdx/v2_3"
"github.com/spdx/tools-golang/spdx"

"github.com/anchore/syft/internal"
"github.com/anchore/syft/internal/log"
Expand All @@ -23,7 +22,6 @@ import (
)

const (
spdxVersion = "SPDX-2.3"
noAssertion = "NOASSERTION"
)

Expand All @@ -40,11 +38,11 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
// for the primary package purpose field:
// https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field
documentDescribesRelationship := &spdx.Relationship{
RefA: common.DocElementID{
RefA: spdx.DocElementID{
ElementRefID: "DOCUMENT",
},
Relationship: string(DescribesRelationship),
RefB: common.DocElementID{
RefB: spdx.DocElementID{
ElementRefID: "DOCUMENT",
},
RelationshipComment: "",
Expand All @@ -55,11 +53,11 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
return &spdx.Document{
// 6.1: SPDX Version; should be in the format "SPDX-x.x"
// Cardinality: mandatory, one
SPDXVersion: spdxVersion,
SPDXVersion: spdx.Version,

// 6.2: Data License; should be "CC0-1.0"
// Cardinality: mandatory, one
DataLicense: "CC0-1.0",
DataLicense: spdx.DataLicense,

// 6.3: SPDX Identifier; should be "DOCUMENT" to represent mandatory identifier of SPDXRef-DOCUMENT
// Cardinality: mandatory, one
Expand Down Expand Up @@ -104,7 +102,7 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
// 6.8: Creators: may have multiple keys for Person, Organization
// and/or Tool
// Cardinality: mandatory, one or many
Creators: []common.Creator{
Creators: []spdx.Creator{
{
Creator: "Anchore, Inc",
CreatorType: "Organization",
Expand All @@ -129,15 +127,15 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
}
}

func toSPDXID(identifiable artifact.Identifiable) common.ElementID {
func toSPDXID(identifiable artifact.Identifiable) spdx.ElementID {
id := ""
if p, ok := identifiable.(pkg.Package); ok {
id = SanitizeElementID(fmt.Sprintf("Package-%+v-%s-%s", p.Type, p.Name, p.ID()))
} else {
id = string(identifiable.ID())
}
// NOTE: the spdx libraries prepend SPDXRef-, so we don't do it here
return common.ElementID(id)
return spdx.ElementID(id)
}

// packages populates all Package Information from the package Catalog (see https://spdx.github.io/spdx-spec/3-package-information/)
Expand Down Expand Up @@ -313,9 +311,9 @@ func toPackages(catalog *pkg.Catalog, sbom sbom.SBOM) (results []*spdx.Package)
return results
}

func toPackageChecksums(p pkg.Package) ([]common.Checksum, bool) {
func toPackageChecksums(p pkg.Package) ([]spdx.Checksum, bool) {
filesAnalyzed := false
var checksums []common.Checksum
var checksums []spdx.Checksum
switch meta := p.Metadata.(type) {
// we generate digest for some Java packages
// spdx.github.io/spdx-spec/package-information/#710-package-checksum-field
Expand All @@ -325,8 +323,8 @@ func toPackageChecksums(p pkg.Package) ([]common.Checksum, bool) {
filesAnalyzed = true
for _, digest := range meta.ArchiveDigests {
algo := strings.ToUpper(digest.Algorithm)
checksums = append(checksums, common.Checksum{
Algorithm: common.ChecksumAlgorithm(algo),
checksums = append(checksums, spdx.Checksum{
Algorithm: spdx.ChecksumAlgorithm(algo),
Value: digest.Value,
})
}
Expand All @@ -339,20 +337,20 @@ func toPackageChecksums(p pkg.Package) ([]common.Checksum, bool) {
break
}
algo = strings.ToUpper(algo)
checksums = append(checksums, common.Checksum{
Algorithm: common.ChecksumAlgorithm(algo),
checksums = append(checksums, spdx.Checksum{
Algorithm: spdx.ChecksumAlgorithm(algo),
Value: hexStr,
})
}
return checksums, filesAnalyzed
}

func toPackageOriginator(p pkg.Package) *common.Originator {
func toPackageOriginator(p pkg.Package) *spdx.Originator {
kind, originator := Originator(p)
if kind == "" || originator == "" {
return nil
}
return &common.Originator{
return &spdx.Originator{
Originator: originator,
OriginatorType: kind,
}
Expand Down Expand Up @@ -386,11 +384,11 @@ func toRelationships(relationships []artifact.Relationship) (result []*spdx.Rela
}

result = append(result, &spdx.Relationship{
RefA: common.DocElementID{
RefA: spdx.DocElementID{
ElementRefID: toSPDXID(r.From),
},
Relationship: string(relationshipType),
RefB: common.DocElementID{
RefB: spdx.DocElementID{
ElementRefID: toSPDXID(r.To),
},
RelationshipComment: comment,
Expand Down Expand Up @@ -462,20 +460,20 @@ func toFiles(s sbom.SBOM) (results []*spdx.File) {
return results
}

func toFileChecksums(digests []file.Digest) (checksums []common.Checksum) {
checksums = make([]common.Checksum, 0, len(digests))
func toFileChecksums(digests []file.Digest) (checksums []spdx.Checksum) {
checksums = make([]spdx.Checksum, 0, len(digests))
for _, digest := range digests {
checksums = append(checksums, common.Checksum{
checksums = append(checksums, spdx.Checksum{
Algorithm: toChecksumAlgorithm(digest.Algorithm),
Value: digest.Value,
})
}
return checksums
}

func toChecksumAlgorithm(algorithm string) common.ChecksumAlgorithm {
func toChecksumAlgorithm(algorithm string) spdx.ChecksumAlgorithm {
// this needs to be an uppercase version of our algorithm
return common.ChecksumAlgorithm(strings.ToUpper(algorithm))
return spdx.ChecksumAlgorithm(strings.ToUpper(algorithm))
}

func toFileTypes(metadata *source.FileMetadata) (ty []string) {
Expand Down Expand Up @@ -517,7 +515,7 @@ func toFileTypes(metadata *source.FileMetadata) (ty []string) {
// f file is an "excludes" file, skip it /* exclude SPDX analysis file(s) */
// see: https://spdx.github.io/spdx-spec/v2.3/package-information/#79-package-verification-code-field
// the above link contains the SPDX algorithm for a package verification code
func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *common.PackageVerificationCode {
func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *spdx.PackageVerificationCode {
// key off of the contains relationship;
// spdx validator will fail if a package claims to contain a file but no sha1 provided
// if a sha1 for a file is provided then the validator will fail if the package does not have
Expand Down Expand Up @@ -558,7 +556,7 @@ func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *common.PackageVe
//nolint:gosec
hasher := sha1.New()
_, _ = hasher.Write([]byte(b.String()))
return &common.PackageVerificationCode{
return &spdx.PackageVerificationCode{
// 7.9.1: Package Verification Code Value
// Cardinality: mandatory, one
Value: fmt.Sprintf("%+x", hasher.Sum(nil)),
Expand Down
23 changes: 11 additions & 12 deletions syft/formats/common/spdxhelpers/to_format_model_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,7 @@ import (
"fmt"
"testing"

"github.com/spdx/tools-golang/spdx/common"
spdx "github.com/spdx/tools-golang/spdx/v2_3"
"github.com/spdx/tools-golang/spdx"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

Expand All @@ -21,7 +20,7 @@ func Test_toPackageChecksums(t *testing.T) {
tests := []struct {
name string
pkg pkg.Package
expected []common.Checksum
expected []spdx.Checksum
filesAnalyzed bool
}{
{
Expand All @@ -39,7 +38,7 @@ func Test_toPackageChecksums(t *testing.T) {
},
},
},
expected: []common.Checksum{
expected: []spdx.Checksum{
{
Algorithm: "SHA1",
Value: "1234",
Expand All @@ -57,7 +56,7 @@ func Test_toPackageChecksums(t *testing.T) {
ArchiveDigests: []file.Digest{},
},
},
expected: []common.Checksum{},
expected: []spdx.Checksum{},
filesAnalyzed: false,
},
{
Expand All @@ -67,7 +66,7 @@ func Test_toPackageChecksums(t *testing.T) {
Version: "1.0.0",
Language: pkg.Java,
},
expected: []common.Checksum{},
expected: []spdx.Checksum{},
filesAnalyzed: false,
},
{
Expand All @@ -81,7 +80,7 @@ func Test_toPackageChecksums(t *testing.T) {
H1Digest: "h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw=",
},
},
expected: []common.Checksum{
expected: []spdx.Checksum{
{
Algorithm: "SHA256",
Value: "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c",
Expand All @@ -97,7 +96,7 @@ func Test_toPackageChecksums(t *testing.T) {
Language: pkg.Java,
Metadata: struct{}{},
},
expected: []common.Checksum{},
expected: []spdx.Checksum{},
filesAnalyzed: false,
},
}
Expand Down Expand Up @@ -229,7 +228,7 @@ func Test_toFileChecksums(t *testing.T) {
tests := []struct {
name string
digests []file.Digest
expected []common.Checksum
expected []spdx.Checksum
}{
{
name: "empty",
Expand All @@ -246,7 +245,7 @@ func Test_toFileChecksums(t *testing.T) {
Value: "meh",
},
},
expected: []common.Checksum{
expected: []spdx.Checksum{
{
Algorithm: "SHA256",
Value: "deadbeefcafe",
Expand Down Expand Up @@ -275,8 +274,8 @@ func Test_fileIDsForPackage(t *testing.T) {
FileSystemID: "nowhere",
}

docElementId := func(identifiable artifact.Identifiable) common.DocElementID {
return common.DocElementID{
docElementId := func(identifiable artifact.Identifiable) spdx.DocElementID {
return spdx.DocElementID{
ElementRefID: toSPDXID(identifiable),
}
}
Expand Down
2 changes: 1 addition & 1 deletion syft/formats/common/spdxhelpers/to_syft_model.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ import (
"strconv"
"strings"

spdx "github.com/spdx/tools-golang/spdx/v2_3"
"github.com/spdx/tools-golang/spdx"

"github.com/anchore/packageurl-go"
"github.com/anchore/syft/internal/log"
Expand Down
15 changes: 7 additions & 8 deletions syft/formats/common/spdxhelpers/to_syft_model_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,7 @@ package spdxhelpers
import (
"testing"

"github.com/spdx/tools-golang/spdx/common"
spdx "github.com/spdx/tools-golang/spdx/v2_3"
"github.com/spdx/tools-golang/spdx"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

Expand Down Expand Up @@ -246,9 +245,9 @@ func TestH1Digest(t *testing.T) {
RefType: "purl",
},
},
PackageChecksums: []common.Checksum{
PackageChecksums: []spdx.Checksum{
{
Algorithm: common.SHA256,
Algorithm: spdx.SHA256,
Value: "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c",
},
},
Expand All @@ -267,9 +266,9 @@ func TestH1Digest(t *testing.T) {
RefType: "purl",
},
},
PackageChecksums: []common.Checksum{
PackageChecksums: []spdx.Checksum{
{
Algorithm: common.SHA1,
Algorithm: spdx.SHA1,
Value: "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c",
},
},
Expand All @@ -288,9 +287,9 @@ func TestH1Digest(t *testing.T) {
RefType: "purl",
},
},
PackageChecksums: []common.Checksum{
PackageChecksums: []spdx.Checksum{
{
Algorithm: common.SHA256,
Algorithm: spdx.SHA256,
Value: "",
},
},
Expand Down
4 changes: 2 additions & 2 deletions syft/formats/spdxjson/decoder.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,14 @@ import (
"fmt"
"io"

spdx "github.com/spdx/tools-golang/json"
"github.com/spdx/tools-golang/json"

"github.com/anchore/syft/syft/formats/common/spdxhelpers"
"github.com/anchore/syft/syft/sbom"
)

func decoder(reader io.Reader) (s *sbom.SBOM, err error) {
doc, err := spdx.Load2_3(reader)
doc, err := json.Read(reader)
if err != nil {
return nil, fmt.Errorf("unable to decode spdx-json: %w", err)
}
Expand Down
4 changes: 2 additions & 2 deletions syft/formats/spdxtagvalue/decoder.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,14 @@ import (
"fmt"
"io"

"github.com/spdx/tools-golang/tvloader"
"github.com/spdx/tools-golang/tagvalue"

"github.com/anchore/syft/syft/formats/common/spdxhelpers"
"github.com/anchore/syft/syft/sbom"
)

func decoder(reader io.Reader) (*sbom.SBOM, error) {
doc, err := tvloader.Load2_3(reader)
doc, err := tagvalue.Read(reader)
if err != nil {
return nil, fmt.Errorf("unable to decode spdx-tag-value: %w", err)
}
Expand Down
Loading

0 comments on commit 1530ef3

Please sign in to comment.