Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update SPDX tools-golang lib to v0.5.0 #1503

Merged
merged 3 commits into from
Jan 31, 2023
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ require (
github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e
github.com/sergi/go-diff v1.3.1
github.com/sirupsen/logrus v1.9.0
github.com/spdx/tools-golang v0.4.0
github.com/spdx/tools-golang v0.5.0-rc1
github.com/spf13/afero v1.9.3
github.com/spf13/cobra v1.6.1
github.com/spf13/pflag v1.0.5
Expand Down Expand Up @@ -69,6 +69,7 @@ require (
github.com/Masterminds/goutils v1.1.1 // indirect
github.com/Masterminds/semver/v3 v3.1.1 // indirect
github.com/Microsoft/go-winio v0.6.0 // indirect
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
github.com/containerd/containerd v1.6.12 // indirect
github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
Expand Down
6 changes: 4 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -138,6 +138,8 @@ github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8 h1:imgMA0gN0TZx7
github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8/go.mod h1:+gPap4jha079qzRTUaehv+UZ6sSdaNwkH0D3b6zhTuk=
github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb h1:iDMnx6LIjtjZ46C0akqveX83WFzhpTD3eqOthawb5vU=
github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb/go.mod h1:DmTY2Mfcv38hsHbG78xMiTDdxFtkHpgYNVDPsF2TgHk=
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc=
github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0vW0nnNKJfJieyH/TZ9UYAnTZs5/gHTdAe8=
github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ=
github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZVsCYMrIZBpFxwV26CbsuoEh5muXD5I1Ods=
Expand Down Expand Up @@ -1046,8 +1048,8 @@ github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4k
github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
github.com/spdx/tools-golang v0.4.0 h1:jdhnW8zYelURCbYTphiviFKZkWu51in0E4A1KT2csP0=
github.com/spdx/tools-golang v0.4.0/go.mod h1:VHzvNsKAfAGqs4ZvwRL+7a0dNsL20s7lGui4K9C0xQM=
github.com/spdx/tools-golang v0.5.0-rc1 h1:ooCSe48QatlidqEFd+nSI308tyeNTR6NJvauUj3ApX8=
github.com/spdx/tools-golang v0.5.0-rc1/go.mod h1:LI6onw172PdO57Ob/hgnLDD4Y2PMnroeNT3wO/2WJJI=
github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
Expand Down
52 changes: 25 additions & 27 deletions syft/formats/common/spdxhelpers/to_format_model.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,7 @@ import (
"strings"
"time"

"github.com/spdx/tools-golang/spdx/common"
spdx "github.com/spdx/tools-golang/spdx/v2_3"
"github.com/spdx/tools-golang/spdx"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

already so clean!


"github.com/anchore/syft/internal"
"github.com/anchore/syft/internal/log"
Expand All @@ -23,7 +22,6 @@ import (
)

const (
spdxVersion = "SPDX-2.3"
noAssertion = "NOASSERTION"
)

Expand All @@ -40,11 +38,11 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
// for the primary package purpose field:
// https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field
documentDescribesRelationship := &spdx.Relationship{
RefA: common.DocElementID{
RefA: spdx.DocElementID{
ElementRefID: "DOCUMENT",
},
Relationship: string(DescribesRelationship),
RefB: common.DocElementID{
RefB: spdx.DocElementID{
ElementRefID: "DOCUMENT",
},
RelationshipComment: "",
Expand All @@ -55,11 +53,11 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
return &spdx.Document{
// 6.1: SPDX Version; should be in the format "SPDX-x.x"
// Cardinality: mandatory, one
SPDXVersion: spdxVersion,
SPDXVersion: spdx.Version,

// 6.2: Data License; should be "CC0-1.0"
// Cardinality: mandatory, one
DataLicense: "CC0-1.0",
DataLicense: spdx.DataLicense,

// 6.3: SPDX Identifier; should be "DOCUMENT" to represent mandatory identifier of SPDXRef-DOCUMENT
// Cardinality: mandatory, one
Expand Down Expand Up @@ -104,7 +102,7 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
// 6.8: Creators: may have multiple keys for Person, Organization
// and/or Tool
// Cardinality: mandatory, one or many
Creators: []common.Creator{
Creators: []spdx.Creator{
{
Creator: "Anchore, Inc",
CreatorType: "Organization",
Expand All @@ -129,15 +127,15 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
}
}

func toSPDXID(identifiable artifact.Identifiable) common.ElementID {
func toSPDXID(identifiable artifact.Identifiable) spdx.ElementID {
id := ""
if p, ok := identifiable.(pkg.Package); ok {
id = SanitizeElementID(fmt.Sprintf("Package-%+v-%s-%s", p.Type, p.Name, p.ID()))
} else {
id = string(identifiable.ID())
}
// NOTE: the spdx libraries prepend SPDXRef-, so we don't do it here
return common.ElementID(id)
return spdx.ElementID(id)
}

// packages populates all Package Information from the package Catalog (see https://spdx.github.io/spdx-spec/3-package-information/)
Expand Down Expand Up @@ -313,9 +311,9 @@ func toPackages(catalog *pkg.Catalog, sbom sbom.SBOM) (results []*spdx.Package)
return results
}

func toPackageChecksums(p pkg.Package) ([]common.Checksum, bool) {
func toPackageChecksums(p pkg.Package) ([]spdx.Checksum, bool) {
filesAnalyzed := false
var checksums []common.Checksum
var checksums []spdx.Checksum
switch meta := p.Metadata.(type) {
// we generate digest for some Java packages
// spdx.github.io/spdx-spec/package-information/#710-package-checksum-field
Expand All @@ -325,8 +323,8 @@ func toPackageChecksums(p pkg.Package) ([]common.Checksum, bool) {
filesAnalyzed = true
for _, digest := range meta.ArchiveDigests {
algo := strings.ToUpper(digest.Algorithm)
checksums = append(checksums, common.Checksum{
Algorithm: common.ChecksumAlgorithm(algo),
checksums = append(checksums, spdx.Checksum{
Algorithm: spdx.ChecksumAlgorithm(algo),
Value: digest.Value,
})
}
Expand All @@ -339,20 +337,20 @@ func toPackageChecksums(p pkg.Package) ([]common.Checksum, bool) {
break
}
algo = strings.ToUpper(algo)
checksums = append(checksums, common.Checksum{
Algorithm: common.ChecksumAlgorithm(algo),
checksums = append(checksums, spdx.Checksum{
Algorithm: spdx.ChecksumAlgorithm(algo),
Value: hexStr,
})
}
return checksums, filesAnalyzed
}

func toPackageOriginator(p pkg.Package) *common.Originator {
func toPackageOriginator(p pkg.Package) *spdx.Originator {
kind, originator := Originator(p)
if kind == "" || originator == "" {
return nil
}
return &common.Originator{
return &spdx.Originator{
Originator: originator,
OriginatorType: kind,
}
Expand Down Expand Up @@ -386,11 +384,11 @@ func toRelationships(relationships []artifact.Relationship) (result []*spdx.Rela
}

result = append(result, &spdx.Relationship{
RefA: common.DocElementID{
RefA: spdx.DocElementID{
ElementRefID: toSPDXID(r.From),
},
Relationship: string(relationshipType),
RefB: common.DocElementID{
RefB: spdx.DocElementID{
ElementRefID: toSPDXID(r.To),
},
RelationshipComment: comment,
Expand Down Expand Up @@ -462,20 +460,20 @@ func toFiles(s sbom.SBOM) (results []*spdx.File) {
return results
}

func toFileChecksums(digests []file.Digest) (checksums []common.Checksum) {
checksums = make([]common.Checksum, 0, len(digests))
func toFileChecksums(digests []file.Digest) (checksums []spdx.Checksum) {
checksums = make([]spdx.Checksum, 0, len(digests))
for _, digest := range digests {
checksums = append(checksums, common.Checksum{
checksums = append(checksums, spdx.Checksum{
Algorithm: toChecksumAlgorithm(digest.Algorithm),
Value: digest.Value,
})
}
return checksums
}

func toChecksumAlgorithm(algorithm string) common.ChecksumAlgorithm {
func toChecksumAlgorithm(algorithm string) spdx.ChecksumAlgorithm {
// this needs to be an uppercase version of our algorithm
return common.ChecksumAlgorithm(strings.ToUpper(algorithm))
return spdx.ChecksumAlgorithm(strings.ToUpper(algorithm))
}

func toFileTypes(metadata *source.FileMetadata) (ty []string) {
Expand Down Expand Up @@ -517,7 +515,7 @@ func toFileTypes(metadata *source.FileMetadata) (ty []string) {
// f file is an "excludes" file, skip it /* exclude SPDX analysis file(s) */
// see: https://spdx.github.io/spdx-spec/v2.3/package-information/#79-package-verification-code-field
// the above link contains the SPDX algorithm for a package verification code
func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *common.PackageVerificationCode {
func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *spdx.PackageVerificationCode {
// key off of the contains relationship;
// spdx validator will fail if a package claims to contain a file but no sha1 provided
// if a sha1 for a file is provided then the validator will fail if the package does not have
Expand Down Expand Up @@ -558,7 +556,7 @@ func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *common.PackageVe
//nolint:gosec
hasher := sha1.New()
_, _ = hasher.Write([]byte(b.String()))
return &common.PackageVerificationCode{
return &spdx.PackageVerificationCode{
// 7.9.1: Package Verification Code Value
// Cardinality: mandatory, one
Value: fmt.Sprintf("%+x", hasher.Sum(nil)),
Expand Down
23 changes: 11 additions & 12 deletions syft/formats/common/spdxhelpers/to_format_model_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,8 +4,7 @@ import (
"fmt"
"testing"

"github.com/spdx/tools-golang/spdx/common"
spdx "github.com/spdx/tools-golang/spdx/v2_3"
"github.com/spdx/tools-golang/spdx"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

Expand All @@ -21,7 +20,7 @@ func Test_toPackageChecksums(t *testing.T) {
tests := []struct {
name string
pkg pkg.Package
expected []common.Checksum
expected []spdx.Checksum
filesAnalyzed bool
}{
{
Expand All @@ -39,7 +38,7 @@ func Test_toPackageChecksums(t *testing.T) {
},
},
},
expected: []common.Checksum{
expected: []spdx.Checksum{
{
Algorithm: "SHA1",
Value: "1234",
Expand All @@ -57,7 +56,7 @@ func Test_toPackageChecksums(t *testing.T) {
ArchiveDigests: []file.Digest{},
},
},
expected: []common.Checksum{},
expected: []spdx.Checksum{},
filesAnalyzed: false,
},
{
Expand All @@ -67,7 +66,7 @@ func Test_toPackageChecksums(t *testing.T) {
Version: "1.0.0",
Language: pkg.Java,
},
expected: []common.Checksum{},
expected: []spdx.Checksum{},
filesAnalyzed: false,
},
{
Expand All @@ -81,7 +80,7 @@ func Test_toPackageChecksums(t *testing.T) {
H1Digest: "h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw=",
},
},
expected: []common.Checksum{
expected: []spdx.Checksum{
{
Algorithm: "SHA256",
Value: "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c",
Expand All @@ -97,7 +96,7 @@ func Test_toPackageChecksums(t *testing.T) {
Language: pkg.Java,
Metadata: struct{}{},
},
expected: []common.Checksum{},
expected: []spdx.Checksum{},
filesAnalyzed: false,
},
}
Expand Down Expand Up @@ -229,7 +228,7 @@ func Test_toFileChecksums(t *testing.T) {
tests := []struct {
name string
digests []file.Digest
expected []common.Checksum
expected []spdx.Checksum
}{
{
name: "empty",
Expand All @@ -246,7 +245,7 @@ func Test_toFileChecksums(t *testing.T) {
Value: "meh",
},
},
expected: []common.Checksum{
expected: []spdx.Checksum{
{
Algorithm: "SHA256",
Value: "deadbeefcafe",
Expand Down Expand Up @@ -275,8 +274,8 @@ func Test_fileIDsForPackage(t *testing.T) {
FileSystemID: "nowhere",
}

docElementId := func(identifiable artifact.Identifiable) common.DocElementID {
return common.DocElementID{
docElementId := func(identifiable artifact.Identifiable) spdx.DocElementID {
return spdx.DocElementID{
ElementRefID: toSPDXID(identifiable),
}
}
Expand Down
2 changes: 1 addition & 1 deletion syft/formats/common/spdxhelpers/to_syft_model.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ import (
"strconv"
"strings"

spdx "github.com/spdx/tools-golang/spdx/v2_3"
"github.com/spdx/tools-golang/spdx"

"github.com/anchore/packageurl-go"
"github.com/anchore/syft/internal/log"
Expand Down
15 changes: 7 additions & 8 deletions syft/formats/common/spdxhelpers/to_syft_model_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,7 @@ package spdxhelpers
import (
"testing"

"github.com/spdx/tools-golang/spdx/common"
spdx "github.com/spdx/tools-golang/spdx/v2_3"
"github.com/spdx/tools-golang/spdx"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"

Expand Down Expand Up @@ -246,9 +245,9 @@ func TestH1Digest(t *testing.T) {
RefType: "purl",
},
},
PackageChecksums: []common.Checksum{
PackageChecksums: []spdx.Checksum{
{
Algorithm: common.SHA256,
Algorithm: spdx.SHA256,
Value: "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c",
},
},
Expand All @@ -267,9 +266,9 @@ func TestH1Digest(t *testing.T) {
RefType: "purl",
},
},
PackageChecksums: []common.Checksum{
PackageChecksums: []spdx.Checksum{
{
Algorithm: common.SHA1,
Algorithm: spdx.SHA1,
Value: "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c",
},
},
Expand All @@ -288,9 +287,9 @@ func TestH1Digest(t *testing.T) {
RefType: "purl",
},
},
PackageChecksums: []common.Checksum{
PackageChecksums: []spdx.Checksum{
{
Algorithm: common.SHA256,
Algorithm: spdx.SHA256,
Value: "",
},
},
Expand Down
4 changes: 2 additions & 2 deletions syft/formats/spdxjson/decoder.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,14 @@ import (
"fmt"
"io"

spdx "github.com/spdx/tools-golang/json"
"github.com/spdx/tools-golang/json"

"github.com/anchore/syft/syft/formats/common/spdxhelpers"
"github.com/anchore/syft/syft/sbom"
)

func decoder(reader io.Reader) (s *sbom.SBOM, err error) {
doc, err := spdx.Load2_3(reader)
doc, err := json.Read(reader)
if err != nil {
return nil, fmt.Errorf("unable to decode spdx-json: %w", err)
}
Expand Down
4 changes: 2 additions & 2 deletions syft/formats/spdxtagvalue/decoder.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,14 @@ import (
"fmt"
"io"

"github.com/spdx/tools-golang/tvloader"
"github.com/spdx/tools-golang/tagvalue"

"github.com/anchore/syft/syft/formats/common/spdxhelpers"
"github.com/anchore/syft/syft/sbom"
)

func decoder(reader io.Reader) (*sbom.SBOM, error) {
doc, err := tvloader.Load2_3(reader)
doc, err := tagvalue.Read(reader)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is also awesome

if err != nil {
return nil, fmt.Errorf("unable to decode spdx-tag-value: %w", err)
}
Expand Down
Loading