diff --git a/syft/format/common/spdxhelpers/to_format_model.go b/syft/format/common/spdxhelpers/to_format_model.go
index 3a2061b658c..6b8a412974b 100644
--- a/syft/format/common/spdxhelpers/to_format_model.go
+++ b/syft/format/common/spdxhelpers/to_format_model.go
@@ -245,6 +245,8 @@ func toRootPackage(s source.Description) *spdx.Package {
 Supplier: helpers.NOASSERTION,
 },
 PackageDownloadLocation: helpers.NOASSERTION,
+ PackageLicenseConcluded: helpers.NOASSERTION,
+ PackageLicenseDeclared: helpers.NOASSERTION,
 }
 
 if purl != nil {
@@ -624,6 +626,9 @@ func toFiles(s sbom.SBOM) (results []*spdx.File) {
 Checksums: toFileChecksums(digests),
 FileName: coordinates.RealPath,
 FileTypes: toFileTypes(metadata),
+ LicenseInfoInFiles: []string{ // required in SPDX 2.2
+ helpers.NOASSERTION,
+ },
 })
 }
 
diff --git a/syft/format/spdxjson/encoder_test.go b/syft/format/spdxjson/encoder_test.go
index 8fdee1b8ceb..83999b53f85 100644
--- a/syft/format/spdxjson/encoder_test.go
+++ b/syft/format/spdxjson/encoder_test.go
@@ -3,6 +3,8 @@ package spdxjson
 import (
 "bytes"
 "flag"
+ "github.com/anchore/syft/syft/artifact"
+ "github.com/anchore/syft/syft/file"
 "strings"
 "testing"
 
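Review bot: The `PackageLicenseConcluded`/`PackageLicenseDeclared` additions in `toRootPackage` carry no explanation of why the root package gets a fixed NOASSERTION, while the parallel addition in the `toFiles` hunk of the same file does (`// required in SPDX 2.2`). Nothing in the hunk conditions the value on the requested SPDX version, so it is presumably emitted for 2.3 output as well, and the comment should say so. Suggested: `PackageLicenseConcluded: helpers.NOASSERTION, // mandatory in SPDX 2.2 (optional in 2.3); no license is derived for the root package` on the first of the two lines. `toRootPackage` begins and ends outside the hunk.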
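Review bot: `LicenseInfoInFiles` in `toFiles` is a fixed literal rather than anything derived from `s`, so if file-level license evidence is ever attached to the SBOM this placeholder will silently take precedence over it, and a reader cannot tell from `// required in SPDX 2.2` whether that is intentional. Extend the comment to state the contract, e.g. `// LicenseInfoInFiles is mandatory in SPDX 2.2 (optional in 2.3); no file-level license analysis is performed here, so NOASSERTION is always emitted`. `toFiles` starts and ends outside the hunk.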
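Review bot: The two new imports in the `encoder_test.go` import hunk are inserted into the standard-library group, between `"flag"` and `"strings"`, rather than in the project group that the rest of the block presumably holds (the test body references `pkg`, `sbom`, `testutil` and `require`, none of which are imported in this hunk); `goimports` would regroup them and the next formatting pass will produce an unrelated churn diff. Move `"github.com/anchore/syft/syft/artifact"` and `"github.com/anchore/syft/syft/file"` down next to the other `github.com/anchore/syft/...` imports. The import block continues past the end of the hunk.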
@@ -113,6 +115,74 @@ func TestSPDXJSONImageEncoder(t *testing.T) {
 )
 }
 
+func TestSPDX22JSONRequredProperties(t *testing.T) {
+ cfg := DefaultEncoderConfig()
+ cfg.Pretty = true
+ cfg.Version = "2.2"
+
+ enc, err := NewFormatEncoderWithConfig(cfg)
+ require.NoError(t, err)
+
+ coords := file.Coordinates{
+ RealPath: "/some/file",
+ FileSystemID: "ac897d978b6c38749a1",
+ }
+
+ p1 := pkg.Package{
+ Name: "files-analyzed-true",
+ Version: "v1",
+ Locations: file.NewLocationSet(file.NewLocation(coords.RealPath)),
+ Licenses: pkg.LicenseSet{},
+ Language: pkg.Java,
+ Metadata: pkg.JavaArchive{
+ ArchiveDigests: []file.Digest{
+ {
+ Algorithm: "sha256",
+ Value: "a9b87321a9879c79d87987987a97c97b9789ce978dffea987",
+ },
+ },
+ Parent: nil,
+ },
+ }
+ p1.SetID()
+
+ p2 := pkg.Package{
+ Name: "files-analyzed-false",
+ Version: "v2",
+ }
+ p2.SetID()
+
+ testutil.AssertEncoderAgainstGoldenSnapshot(t,
+ testutil.EncoderSnapshotTestConfig{
+ Subject: sbom.SBOM{
+ Artifacts: sbom.Artifacts{
+ Packages: pkg.NewCollection(p1, p2),
+ FileDigests: map[file.Coordinates][]file.Digest{
+ coords: {
+ {
+ Algorithm: "sha1",
+ Value: "3b4ab96c371d913e2a88c269844b6c5fb5cbe761",
+ },
+ },
+ },
+ },
+ Relationships: []artifact.Relationship{
+ {
+ From: p1,
+ To: coords,
+ Type: artifact.ContainsRelationship,
+ },
+ },
+ },
+ Format: enc,
+ UpdateSnapshot: *updateSnapshot,
+ PersistRedactionsInSnapshot: true,
+ IsJSON: true,
+ Redactor: redactor(),
+ },
+ )
+}
+
 func TestSPDXRelationshipOrder(t *testing.T) {
 testImage := "image-simple"
 
diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden
new file mode 100644
index 00000000000..118247b1dc0
--- /dev/null
+++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden
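Review bot: The new test's name `TestSPDX22JSONRequredProperties` misspells "Required", and because the golden added in this diff is named after the test (`test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden`, presumably derived by `AssertEncoderAgainstGoldenSnapshot`), the typo is baked into a fixture path; renaming later means regenerating the snapshot, so fix it now with `func TestSPDX22JSONRequiredProperties(t *testing.T) {` and rename the golden to match. Separately, the test pins the required properties only through the snapshot: nothing asserts that every package has `licenseConcluded`/`licenseDeclared` and every file a non-empty `licenseInfoInFiles`, so a future `-update` run that drops them would silently pass. A short explicit check on the encoded document, independent of the golden, would make the regression test self-describing. The surrounding test file continues outside the hunk.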
@@ -0,0 +1,100 @@ +{ + "spdxVersion": "SPDX-2.2", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "unknown", + "documentNamespace":"redacted", + "creationInfo": { + "licenseListVersion":"redacted", + "creators": [ + "Organization: Anchore, Inc", + "Tool: -" + ], + "created":"redacted" + }, + "packages": [ + { + "SPDXID": "SPDXRef-Package-files-analyzed-false-7d37ba9d2f7c574b", + "copyrightText": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "files-analyzed-false", + "sourceInfo": "acquired package info from the following paths: ", + "supplier": "NOASSERTION", + "versionInfo": "v2" + }, + { + "name": "files-analyzed-true", + "SPDXID": "SPDXRef-Package-files-analyzed-true-035066c2086b8bb4", + "versionInfo": "v1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": true, + "packageVerificationCode": { + "packageVerificationCodeValue": "6fe0c471faaaa544e33cae0918eabcdc1c798d18" + }, + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "a9b87321a9879c79d87987987a97c97b9789ce978dffea987" + } + ], + "sourceInfo": "acquired package info from the following paths: /some/file", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION" + }, + { + "SPDXID": "SPDXRef-DocumentRoot-Unknown-", + "copyrightText": "", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "", + "supplier": "NOASSERTION" + } + ], + "files": [ + { + "fileName": "/some/file", + "SPDXID": "SPDXRef-File-some-file-2c5bc344430decac", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "3b4ab96c371d913e2a88c269844b6c5fb5cbe761" + } + ], + "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], + "copyrightText": "", + "comment": "layerID: 
ac897d978b6c38749a1" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Package-files-analyzed-true-035066c2086b8bb4", + "relatedSpdxElement": "SPDXRef-File-some-file-2c5bc344430decac", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-files-analyzed-false-7d37ba9d2f7c574b", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-files-analyzed-true-035066c2086b8bb4", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + "relationshipType": "DESCRIBES" + } + ] +}
diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
index a1efd833a16..dad2c03d5d5 100644
--- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
+++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
@@ -67,6 +67,8 @@ "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "primaryPackagePurpose": "FILE" } ],
diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
index 687265f611b..f305951e8e3 100644
--- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
+++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
@@ -74,6 +74,8 @@ "checksumValue": "2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368" } ], + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER",
diff --git a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
index 906cd78f004..129804196b4 100644
--- a/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
+++ b/syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
@@ -74,6 +74,8 @@ "checksumValue": "2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368" } ], + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER",
@@ -98,6 +100,9 @@ } ], "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], "copyrightText": "" }, {
@@ -113,6 +118,9 @@ } ], "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], "copyrightText": "" }, {
@@ -128,6 +136,9 @@ } ], "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], "copyrightText": "" }, {
@@ -143,6 +154,9 @@ } ], "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], "copyrightText": "" }, {
@@ -158,6 +172,9 @@ } ], "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], "copyrightText": "" }, {
@@ -173,6 +190,9 @@ } ], "licenseConcluded": "NOASSERTION", + "licenseInfoInFiles": [ + "NOASSERTION" + ], "copyrightText": "" } ],
diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
index d33939beeac..dd946aa235b 100644
--- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
+++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
@@ -16,6 +16,8 @@ PackageSupplier: NOASSERTION PackageDownloadLocation: NOASSERTION PrimaryPackagePurpose: FILE FilesAnalyzed: false +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION ##### Package: @at-sign
diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
index af5f725b4de..dcd45e96a90 100644
--- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
+++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
@@ -15,36 +15,42 @@ SPDXID: SPDXRef-File-a1-f6-9c2f7510199b17f6 FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION FileName: /d1/f3 SPDXID: SPDXRef-File-d1-f3-c6f5b29dca12661f FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION FileName: /d2/f4 SPDXID: SPDXRef-File-d2-f4-c641caa71518099f FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION FileName: /f1 SPDXID: SPDXRef-File-f1-5265a4dde3edbf7c FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION FileName: /f2 SPDXID: SPDXRef-File-f2-f9e49132a4b96ccd FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION FileName: /z1/f5 SPDXID: SPDXRef-File-z1-f5-839d99ee67d9d174 FileType: OTHER FileChecksum: SHA1: 0000000000000000000000000000000000000000 LicenseConcluded: NOASSERTION +LicenseInfoInFile: NOASSERTION ##### Package: user-image-input
@@ -56,6 +62,8 @@ PackageDownloadLocation: NOASSERTION PrimaryPackagePurpose: CONTAINER FilesAnalyzed: false PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368 +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch= ##### Package: package-2
diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
index f422d3952e9..727f222917c 100644
--- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
+++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
@@ -16,6 +16,8 @@ PackageSupplier: NOASSERTION PackageDownloadLocation: NOASSERTION PrimaryPackagePurpose: FILE FilesAnalyzed: false +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION ##### Package: package-2
diff --git a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
index 642bb365853..edaac4c9abf 100644
--- a/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
+++ b/syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
@@ -18,6 +18,8 @@ PackageDownloadLocation: NOASSERTION PrimaryPackagePurpose: CONTAINER FilesAnalyzed: false PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368 +PackageLicenseConcluded: NOASSERTION +PackageLicenseDeclared: NOASSERTION ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch= ##### Package: package-2