fix(purl): skip local Go packages
javierfreire committed Sep 18, 2023
1 parent 3ab655e commit f31ea9b
Showing 4 changed files with 125 additions and 5 deletions.
6 changes: 6 additions & 0 deletions pkg/purl/purl.go
Expand Up @@ -194,6 +194,9 @@ func NewPackageURL(t string, metadata types.Metadata, pkg ftypes.Package) (Packa
namespace, name = parseComposer(name)
case packageurl.TypeGolang:
namespace, name = parseGolang(name)
if (name == "") {
return PackageURL{PackageURL: *packageurl.NewPackageURL("", "", "", "", nil, "")}, nil
}
case packageurl.TypeNPM:
namespace, name = parseNpm(name)
case packageurl.TypeSwift:
Expand Down Expand Up @@ -310,6 +313,9 @@ func parseMaven(pkgName string) (string, string) {

// ref. https://github.com/package-url/purl-spec/blob/a748c36ad415c8aeffe2b8a4a5d8a50d16d6d85f/PURL-TYPES.rst#golang
func parseGolang(pkgName string) (string, string) {
if strings.HasPrefix(pkgName, "./") || strings.HasPrefix(pkgName, "../") {
return "", ""
}
name := strings.ToLower(pkgName)
return parsePkgName(name)
}
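Review bot: The skip is signalled out-of-band — `NewPackageURL` returns a PackageURL with every field empty and relies on each caller checking `Type != ""`; on this page only the SPDX marshaler does that, so any other caller would presumably emit an empty or malformed purl string. Document the contract next to the new `return`: `// Local (relative-path) Go packages have no purl; an empty PackageURL (Type == "") is returned and callers must skip it.` Also `if (name == "") {` is not gofmt output — write `if name == "" {`. The prefix test added to `parseGolang` in the second hunk recognises only `./` and `../`, so a module path given as an absolute path would still yield a purl; hedged, since what the Go binary analyzer actually passes as pkgName is not on the page. NewPackageURL's body starts and ends outside the first hunk.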
8 changes: 4 additions & 4 deletions pkg/purl/purl_test.go
Expand Up @@ -190,10 +190,10 @@ func TestNewPackageURL(t *testing.T) {
},
want: purl.PackageURL{
PackageURL: packageurl.PackageURL{
Type: packageurl.TypeGolang,
Namespace: "./private_repos/cnrm.googlesource.com",
Name: "cnrm",
Version: "(devel)",
Type: "",
Namespace: "",
Name: "",
Version: "",
},
},
},
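Review bot: The updated expectation spells out four empty fields, which hides that the point of the case is "no purl at all"; a comment next to `want:` such as `// local Go packages yield an empty PackageURL, which marshalers skip` would make the intent explicit, or the case could compare against the zero value `purl.PackageURL{}`. Whether the zero value compares equal depends on purl.PackageURL having no other fields, which the page does not show. The test case's name and input are above the hunk.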
4 changes: 3 additions & 1 deletion pkg/sbom/spdx/marshal.go
Expand Up @@ -321,11 +321,13 @@ func (m *Marshaler) pkgToSpdxPackage(t, pkgDownloadLocation string, class types.
pkgSrcInfo = fmt.Sprintf("%s: %s %s", SourcePackagePrefix, pkg.SrcName, utils.FormatSrcVersion(pkg))
}

var pkgExtRefs []*spdx.PackageExternalReference
packageURL, err := purl.NewPackageURL(t, metadata, pkg)
if err != nil {
return spdx.Package{}, xerrors.Errorf("failed to parse purl (%s): %w", pkg.Name, err)
} else if packageURL.Type != "" {
pkgExtRefs = []*spdx.PackageExternalReference{purlExternalReference(packageURL.String())}
}
pkgExtRefs := []*spdx.PackageExternalReference{purlExternalReference(packageURL.String())}

var attrTexts []string
attrTexts = appendAttributionText(attrTexts, PropertyPkgID, pkg.ID)
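Review bot: `} else if packageURL.Type != "" {` follows a terminating `return`, so the else is redundant and hides that the type test encodes a sentinel agreed with `purl.NewPackageURL`; close the error branch and test the type on its own, with a comment naming the convention — `}` / `// An empty Type means NewPackageURL deliberately produced no purl (local Go packages).` / `if packageURL.Type != "" {`. Leaving `pkgExtRefs` nil when skipped appears consistent with the SPDX fixture added in marshal_test.go, where the local package carries no PackageExternalReferences; hedged, since the encoder's handling of nil versus empty is not on the page. pkgToSpdxPackage begins and ends outside the hunk.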
112 changes: 112 additions & 0 deletions pkg/sbom/spdx/marshal_test.go
Expand Up @@ -836,6 +836,118 @@ func TestMarshaler_Marshal(t *testing.T) {
},
},
},
{
name: "go library local",
inputReport: types.Report{
SchemaVersion: report.SchemaVersion,
ArtifactName: "go-artifact",
ArtifactType: ftypes.ArtifactFilesystem,
Results: types.Results{
{
Target: "artifact",
Class: types.ClassLangPkg,
Type: ftypes.GoBinary,
Packages: []ftypes.Package{
{
Name: "./private_repos/cnrm.googlesource.com/cnrm/",
Version: "(devel)",
},
{
Name: "golang.org/x/crypto",
Version: "v0.0.1",
},
},
},
},
},
wantSBOM: &spdx.Document{
SPDXVersion: spdx.Version,
DataLicense: spdx.DataLicense,
SPDXIdentifier: "DOCUMENT",
DocumentName: "go-artifact",
DocumentNamespace: "http://aquasecurity.github.io/trivy/filesystem/go-artifact-3ff14136-e09f-4df9-80ea-000000000001",
CreationInfo: &spdx.CreationInfo{
Creators: []common.Creator{
{
Creator: "aquasecurity",
CreatorType: "Organization",
},
{
Creator: "trivy-0.38.1",
CreatorType: "Tool",
},
},
Created: "2021-08-25T12:20:30Z",
},
Packages: []*spdx.Package{
{
PackageSPDXIdentifier: spdx.ElementID("Package-9164ae38c5cdf815"),
PackageDownloadLocation: "NONE",
PackageName: "./private_repos/cnrm.googlesource.com/cnrm/",
PackageVersion: "(devel)",
PackageLicenseConcluded: "NONE",
PackageLicenseDeclared: "NONE",
PrimaryPackagePurpose: tspdx.PackagePurposeLibrary,
PackageSupplier: &spdx.Supplier{Supplier: tspdx.PackageSupplierNoAssertion},
},
{
PackageName: "go-artifact",
PackageSPDXIdentifier: "Filesystem-e340f27468b382be",
PackageDownloadLocation: "NONE",
PackageAttributionTexts: []string{
"SchemaVersion: 2",
},
PrimaryPackagePurpose: tspdx.PackagePurposeSource,
},
{
PackageSPDXIdentifier: spdx.ElementID("Application-6666b83a5d554671"),
PackageDownloadLocation: "NONE",
PackageName: "gobinary",
PackageSourceInfo: "artifact",
PrimaryPackagePurpose: tspdx.PackagePurposeApplication,
},
{
PackageSPDXIdentifier: spdx.ElementID("Package-8451f2bc8e1f45aa"),
PackageDownloadLocation: "NONE",
PackageName: "golang.org/x/crypto",
PackageVersion: "v0.0.1",
PackageLicenseConcluded: "NONE",
PackageLicenseDeclared: "NONE",
PackageExternalReferences: []*spdx.PackageExternalReference{
{
Category: tspdx.CategoryPackageManager,
RefType: tspdx.RefTypePurl,
Locator: "pkg:golang/golang.org/x/crypto@v0.0.1",
},
},
PrimaryPackagePurpose: tspdx.PackagePurposeLibrary,
PackageSupplier: &spdx.Supplier{Supplier: tspdx.PackageSupplierNoAssertion},
},
},
Relationships: []*spdx.Relationship{
{
RefA: spdx.DocElementID{ElementRefID: "DOCUMENT"},
RefB: spdx.DocElementID{ElementRefID: "Filesystem-e340f27468b382be"},
Relationship: "DESCRIBES",
},
{
RefA: spdx.DocElementID{ElementRefID: "Filesystem-e340f27468b382be"},
RefB: spdx.DocElementID{ElementRefID: "Application-6666b83a5d554671"},
Relationship: "CONTAINS",
},
{
RefA: spdx.DocElementID{ElementRefID: "Application-6666b83a5d554671"},
RefB: spdx.DocElementID{ElementRefID: "Package-9164ae38c5cdf815"},
Relationship: "CONTAINS",
},
{
RefA: spdx.DocElementID{ElementRefID: "Application-6666b83a5d554671"},
RefB: spdx.DocElementID{ElementRefID: "Package-8451f2bc8e1f45aa"},
Relationship: "CONTAINS",
},
},
},
},
}

for _, tc := range testCases {
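Review bot: The new fixture exercises only the `./` form of a local package, while `parseGolang` also special-cases `../`; a second local entry in `Packages` (or a unit case in purl_test.go) would cover that branch, with its expected SPDX identifier computed accordingly. Note that the local relative path still surfaces as `PackageName` on the skipped package (`./private_repos/cnrm.googlesource.com/cnrm/`) — only the purl reference is dropped — so if the intent is also to keep local filesystem layout out of the SBOM, this case does not cover it; hedged, since the commit's stated scope is the purl. The test table and the loop that drives it continue outside the hunk.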
