Add pURL type data

This change completes the pURL externalRef data by extracting
pURL type from a package

Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>

tern/classes/image_layer.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2017-2022 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2017-2023 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 import os
 import re
@@ -222,7 +222,7 @@ def add_checksums(self, checksums):
     def add_package(self, package):
         if isinstance(package, Package):
             if package.name not in self.get_package_names():
-                purl = add_purl(package.name, package.version)
+                purl = add_purl(package.proj_url, package.name, package.version)
                 package.external_refs.append(purl)
                 self.__packages.append(package)
         else:

tern/extensions/scancode/executor.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2019-2022 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2019-2023 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 """
@@ -119,7 +119,10 @@ def get_scancode_package(package_dict):
     package.download_url = package_dict['download_url']
     package.licenses = [package_dict['declared_license'],
                         package_dict['license_expression']]
-    purl = add_purl(package_dict['name'], package_dict['version'])
+    proj_url = ''
+    if package_dict['proj_url']:
+        proj_url = package_dict['proj_url']
+    purl = add_purl(proj_url, package_dict['name'], package_dict['version'])
     package.external_refs.append(purl)
     return package
 

tern/formats/spdx/spdx.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2019-2020 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2019-2023 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 from tern.classes.template import Template
@@ -21,7 +21,8 @@ def package(self):
                 'copyright': 'PackageCopyrightText',
                 'download_url': 'PackageDownloadLocation',
                 'src_name': 'SourcePackageName',
-                'src_version': 'SourcePackageVersion'}
+                'src_version': 'SourcePackageVersion',
+                'external_refs': 'ExternalRef'}
 
     def image_layer(self):
         return {'tar_file': 'PackageFileName'}

tern/formats/spdx/spdxjson/package_helpers.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2021 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2021-2023 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 """
@@ -72,6 +72,7 @@ def get_package_dict(package, template):
             mapping['PackageLicenseDeclared']),
         'copyrightText': mapping['PackageCopyrightText'] if
         mapping['PackageCopyrightText'] else 'NONE',
+        'externalRef': mapping['ExternalRef'],
         'comment': get_package_comment(package)
     }
 

tern/formats/spdx/spdxtagvalue/package_helpers.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2020 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2020-2023 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 """
@@ -67,7 +67,6 @@ def get_source_package_block(package_obj, template):
     block += spdx_formats.source_comment
     return block
 
-
 def get_package_block(package_obj, template):
     '''Given a package object and its SPDX template mapping, return a SPDX
     document block for the package. The mapping should have keys:
@@ -110,6 +109,8 @@ def get_package_block(package_obj, template):
             message=mapping['PackageCopyrightText']) + '\n'
     else:
         block += 'PackageCopyrightText: NONE\n'
+    # External References
+    block += 'ExternalRef: {}\n'.format(mapping['ExternalRef'])
     # Package Comments
     block += get_package_comment(package_obj)
     return block

tern/utils/externals.py

@@ -1,21 +1,103 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2017-2022 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2023 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 import logging
+from enum import Enum
 from packageurl import PackageURL
+from urllib.parse import urlparse
 
 from tern.utils import constants
 
 # global logger
 logger = logging.getLogger(constants.logger_name)
 
-def generate_purl_package_reference(package_name, package_version):
-    return "pkg:" + package_name +  "@" + package_version
+class PurlType(str, Enum):
+    ALPM = "alpm"
+    APK = "apk"
+    BITBUCKET = "bitbucket"
+    CARGO = "cargo"
+    COMPOSER = "composer"
+    CONAN = "conan"
+    CONDA = "conda"
+    CRAN = "cran"
+    DEB = "deb"
+    DOCKER = "docker"
+    GEM = "gem"
+    GENERIC = "generic"
+    GITHUB = "github"
+    GOLANG = "golang"
+    HACKAGE = "hackage"
+    HEX = "hex"
+    MAVEN = "maven"
+    NPM = "npm"
+    NUGET = "nuget"
+    QPKG = "qpkg"
+    OCI = "oci"
+    PUB = "pub"
+    PYPI = "pypi"
+    RPM = "rpm"
+    SWID = "swid"
+    SWIFT = "swift"
+    MISSING = "unknown"
 
-def add_purl(package_name, package_version):
-    purl_package_reference = generate_purl_package_reference(package_name, package_version)
+def get_purl_type_from_url(proj_url):
+    pkg_type = urlparse(proj_url).netloc
+    if pkg_type:
+        pkg_type = pkg_type.split('.')
+        if len(pkg_type) > 1:
+            pkg_type = pkg_type[-2]
+    return pkg_type
+
+def get_purl_type(proj_url):
+    pkg_type = get_purl_type_from_url(proj_url)
+
+    if len(pkg_type) == 0:
+        return PurlType.MISSING
+    if pkg_type in ('alpine', 'openwrt', 'alpinelinux'):
+        return PurlType.APK
+    if pkg_type == "crates":
+        return PurlType.CARGO
+    if pkg_type == "packagist":
+        return PurlType.COMPOSER
+    if pkg_type == "anaconda":
+        return PurlType.CONDA
+    if pkg_type == "r-project":
+        return PurlType.CRAN
+    if pkg_type in ('debian', 'ubuntu', 'gnu'):
+        return PurlType.DEB
+    if pkg_type == "rubygems":
+        return PurlType.GEM
+    if pkg_type == "haskell":
+        return PurlType.HACKAGE
+    if pkg_type == "apache":
+        return PurlType.MAVEN
+    if pkg_type == "npmjs":
+        return PurlType.NPM
+    if pkg_type == "dartlang":
+        return PurlType.PUB
+    if pkg_type == "python":
+        return PurlType.PYPI
+    return pkg_type
+
+def get_purl_namespace():
+    return ""
+
+def generate_purl_package_reference(proj_url, pkg_name, pkg_version, qualifiers=None):
+    pkg_type = get_purl_type(proj_url)
+    pkg_namespace = get_purl_namespace()
+    qualifiers_str = ""
+    if qualifiers:
+        for k,v in qualifiers.items():
+            qualifiers_str += "&" + k + "=" + v
+        if len(qualifiers_str) > 0:
+            qualifiers_str = "?" + qualifiers_str[1:]
+
+    return "pkg:" + pkg_type +"/" + pkg_namespace + "/" + pkg_name +  "@" + pkg_version + qualifiers_str
+
+def add_purl(proj_url, pkg_name, pkg_version, qualifiers=None):
+    purl_package_reference = generate_purl_package_reference(proj_url, pkg_name, pkg_version, qualifiers)
     purl = 'not_found'
     try:
         purl = PackageURL.from_string(purl_package_reference)

tests/test_class_package.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2017-2022 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2017-2023 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 import unittest