tern-tools · ivanayov · Jan 13, 2023 · Jan 27, 2023
diff --git a/tern/classes/image_layer.py b/tern/classes/image_layer.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2017-2021 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2017-2023 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 import os
 import re
@@ -11,6 +11,7 @@
 from tern.utils import rootfs
 from tern.utils import constants
 from tern.utils.general import prop_names
+from tern.utils.externals import add_purl
 
 
 class ImageLayer:
@@ -221,6 +222,8 @@ def add_checksums(self, checksums):
     def add_package(self, package):
         if isinstance(package, Package):
             if package.name not in self.get_package_names():
+                purl = add_purl(package.proj_url, package.name, package.version)
+                package.external_refs.append(purl)
                 self.__packages.append(package)
         else:
             raise TypeError('Object type is {0}, should be Package'.format(

diff --git a/tern/classes/package.py b/tern/classes/package.py
@@ -24,6 +24,7 @@ class Package:
         pkg_licenses: all licenses found within a package
         src_name: the source package associated with the binary package
         src_version: the source package version
+        external_refs: a list of external references
 
     methods:
         to_dict: returns a dict representation of the instance
@@ -47,6 +48,7 @@ def __init__(self, name):
         self.__pkg_format = ''
         self.__src_name = ''
         self.__src_version = ''
+        self.__external_refs = []
 
     @property
     def name(self):
@@ -144,6 +146,14 @@ def src_version(self):
     def src_version(self, src_version):
         self.__src_version = src_version
 
+    @property
+    def external_refs(self):
+        return self.__external_refs
+
+    @external_refs.setter
+    def external_refs(self, external_refs):
+        self.__external_refs = external_refs
+
     def get_file_paths(self):
         """Return a list of paths of all the files in a package"""
         return [f.path for f in self.__files]

diff --git a/tern/extensions/scancode/executor.py b/tern/extensions/scancode/executor.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2019-2021 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2019-2023 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 """
@@ -26,6 +26,7 @@
 from tern.extensions.executor import Executor
 from tern.utils import constants
 from tern.utils import rootfs
+from tern.utils.externals import add_purl
 
 
 logger = logging.getLogger(constants.logger_name)
@@ -118,6 +119,11 @@ def get_scancode_package(package_dict):
     package.download_url = package_dict['download_url']
     package.licenses = [package_dict['declared_license'],
                         package_dict['license_expression']]
+    proj_url = ''
+    if package_dict['proj_url']:
+        proj_url = package_dict['proj_url']
+    purl = add_purl(proj_url, package_dict['name'], package_dict['version'])
+    package.external_refs.append(purl)
     return package
 
 

diff --git a/tern/formats/spdx/spdx.py b/tern/formats/spdx/spdx.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2019-2020 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2019-2023 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 from tern.classes.template import Template
@@ -21,7 +21,8 @@ def package(self):
                 'copyright': 'PackageCopyrightText',
                 'download_url': 'PackageDownloadLocation',
                 'src_name': 'SourcePackageName',
-                'src_version': 'SourcePackageVersion'}
+                'src_version': 'SourcePackageVersion',
+                'external_refs': 'ExternalRef'}
 
     def image_layer(self):
         return {'tar_file': 'PackageFileName'}

diff --git a/tern/formats/spdx/spdxjson/package_helpers.py b/tern/formats/spdx/spdxjson/package_helpers.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2021 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2021-2023 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 """
@@ -72,6 +72,7 @@ def get_package_dict(package, template):
             mapping['PackageLicenseDeclared']),
         'copyrightText': mapping['PackageCopyrightText'] if
         mapping['PackageCopyrightText'] else 'NONE',
+        'externalRef': mapping['ExternalRef'],
         'comment': get_package_comment(package)
     }
 

diff --git a/tern/formats/spdx/spdxtagvalue/package_helpers.py b/tern/formats/spdx/spdxtagvalue/package_helpers.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2020 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2020-2023 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 """
@@ -67,7 +67,6 @@ def get_source_package_block(package_obj, template):
     block += spdx_formats.source_comment
     return block
 
-
 def get_package_block(package_obj, template):
     '''Given a package object and its SPDX template mapping, return a SPDX
     document block for the package. The mapping should have keys:
@@ -110,6 +109,8 @@ def get_package_block(package_obj, template):
             message=mapping['PackageCopyrightText']) + '\n'
     else:
         block += 'PackageCopyrightText: NONE\n'
+    # External References
+    block += 'ExternalRef: {}\n'.format(mapping['ExternalRef'])
     # Package Comments
     block += get_package_comment(package_obj)
     return block
diff --git a/tern/utils/externals.py b/tern/utils/externals.py
@@ -0,0 +1,107 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2023 VMware, Inc. All Rights Reserved.
+# SPDX-License-Identifier: BSD-2-Clause
+
+import logging
+from enum import Enum
+from packageurl import PackageURL
+from urllib.parse import urlparse
+
+from tern.utils import constants
+
+# global logger
+logger = logging.getLogger(constants.logger_name)
+
+class PurlType(str, Enum):
+    ALPM = "alpm"
+    APK = "apk"
+    BITBUCKET = "bitbucket"
+    CARGO = "cargo"
+    COMPOSER = "composer"
+    CONAN = "conan"
+    CONDA = "conda"
+    CRAN = "cran"
+    DEB = "deb"
+    DOCKER = "docker"
+    GEM = "gem"
+    GENERIC = "generic"
+    GITHUB = "github"
+    GOLANG = "golang"
+    HACKAGE = "hackage"
+    HEX = "hex"
+    MAVEN = "maven"
+    NPM = "npm"
+    NUGET = "nuget"
+    QPKG = "qpkg"
+    OCI = "oci"
+    PUB = "pub"
+    PYPI = "pypi"
+    RPM = "rpm"
+    SWID = "swid"
+    SWIFT = "swift"
+    MISSING = "unknown"
+
+def get_purl_type_from_url(proj_url):
+    pkg_type = urlparse(proj_url).netloc
+    if pkg_type:
+        pkg_type = pkg_type.split('.')
+        if len(pkg_type) > 1:
+            pkg_type = pkg_type[-2]
+    return pkg_type
+
+def get_purl_type(proj_url):
+    pkg_type = get_purl_type_from_url(proj_url)
+
+    if len(pkg_type) == 0:
+        return PurlType.MISSING
+    if pkg_type in ('alpine', 'openwrt', 'alpinelinux'):
+        return PurlType.APK
+    if pkg_type == "crates":
+        return PurlType.CARGO
+    if pkg_type == "packagist":
+        return PurlType.COMPOSER
+    if pkg_type == "anaconda":
+        return PurlType.CONDA
+    if pkg_type == "r-project":
+        return PurlType.CRAN
+    if pkg_type in ('debian', 'ubuntu', 'gnu'):
+        return PurlType.DEB
+    if pkg_type == "rubygems":
+        return PurlType.GEM
+    if pkg_type == "haskell":
+        return PurlType.HACKAGE
+    if pkg_type == "apache":
+        return PurlType.MAVEN
+    if pkg_type == "npmjs":
+        return PurlType.NPM
+    if pkg_type == "dartlang":
+        return PurlType.PUB
+    if pkg_type == "python":
+        return PurlType.PYPI
+    return pkg_type
+
+def get_purl_namespace():
+    return ""
+
+def generate_purl_package_reference(proj_url, pkg_name, pkg_version, qualifiers=None):
+    pkg_type = get_purl_type(proj_url)
+    pkg_namespace = get_purl_namespace()
+    qualifiers_str = ""
+    if qualifiers:
+        for k,v in qualifiers.items():
+            qualifiers_str += "&" + k + "=" + v
+        if len(qualifiers_str) > 0:
+            qualifiers_str = "?" + qualifiers_str[1:]
+
+    return "pkg:" + pkg_type +"/" + pkg_namespace + "/" + pkg_name +  "@" + pkg_version + qualifiers_str
+
+def add_purl(proj_url, pkg_name, pkg_version, qualifiers=None):
+    purl_package_reference = generate_purl_package_reference(proj_url, pkg_name, pkg_version, qualifiers)
+    purl = 'not_found'
+    try:
+        purl = PackageURL.from_string(purl_package_reference)
+    except (ValueError):
+        logger.debug("purl is missing required component for package %s",
+                     purl_package_reference)
+    return purl
diff --git a/tests/test_class_package.py b/tests/test_class_package.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2017-2019 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2017-2023 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 import unittest
@@ -175,7 +175,8 @@ def testFill(self):
                             {'name': 'b.txt', 'path': '/lib/b.txt'}],
                   'pkg_format': 'rpm',
                   'src_name': 'p1src',
-                  'src_version': '1.0'
+                  'src_version': '1.0',
+                  'external_refs': []
                   }
         p = Package('p1')
         p.fill(p_dict)