tern-tools · ivanayov · Jan 13, 2023 · Jan 27, 2023
diff --git a/tern/classes/image_layer.py b/tern/classes/image_layer.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2017-2021 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2017-2022 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 import os
 import re
@@ -11,6 +11,7 @@
 from tern.utils import rootfs
 from tern.utils import constants
 from tern.utils.general import prop_names
+from tern.utils.externals import add_purl
 
 
 class ImageLayer:
@@ -221,6 +222,8 @@ def add_checksums(self, checksums):
     def add_package(self, package):
         if isinstance(package, Package):
             if package.name not in self.get_package_names():
+                purl = add_purl(package.name, package.version)
+                package.external_refs.append(purl)
                 self.__packages.append(package)
         else:
             raise TypeError('Object type is {0}, should be Package'.format(

diff --git a/tern/classes/package.py b/tern/classes/package.py
@@ -24,6 +24,7 @@ class Package:
         pkg_licenses: all licenses found within a package
         src_name: the source package associated with the binary package
         src_version: the source package version
+        external_refs: a list of external references
 
     methods:
         to_dict: returns a dict representation of the instance
@@ -47,6 +48,7 @@ def __init__(self, name):
         self.__pkg_format = ''
         self.__src_name = ''
         self.__src_version = ''
+        self.__external_refs = []
 
     @property
     def name(self):
@@ -144,6 +146,14 @@ def src_version(self):
     def src_version(self, src_version):
         self.__src_version = src_version
 
+    @property
+    def external_refs(self):
+        return self.__external_refs
+
+    @external_refs.setter
+    def external_refs(self, external_refs):
+        self.__external_refs = external_refs
+
     def get_file_paths(self):
         """Return a list of paths of all the files in a package"""
         return [f.path for f in self.__files]

diff --git a/tern/extensions/scancode/executor.py b/tern/extensions/scancode/executor.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2019-2021 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2019-2022 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 """
@@ -26,6 +26,7 @@
 from tern.extensions.executor import Executor
 from tern.utils import constants
 from tern.utils import rootfs
+from tern.utils.externals import add_purl
 
 
 logger = logging.getLogger(constants.logger_name)
@@ -118,6 +119,8 @@ def get_scancode_package(package_dict):
     package.download_url = package_dict['download_url']
     package.licenses = [package_dict['declared_license'],
                         package_dict['license_expression']]
+    purl = add_purl(package_dict['name'], package_dict['version'])
+    package.external_refs.append(purl)
     return package
 
 

diff --git a/tern/utils/externals.py b/tern/utils/externals.py
@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (c) 2017-2022 VMware, Inc. All Rights Reserved.
+# SPDX-License-Identifier: BSD-2-Clause
+
+import logging
+from packageurl import PackageURL
+
+from tern.utils import constants
+
+# global logger
+logger = logging.getLogger(constants.logger_name)
+
+def generate_purl_package_reference(package_name, package_version):
+    return "pkg:" + package_name +  "@" + package_version
+
+def add_purl(package_name, package_version):
+    purl_package_reference = generate_purl_package_reference(package_name, package_version)
+    purl = 'not_found'
+    try:
+        purl = PackageURL.from_string(purl_package_reference)
+    except (ValueError):
+        logger.debug("purl is missing required component for package %s",
+                     purl_package_reference)
+    return purl
diff --git a/tests/test_class_package.py b/tests/test_class_package.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright (c) 2017-2019 VMware, Inc. All Rights Reserved.
+# Copyright (c) 2017-2022 VMware, Inc. All Rights Reserved.
 # SPDX-License-Identifier: BSD-2-Clause
 
 import unittest
@@ -175,7 +175,8 @@ def testFill(self):
                             {'name': 'b.txt', 'path': '/lib/b.txt'}],
                   'pkg_format': 'rpm',
                   'src_name': 'p1src',
-                  'src_version': '1.0'
+                  'src_version': '1.0',
+                  'external_refs': []
                   }
         p = Package('p1')
         p.fill(p_dict)