Merge "Updated SBOM generator module to generate JSON spdx utility bill of material"
This commit is contained in:
Treehugger Robot
Gerrit Code Review
commit
09df4c6562
3 changed files with 1990 additions and 1360 deletions
|
|
@ -138,6 +138,10 @@ blueprint_go_binary {
|
|||
"compliance-module",
|
||||
"blueprint-deptools",
|
||||
"soong-response",
|
||||
"spdx-tools-spdxv2_2",
|
||||
"spdx-tools-builder2v2",
|
||||
"spdx-tools-spdxcommon",
|
||||
"spdx-tools-spdx-json",
|
||||
],
|
||||
testSrcs: ["cmd/sbom/sbom_test.go"],
|
||||
}
|
||||
|
|
|
|||
|
|
@ -31,13 +31,21 @@ import (
|
|||
"android/soong/tools/compliance/projectmetadata"
|
||||
|
||||
"github.com/google/blueprint/deptools"
|
||||
|
||||
"github.com/spdx/tools-golang/builder/builder2v2"
|
||||
"github.com/spdx/tools-golang/json"
|
||||
"github.com/spdx/tools-golang/spdx/common"
|
||||
spdx "github.com/spdx/tools-golang/spdx/v2_2"
|
||||
)
|
||||
|
||||
var (
|
||||
failNoneRequested = fmt.Errorf("\nNo license metadata files requested")
|
||||
failNoLicenses = fmt.Errorf("No licenses found")
|
||||
mainPkgName = flag.String("main_package_name", "", "The name of the first target node in the licensegraph")
|
||||
)
|
||||
|
||||
const NOASSERTION = "NOASSERTION"
|
||||
|
||||
type context struct {
|
||||
stdout io.Writer
|
||||
stderr io.Writer
|
||||
|
|
@ -154,7 +162,8 @@ Options:
|
|||
|
||||
ctx := &context{ofile, os.Stderr, compliance.FS, *product, *stripPrefix, actualTime}
|
||||
|
||||
deps, err := sbomGenerator(ctx, flags.Args()...)
|
||||
spdxDoc, deps, err := sbomGenerator(ctx, flags.Args()...)
|
||||
|
||||
if err != nil {
|
||||
if err == failNoneRequested {
|
||||
flags.Usage()
|
||||
|
|
@ -163,6 +172,11 @@ Options:
|
|||
os.Exit(1)
|
||||
}
|
||||
|
||||
if err := spdx_json.Save2_2(spdxDoc, ofile); err != nil {
|
||||
fmt.Fprintf(os.Stderr, "failed to write document to %v: %v", *outputFile, err)
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
if *outputFile != "-" {
|
||||
err := os.WriteFile(*outputFile, obuf.Bytes(), 0666)
|
||||
if err != nil {
|
||||
|
|
@ -218,17 +232,17 @@ func getDocumentName(ctx *context, tn *compliance.TargetNode, pm *projectmetadat
|
|||
// or NOASSERTION if not available, none determined or ambiguous
|
||||
func getDownloadUrl(_ *context, pm *projectmetadata.ProjectMetadata) string {
|
||||
if pm == nil {
|
||||
return "NOASSERTION"
|
||||
return NOASSERTION
|
||||
}
|
||||
|
||||
urlsByTypeName := pm.UrlsByTypeName()
|
||||
if urlsByTypeName == nil {
|
||||
return "NOASSERTION"
|
||||
return NOASSERTION
|
||||
}
|
||||
|
||||
url := urlsByTypeName.DownloadUrl()
|
||||
if url == "" {
|
||||
return "NOASSERTION"
|
||||
return NOASSERTION
|
||||
}
|
||||
return url
|
||||
}
|
||||
|
|
@ -274,7 +288,7 @@ func getProjectMetadata(_ *context, pmix *projectmetadata.Index,
|
|||
// inputFiles returns the complete list of files read
|
||||
func inputFiles(lg *compliance.LicenseGraph, pmix *projectmetadata.Index, licenseTexts []string) []string {
|
||||
projectMeta := pmix.AllMetadataFiles()
|
||||
targets := lg.TargetNames()
|
||||
targets := lg.TargetNames()
|
||||
files := make([]string, 0, len(licenseTexts)+len(targets)+len(projectMeta))
|
||||
files = append(files, licenseTexts...)
|
||||
files = append(files, targets...)
|
||||
|
|
@ -289,10 +303,10 @@ func inputFiles(lg *compliance.LicenseGraph, pmix *projectmetadata.Index, licens
|
|||
|
||||
// sbomGenerator uses the SPDX standard, see the SPDX specification (https://spdx.github.io/spdx-spec/)
|
||||
// sbomGenerator is also following the internal google SBOM styleguide (http://goto.google.com/spdx-style-guide)
|
||||
func sbomGenerator(ctx *context, files ...string) ([]string, error) {
|
||||
func sbomGenerator(ctx *context, files ...string) (*spdx.Document, []string, error) {
|
||||
// Must be at least one root file.
|
||||
if len(files) < 1 {
|
||||
return nil, failNoneRequested
|
||||
return nil, nil, failNoneRequested
|
||||
}
|
||||
|
||||
pmix := projectmetadata.NewIndex(ctx.rootFS)
|
||||
|
|
@ -300,9 +314,18 @@ func sbomGenerator(ctx *context, files ...string) ([]string, error) {
|
|||
lg, err := compliance.ReadLicenseGraph(ctx.rootFS, ctx.stderr, files)
|
||||
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("Unable to read license text file(s) for %q: %v\n", files, err)
|
||||
return nil, nil, fmt.Errorf("Unable to read license text file(s) for %q: %v\n", files, err)
|
||||
}
|
||||
|
||||
// creating the packages section
|
||||
pkgs := []*spdx.Package{}
|
||||
|
||||
// creating the relationship section
|
||||
relationships := []*spdx.Relationship{}
|
||||
|
||||
// creating the license section
|
||||
otherLicenses := []*spdx.OtherLicense{}
|
||||
|
||||
// implementing the licenses references for the packages
|
||||
licenses := make(map[string]string)
|
||||
concludedLicenses := func(licenseTexts []string) string {
|
||||
|
|
@ -325,7 +348,6 @@ func sbomGenerator(ctx *context, files ...string) ([]string, error) {
|
|||
}
|
||||
|
||||
isMainPackage := true
|
||||
var mainPackage string
|
||||
visitedNodes := make(map[*compliance.TargetNode]struct{})
|
||||
|
||||
// performing a Breadth-first top down walk of licensegraph and building package information
|
||||
|
|
@ -341,45 +363,50 @@ func sbomGenerator(ctx *context, files ...string) ([]string, error) {
|
|||
}
|
||||
|
||||
if isMainPackage {
|
||||
mainPackage = getDocumentName(ctx, tn, pm)
|
||||
fmt.Fprintf(ctx.stdout, "SPDXVersion: SPDX-2.2\n")
|
||||
fmt.Fprintf(ctx.stdout, "DataLicense: CC0-1.0\n")
|
||||
fmt.Fprintf(ctx.stdout, "DocumentName: %s\n", mainPackage)
|
||||
fmt.Fprintf(ctx.stdout, "SPDXID: SPDXRef-DOCUMENT\n")
|
||||
fmt.Fprintf(ctx.stdout, "DocumentNamespace: Android\n")
|
||||
fmt.Fprintf(ctx.stdout, "Creator: Organization: Google LLC\n")
|
||||
fmt.Fprintf(ctx.stdout, "Created: %s\n", ctx.creationTime().Format("2006-01-02T15:04:05Z"))
|
||||
*mainPkgName = replaceSlashes(getPackageName(ctx, tn))
|
||||
isMainPackage = false
|
||||
}
|
||||
|
||||
relationships := make([]string, 0, 1)
|
||||
defer func() {
|
||||
if r := recover(); r != nil {
|
||||
panic(r)
|
||||
}
|
||||
for _, relationship := range relationships {
|
||||
fmt.Fprintln(ctx.stdout, relationship)
|
||||
}
|
||||
}()
|
||||
if len(path) == 0 {
|
||||
relationships = append(relationships,
|
||||
fmt.Sprintf("Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-%s",
|
||||
getPackageName(ctx, tn)))
|
||||
// Add the describe relationship for the main package
|
||||
rln := &spdx.Relationship{
|
||||
RefA: common.MakeDocElementID("" /* this document */, "DOCUMENT"),
|
||||
RefB: common.MakeDocElementID("", *mainPkgName),
|
||||
Relationship: "DESCRIBES",
|
||||
}
|
||||
relationships = append(relationships, rln)
|
||||
|
||||
} else {
|
||||
// Check parent and identify annotation
|
||||
parent := path[len(path)-1]
|
||||
targetEdge := parent.Edge()
|
||||
if targetEdge.IsRuntimeDependency() {
|
||||
// Adding the dynamic link annotation RUNTIME_DEPENDENCY_OF relationship
|
||||
relationships = append(relationships, fmt.Sprintf("Relationship: SPDXRef-Package-%s RUNTIME_DEPENDENCY_OF SPDXRef-Package-%s", getPackageName(ctx, tn), getPackageName(ctx, targetEdge.Target())))
|
||||
rln := &spdx.Relationship{
|
||||
RefA: common.MakeDocElementID("", replaceSlashes(getPackageName(ctx, tn))),
|
||||
RefB: common.MakeDocElementID("", replaceSlashes(getPackageName(ctx, targetEdge.Target()))),
|
||||
Relationship: "RUNTIME_DEPENDENCY_OF",
|
||||
}
|
||||
relationships = append(relationships, rln)
|
||||
|
||||
} else if targetEdge.IsDerivation() {
|
||||
// Adding the derivation annotation as a CONTAINS relationship
|
||||
relationships = append(relationships, fmt.Sprintf("Relationship: SPDXRef-Package-%s CONTAINS SPDXRef-Package-%s", getPackageName(ctx, targetEdge.Target()), getPackageName(ctx, tn)))
|
||||
rln := &spdx.Relationship{
|
||||
RefA: common.MakeDocElementID("", replaceSlashes(getPackageName(ctx, targetEdge.Target()))),
|
||||
RefB: common.MakeDocElementID("", replaceSlashes(getPackageName(ctx, tn))),
|
||||
Relationship: "CONTAINS",
|
||||
}
|
||||
relationships = append(relationships, rln)
|
||||
|
||||
} else if targetEdge.IsBuildTool() {
|
||||
// Adding the toolchain annotation as a BUILD_TOOL_OF relationship
|
||||
relationships = append(relationships, fmt.Sprintf("Relationship: SPDXRef-Package-%s BUILD_TOOL_OF SPDXRef-Package-%s", getPackageName(ctx, tn), getPackageName(ctx, targetEdge.Target())))
|
||||
rln := &spdx.Relationship{
|
||||
RefA: common.MakeDocElementID("", replaceSlashes(getPackageName(ctx, tn))),
|
||||
RefB: common.MakeDocElementID("", replaceSlashes(getPackageName(ctx, targetEdge.Target()))),
|
||||
Relationship: "BUILD_TOOL_OF",
|
||||
}
|
||||
relationships = append(relationships, rln)
|
||||
|
||||
} else {
|
||||
panic(fmt.Errorf("Unknown dependency type: %v", targetEdge.Annotations()))
|
||||
}
|
||||
|
|
@ -390,18 +417,27 @@ func sbomGenerator(ctx *context, files ...string) ([]string, error) {
|
|||
}
|
||||
visitedNodes[tn] = struct{}{}
|
||||
pkgName := getPackageName(ctx, tn)
|
||||
fmt.Fprintf(ctx.stdout, "##### Package: %s\n", strings.Replace(pkgName, "-", "/", -2))
|
||||
fmt.Fprintf(ctx.stdout, "PackageName: %s\n", pkgName)
|
||||
if pm != nil && pm.Version() != "" {
|
||||
fmt.Fprintf(ctx.stdout, "PackageVersion: %s\n", pm.Version())
|
||||
|
||||
// Making an spdx package and adding it to pkgs
|
||||
pkg := &spdx.Package{
|
||||
PackageName: replaceSlashes(pkgName),
|
||||
PackageDownloadLocation: getDownloadUrl(ctx, pm),
|
||||
PackageSPDXIdentifier: common.ElementID(replaceSlashes(pkgName)),
|
||||
PackageLicenseConcluded: concludedLicenses(tn.LicenseTexts()),
|
||||
}
|
||||
fmt.Fprintf(ctx.stdout, "SPDXID: SPDXRef-Package-%s\n", pkgName)
|
||||
fmt.Fprintf(ctx.stdout, "PackageDownloadLocation: %s\n", getDownloadUrl(ctx, pm))
|
||||
fmt.Fprintf(ctx.stdout, "PackageLicenseConcluded: %s\n", concludedLicenses(tn.LicenseTexts()))
|
||||
|
||||
if pm != nil && pm.Version() != "" {
|
||||
pkg.PackageVersion = pm.Version()
|
||||
} else {
|
||||
pkg.PackageVersion = NOASSERTION
|
||||
}
|
||||
|
||||
pkgs = append(pkgs, pkg)
|
||||
|
||||
return true
|
||||
})
|
||||
|
||||
fmt.Fprintf(ctx.stdout, "##### Non-standard license:\n")
|
||||
// Adding Non-standard licenses
|
||||
|
||||
licenseTexts := make([]string, 0, len(licenses))
|
||||
|
||||
|
|
@ -412,23 +448,39 @@ func sbomGenerator(ctx *context, files ...string) ([]string, error) {
|
|||
sort.Strings(licenseTexts)
|
||||
|
||||
for _, licenseText := range licenseTexts {
|
||||
fmt.Fprintf(ctx.stdout, "LicenseID: %s\n", licenses[licenseText])
|
||||
// open the file
|
||||
f, err := ctx.rootFS.Open(filepath.Clean(licenseText))
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error opening license text file %q: %w", licenseText, err)
|
||||
return nil, nil, fmt.Errorf("error opening license text file %q: %w", licenseText, err)
|
||||
}
|
||||
|
||||
// read the file
|
||||
text, err := io.ReadAll(f)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error reading license text file %q: %w", licenseText, err)
|
||||
return nil, nil, fmt.Errorf("error reading license text file %q: %w", licenseText, err)
|
||||
}
|
||||
// adding the extracted license text
|
||||
fmt.Fprintf(ctx.stdout, "ExtractedText: <text>%v</text>\n", string(text))
|
||||
// Making an spdx License and adding it to otherLicenses
|
||||
otherLicenses = append(otherLicenses, &spdx.OtherLicense{
|
||||
LicenseName: strings.Replace(licenses[licenseText], "LicenseRef-", "", -1),
|
||||
LicenseIdentifier: string(licenses[licenseText]),
|
||||
ExtractedText: string(text),
|
||||
})
|
||||
}
|
||||
|
||||
deps := inputFiles(lg, pmix, licenseTexts)
|
||||
sort.Strings(deps)
|
||||
return deps, nil
|
||||
|
||||
// Making the SPDX doc
|
||||
ci, err := builder2v2.BuildCreationInfoSection2_2("Organization", "Google LLC", nil)
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("Unable to build creation info section for SPDX doc: %v\n", err)
|
||||
}
|
||||
|
||||
return &spdx.Document{
|
||||
SPDXIdentifier: "DOCUMENT",
|
||||
CreationInfo: ci,
|
||||
Packages: pkgs,
|
||||
Relationships: relationships,
|
||||
OtherLicenses: otherLicenses,
|
||||
}, deps, nil
|
||||
}
|
||||
|
|
|
|||
File diff suppressed because it is too large
Load diff
Loading…
Reference in a new issue