Merge "Fix the following issues mentioned in Pixel SBOM review."
This commit is contained in:
commit
3fb8d2bad8
6 changed files with 17 additions and 5 deletions
|
@ -279,12 +279,13 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
|
||||||
name, external_refs = get_source_package_info(installed_file_metadata, metadata_file_path)
|
name, external_refs = get_source_package_info(installed_file_metadata, metadata_file_path)
|
||||||
source_package_id = new_package_id(name, PKG_SOURCE)
|
source_package_id = new_package_id(name, PKG_SOURCE)
|
||||||
source_package = sbom_data.Package(id=source_package_id, name=name, version=args.build_version,
|
source_package = sbom_data.Package(id=source_package_id, name=name, version=args.build_version,
|
||||||
|
download_location=sbom_data.VALUE_NONE,
|
||||||
supplier='Organization: ' + args.product_mfr,
|
supplier='Organization: ' + args.product_mfr,
|
||||||
external_refs=external_refs)
|
external_refs=external_refs)
|
||||||
|
|
||||||
upstream_package_id = new_package_id(name, PKG_UPSTREAM)
|
upstream_package_id = new_package_id(name, PKG_UPSTREAM)
|
||||||
upstream_package = sbom_data.Package(id=upstream_package_id, name=name, version=version,
|
upstream_package = sbom_data.Package(id=upstream_package_id, name=name, version=version,
|
||||||
supplier='Organization: ' + homepage if homepage else None,
|
supplier=('Organization: ' + homepage) if homepage else sbom_data.VALUE_NOASSERTION,
|
||||||
download_location=download_location)
|
download_location=download_location)
|
||||||
packages += [source_package, upstream_package]
|
packages += [source_package, upstream_package]
|
||||||
relationships.append(sbom_data.Relationship(id1=source_package_id,
|
relationships.append(sbom_data.Relationship(id1=source_package_id,
|
||||||
|
@ -296,6 +297,7 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
|
||||||
prebuilt_package_id = new_package_id(name, PKG_PREBUILT)
|
prebuilt_package_id = new_package_id(name, PKG_PREBUILT)
|
||||||
prebuilt_package = sbom_data.Package(id=prebuilt_package_id,
|
prebuilt_package = sbom_data.Package(id=prebuilt_package_id,
|
||||||
name=name,
|
name=name,
|
||||||
|
download_location=sbom_data.VALUE_NONE,
|
||||||
version=args.build_version,
|
version=args.build_version,
|
||||||
supplier='Organization: ' + args.product_mfr)
|
supplier='Organization: ' + args.product_mfr)
|
||||||
packages.append(prebuilt_package)
|
packages.append(prebuilt_package)
|
||||||
|
@ -438,6 +440,7 @@ def main():
|
||||||
|
|
||||||
product_package = sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
|
product_package = sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
|
||||||
name=sbom_data.PACKAGE_NAME_PRODUCT,
|
name=sbom_data.PACKAGE_NAME_PRODUCT,
|
||||||
|
download_location=sbom_data.VALUE_NONE,
|
||||||
version=args.build_version,
|
version=args.build_version,
|
||||||
supplier='Organization: ' + args.product_mfr,
|
supplier='Organization: ' + args.product_mfr,
|
||||||
files_analyzed=True)
|
files_analyzed=True)
|
||||||
|
@ -445,6 +448,7 @@ def main():
|
||||||
|
|
||||||
doc.packages.append(sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
|
doc.packages.append(sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
|
||||||
name=sbom_data.PACKAGE_NAME_PLATFORM,
|
name=sbom_data.PACKAGE_NAME_PLATFORM,
|
||||||
|
download_location=sbom_data.VALUE_NONE,
|
||||||
version=args.build_version,
|
version=args.build_version,
|
||||||
supplier='Organization: ' + args.product_mfr))
|
supplier='Organization: ' + args.product_mfr))
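Review bot: The same two keyword arguments, `download_location=sbom_data.VALUE_NONE` and `supplier='Organization: ' + args.product_mfr`, are now spelled out by hand in the source-package and prebuilt-package constructions in get_sbom_fragments and again for the PRODUCT and PLATFORM packages in main, so a future change to either value has to be made in four places. Computing the supplier once near the top of each function, e.g. `product_supplier = 'Organization: ' + args.product_mfr`, or adding a small helper that builds an in-tree `sbom_data.Package` with those two defaults, would keep the four call sites in agreement. Separately, the new upstream-package fallback `supplier=('Organization: ' + homepage) if homepage else sbom_data.VALUE_NOASSERTION` still prefixes `homepage` with `Organization: `; if `homepage` is a URL rather than an organization name, the resulting PackageSupplier is misleading and it may be worth checking what get_source_package_info returns before relying on it. Both get_sbom_fragments and main start and end outside the hunks shown here, so `version`, `homepage` and `download_location` are bound elsewhere.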
|
||||||
|
|
||||||
|
|
|
@ -33,6 +33,9 @@ SPDXID_PLATFORM = 'SPDXRef-PLATFORM'
|
||||||
PACKAGE_NAME_PRODUCT = 'PRODUCT'
|
PACKAGE_NAME_PRODUCT = 'PRODUCT'
|
||||||
PACKAGE_NAME_PLATFORM = 'PLATFORM'
|
PACKAGE_NAME_PLATFORM = 'PLATFORM'
|
||||||
|
|
||||||
|
VALUE_NOASSERTION = 'NOASSERTION'
|
||||||
|
VALUE_NONE = 'NONE'
|
||||||
|
|
||||||
|
|
||||||
class PackageExternalRefCategory:
|
class PackageExternalRefCategory:
|
||||||
SECURITY = 'SECURITY'
|
SECURITY = 'SECURITY'
|
||||||
|
|
|
@ -86,7 +86,7 @@ class TagValueWriter:
|
||||||
|
|
||||||
@staticmethod
|
@staticmethod
|
||||||
def marshal_package(package):
|
def marshal_package(package):
|
||||||
download_location = 'NONE'
|
download_location = sbom_data.VALUE_NOASSERTION
|
||||||
if package.download_location:
|
if package.download_location:
|
||||||
download_location = package.download_location
|
download_location = package.download_location
|
||||||
tagvalues = [
|
tagvalues = [
|
||||||
|
@ -296,7 +296,7 @@ class JSONWriter:
|
||||||
package = {
|
package = {
|
||||||
PropNames.NAME: p.name,
|
PropNames.NAME: p.name,
|
||||||
PropNames.SPDXID: p.id,
|
PropNames.SPDXID: p.id,
|
||||||
PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else 'NONE',
|
PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else sbom_data.VALUE_NOASSERTION,
|
||||||
PropNames.FILES_ANALYZED: p.files_analyzed
|
PropNames.FILES_ANALYZED: p.files_analyzed
|
||||||
}
|
}
|
||||||
if p.version:
|
if p.version:
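Review bot: TagValueWriter.marshal_package and JSONWriter still each hand-roll the same fallback, so the two writers can drift apart again the next time the default changes, as they just did from `'NONE'` to `sbom_data.VALUE_NOASSERTION`. The three-line default-then-overwrite in marshal_package collapses to `download_location = package.download_location or sbom_data.VALUE_NOASSERTION`, and the JSON dictionary entry to `PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location or sbom_data.VALUE_NOASSERTION`; better still, give the fallback one home (a default on the Package itself, or a helper in sbom_data) so every writer emits the same value. The change in meaning is worth a comment at the fallback, e.g. `# SPDX: NOASSERTION means the generator makes no claim about where this package came from; NONE is a positive claim that no download location exists, so callers must set it explicitly.`, since consumers of the SBOM treat the two values differently. Both methods continue outside the hunks shown here.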
|
||||||
|
|
|
@ -49,6 +49,7 @@ class SBOMWritersTest(unittest.TestCase):
|
||||||
self.sbom_doc.add_package(
|
self.sbom_doc.add_package(
|
||||||
sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
|
sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
|
||||||
name=sbom_data.PACKAGE_NAME_PRODUCT,
|
name=sbom_data.PACKAGE_NAME_PRODUCT,
|
||||||
|
download_location=sbom_data.VALUE_NONE,
|
||||||
supplier=SUPPLIER_GOOGLE,
|
supplier=SUPPLIER_GOOGLE,
|
||||||
version=BUILD_FINGER_PRINT,
|
version=BUILD_FINGER_PRINT,
|
||||||
files_analyzed=True,
|
files_analyzed=True,
|
||||||
|
@ -58,6 +59,7 @@ class SBOMWritersTest(unittest.TestCase):
|
||||||
self.sbom_doc.add_package(
|
self.sbom_doc.add_package(
|
||||||
sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
|
sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
|
||||||
name=sbom_data.PACKAGE_NAME_PLATFORM,
|
name=sbom_data.PACKAGE_NAME_PLATFORM,
|
||||||
|
download_location=sbom_data.VALUE_NONE,
|
||||||
supplier=SUPPLIER_GOOGLE,
|
supplier=SUPPLIER_GOOGLE,
|
||||||
version=BUILD_FINGER_PRINT,
|
version=BUILD_FINGER_PRINT,
|
||||||
))
|
))
|
||||||
|
@ -65,6 +67,7 @@ class SBOMWritersTest(unittest.TestCase):
|
||||||
self.sbom_doc.add_package(
|
self.sbom_doc.add_package(
|
||||||
sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
|
sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
|
||||||
name='Prebuilt package1',
|
name='Prebuilt package1',
|
||||||
|
download_location=sbom_data.VALUE_NONE,
|
||||||
supplier=SUPPLIER_GOOGLE,
|
supplier=SUPPLIER_GOOGLE,
|
||||||
version=BUILD_FINGER_PRINT,
|
version=BUILD_FINGER_PRINT,
|
||||||
))
|
))
|
||||||
|
@ -72,6 +75,7 @@ class SBOMWritersTest(unittest.TestCase):
|
||||||
self.sbom_doc.add_package(
|
self.sbom_doc.add_package(
|
||||||
sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
|
sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
|
||||||
name='Source package1',
|
name='Source package1',
|
||||||
|
download_location=sbom_data.VALUE_NONE,
|
||||||
supplier=SUPPLIER_GOOGLE,
|
supplier=SUPPLIER_GOOGLE,
|
||||||
version=BUILD_FINGER_PRINT,
|
version=BUILD_FINGER_PRINT,
|
||||||
external_refs=[sbom_data.PackageExternalRef(
|
external_refs=[sbom_data.PackageExternalRef(
|
||||||
|
@ -121,6 +125,7 @@ class SBOMWritersTest(unittest.TestCase):
|
||||||
self.unbundled_sbom_doc.add_package(
|
self.unbundled_sbom_doc.add_package(
|
||||||
sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
|
sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
|
||||||
name='Unbundled apk package',
|
name='Unbundled apk package',
|
||||||
|
download_location=sbom_data.VALUE_NONE,
|
||||||
supplier=SUPPLIER_GOOGLE,
|
supplier=SUPPLIER_GOOGLE,
|
||||||
version=BUILD_FINGER_PRINT))
|
version=BUILD_FINGER_PRINT))
|
||||||
self.unbundled_sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
|
self.unbundled_sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
|
||||||
|
|
|
@ -74,7 +74,7 @@
|
||||||
{
|
{
|
||||||
"name": "Upstream package1",
|
"name": "Upstream package1",
|
||||||
"SPDXID": "SPDXRef-UPSTREAM-package1",
|
"SPDXID": "SPDXRef-UPSTREAM-package1",
|
||||||
"downloadLocation": "NONE",
|
"downloadLocation": "NOASSERTION",
|
||||||
"filesAnalyzed": false,
|
"filesAnalyzed": false,
|
||||||
"versionInfo": "1.1",
|
"versionInfo": "1.1",
|
||||||
"supplier": "Organization: upstream"
|
"supplier": "Organization: upstream"
|
||||||
|
|
|
@ -53,7 +53,7 @@ ExternalRef: SECURITY cpe22Type cpe:/a:jsoncpp_project:jsoncpp:1.9.4
|
||||||
|
|
||||||
PackageName: Upstream package1
|
PackageName: Upstream package1
|
||||||
SPDXID: SPDXRef-UPSTREAM-package1
|
SPDXID: SPDXRef-UPSTREAM-package1
|
||||||
PackageDownloadLocation: NONE
|
PackageDownloadLocation: NOASSERTION
|
||||||
FilesAnalyzed: false
|
FilesAnalyzed: false
|
||||||
PackageVersion: 1.1
|
PackageVersion: 1.1
|
||||||
PackageSupplier: Organization: upstream
|
PackageSupplier: Organization: upstream
|
||||||
|
|