Merge "Add upstream package of a prebuilt fork package, which will have the package information from the METADATA file." am: 82d450e501 am: f04ce4eb36 am: 67884191ca

Original change: https://android-review.googlesource.com/c/platform/build/+/2590485

Change-Id: I49b96f2049220e0f12d9bbaa681ee37ed4003488
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

tools/sbom/generate-sbom.py

@@ -265,8 +265,8 @@ def get_package_download_location(metadata_file_path):
 
 def get_sbom_fragments(installed_file_metadata, metadata_file_path):
   """Return SPDX fragment of source/prebuilt packages, which usually contains a SOURCE/PREBUILT
-  package, a UPSTREAM package if it's a source package and a external SBOM document reference if
+  package, a UPSTREAM package and an external SBOM document reference if sbom_ref defined in its
-  it's a prebuilt package with sbom_ref defined in its METADATA file.
+  METADATA file.
 
   See go/android-spdx and go/android-sbom-gen for more details.
   """
@@ -303,25 +303,33 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
     prebuilt_package = sbom_data.Package(id=prebuilt_package_id,
                                          name=name,
                                          download_location=sbom_data.VALUE_NONE,
-                                         version=args.build_version,
+                                         version=version if version else args.build_version,
                                          supplier='Organization: ' + args.product_mfr)
-    packages.append(prebuilt_package)
 
-    if metadata_file_path:
+    upstream_package_id = new_package_id(name, PKG_UPSTREAM)
-      metadata_proto = metadata_file_protos[metadata_file_path]
+    upstream_package = sbom_data.Package(id=upstream_package_id, name=name, version = version,
-      if metadata_proto.third_party.WhichOneof('sbom') == 'sbom_ref':
+                                         supplier=('Organization: ' + homepage) if homepage else sbom_data.VALUE_NOASSERTION,
-        sbom_url = metadata_proto.third_party.sbom_ref.url
+                                         download_location=download_location)
-        sbom_checksum = metadata_proto.third_party.sbom_ref.checksum
+    packages += [prebuilt_package, upstream_package]
-        upstream_element_id = metadata_proto.third_party.sbom_ref.element_id
+    relationships.append(sbom_data.Relationship(id1=prebuilt_package_id,
-        if sbom_url and sbom_checksum and upstream_element_id:
+                                                relationship=sbom_data.RelationshipType.VARIANT_OF,
-          doc_ref_id = f'DocumentRef-{PKG_UPSTREAM}-{encode_for_spdxid(name)}'
+                                                id2=upstream_package_id))
-          external_doc_ref = sbom_data.DocumentExternalReference(id=doc_ref_id,
+
-                                                                 uri=sbom_url,
+  if metadata_file_path:
-                                                                 checksum=sbom_checksum)
+    metadata_proto = metadata_file_protos[metadata_file_path]
-          relationships.append(
+    if metadata_proto.third_party.WhichOneof('sbom') == 'sbom_ref':
-            sbom_data.Relationship(id1=prebuilt_package_id,
+      sbom_url = metadata_proto.third_party.sbom_ref.url
-                                   relationship=sbom_data.RelationshipType.VARIANT_OF,
+      sbom_checksum = metadata_proto.third_party.sbom_ref.checksum
-                                   id2=doc_ref_id + ':' + upstream_element_id))
+      upstream_element_id = metadata_proto.third_party.sbom_ref.element_id
+      if sbom_url and sbom_checksum and upstream_element_id:
+        doc_ref_id = f'DocumentRef-{PKG_UPSTREAM}-{encode_for_spdxid(name)}'
+        external_doc_ref = sbom_data.DocumentExternalReference(id=doc_ref_id,
+                                                               uri=sbom_url,
+                                                               checksum=sbom_checksum)
+        relationships.append(
+          sbom_data.Relationship(id1=upstream_package_id,
+                                 relationship=sbom_data.RelationshipType.VARIANT_OF,
+                                 id2=doc_ref_id + ':' + upstream_element_id))
 
   return external_doc_ref, packages, relationships