Merge "Fix the calculation of package verification code which should not include algorithm information." into main
This commit is contained in:
commit
fb55377c4b
3 changed files with 162 additions and 1 deletions
|
@ -53,5 +53,27 @@ python_test_host {
|
|||
libs: [
|
||||
"sbom_lib",
|
||||
],
|
||||
version: {
|
||||
py3: {
|
||||
embedded_launcher: true,
|
||||
},
|
||||
},
|
||||
test_suites: ["general-tests"],
|
||||
}
|
||||
|
||||
python_test_host {
|
||||
name: "sbom_data_test",
|
||||
main: "sbom_data_test.py",
|
||||
srcs: [
|
||||
"sbom_data_test.py",
|
||||
],
|
||||
libs: [
|
||||
"sbom_lib",
|
||||
],
|
||||
version: {
|
||||
py3: {
|
||||
embedded_launcher: true,
|
||||
},
|
||||
},
|
||||
test_suites: ["general-tests"],
|
||||
}
|
||||
|
|
|
@ -133,7 +133,7 @@ class Document:
|
|||
checksums = []
|
||||
for file in self.files:
|
||||
if file.id in package.file_ids:
|
||||
checksums.append(file.checksum)
|
||||
checksums.append(file.checksum.split(': ')[1])
|
||||
checksums.sort()
|
||||
h = hashlib.sha1()
|
||||
h.update(''.join(checksums).encode(encoding='utf-8'))
|
||||
|
|
139
tools/sbom/sbom_data_test.py
Normal file
139
tools/sbom/sbom_data_test.py
Normal file
|
@ -0,0 +1,139 @@
|
|||
#!/usr/bin/env python3
|
||||
#
|
||||
# Copyright (C) 2023 The Android Open Source Project
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
import hashlib
|
||||
import unittest
|
||||
import sbom_data
|
||||
|
||||
BUILD_FINGER_PRINT = 'build_finger_print'
|
||||
SUPPLIER_GOOGLE = 'Organization: Google'
|
||||
SUPPLIER_UPSTREAM = 'Organization: upstream'
|
||||
|
||||
SPDXID_PREBUILT_PACKAGE1 = 'SPDXRef-PREBUILT-package1'
|
||||
SPDXID_SOURCE_PACKAGE1 = 'SPDXRef-SOURCE-package1'
|
||||
SPDXID_UPSTREAM_PACKAGE1 = 'SPDXRef-UPSTREAM-package1'
|
||||
|
||||
SPDXID_FILE1 = 'SPDXRef-file1'
|
||||
SPDXID_FILE2 = 'SPDXRef-file2'
|
||||
SPDXID_FILE3 = 'SPDXRef-file3'
|
||||
SPDXID_FILE4 = 'SPDXRef-file4'
|
||||
|
||||
|
||||
class SBOMDataTest(unittest.TestCase):
|
||||
|
||||
def setUp(self):
|
||||
# SBOM of a product
|
||||
self.sbom_doc = sbom_data.Document(name='test doc',
|
||||
namespace='http://www.google.com/sbom/spdx/android',
|
||||
creators=[SUPPLIER_GOOGLE],
|
||||
created='2023-03-31T22:17:58Z',
|
||||
describes=sbom_data.SPDXID_PRODUCT)
|
||||
self.sbom_doc.add_external_ref(
|
||||
sbom_data.DocumentExternalReference(id='DocumentRef-external_doc_ref',
|
||||
uri='external_doc_uri',
|
||||
checksum='SHA1: 1234567890'))
|
||||
self.sbom_doc.add_package(
|
||||
sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
|
||||
name=sbom_data.PACKAGE_NAME_PRODUCT,
|
||||
download_location=sbom_data.VALUE_NONE,
|
||||
supplier=SUPPLIER_GOOGLE,
|
||||
version=BUILD_FINGER_PRINT,
|
||||
files_analyzed=True,
|
||||
verification_code='',
|
||||
file_ids=[SPDXID_FILE1, SPDXID_FILE2, SPDXID_FILE3, SPDXID_FILE4]))
|
||||
|
||||
self.sbom_doc.add_package(
|
||||
sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
|
||||
name=sbom_data.PACKAGE_NAME_PLATFORM,
|
||||
download_location=sbom_data.VALUE_NONE,
|
||||
supplier=SUPPLIER_GOOGLE,
|
||||
version=BUILD_FINGER_PRINT,
|
||||
))
|
||||
|
||||
self.sbom_doc.add_package(
|
||||
sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
|
||||
name='Prebuilt package1',
|
||||
download_location=sbom_data.VALUE_NONE,
|
||||
supplier=SUPPLIER_GOOGLE,
|
||||
version=BUILD_FINGER_PRINT,
|
||||
))
|
||||
|
||||
self.sbom_doc.add_package(
|
||||
sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
|
||||
name='Source package1',
|
||||
download_location=sbom_data.VALUE_NONE,
|
||||
supplier=SUPPLIER_GOOGLE,
|
||||
version=BUILD_FINGER_PRINT,
|
||||
external_refs=[sbom_data.PackageExternalRef(
|
||||
category=sbom_data.PackageExternalRefCategory.SECURITY,
|
||||
type=sbom_data.PackageExternalRefType.cpe22Type,
|
||||
locator='cpe:/a:jsoncpp_project:jsoncpp:1.9.4')]
|
||||
))
|
||||
|
||||
self.sbom_doc.add_package(
|
||||
sbom_data.Package(id=SPDXID_UPSTREAM_PACKAGE1,
|
||||
name='Upstream package1',
|
||||
supplier=SUPPLIER_UPSTREAM,
|
||||
version='1.1',
|
||||
))
|
||||
|
||||
self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_SOURCE_PACKAGE1,
|
||||
relationship=sbom_data.RelationshipType.VARIANT_OF,
|
||||
id2=SPDXID_UPSTREAM_PACKAGE1))
|
||||
|
||||
self.sbom_doc.files.append(
|
||||
sbom_data.File(id=SPDXID_FILE1, name='/bin/file1',
|
||||
checksum='SHA1: 356a192b7913b04c54574d18c28d46e6395428ab')) # sha1 hash of 1
|
||||
self.sbom_doc.files.append(
|
||||
sbom_data.File(id=SPDXID_FILE2, name='/bin/file2',
|
||||
checksum='SHA1: da4b9237bacccdf19c0760cab7aec4a8359010b0')) # sha1 hash of 2
|
||||
self.sbom_doc.files.append(
|
||||
sbom_data.File(id=SPDXID_FILE3, name='/bin/file3',
|
||||
checksum='SHA1: 77de68daecd823babbb58edb1c8e14d7106e83bb')) # sha1 hash of 3
|
||||
self.sbom_doc.files.append(
|
||||
sbom_data.File(id=SPDXID_FILE4, name='file4.a',
|
||||
checksum='SHA1: 1b6453892473a467d07372d45eb05abc2031647a')) # sha1 of 4
|
||||
|
||||
self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
|
||||
relationship=sbom_data.RelationshipType.GENERATED_FROM,
|
||||
id2=sbom_data.SPDXID_PLATFORM))
|
||||
self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE2,
|
||||
relationship=sbom_data.RelationshipType.GENERATED_FROM,
|
||||
id2=SPDXID_PREBUILT_PACKAGE1))
|
||||
self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE3,
|
||||
relationship=sbom_data.RelationshipType.GENERATED_FROM,
|
||||
id2=SPDXID_SOURCE_PACKAGE1
|
||||
))
|
||||
self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
|
||||
relationship=sbom_data.RelationshipType.STATIC_LINK,
|
||||
id2=SPDXID_FILE4
|
||||
))
|
||||
|
||||
def test_package_verification_code(self):
|
||||
checksums = []
|
||||
for file in self.sbom_doc.files:
|
||||
checksums.append(file.checksum.split(': ')[1])
|
||||
checksums.sort()
|
||||
h = hashlib.sha1()
|
||||
h.update(''.join(checksums).encode(encoding='utf-8'))
|
||||
expected_package_verification_code = h.hexdigest()
|
||||
|
||||
self.sbom_doc.generate_packages_verification_code()
|
||||
self.assertEqual(expected_package_verification_code, self.sbom_doc.packages[0].verification_code)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
unittest.main(verbosity=2)
|
Loading…
Reference in a new issue