From 220f3a24fdf55ba379535983d32bd41ada76e4bf Mon Sep 17 00:00:00 2001 From: Alex Goodman Date: Thu, 10 Feb 2022 16:18:00 -0500 Subject: [PATCH] deduplicate SPDX tag-value package IDs (#813) Signed-off-by: Alex Goodman --- .../snapshot/TestSPDXTagValueDirectoryEncoder.golden | 10 +++++----- .../snapshot/TestSPDXTagValueImageEncoder.golden | 10 +++++----- internal/formats/spdx22tagvalue/to_format_model.go | 4 ++-- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden index c20858109..84a7de316 100644 --- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden +++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden @@ -2,16 +2,16 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: /some/path -DocumentNamespace: https://anchore.com/syft/dir/some/path-22f5732a-cab0-4376-9b79-15e413049500 -LicenseListVersion: 3.15 +DocumentNamespace: https://anchore.com/syft/dir/some/path-4b90f56d-d596-4ad8-b6a5-17f7d801350d +LicenseListVersion: 3.16 Creator: Organization: Anchore, Inc Creator: Tool: syft-[not provided] -Created: 2021-12-01T15:08:43Z +Created: 2022-02-10T21:09:27Z ##### Package: package-2 PackageName: package-2 -SPDXID: SPDXRef-Package-deb-package-2 +SPDXID: SPDXRef-Package-deb-package-2-ad3d1c4abd84bf75 PackageVersion: 2.0.1 PackageDownloadLocation: NOASSERTION FilesAnalyzed: false @@ -24,7 +24,7 @@ ExternalRef: PACKAGE_MANAGER purl a-purl-2 ##### Package: package-1 PackageName: package-1 -SPDXID: SPDXRef-Package-python-package-1 +SPDXID: SPDXRef-Package-python-package-1-1d97af55efe9512f PackageVersion: 1.0.1 PackageDownloadLocation: NOASSERTION FilesAnalyzed: false diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden index 7743514fd..f54713441 100644 --- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden +++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden @@ -2,16 +2,16 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: user-image-input -DocumentNamespace: https://anchore.com/syft/image/user-image-input-ce4d4ae5-9d79-4f84-a410-361e394c2908 -LicenseListVersion: 3.15 +DocumentNamespace: https://anchore.com/syft/image/user-image-input-26a2def6-53d0-4504-b99a-a046832508ac +LicenseListVersion: 3.16 Creator: Organization: Anchore, Inc Creator: Tool: syft-[not provided] -Created: 2021-12-01T15:08:44Z +Created: 2022-02-10T21:09:27Z ##### Package: package-2 PackageName: package-2 -SPDXID: SPDXRef-Package-deb-package-2 +SPDXID: SPDXRef-Package-deb-package-2-73f796c846875b9e PackageVersion: 2.0.1 PackageDownloadLocation: NOASSERTION FilesAnalyzed: false @@ -24,7 +24,7 @@ ExternalRef: PACKAGE_MANAGER purl a-purl-2 ##### Package: package-1 PackageName: package-1 -SPDXID: SPDXRef-Package-python-package-1 +SPDXID: SPDXRef-Package-python-package-1-d9527e708c11f8b9 PackageVersion: 1.0.1 PackageDownloadLocation: NOASSERTION FilesAnalyzed: false diff --git a/internal/formats/spdx22tagvalue/to_format_model.go b/internal/formats/spdx22tagvalue/to_format_model.go index c240eeaa7..ef17dc54a 100644 --- a/internal/formats/spdx22tagvalue/to_format_model.go +++ b/internal/formats/spdx22tagvalue/to_format_model.go @@ -94,9 +94,9 @@ func toFormatModel(s sbom.SBOM) (*spdx.Document2_2, error) { func toFormatPackages(catalog *pkg.Catalog) map[spdx.ElementID]*spdx.Package2_2 { results := make(map[spdx.ElementID]*spdx.Package2_2) - for p := range catalog.Enumerate() { + for _, p := range catalog.Sorted() { // name should be guaranteed to be unique, but semantically useful and stable - id := fmt.Sprintf("Package-%+v-%s", p.Type, p.Name) + id := fmt.Sprintf("Package-%+v-%s-%s", p.Type, p.Name, p.ID()) // If the Concluded License is not the same as the Declared License, a written explanation should be provided // in the Comments on License field (section 3.16). With respect to NOASSERTION, a written explanation in