1111 clean name bug (#1347)

2025-11-17 08:23:15 +01:00 · 2022-11-18 09:45:18 -05:00 · 2022-11-18 09:45:18 -05:00 · 67888ee855
commit 67888ee855
parent 9afc9231c0
8 changed files with 24 additions and 25 deletions
--- a/syft/formats/common/spdxhelpers/document_name.go
+++ b/syft/formats/common/spdxhelpers/document_name.go
@ -1,34 +1,20 @@
 package spdxhelpers

 import (
-	"path"
-	"strings"
-
 	"github.com/anchore/syft/syft/source"
 )

 func DocumentName(srcMetadata source.Metadata) string {
 	if srcMetadata.Name != "" {
-		return cleanName(srcMetadata.Name)
+		return srcMetadata.Name
 	}

 	switch srcMetadata.Scheme {
 	case source.ImageScheme:
-		return cleanName(srcMetadata.ImageMetadata.UserInput)
+		return srcMetadata.ImageMetadata.UserInput
 	case source.DirectoryScheme, source.FileScheme:
-		return cleanName(srcMetadata.Path)
+		return srcMetadata.Path
 	default:
 		return "unknown"
 	}
 }
-
-func cleanName(name string) string {
-	// remove # according to specification
-	name = strings.ReplaceAll(name, "#", "-")
-
-	// remove : for url construction
-	name = strings.ReplaceAll(name, ":", "-")
-
-	// clean relative pathing
-	return path.Clean(name)
-}
--- a/syft/formats/common/spdxhelpers/document_name_test.go
+++ b/syft/formats/common/spdxhelpers/document_name_test.go
@ -35,7 +35,7 @@ func Test_DocumentName(t *testing.T) {
 					ManifestDigest: "digest",
 				},
 			},
-			expected: "image-repo/name-tag",
+			expected: "image-repo/name:tag",
 		},
 		{
 			name:      "directory",
--- a/syft/formats/common/spdxhelpers/document_namespace.go
+++ b/syft/formats/common/spdxhelpers/document_namespace.go
@ -4,6 +4,7 @@ import (
 	"fmt"
 	"net/url"
 	"path"
+	"strings"

 	"github.com/google/uuid"

@ -23,6 +24,7 @@ func DocumentNameAndNamespace(srcMetadata source.Metadata) (string, string) {
 }

 func DocumentNamespace(name string, srcMetadata source.Metadata) string {
+	name = cleanName(name)
 	input := "unknown-source-type"
 	switch srcMetadata.Scheme {
 	case source.ImageScheme:
@ -47,3 +49,13 @@ func DocumentNamespace(name string, srcMetadata source.Metadata) string {

 	return u.String()
 }
+
+// see: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#65-spdx-document-namespace-field
+func cleanName(name string) string {
+	// remove # according to specification
+	name = strings.ReplaceAll(name, "#", "-")
+	// remove : for url construction
+	name = strings.ReplaceAll(name, ":", "-")
+	// clean relative pathing
+	return path.Clean(name)
+}
--- a/syft/formats/spdxtagvalue/encoder_test.go
+++ b/syft/formats/spdxtagvalue/encoder_test.go
@ -52,6 +52,7 @@ func TestSPDXJSONSPDXIDs(t *testing.T) {
 			Relationships: nil,
 			Source: source.Metadata{
 				Scheme: source.DirectoryScheme,
+				Path:   "foobar/baz", // in this case, foobar is used as the spdx docment name
 			},
 			Descriptor: sbom.Descriptor{
 				Name:    "syft",
--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
@ -1,12 +1,12 @@
 SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
-DocumentName: .
-DocumentNamespace: https://anchore.com/syft/dir/b51d2446-85b4-4b22-9762-12fc135730a7
+DocumentName: foobar/baz
+DocumentNamespace: https://anchore.com/syft/dir/foobar/baz-3d730196-4510-4ee4-9743-9322dd27cee7
 LicenseListVersion: 3.18
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-11-11T19:25:16Z
+Created: 2022-11-18T14:21:45Z

 ##### Package: @at-sign

--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: /some/path
-DocumentNamespace: https://anchore.com/syft/dir/some/path-94301cf0-21fd-481a-b555-ea767674cc93
+DocumentNamespace: https://anchore.com/syft/dir/some/path-b6078c95-5b97-462d-acb3-9e74bc9ddb43
 LicenseListVersion: 3.18
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-11-11T19:25:16Z
+Created: 2022-11-18T14:21:44Z

 ##### Package: package-2

--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: user-image-input
-DocumentNamespace: https://anchore.com/syft/image/user-image-input-258730be-7925-4ef3-9009-d9dc532d2fec
+DocumentNamespace: https://anchore.com/syft/image/user-image-input-aa272d1e-8bb4-411f-a554-4c9a16ea66fb
 LicenseListVersion: 3.18
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-11-11T19:25:16Z
+Created: 2022-11-18T14:21:45Z

 ##### Package: package-2

--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden