diff --git a/syft/formats/common/spdxhelpers/document_name.go b/syft/formats/common/spdxhelpers/document_name.go
index 2545b14f9..8967117e9 100644
--- a/syft/formats/common/spdxhelpers/document_name.go
+++ b/syft/formats/common/spdxhelpers/document_name.go
@@ -1,34 +1,20 @@
 package spdxhelpers
 
 import (
- "path"
- "strings"
-
 "github.com/anchore/syft/syft/source"
 )
 
 func DocumentName(srcMetadata source.Metadata) string {
 if srcMetadata.Name != "" {
- return cleanName(srcMetadata.Name)
+ return srcMetadata.Name
 }
 
 switch srcMetadata.Scheme {
 case source.ImageScheme:
- return cleanName(srcMetadata.ImageMetadata.UserInput)
+ return srcMetadata.ImageMetadata.UserInput
 case source.DirectoryScheme, source.FileScheme:
- return cleanName(srcMetadata.Path)
+ return srcMetadata.Path
 default:
 return "unknown"
 }
 }
-
-func cleanName(name string) string {
- // remove # according to specification
- name = strings.ReplaceAll(name, "#", "-")
-
- // remove : for url construction
- name = strings.ReplaceAll(name, ":", "-")
-
- // clean relative pathing
- return path.Clean(name)
-}
diff --git a/syft/formats/common/spdxhelpers/document_name_test.go b/syft/formats/common/spdxhelpers/document_name_test.go
index 6f4392d29..cc1944247 100644
--- a/syft/formats/common/spdxhelpers/document_name_test.go
+++ b/syft/formats/common/spdxhelpers/document_name_test.go
@@ -35,7 +35,7 @@ func Test_DocumentName(t *testing.T) {
 ManifestDigest: "digest",
 },
 },
- expected: "image-repo/name-tag",
+ expected: "image-repo/name:tag",
 },
 {
 name: "directory",
diff --git a/syft/formats/common/spdxhelpers/document_namespace.go b/syft/formats/common/spdxhelpers/document_namespace.go
index f4ad43f80..c2a2bd129 100644
--- a/syft/formats/common/spdxhelpers/document_namespace.go
+++ b/syft/formats/common/spdxhelpers/document_namespace.go
@@ -4,6 +4,7 @@ import (
 "fmt"
 "net/url"
 "path"
+ "strings"
 
 "github.com/google/uuid"
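Review bot: With cleanName removed from the directory/file and image branches, an empty srcMetadata.Path or ImageMetadata.UserInput now makes DocumentName return "", where the old code returned `.` via path.Clean (the pre-change TestSPDXJSONSPDXIDs golden in this commit shows `DocumentName: .`), and the document name is a mandatory field in SPDX 2.3, so the emitted document would be invalid; the encoder test now sets `Path: "foobar/baz"`, which sidesteps that case rather than covering it. The existing "unknown" fallback should also apply to a blank selected value, e.g. assign the chosen value to a local and finish with `if name == "" { return "unknown" }` before returning it, with a test case for an empty Path. The exported function also has no doc comment; I would add `// DocumentName returns the SPDX document name for the source: Name when set, otherwise the image user input or the directory/file path (returned verbatim, not URI-cleaned), or "unknown".` so the new contract is explicit.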
@@ -23,6 +24,7 @@ func DocumentNameAndNamespace(srcMetadata source.Metadata) (string, string) {
 }
 
 func DocumentNamespace(name string, srcMetadata source.Metadata) string {
+ name = cleanName(name)
 input := "unknown-source-type"
 switch srcMetadata.Scheme {
 case source.ImageScheme:
@@ -47,3 +49,13 @@ func DocumentNamespace(name string, srcMetadata source.Metadata) string {
 
 return u.String()
 }
+
+// see: https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#65-spdx-document-namespace-field
+func cleanName(name string) string {
+ // remove # according to specification
+ name = strings.ReplaceAll(name, "#", "-")
+ // remove : for url construction
+ name = strings.ReplaceAll(name, ":", "-")
+ // clean relative pathing
+ return path.Clean(name)
+}
diff --git a/syft/formats/spdxtagvalue/encoder_test.go b/syft/formats/spdxtagvalue/encoder_test.go
index 79f606ebd..55f001207 100644
--- a/syft/formats/spdxtagvalue/encoder_test.go
+++ b/syft/formats/spdxtagvalue/encoder_test.go
@@ -52,6 +52,7 @@ func TestSPDXJSONSPDXIDs(t *testing.T) {
 Relationships: nil,
 Source: source.Metadata{
 Scheme: source.DirectoryScheme,
+ Path: "foobar/baz", // in this case, foobar is used as the spdx docment name
 },
 Descriptor: sbom.Descriptor{
 Name: "syft",
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
index 71ef36533..8acb135b9 100644
--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
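Review bot: cleanName hands an arbitrary name to path.Clean, which maps `""` to `.` and keeps leading `..` elements, so an empty or relative source path becomes a `.` or `../` segment of the namespace URI; the part of DocumentNamespace that joins name into the URI is outside the hunk, so the exact effect cannot be confirmed here, but the updated goldens show the cleaned name embedded verbatim (`dir/foobar/baz-<uuid>`). Replacing `#` and `:` with `-` and collapsing path elements means distinct inputs can clean to the same string, which is only harmless because the UUID suffix visible in the goldens keeps the namespace unique; that dependency deserves a sentence in the comment. The `// see:` line is not a Go doc comment; I would replace it with one starting with the name, e.g. `// cleanName makes name usable as a segment of the document namespace URI: "#" is forbidden there by the SPDX 2.3 spec (https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#65-spdx-document-namespace-field) and ":" is replaced for URL construction, both becoming "-"; path.Clean then collapses relative pathing but does not remove a leading "..".` and guard the empty case ahead of path.Clean with `if name == "" { return name }` so the caller, not path.Clean, decides what an empty name means.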
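Review bot: The trailing comment on the added `Path: "foobar/baz"` line says that `foobar` is used as the SPDX document name, but the updated TestSPDXJSONSPDXIDs golden in this same commit records `DocumentName: foobar/baz`, i.e. the whole path is used, and "docment" is a typo. I would change it to `Path: "foobar/baz", // used verbatim as the SPDX document name and, after cleaning, in the document namespace`. The enclosing TestSPDXJSONSPDXIDs function continues outside the hunk.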
@@ -1,12 +1,12 @@
 SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
-DocumentName: .
-DocumentNamespace: https://anchore.com/syft/dir/b51d2446-85b4-4b22-9762-12fc135730a7
+DocumentName: foobar/baz
+DocumentNamespace: https://anchore.com/syft/dir/foobar/baz-3d730196-4510-4ee4-9743-9322dd27cee7
 LicenseListVersion: 3.18
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-11-11T19:25:16Z
+Created: 2022-11-18T14:21:45Z
 
 ##### Package: @at-sign
 
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
index 6e2268072..a450e0191 100644
--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
@@ -2,11 +2,11 @@
 SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: /some/path
-DocumentNamespace: https://anchore.com/syft/dir/some/path-94301cf0-21fd-481a-b555-ea767674cc93
+DocumentNamespace: https://anchore.com/syft/dir/some/path-b6078c95-5b97-462d-acb3-9e74bc9ddb43
 LicenseListVersion: 3.18
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-11-11T19:25:16Z
+Created: 2022-11-18T14:21:44Z
 
 ##### Package: package-2
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
index 9638ebbd7..4d6a523d5 100644
--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
@@ -2,11 +2,11 @@
 SPDXVersion: SPDX-2.3
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: user-image-input
-DocumentNamespace: https://anchore.com/syft/image/user-image-input-258730be-7925-4ef3-9009-d9dc532d2fec
+DocumentNamespace: https://anchore.com/syft/image/user-image-input-aa272d1e-8bb4-411f-a554-4c9a16ea66fb
 LicenseListVersion: 3.18
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-11-11T19:25:16Z
+Created: 2022-11-18T14:21:45Z
 
 ##### Package: package-2
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
index 0a4b4d256..f902fc6aa 100644
Binary files a/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden and b/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden differ