From 7cb8e1fc14a278ec5afce379623a47577aba9917 Mon Sep 17 00:00:00 2001 From: Jonas Xavier Date: Wed, 25 May 2022 14:40:08 -0700 Subject: [PATCH] Use SBOM descriptor version (#1011) * Use SBOM descriptor version Signed-off-by: Jonas Xavier * Update tests Signed-off-by: Jonas Xavier * CycloneDX extract tools metadata in decoding stage Signed-off-by: Jonas Xavier * add descriptor to spdx tag-value test Signed-off-by: Jonas Xavier * remove comment Signed-off-by: Jonas Xavier --- .../common/cyclonedxhelpers/decoder.go | 58 ++++++++++++------ .../formats/common/cyclonedxhelpers/format.go | 4 +- .../TestCycloneDxDirectoryEncoder.golden | 6 +- .../snapshot/TestCycloneDxImageEncoder.golden | 12 ++-- .../stereoscope-fixture-image-simple.golden | Bin 15360 -> 15360 bytes .../TestCycloneDxDirectoryEncoder.golden | 6 +- .../snapshot/TestCycloneDxImageEncoder.golden | 12 ++-- .../stereoscope-fixture-image-simple.golden | Bin 15360 -> 15360 bytes internal/formats/github/encoder.go | 5 +- .../TestSPDXJSONDirectoryEncoder.golden | 8 +-- .../snapshot/TestSPDXJSONImageEncoder.golden | 8 +-- .../stereoscope-fixture-image-simple.golden | Bin 15360 -> 15360 bytes .../formats/spdx22json/to_format_model.go | 3 +- .../formats/spdx22tagvalue/encoder_test.go | 8 ++- .../snapshot/TestSPDXJSONSPDXIDs.golden | 8 +-- .../TestSPDXTagValueDirectoryEncoder.golden | 8 +-- .../TestSPDXTagValueImageEncoder.golden | 8 +-- .../stereoscope-fixture-image-simple.golden | Bin 15360 -> 15360 bytes .../formats/spdx22tagvalue/to_format_model.go | 3 +- 19 files changed, 88 insertions(+), 69 deletions(-) diff --git a/internal/formats/common/cyclonedxhelpers/decoder.go b/internal/formats/common/cyclonedxhelpers/decoder.go index 139cf06ee..27215aa22 100644 --- a/internal/formats/common/cyclonedxhelpers/decoder.go +++ b/internal/formats/common/cyclonedxhelpers/decoder.go 
@@ -45,17 +45,17 @@ func GetDecoder(format cyclonedx.BOMFileFormat) sbom.Decoder {
 }
 
 func toSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) {
- meta := source.Metadata{}
- if bom.Metadata != nil && bom.Metadata.Component != nil {
- meta = decodeMetadata(bom.Metadata.Component)
+ if bom == nil {
+ return nil, fmt.Errorf("no content defined in CycloneDX BOM")
 }
+
 s := &sbom.SBOM{
 Artifacts: sbom.Artifacts{
 PackageCatalog: pkg.NewCatalog(),
 LinuxDistribution: linuxReleaseFromComponents(*bom.Components),
 },
- Source: meta,
- //Descriptor: sbom.Descriptor{},
+ Source: extractComponents(bom.Metadata),
+ Descriptor: extractDescriptor(bom.Metadata),
 }
 
 idMap := make(map[string]interface{})
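Review bot: The new nil guard covers bom itself but not bom.Components; a few lines below, `linuxReleaseFromComponents(*bom.Components)` still dereferences that pointer, so a well-formed BOM that simply carries no components list makes the decoder panic rather than return an error. This runs on whatever document a user hands to the decoder, so the pointer should be checked before it is dereferenced, and collectRelationships (outside this hunk) presumably walks the same field and deserves the same look. toSyftModel's body continues past the end of the hunk.
```go
	var components []cyclonedx.Component
	if bom.Components != nil {
		components = *bom.Components
	}

	s := &sbom.SBOM{
		Artifacts: sbom.Artifacts{
			PackageCatalog:    pkg.NewCatalog(),
			LinuxDistribution: linuxReleaseFromComponents(components),
		},
		// … unchanged: Source, Descriptor …
	}
```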
@@ -205,27 +205,45 @@ func collectRelationships(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]int
 }
 }
 
-func decodeMetadata(component *cyclonedx.Component) source.Metadata {
- switch component.Type {
+func extractComponents(meta *cyclonedx.Metadata) source.Metadata {
+ if meta == nil || meta.Component == nil {
+ return source.Metadata{}
+ }
+ c := meta.Component
+
+ image := source.ImageMetadata{
+ UserInput: c.Name,
+ ID: c.BOMRef,
+ ManifestDigest: c.Version,
+ }
+
+ switch c.Type {
 case cyclonedx.ComponentTypeContainer:
 return source.Metadata{
- Scheme: source.ImageScheme,
- ImageMetadata: source.ImageMetadata{
- UserInput: component.Name,
- ID: component.BOMRef,
- ManifestDigest: component.Version,
- },
+ Scheme: source.ImageScheme,
+ ImageMetadata: image,
 }
 case cyclonedx.ComponentTypeFile:
 return source.Metadata{
- Scheme: source.FileScheme, // or source.DirectoryScheme
- Path: component.Name,
- ImageMetadata: source.ImageMetadata{
- UserInput: component.Name,
- ID: component.BOMRef,
- ManifestDigest: component.Version,
- },
+ Scheme: source.FileScheme, // or source.DirectoryScheme
+ Path: c.Name,
+ ImageMetadata: image,
 }
 }
 return source.Metadata{}
 }
+
+// if there is more than one tool in meta.Tools' list the last item will be used
+// as descriptor. If there is a way to know which tool to use here please fix it.
+func extractDescriptor(meta *cyclonedx.Metadata) (desc sbom.Descriptor) {
+ if meta == nil || meta.Tools == nil {
+ return
+ }
+
+ for _, t := range *meta.Tools {
+ desc.Name = t.Name
+ desc.Version = t.Version
+ }
+
+ return
+}
diff --git a/internal/formats/common/cyclonedxhelpers/format.go b/internal/formats/common/cyclonedxhelpers/format.go
index 2fe525919..a22b191b2 100644
--- a/internal/formats/common/cyclonedxhelpers/format.go
+++ b/internal/formats/common/cyclonedxhelpers/format.go
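Review bot: extractDescriptor keeps whichever entry of meta.Tools happens to come last, so the descriptor — and any tool version an encoder later prints from it — depends on list order in the input document rather than on a stated rule; the in-hunk comment concedes as much. Since no ordering is established here, pick one deterministic choice and document it rather than loop: `if tools := *meta.Tools; len(tools) > 0 {` / `desc.Name, desc.Version = tools[0].Name, tools[0].Version` / `}`, with the comment turned into a proper doc comment such as `// extractDescriptor returns the name and version of the first tool listed in meta.Tools, or the zero Descriptor when none is present.` The name extractComponents is also misleading, since the function returns source metadata and never touches components; `extractSourceMetadata` would describe it honestly.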
@@ -8,7 +8,6 @@ import ( "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/log" - "github.com/anchore/syft/internal/version" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/linux" "github.com/anchore/syft/syft/sbom" @@ -17,13 +16,12 @@ import ( func ToFormatModel(s sbom.SBOM) *cyclonedx.BOM { cdxBOM := cyclonedx.NewBOM() - versionInfo := version.FromBuild() // NOTE(jonasagx): cycloneDX requires URN uuids (URN returns the RFC 2141 URN form of uuid): // https://github.com/CycloneDX/specification/blob/master/schema/bom-1.3-strict.schema.json#L36 // "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" cdxBOM.SerialNumber = uuid.New().URN() - cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, versionInfo.Version, s.Source) + cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, s.Descriptor.Version, s.Source) packages := s.Artifacts.PackageCatalog.Sorted() components := make([]cyclonedx.Component, len(packages)) diff --git a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden index 1e78b418b..3b23a84e5 100644 --- a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden +++ b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden @@ -1,15 +1,15 @@ { "bomFormat": "CycloneDX", "specVersion": "1.4", - "serialNumber": "urn:uuid:dec3f6b4-8458-48bb-b60d-dfd312f6ec4e", + "serialNumber": "urn:uuid:3ea3363f-3945-4859-9ba1-9a395983d248", "version": 1, "metadata": { - "timestamp": "2022-04-01T11:48:04-04:00", + "timestamp": "2022-05-23T12:05:00-07:00", "tools": [ { "vendor": "anchore", "name": "syft", - "version": "[not provided]" + "version": "v0.42.0-bogus" } ], "component": { 
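Review bot: ToFormatModel still hard-codes internal.ApplicationName as the tool name while taking the version from s.Descriptor, so once decoder.go fills the descriptor from a foreign BOM the re-encoded metadata names syft with another tool's version, and an SBOM whose descriptor was never populated now emits an empty version where the old goldens show "[not provided]" from version.FromBuild(). Name and version should come from the same place: `name := s.Descriptor.Name` / `if name == "" { name = internal.ApplicationName }` / `cdxBOM.Metadata = toBomDescriptor(name, s.Descriptor.Version, s.Source)`. The same mismatch is in the `"Tool: " + internal.ApplicationName + "-" + s.Descriptor.Version` creator strings in spdx22json/to_format_model.go and spdx22tagvalue/to_format_model.go, where an empty version additionally leaves a dangling "syft-". ToFormatModel's body continues past the hunk.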
diff --git a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden index 315a41826..6dac17e18 100644 --- a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden +++ b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden @@ -1,19 +1,19 @@ { "bomFormat": "CycloneDX", "specVersion": "1.4", - "serialNumber": "urn:uuid:054d973e-fe99-4762-92e4-eaf01997ae41", + "serialNumber": "urn:uuid:c825402b-bbfa-4ad5-81b1-6a8332a6a8b6", "version": 1, "metadata": { - "timestamp": "2022-04-01T11:48:04-04:00", + "timestamp": "2022-05-23T12:05:01-07:00", "tools": [ { "vendor": "anchore", "name": "syft", - "version": "[not provided]" + "version": "v0.42.0-bogus" } ], "component": { - "bom-ref": "e777314b02b362e4", + "bom-ref": "e779c1ed804ba529", "type": "container", "name": "user-image-input", "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368" @@ -53,7 +53,7 @@ }, { "name": "syft:location:0:layerID", - "value": "sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59" + "value": "sha256:cd8f3884f1211d65c19ce5bbc5174bcd2ce8ba96b63e5b3693969a53279c4405" }, { "name": "syft:location:0:path", @@ -83,7 +83,7 @@ }, { "name": "syft:location:0:layerID", - "value": "sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec" + "value": "sha256:42d2ea51c688e6dc7be81a305acbe006d27a6ef0c26ae3888fd0d4ce44f69265" }, { "name": "syft:location:0:path", 
diff --git a/internal/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/internal/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index 5b5b8030509a612ac6c0d1e630d5a86b6f232f65..3d93b6d3ad1c86098e440073bcf8cfdf5eea53e1 100644 GIT binary patch literal 15360 zcmeHOTW{Mo6wdR0g{Qs7Ht(bi?4fH4v_P>GZPo!Rih$xJ(P~SEBo_&S{P!Knj$?am z)kLz<3k3t>^@#iqk90mB8hfg2qL?y9Ag3+2)O%%-k1=6b3(TYz+QdS}i7?nu&ZWUT z<^=Ir$#{I!ej&t=cx7{l9(o`pt{eKfg3wgb@-9^t!xu?@&s&^-mBifTKZYoqTCfcXdCz{znHv`3~)H z|HcsLZ2$k3dDb$g7W>B>i(UH{6bJinfwhBff zwKA4_DW$hqdvGlzPZCF&N<{2pNC@I;XT!z@dL`Ox?m?C*oUU9wFoFmkVmw6j46zBr z6Q)L-63h|*r*4>Ml}f0eFS);y^yZ7$zb zHqD}m*VED+N9(eD0aMv6bOm%>6`obs>-6c|W!rL^+-YWD5UcjjvX9XuTTG|N(bE~s zY?*v9(-*6OzRjnLnJe#V{?3aJX?Agvu15PTtBUJ+p4JdA`<`ZhEYj&()JvVX>8kr} zgUq*&$Ghm&le6c)j~8Vzp5{hR$7Pacla2g3dtcEMEwhk}-aiJ=F|3S-BB~2>nO4qJ zi=tMUo>{>_Ob(bw(==OLMYp|}~ZU%O&d`_P}gTHgN*9KfCTKjs{T_y1=B z?XjZFXU?ZnHzcF#s_IejhNu?(BSaegQ;9GWk^uk1k^%oah-dnf`~OSb59;qIe7(zG zH`ErA0fB%(Kp-IS10x`Tomqxs=_#?)VM>uVf|g`oH}@hGqEvA7a_vM4zEG_k6lxu01ieEmm8Tuq_f>)7GzL{+DT4Awd*?=uU+9~{v|i>P=K#&uiM+@U;@A zWK-|YQww$PqViG`E+)n*2nQ(UF~QghZg6ZIY}gnM4tZiMF-|2q7KxxxOhrs%5o_3v zk+ES6age%_#E2zMb8LiCPFN!or?94oYm+#L23P`NCFhYLLOXb*@)lWU9AjR@MDXbS z?RQ9~4`Hx9Kcnkr-Cp8#YC1#Q$J_H}L;YXsiDs9O8fdgZdpw z>}>zt{eL6~-r4^p2nGNDAggE<|LeL8Y8QF!xdWR-Lj*B9e1_1Z`Gr{Bmtu7r9{Zua z-mZ$@PyB~SN&^2s#0y}X^zP@0?eU-H{Kr=OhX?)dM;SX(E7(VAc0mT0x?G2Wb{d6j zKp-Fx5C{nTa0twFmU>rKUlYf9?Bv_N|D4miGvW0K@#g#o4&VRB!u_Cr5IuRiIyo8j z5(@+-_}b0$Gkvj)EL5&=d1>;w8~XIBK07x|>qC#jGM&w*ZlWNvC?LRqlu9gw1(=sw z!P(Fl!UQZvUO+92oh06y82)^Mq_M(b<&h)A@T5Nf_p&~N);z91Is^0Q?`#}|Gv5F5 zAiW%_aRIt2Q;4LcuH4r%+w7m*|2OE){)Gtkzb|!c$-Rln77MLohn-x+QcVFg&@vJX2t^PzT*a0% z&z*4^V<9Bvh!I7Z1KUCwjx;ySlbBOOBvG-n#5e-9Y~gj~YsLs7#e z8YOyM`h#fImd{`*+l{_}smsRG>Sk3wnfh##&b)S#Szuy0{y6&_jk4Kzd=R~!z{(cI zw-bG_Wb|V`o=tpt-}6^qT&3B?QM%;zIID`AX`a>)FXob`T}OAFsN`OWv{n4!Sl{?!P}|Voyc*vB>`VKf5F*0+|C@kz*iq&a 
zpQK}dNCwq))gj?EQVsG);P1iykBGpSa4dTWV@bpQzlPxMiVNBI>wOe<@ABu}-6>EG z2m}NI0s(=SgaE{N6GJW0%n_nkOf5Hvv&373A@&;+OO0mQ3WkZ25b*VhB~)VY>jc6+ z9(3UU6Z%E`4?!3>#Q*m2pxj2^aBCj?>AC0Hk*Bud)z(hfh7()6t>5eUU#4Z17vO_` zx^0?-2t$<4!vzcK=LY6Qua1uTbMpt+rf+|^GKClQU;3tYudmVy*tGd%vW#vl8wW18 zSH7qT3_hdi?x2y4wW!5c*_d14Yium)Ph@im3Ii+1Pp%ek%yd;^3Z{W2fLp_7)U~avBY^Bo!$L_ z&h#Giwd-574c6@>|A!%4$U^?FYgvDdUTgX9B>#s5CSm{on!LJh!y*6IHKacjz1I5Q z-u_2|;H~^0VsKm_*#CQYl9u_uwvRz=BCjlW97_ZVyEUT@Rs-OVkV^FQ_ZkIno~c>nK47TZ)Sh@;G-ApJ{SuF^o;qe49( z5D*9m1O)zT2uyUACcdn`Cy(>owKwhmoYS?l;AnpSBgB86i}uszLH6YJ^5kUHNiGmP z!S{ZepX!T6W})(h&r6$6{b7<`*JtMr)B4ckVVO>*V?R3-JOktbjI0FPZP|Z zMi(HfGKEZ9>dRf-vPu8R!?!{8S2VT$3lZYKyAsC+-P@>a(9k+}*jh - + - 2022-04-01T11:57:46-04:00 + 2022-05-23T12:02:41-07:00 anchore syft - [not provided] + v0.42.0-bogus diff --git a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden index 78caa7f7a..6ef8367e6 100644 --- a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden +++ b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden @@ -1,15 +1,15 @@ - + - 2022-04-01T11:57:46-04:00 + 2022-05-23T12:02:42-07:00 anchore syft - [not provided] + v0.42.0-bogus - + user-image-input sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368 @@ -30,7 +30,7 @@ python PythonPackageMetadata python - sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59 + sha256:cd8f3884f1211d65c19ce5bbc5174bcd2ce8ba96b63e5b3693969a53279c4405 /somefile-1.txt @@ -43,7 +43,7 @@ the-cataloger-2 DpkgMetadata deb - sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec + sha256:42d2ea51c688e6dc7be81a305acbe006d27a6ef0c26ae3888fd0d4ce44f69265 /somefile-2.txt 0 
diff --git a/internal/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/internal/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index 5b5b8030509a612ac6c0d1e630d5a86b6f232f65..3d93b6d3ad1c86098e440073bcf8cfdf5eea53e1 100644 GIT binary patch literal 15360 zcmeHOTW{Mo6wdR0g{Qs7Ht(bi?4fH4v_P>GZPo!Rih$xJ(P~SEBo_&S{P!Knj$?am z)kLz<3k3t>^@#iqk90mB8hfg2qL?y9Ag3+2)O%%-k1=6b3(TYz+QdS}i7?nu&ZWUT z<^=Ir$#{I!ej&t=cx7{l9(o`pt{eKfg3wgb@-9^t!xu?@&s&^-mBifTKZYoqTCfcXdCz{znHv`3~)H z|HcsLZ2$k3dDb$g7W>B>i(UH{6bJinfwhBff zwKA4_DW$hqdvGlzPZCF&N<{2pNC@I;XT!z@dL`Ox?m?C*oUU9wFoFmkVmw6j46zBr z6Q)L-63h|*r*4>Ml}f0eFS);y^yZ7$zb zHqD}m*VED+N9(eD0aMv6bOm%>6`obs>-6c|W!rL^+-YWD5UcjjvX9XuTTG|N(bE~s zY?*v9(-*6OzRjnLnJe#V{?3aJX?Agvu15PTtBUJ+p4JdA`<`ZhEYj&()JvVX>8kr} zgUq*&$Ghm&le6c)j~8Vzp5{hR$7Pacla2g3dtcEMEwhk}-aiJ=F|3S-BB~2>nO4qJ zi=tMUo>{>_Ob(bw(==OLMYp|}~ZU%O&d`_P}gTHgN*9KfCTKjs{T_y1=B z?XjZFXU?ZnHzcF#s_IejhNu?(BSaegQ;9GWk^uk1k^%oah-dnf`~OSb59;qIe7(zG zH`ErA0fB%(Kp-IS10x`Tomqxs=_#?)VM>uVf|g`oH}@hGqEvA7a_vM4zEG_k6lxu01ieEmm8Tuq_f>)7GzL{+DT4Awd*?=uU+9~{v|i>P=K#&uiM+@U;@A zWK-|YQww$PqViG`E+)n*2nQ(UF~QghZg6ZIY}gnM4tZiMF-|2q7KxxxOhrs%5o_3v zk+ES6age%_#E2zMb8LiCPFN!or?94oYm+#L23P`NCFhYLLOXb*@)lWU9AjR@MDXbS z?RQ9~4`Hx9Kcnkr-Cp8#YC1#Q$J_H}L;YXsiDs9O8fdgZdpw z>}>zt{eL6~-r4^p2nGNDAggE<|LeL8Y8QF!xdWR-Lj*B9e1_1Z`Gr{Bmtu7r9{Zua z-mZ$@PyB~SN&^2s#0y}X^zP@0?eU-H{Kr=OhX?)dM;SX(E7(VAc0mT0x?G2Wb{d6j zKp-Fx5C{nTa0twFmU>rKUlYf9?Bv_N|D4miGvW0K@#g#o4&VRB!u_Cr5IuRiIyo8j z5(@+-_}b0$Gkvj)EL5&=d1>;w8~XIBK07x|>qC#jGM&w*ZlWNvC?LRqlu9gw1(=sw z!P(Fl!UQZvUO+92oh06y82)^Mq_M(b<&h)A@T5Nf_p&~N);z91Is^0Q?`#}|Gv5F5 zAiW%_aRIt2Q;4LcuH4r%+w7m*|2OE){)Gtkzb|!c$-Rln77MLohn-x+QcVFg&@vJX2t^PzT*a0% z&z*4^V<9Bvh!I7Z1KUCwjx;ySlbBOOBvG-n#5e-9Y~gj~YsLs7#e z8YOyM`h#fImd{`*+l{_}smsRG>Sk3wnfh##&b)S#Szuy0{y6&_jk4Kzd=R~!z{(cI zw-bG_Wb|V`o=tpt-}6^qT&3B?QM%;zIID`AX`a>)FXob`T}OAFsN`OWv{n4!Sl{?!P}|Voyc*vB>`VKf5F*0+|C@kz*iq&a 
zpQK}dNCwq))gj?EQVsG);P1iykBGpSa4dTWV@bpQzlPxMiVNBI>wOe<@ABu}-6>EG z2m}NI0s(=SgaE{N6GJW0%n_nkOf5Hvv&373A@&;+OO0mQ3WkZ25b*VhB~)VY>jc6+ z9(3UU6Z%E`4?!3>#Q*m2pxj2^aBCj?>AC0Hk*Bud)z(hfh7()6t>5eUU#4Z17vO_` zx^0?-2t$<4!vzcK=LY6Qua1uTbMpt+rf+|^GKClQU;3tYudmVy*tGd%vW#vl8wW18 zSH7qT3_hdi?x2y4wW!5c*_d14Yium)Ph@im3Ii+1Pp%ek%yd;^3Z{W2fLp_7)U~avBY^Bo!$L_ z&h#Giwd-574c6@>|A!%4$U^?FYgvDdUTgX9B>#s5CSm{on!LJh!y*6IHKacjz1I5Q z-u_2|;H~^0VsKm_*#CQYl9u_uwvRz=BCjlW97_ZVyEUT@Rs-OVkV^FQ_ZkIno~c>nK47TZ)Sh@;G-ApJ{SuF^o;qe49( z5D*9m1O)zT2uyUACcdn`Cy(>owKwhmoYS?l;AnpSBgB86i}uszLH6YJ^5kUHNiGmP z!S{ZepX!T6W})(h&r6$6{b7<`*JtMr)B4ckVVO>*V?R3-JOktbjI0FPZP|Z zMi(HfGKEZ9>dRf-vPu8R!?!{8S2VT$3lZYKyAsC+-P@>a(9k+}*jhGZPo!Rih$xJ(P~SEBo_&S{P!Knj$?am z)kLz<3k3t>^@#iqk90mB8hfg2qL?y9Ag3+2)O%%-k1=6b3(TYz+QdS}i7?nu&ZWUT z<^=Ir$#{I!ej&t=cx7{l9(o`pt{eKfg3wgb@-9^t!xu?@&s&^-mBifTKZYoqTCfcXdCz{znHv`3~)H z|HcsLZ2$k3dDb$g7W>B>i(UH{6bJinfwhBff zwKA4_DW$hqdvGlzPZCF&N<{2pNC@I;XT!z@dL`Ox?m?C*oUU9wFoFmkVmw6j46zBr z6Q)L-63h|*r*4>Ml}f0eFS);y^yZ7$zb zHqD}m*VED+N9(eD0aMv6bOm%>6`obs>-6c|W!rL^+-YWD5UcjjvX9XuTTG|N(bE~s zY?*v9(-*6OzRjnLnJe#V{?3aJX?Agvu15PTtBUJ+p4JdA`<`ZhEYj&()JvVX>8kr} zgUq*&$Ghm&le6c)j~8Vzp5{hR$7Pacla2g3dtcEMEwhk}-aiJ=F|3S-BB~2>nO4qJ zi=tMUo>{>_Ob(bw(==OLMYp|}~ZU%O&d`_P}gTHgN*9KfCTKjs{T_y1=B z?XjZFXU?ZnHzcF#s_IejhNu?(BSaegQ;9GWk^uk1k^%oah-dnf`~OSb59;qIe7(zG zH`ErA0fB%(Kp-IS10x`Tomqxs=_#?)VM>uVf|g`oH}@hGqEvA7a_vM4zEG_k6lxu01ieEmm8Tuq_f>)7GzL{+DT4Awd*?=uU+9~{v|i>P=K#&uiM+@U;@A zWK-|YQww$PqViG`E+)n*2nQ(UF~QghZg6ZIY}gnM4tZiMF-|2q7KxxxOhrs%5o_3v zk+ES6age%_#E2zMb8LiCPFN!or?94oYm+#L23P`NCFhYLLOXb*@)lWU9AjR@MDXbS z?RQ9~4`Hx9Kcnkr-Cp8#YC1#Q$J_H}L;YXsiDs9O8fdgZdpw z>}>zt{eL6~-r4^p2nGNDAggE<|LeL8Y8QF!xdWR-Lj*B9e1_1Z`Gr{Bmtu7r9{Zua z-mZ$@PyB~SN&^2s#0y}X^zP@0?eU-H{Kr=OhX?)dM;SX(E7(VAc0mT0x?G2Wb{d6j zKp-Fx5C{nTa0twFmU>rKUlYf9?Bv_N|D4miGvW0K@#g#o4&VRB!u_Cr5IuRiIyo8j z5(@+-_}b0$Gkvj)EL5&=d1>;w8~XIBK07x|>qC#jGM&w*ZlWNvC?LRqlu9gw1(=sw z!P(Fl!UQZvUO+92oh06y82)^Mq_M(b<&h)A@T5Nf_p&~N);z91Is^0Q?`#}|Gv5F5 
zAiW%_aRIt2Q;4LcuH4r%+w7m*|2OE){)Gtkzb|!c$-Rln77MLohnZaKc z4r#BxuDkuJ7{OBcm#%FzyUOYr8lw^9HIDjR+4F_Fg0dOV`$VGKgH38I>Hgnpur)R2 zl)HY_XM^MD!m4A0dKhDcAS?&*f(4T;Kn>ke#l4gzVN` ze(?Rjwf#RFzkC1s- z9>CiEk8VKl|Mzk`OrxxEw%gtY==qIJx$uy+*ED8?qX(EcDL{I387Ngsb4dh?x$wg9 z*h*rg6@ZQ(w@kA*(GHyphO!?TNJz`YJ>fe4rt;(!W2awfa(sRRC68dzXajVE@y-n>o(^op5E2ZJDVs7 z4hRGU0s;YnXN7=m8LaJu|D{?6{&zpONo)J>g#RTf@W1=9f8c-jgY$EprS<=wcn6J zY-{-4@PCvC{%=1g#vT7ROM=?XoSXT-=K0?$|A*;W&6n z=@JS7fq+0jARzERL||m{EQP9mOdkK&{`^hnzm$9>7qof)M_D-kzZUPOjKl2tmy1l1 zh;8Ft5R3%h!MHdz7xT>W8cHZCSB&8>&90l53=Xp<>E*D>M<2Vo8*8l9D*K-ZL#y zZQ=xy1TbwlA*sSvk$`4t>Jlk6(avMSc$^Yo%t_n4Rq$q>(~gPk+Y4v#cWf^=0@K;g zetL>o_SUyVTU8mpNs&Rdt4TMle|Dc6KFbBi^{-S||GP5Biri^bZCIhryCba^=@v2! WZ*QOH3R;0P6aoSPfq=kwgTOxo35itz diff --git a/internal/formats/spdx22json/to_format_model.go b/internal/formats/spdx22json/to_format_model.go index 917738955..6d8e47ea6 100644 --- a/internal/formats/spdx22json/to_format_model.go +++ b/internal/formats/spdx22json/to_format_model.go @@ -11,7 +11,6 @@ import ( "github.com/anchore/syft/internal/formats/spdx22json/model" "github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/spdxlicense" - "github.com/anchore/syft/internal/version" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -34,7 +33,7 @@ func toFormatModel(s sbom.SBOM) *model.Document { Creators: []string{ // note: key-value format derived from the JSON example document examples: https://github.com/spdx/spdx-spec/blob/v2.2/examples/SPDXJSONExample-v2.2.spdx.json "Organization: Anchore, Inc", - "Tool: " + internal.ApplicationName + "-" + version.FromBuild().Version, + "Tool: " + internal.ApplicationName + "-" + s.Descriptor.Version, }, LicenseListVersion: spdxlicense.Version, }, diff --git a/internal/formats/spdx22tagvalue/encoder_test.go b/internal/formats/spdx22tagvalue/encoder_test.go index 9c3dba9e9..8d0afa7fd 100644 --- a/internal/formats/spdx22tagvalue/encoder_test.go 
+++ b/internal/formats/spdx22tagvalue/encoder_test.go @@ -53,7 +53,13 @@ func TestSPDXJSONSPDXIDs(t *testing.T) { Source: source.Metadata{ Scheme: source.DirectoryScheme, }, - Descriptor: sbom.Descriptor{}, + Descriptor: sbom.Descriptor{ + Name: "syft", + Version: "v0.42.0-bogus", + Configuration: map[string]string{ + "config-key": "config-value", + }, + }, }, true, spdxTagValueRedactor, diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden index 6e83d7d8e..ad82041e1 100644 --- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden +++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden @@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: . -DocumentNamespace: https://anchore.com/syft/dir/8fbb3714-785d-4e3e-95cf-44a258bc65b0 -LicenseListVersion: 3.16 +DocumentNamespace: https://anchore.com/syft/dir/422d92b9-57e8-44ee-8039-f75c1d19be87 +LicenseListVersion: 3.17 Creator: Organization: Anchore, Inc -Creator: Tool: syft-[not provided] -Created: 2022-05-02T15:27:05Z +Creator: Tool: syft-v0.42.0-bogus +Created: 2022-05-24T22:52:02Z ##### Package: @at-sign diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden index ba0ba4c69..83e333e4b 100644 --- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden +++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden 
@@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: /some/path -DocumentNamespace: https://anchore.com/syft/dir/some/path-d227b0f2-4ee8-4e10-ac43-019db86d16ff -LicenseListVersion: 3.16 +DocumentNamespace: https://anchore.com/syft/dir/some/path-c6b20d03-1478-4513-9feb-1ec427d4b547 +LicenseListVersion: 3.17 Creator: Organization: Anchore, Inc -Creator: Tool: syft-[not provided] -Created: 2022-04-01T15:48:44Z +Creator: Tool: syft-v0.42.0-bogus +Created: 2022-05-24T22:51:02Z ##### Package: package-2 diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden index f2e7d394f..aae5ebf53 100644 --- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden +++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden @@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: user-image-input -DocumentNamespace: https://anchore.com/syft/image/user-image-input-49f98c61-3418-4427-9e00-8b1c735e9799 -LicenseListVersion: 3.16 +DocumentNamespace: https://anchore.com/syft/image/user-image-input-12a877bc-fe9b-40ef-aa9c-4d34f108d0d6 +LicenseListVersion: 3.17 Creator: Organization: Anchore, Inc -Creator: Tool: syft-[not provided] -Created: 2022-04-01T15:48:44Z +Creator: Tool: syft-v0.42.0-bogus +Created: 2022-05-24T22:51:02Z ##### Package: package-2 
diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index c1b1d2b797ecd34a5276a1aa2fb18c5b0a58c732..3d93b6d3ad1c86098e440073bcf8cfdf5eea53e1 100644 GIT binary patch literal 15360 zcmeHOTW{Mo6wdR0g{Qs7Ht(bi?4fH4v_P>GZPo!Rih$xJ(P~SEBo_&S{P!Knj$?am z)kLz<3k3t>^@#iqk90mB8hfg2qL?y9Ag3+2)O%%-k1=6b3(TYz+QdS}i7?nu&ZWUT z<^=Ir$#{I!ej&t=cx7{l9(o`pt{eKfg3wgb@-9^t!xu?@&s&^-mBifTKZYoqTCfcXdCz{znHv`3~)H z|HcsLZ2$k3dDb$g7W>B>i(UH{6bJinfwhBff zwKA4_DW$hqdvGlzPZCF&N<{2pNC@I;XT!z@dL`Ox?m?C*oUU9wFoFmkVmw6j46zBr z6Q)L-63h|*r*4>Ml}f0eFS);y^yZ7$zb zHqD}m*VED+N9(eD0aMv6bOm%>6`obs>-6c|W!rL^+-YWD5UcjjvX9XuTTG|N(bE~s zY?*v9(-*6OzRjnLnJe#V{?3aJX?Agvu15PTtBUJ+p4JdA`<`ZhEYj&()JvVX>8kr} zgUq*&$Ghm&le6c)j~8Vzp5{hR$7Pacla2g3dtcEMEwhk}-aiJ=F|3S-BB~2>nO4qJ zi=tMUo>{>_Ob(bw(==OLMYp|}~ZU%O&d`_P}gTHgN*9KfCTKjs{T_y1=B z?XjZFXU?ZnHzcF#s_IejhNu?(BSaegQ;9GWk^uk1k^%oah-dnf`~OSb59;qIe7(zG zH`ErA0fB%(Kp-IS10x`Tomqxs=_#?)VM>uVf|g`oH}@hGqEvA7a_vM4zEG_k6lxu01ieEmm8Tuq_f>)7GzL{+DT4Awd*?=uU+9~{v|i>P=K#&uiM+@U;@A zWK-|YQww$PqViG`E+)n*2nQ(UF~QghZg6ZIY}gnM4tZiMF-|2q7KxxxOhrs%5o_3v zk+ES6age%_#E2zMb8LiCPFN!or?94oYm+#L23P`NCFhYLLOXb*@)lWU9AjR@MDXbS z?RQ9~4`Hx9Kcnkr-Cp8#YC1#Q$J_H}L;YXsiDs9O8fdgZdpw z>}>zt{eL6~-r4^p2nGNDAggE<|LeL8Y8QF!xdWR-Lj*B9e1_1Z`Gr{Bmtu7r9{Zua z-mZ$@PyB~SN&^2s#0y}X^zP@0?eU-H{Kr=OhX?)dM;SX(E7(VAc0mT0x?G2Wb{d6j zKp-Fx5C{nTa0twFmU>rKUlYf9?Bv_N|D4miGvW0K@#g#o4&VRB!u_Cr5IuRiIyo8j z5(@+-_}b0$Gkvj)EL5&=d1>;w8~XIBK07x|>qC#jGM&w*ZlWNvC?LRqlu9gw1(=sw z!P(Fl!UQZvUO+92oh06y82)^Mq_M(b<&h)A@T5Nf_p&~N);z91Is^0Q?`#}|Gv5F5 zAiW%_aRIt2Q;4LcuH4r%+w7m*|2OE){)Gtkzb|!c$-Rln77MLohnZaKc z4r#BxuDkuJ7{OBcm#%FzyUOYr8lw^9HIDjR+4F_Fg0dOV`$VGKgH38I>Hgnpur)R2 zl)HY_XM^MD!m4A0dKhDcAS?&*f(4T;Kn>ke#l4gzVN` ze(?Rjwf#RFzkC1s- z9>CiEk8VKl|Mzk`OrxxEw%gtY==qIJx$uy+*ED8?qX(EcDL{I387Ngsb4dh?x$wg9 z*h*rg6@ZQ(w@kA*(GHyphO!?TNJz`YJ>fe4rt;(!W2awfa(sRRC68dzXajVE@y-n>o(^op5E2ZJDVs7 
z4hRGU0s;YnXN7=m8LaJu|D{?6{&zpONo)J>g#RTf@W1=9f8c-jgY$EprS<=wcn6J zY-{-4@PCvC{%=1g#vT7ROM=?XoSXT-=K0?$|A*;W&6n z=@JS7fq+0jARzERL||m{EQP9mOdkK&{`^hnzm$9>7qof)M_D-kzZUPOjKl2tmy1l1 zh;8Ft5R3%h!MHdz7xT>W8cHZCSB&8>&90l53=Xp<>E*D>M<2Vo8*8l9D*K-ZL#y zZQ=xy1TbwlA*sSvk$`4t>Jlk6(avMSc$^Yo%t_n4Rq$q>(~gPk+Y4v#cWf^=0@K;g zetL>o_SUyVTU8mpNs&Rdt4TMle|Dc6KFbBi^{-S||GP5Biri^bZCIhryCba^=@v2! WZ*QOH3R;0P6aoSPfq=kwgTOxo35itz diff --git a/internal/formats/spdx22tagvalue/to_format_model.go b/internal/formats/spdx22tagvalue/to_format_model.go index 99e007af5..c67835421 100644 --- a/internal/formats/spdx22tagvalue/to_format_model.go +++ b/internal/formats/spdx22tagvalue/to_format_model.go @@ -9,7 +9,6 @@ import ( "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/formats/common/spdxhelpers" "github.com/anchore/syft/internal/spdxlicense" - "github.com/anchore/syft/internal/version" "github.com/anchore/syft/syft/pkg" "github.com/spdx/tools-golang/spdx" ) @@ -69,7 +68,7 @@ func toFormatModel(s sbom.SBOM) *spdx.Document2_2 { // Cardinality: mandatory, one or many CreatorPersons: nil, CreatorOrganizations: []string{"Anchore, Inc"}, - CreatorTools: []string{internal.ApplicationName + "-" + version.FromBuild().Version}, + CreatorTools: []string{internal.ApplicationName + "-" + s.Descriptor.Version}, // 2.9: Created: data format YYYY-MM-DDThh:mm:ssZ // Cardinality: mandatory, one