From 93d00dc3409ded9a31aa8b52b0512d96bc252f6b Mon Sep 17 00:00:00 2001
From: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Date: Fri, 17 Sep 2021 09:06:12 -0400
Subject: [PATCH] Populate Files and Relationship fields for spdx-json output
 (#507)

* update spdx22 Document model to include relationships field

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update document and relationship to match current JSON spec
https://github.com/spdx/spdx-spec/blob/development/v2.2.1/schemas/spdx-schema.json
https://github.com/spdx/spdx-spec/pull/528
https://github.com/spdx/spdx-spec/pull/528#issuecomment-904180177

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update File struct based on SPDX schema

Required fields:
[ "SPDXID", "fileName", "copyrightText", "licenseConcluded" ]
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
---
 .../packages/model/spdx22/document.go         |   2 +
 .../presenter/packages/model/spdx22/file.go   |  12 +++---
 .../packages/model/spdx22/relationship.go     |   8 ++--
 internal/presenter/packages/spdx_helpers.go   |  39 ++++++++++++++++++
 .../presenter/packages/spdx_json_presenter.go |  28 ++++++++++---
 .../TestJSONDirectoryPresenter.golden         |   5 +++
 .../snapshot/TestJSONImagePresenter.golden    |  14 +++----
 .../TestSPDXJSONDirectoryPresenter.golden     |  22 +++++++++-
 .../TestSPDXJSONImagePresenter.golden         |   4 +-
 .../snapshot/TestTextImagePresenter.golden    |   4 +-
 .../stereoscope-fixture-image-simple.golden   | Bin 15360 -> 15360 bytes
 internal/presenter/packages/utils_test.go     |   5 +++
 syft/pkg/apk_metadata.go                      |   4 +-
 syft/pkg/apk_metadata_test.go                 |   4 +-
 syft/pkg/dpkg_metadata.go                     |   4 +-
 syft/pkg/dpkg_metadata_test.go                |   4 +-
 syft/pkg/file_owner.go                        |   8 +++-
 syft/pkg/ownership_by_files_relationship.go   |   4 +-
 syft/pkg/python_package_metadata.go           |   4 +-
 syft/pkg/python_package_metadata_test.go      |   4 +-
 syft/pkg/rpmdb_metadata.go                    |   4 +-
 syft/pkg/rpmdb_metadata_test.go               |   4 +-
 22 files changed, 139 insertions(+), 48 deletions(-)

diff --git a/internal/presenter/packages/model/spdx22/document.go b/internal/presenter/packages/model/spdx22/document.go
index 995ae8f7d..1c9ab1f2a 100644
--- a/internal/presenter/packages/model/spdx22/document.go
+++ b/internal/presenter/packages/model/spdx22/document.go
@@ -40,4 +40,6 @@ type Document struct {
 	Files []File `json:"files,omitempty"`
 	// Snippets referenced in the SPDX document
 	Snippets []Snippet `json:"snippets,omitempty"`
+	// Relationships referenced in the SPDX document
+	Relationships []Relationship `json:"relationships,omitempty"`
 }
diff --git a/internal/presenter/packages/model/spdx22/file.go b/internal/presenter/packages/model/spdx22/file.go
index 913642493..eefe05472 100644
--- a/internal/presenter/packages/model/spdx22/file.go
+++ b/internal/presenter/packages/model/spdx22/file.go
@@ -20,22 +20,22 @@ type File struct {
 	Item
 	// (At least one is required.) The checksum property provides a mechanism that can be used to verify that the
 	// contents of a File or Package have not changed.
-	Checksums []Checksum `json:"checksums"`
+	Checksums []Checksum `json:"checksums,omitempty"`
 	// This field provides a place for the SPDX file creator to record file contributors. Contributors could include
 	// names of copyright holders and/or authors who may not be copyright holders yet contributed to the file content.
-	FileContributors []string `json:"fileContributors"`
+	FileContributors []string `json:"fileContributors,omitempty"`
 	// Each element is a SPDX ID for a File.
-	FileDependencies []string `json:"fileDependencies"`
+	FileDependencies []string `json:"fileDependencies,omitempty"`
 	// The name of the file relative to the root of the package.
 	FileName string `json:"fileName"`
 	// The type of the file
-	FileTypes []string `json:"fileTypes"`
+	FileTypes []string `json:"fileTypes,omitempty"`
 	// This field provides a place for the SPDX file creator to record potential legal notices found in the file.
 	// This may or may not include copyright statements.
 	NoticeText string `json:"noticeText,omitempty"`
 	// Indicates the project in which the SpdxElement originated. Tools must preserve doap:homepage and doap:name
 	// properties and the URI (if one is known) of doap:Project resources that are values of this property. All other
 	// properties of doap:Projects are not directly supported by SPDX and may be dropped when translating to or
-	// from some SPDX formats.
-	ArtifactOf []string `json:"artifactOf"`
+	// from some SPDX formats(deprecated).
+	ArtifactOf []string `json:"artifactOf,omitempty"`
 }
diff --git a/internal/presenter/packages/model/spdx22/relationship.go b/internal/presenter/packages/model/spdx22/relationship.go
index c1f52204f..ca99a879e 100644
--- a/internal/presenter/packages/model/spdx22/relationship.go
+++ b/internal/presenter/packages/model/spdx22/relationship.go
@@ -1,11 +1,13 @@
 package spdx22
 
 type Relationship struct {
-	// SPDX ID for SpdxElement. A related SpdxElement.
-	RelatedSpdxElement string `json:"relatedSpdxElement"`
+	// Id to which the SPDX element is related
+	SpdxElementID string `json:"spdxElementId"`
 	// Describes the type of relationship between two SPDX elements.
 	RelationshipType RelationshipType `json:"relationshipType"`
-	Comment          string           `json:"comment,omitempty"`
+	// SPDX ID for SpdxElement.  A related SpdxElement.
+	RelatedSpdxElement string `json:"relatedSpdxElement"`
+	Comment            string `json:"comment,omitempty"`
 }
 
 // source: https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/
diff --git a/internal/presenter/packages/spdx_helpers.go b/internal/presenter/packages/spdx_helpers.go
index a847a2430..c175e0da9 100644
--- a/internal/presenter/packages/spdx_helpers.go
+++ b/internal/presenter/packages/spdx_helpers.go
@@ -1,7 +1,9 @@
 package packages
 
 import (
+	"crypto/sha256"
 	"fmt"
+	"path/filepath"
 	"strings"
 
 	"github.com/anchore/syft/internal/presenter/packages/model/spdx22"
@@ -29,6 +31,43 @@ func getSPDXExternalRefs(p *pkg.Package) (externalRefs []spdx22.ExternalRef) {
 	return externalRefs
 }
 
+func getSPDXFiles(packageSpdxID string, p *pkg.Package) (files []spdx22.File, fileIDs []string, relationships []spdx22.Relationship) {
+	files = make([]spdx22.File, 0)
+	fileIDs = make([]string, 0)
+	relationships = make([]spdx22.Relationship, 0)
+
+	pkgFileOwner, ok := p.Metadata.(pkg.FileOwner)
+	if !ok {
+		return files, fileIDs, relationships
+	}
+
+	for _, ownedFilePath := range pkgFileOwner.OwnedFiles() {
+		baseFileName := filepath.Base(ownedFilePath)
+		pathHash := sha256.Sum256([]byte(ownedFilePath))
+		fileSpdxID := spdx22.ElementID(fmt.Sprintf("File-%s-%x", p.Name, pathHash)).String()
+
+		fileIDs = append(fileIDs, fileSpdxID)
+
+		files = append(files, spdx22.File{
+			FileName: ownedFilePath,
+			Item: spdx22.Item{
+				Element: spdx22.Element{
+					SPDXID: fileSpdxID,
+					Name:   baseFileName,
+				},
+			},
+		})
+
+		relationships = append(relationships, spdx22.Relationship{
+			SpdxElementID:      packageSpdxID,
+			RelationshipType:   spdx22.ContainsRelationship,
+			RelatedSpdxElement: fileSpdxID,
+		})
+	}
+
+	return files, fileIDs, relationships
+}
+
 func getSPDXLicense(p *pkg.Package) string {
 	// source: https://spdx.github.io/spdx-spec/3-package-information/#313-concluded-license
 	// The options to populate this field are limited to:
diff --git a/internal/presenter/packages/spdx_json_presenter.go b/internal/presenter/packages/spdx_json_presenter.go
index da90c3626..0e34f4d9c 100644
--- a/internal/presenter/packages/spdx_json_presenter.go
+++ b/internal/presenter/packages/spdx_json_presenter.go
@@ -39,6 +39,7 @@ func (pres *SPDXJsonPresenter) Present(output io.Writer) error {
 	return enc.Encode(&doc)
 }
 
+// newSPDXJsonDocument creates and populates a new JSON document struct that follows the SPDX 2.2 spec from the given cataloging results.
 func newSPDXJsonDocument(catalog *pkg.Catalog, srcMetadata source.Metadata) spdx22.Document {
 	var name string
 	switch srcMetadata.Scheme {
@@ -48,6 +49,8 @@ func newSPDXJsonDocument(catalog *pkg.Catalog, srcMetadata source.Metadata) spdx
 		name = srcMetadata.Path
 	}
 
+	packages, files, relationships := newSPDXJsonElements(catalog)
+
 	return spdx22.Document{
 		Element: spdx22.Element{
 			SPDXID: spdx22.ElementID("DOCUMENT").String(),
@@ -65,22 +68,34 @@ func newSPDXJsonDocument(catalog *pkg.Catalog, srcMetadata source.Metadata) spdx
 		},
 		DataLicense:       "CC0-1.0",
 		DocumentNamespace: fmt.Sprintf("https://anchore.com/syft/image/%s", srcMetadata.ImageMetadata.UserInput),
-		Packages:          newSPDXJsonPackages(catalog),
+		Packages:          packages,
+		Files:             files,
+		Relationships:     relationships,
 	}
 }
 
-func newSPDXJsonPackages(catalog *pkg.Catalog) []spdx22.Package {
-	results := make([]spdx22.Package, 0)
+func newSPDXJsonElements(catalog *pkg.Catalog) ([]spdx22.Package, []spdx22.File, []spdx22.Relationship) {
+	packages := make([]spdx22.Package, 0)
+	relationships := make([]spdx22.Relationship, 0)
+	files := make([]spdx22.File, 0)
+
 	for _, p := range catalog.Sorted() {
 		license := getSPDXLicense(p)
+		packageSpdxID := spdx22.ElementID(fmt.Sprintf("Package-%+v-%s-%s", p.Type, p.Name, p.Version)).String()
+
+		packageFiles, fileIDs, packageFileRelationships := getSPDXFiles(packageSpdxID, p)
+		files = append(files, packageFiles...)
+
+		relationships = append(relationships, packageFileRelationships...)
 
 		// note: the license concluded and declared should be the same since we are collecting license information
 		// from the project data itself (the installed package files).
-		results = append(results, spdx22.Package{
+		packages = append(packages, spdx22.Package{
 			Description:      getSPDXDescription(p),
 			DownloadLocation: getSPDXDownloadLocation(p),
 			ExternalRefs:     getSPDXExternalRefs(p),
 			FilesAnalyzed:    false,
+			HasFiles:         fileIDs,
 			Homepage:         getSPDXHomepage(p),
 			LicenseDeclared:  license, // The Declared License is what the authors of a project believe govern the package
 			Originator:       getSPDXOriginator(p),
@@ -89,11 +104,12 @@ func newSPDXJsonPackages(catalog *pkg.Catalog) []spdx22.Package {
 			Item: spdx22.Item{
 				LicenseConcluded: license, // The Concluded License field is the license the SPDX file creator believes governs the package
 				Element: spdx22.Element{
-					SPDXID: spdx22.ElementID(fmt.Sprintf("Package-%+v-%s-%s", p.Type, p.Name, p.Version)).String(),
+					SPDXID: packageSpdxID,
 					Name:   p.Name,
 				},
 			},
 		})
 	}
-	return results
+
+	return packages, files, relationships
 }
diff --git a/internal/presenter/packages/test-fixtures/snapshot/TestJSONDirectoryPresenter.golden b/internal/presenter/packages/test-fixtures/snapshot/TestJSONDirectoryPresenter.golden
index 5a58549c9..2abdef222 100644
--- a/internal/presenter/packages/test-fixtures/snapshot/TestJSONDirectoryPresenter.golden
+++ b/internal/presenter/packages/test-fixtures/snapshot/TestJSONDirectoryPresenter.golden
@@ -27,6 +27,11 @@
     "author": "",
     "authorEmail": "",
     "platform": "",
+    "files": [
+     {
+      "path": "/some/path/pkg1/depedencies/foo"
+     }
+    ],
     "sitePackagesRootPath": ""
    }
   },
diff --git a/internal/presenter/packages/test-fixtures/snapshot/TestJSONImagePresenter.golden b/internal/presenter/packages/test-fixtures/snapshot/TestJSONImagePresenter.golden
index 092d50b3e..abcda45b5 100644
--- a/internal/presenter/packages/test-fixtures/snapshot/TestJSONImagePresenter.golden
+++ b/internal/presenter/packages/test-fixtures/snapshot/TestJSONImagePresenter.golden
@@ -9,7 +9,7 @@
    "locations": [
     {
      "path": "/somefile-1.txt",
-     "layerID": "sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59"
+     "layerID": "sha256:ffb5e9eaa453a002110719d12c294960117ca2903953d1faa40f01dc3f77045c"
     }
    ],
    "licenses": [
@@ -40,7 +40,7 @@
    "locations": [
     {
      "path": "/somefile-2.txt",
-     "layerID": "sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec"
+     "layerID": "sha256:8463854829fc53d47b9dcdf7ee79fe7eb4ca7933c910f67f8521412f7a2f5c21"
     }
    ],
    "licenses": [],
@@ -67,7 +67,7 @@
   "type": "image",
   "target": {
    "userInput": "user-image-input",
-   "imageID": "sha256:5900c94a5bc1e083aa24ad1a223bf6eb9910dc8a6b01cb979ec306cb91709ea1",
+   "imageID": "sha256:112851310e48e604f7379e2a3acddab50e91ce926edacb598a532e60ff6b776a",
    "manifestDigest": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368",
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "tags": [
@@ -77,17 +77,17 @@
    "layers": [
     {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-     "digest": "sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59",
+     "digest": "sha256:ffb5e9eaa453a002110719d12c294960117ca2903953d1faa40f01dc3f77045c",
      "size": 22
     },
     {
      "mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
-     "digest": "sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec",
+     "digest": "sha256:8463854829fc53d47b9dcdf7ee79fe7eb4ca7933c910f67f8521412f7a2f5c21",
      "size": 16
     }
    ],
-   "manifest": "eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjo2NjUsImRpZ2VzdCI6InNoYTI1Njo1OTAwYzk0YTViYzFlMDgzYWEyNGFkMWEyMjNiZjZlYjk5MTBkYzhhNmIwMWNiOTc5ZWMzMDZjYjkxNzA5ZWExIn0sImxheWVycyI6W3sibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjIwNDgsImRpZ2VzdCI6InNoYTI1NjpmYjZiZWVjYjc1YjM5ZjRiYjgxM2RiZjE3N2U1MDFlZGQ1ZGRiM2U2OWJiNDVjZWRlYjc4YzY3NmVlMWI3YTU5In0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MjA0OCwiZGlnZXN0Ijoic2hhMjU2OjMxOWI1ODhjZTY0MjUzYTg3YjUzM2M4ZWQwMWNmMDAyNWUwZWFjOThlN2I1MTZlMTI1MzI5NTdlMTI0NGZkZWMifV19",
-   "config": "eyJhcmNoaXRlY3R1cmUiOiJhbWQ2NCIsImNvbmZpZyI6eyJFbnYiOlsiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iXSwiV29ya2luZ0RpciI6Ii8iLCJPbkJ1aWxkIjpudWxsfSwiY3JlYXRlZCI6IjIwMjEtMDQtMDZUMTk6MTM6NTIuNTI0Mzc4WiIsImhpc3RvcnkiOlt7ImNyZWF0ZWQiOiIyMDIxLTA0LTA2VDE5OjEzOjUyLjQ1ODIwNjFaIiwiY3JlYXRlZF9ieSI6IkFERCBmaWxlLTEudHh0IC9zb21lZmlsZS0xLnR4dCAjIGJ1aWxka2l0IiwiY29tbWVudCI6ImJ1aWxka2l0LmRvY2tlcmZpbGUudjAifSx7ImNyZWF0ZWQiOiIyMDIxLTA0LTA2VDE5OjEzOjUyLjUyNDM3OFoiLCJjcmVhdGVkX2J5IjoiQUREIGZpbGUtMi50eHQgL3NvbWVmaWxlLTIudHh0ICMgYnVpbGRraXQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCJ9XSwib3MiOiJsaW51eCIsInJvb3RmcyI6eyJ0eXBlIjoibGF5ZXJzIiwiZGlmZl9pZHMiOlsic2hhMjU2OmZiNmJlZWNiNzViMzlmNGJiODEzZGJmMTc3ZTUwMWVkZDVkZGIzZTY5YmI0NWNlZGViNzhjNjc2ZWUxYjdhNTkiLCJzaGEyNTY6MzE5YjU4OGNlNjQyNTNhODdiNTMzYzhlZDAxY2YwMDI1ZTBlYWM5OGU3YjUxNmUxMjUzMjk1N2UxMjQ0ZmRlYyJdfX0=",
+   "manifest": "eyJzY2hlbWFWZXJzaW9uIjoyLCJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmRpc3RyaWJ1dGlvbi5tYW5pZmVzdC52Mitqc29uIiwiY29uZmlnIjp7Im1lZGlhVHlwZSI6ImFwcGxpY2F0aW9uL3ZuZC5kb2NrZXIuY29udGFpbmVyLmltYWdlLnYxK2pzb24iLCJzaXplIjo2NzMsImRpZ2VzdCI6InNoYTI1NjoxMTI4NTEzMTBlNDhlNjA0ZjczNzllMmEzYWNkZGFiNTBlOTFjZTkyNmVkYWNiNTk4YTUzMmU2MGZmNmI3NzZhIn0sImxheWVycyI6W3sibWVkaWFUeXBlIjoiYXBwbGljYXRpb24vdm5kLmRvY2tlci5pbWFnZS5yb290ZnMuZGlmZi50YXIuZ3ppcCIsInNpemUiOjIwNDgsImRpZ2VzdCI6InNoYTI1NjpmZmI1ZTllYWE0NTNhMDAyMTEwNzE5ZDEyYzI5NDk2MDExN2NhMjkwMzk1M2QxZmFhNDBmMDFkYzNmNzcwNDVjIn0seyJtZWRpYVR5cGUiOiJhcHBsaWNhdGlvbi92bmQuZG9ja2VyLmltYWdlLnJvb3Rmcy5kaWZmLnRhci5nemlwIiwic2l6ZSI6MjA0OCwiZGlnZXN0Ijoic2hhMjU2Ojg0NjM4NTQ4MjlmYzUzZDQ3YjlkY2RmN2VlNzlmZTdlYjRjYTc5MzNjOTEwZjY3Zjg1MjE0MTJmN2EyZjVjMjEifV19",
+   "config": "eyJhcmNoaXRlY3R1cmUiOiJhbWQ2NCIsImNvbmZpZyI6eyJFbnYiOlsiUEFUSD0vdXNyL2xvY2FsL3NiaW46L3Vzci9sb2NhbC9iaW46L3Vzci9zYmluOi91c3IvYmluOi9zYmluOi9iaW4iXSwiV29ya2luZ0RpciI6Ii8iLCJPbkJ1aWxkIjpudWxsfSwiY3JlYXRlZCI6IjIwMjEtMDktMDhUMTc6MjE6NTguODk2NTI5MTkyWiIsImhpc3RvcnkiOlt7ImNyZWF0ZWQiOiIyMDIxLTA5LTA4VDE3OjIxOjU4Ljg3OTY5MDgyNFoiLCJjcmVhdGVkX2J5IjoiQUREIGZpbGUtMS50eHQgL3NvbWVmaWxlLTEudHh0ICMgYnVpbGRraXQiLCJjb21tZW50IjoiYnVpbGRraXQuZG9ja2VyZmlsZS52MCJ9LHsiY3JlYXRlZCI6IjIwMjEtMDktMDhUMTc6MjE6NTguODk2NTI5MTkyWiIsImNyZWF0ZWRfYnkiOiJBREQgZmlsZS0yLnR4dCAvc29tZWZpbGUtMi50eHQgIyBidWlsZGtpdCIsImNvbW1lbnQiOiJidWlsZGtpdC5kb2NrZXJmaWxlLnYwIn1dLCJvcyI6ImxpbnV4Iiwicm9vdGZzIjp7InR5cGUiOiJsYXllcnMiLCJkaWZmX2lkcyI6WyJzaGEyNTY6ZmZiNWU5ZWFhNDUzYTAwMjExMDcxOWQxMmMyOTQ5NjAxMTdjYTI5MDM5NTNkMWZhYTQwZjAxZGMzZjc3MDQ1YyIsInNoYTI1Njo4NDYzODU0ODI5ZmM1M2Q0N2I5ZGNkZjdlZTc5ZmU3ZWI0Y2E3OTMzYzkxMGY2N2Y4NTIxNDEyZjdhMmY1YzIxIl19fQ==",
    "repoDigests": [],
    "scope": "Squashed"
   }
diff --git a/internal/presenter/packages/test-fixtures/snapshot/TestSPDXJSONDirectoryPresenter.golden b/internal/presenter/packages/test-fixtures/snapshot/TestSPDXJSONDirectoryPresenter.golden
index 169f9bd8c..249517449 100644
--- a/internal/presenter/packages/test-fixtures/snapshot/TestSPDXJSONDirectoryPresenter.golden
+++ b/internal/presenter/packages/test-fixtures/snapshot/TestSPDXJSONDirectoryPresenter.golden
@@ -3,12 +3,12 @@
  "name": "/some/path",
  "spdxVersion": "SPDX-2.2",
  "creationInfo": {
-  "created": "2021-06-23T17:48:32.734847Z",
+  "created": "2021-09-16T20:44:35.198887Z",
   "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-[not provided]"
   ],
-  "licenseListVersion": "3.13"
+  "licenseListVersion": "3.14"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://anchore.com/syft/image/",
@@ -31,6 +31,9 @@
     }
    ],
    "filesAnalyzed": false,
+   "hasFiles": [
+    "SPDXRef-File-package-1-04cd22424378dcd6c77fce08beb52493b5494a60ea5e1f9bdf9b16dc0cacffe9"
+   ],
    "licenseDeclared": "MIT",
    "sourceInfo": "acquired package info from installed python package manifest file: /some/path/pkg1",
    "versionInfo": "1.0.1"
@@ -57,5 +60,20 @@
    "sourceInfo": "acquired package info from DPKG DB: /some/path/pkg1",
    "versionInfo": "2.0.1"
   }
+ ],
+ "files": [
+  {
+   "SPDXID": "SPDXRef-File-package-1-04cd22424378dcd6c77fce08beb52493b5494a60ea5e1f9bdf9b16dc0cacffe9",
+   "name": "foo",
+   "licenseConcluded": "",
+   "fileName": "/some/path/pkg1/depedencies/foo"
+  }
+ ],
+ "relationships": [
+  {
+   "spdxElementId": "SPDXRef-Package-python-package-1-1.0.1",
+   "relationshipType": "CONTAINS",
+   "relatedSpdxElement": "SPDXRef-File-package-1-04cd22424378dcd6c77fce08beb52493b5494a60ea5e1f9bdf9b16dc0cacffe9"
+  }
  ]
 }
diff --git a/internal/presenter/packages/test-fixtures/snapshot/TestSPDXJSONImagePresenter.golden b/internal/presenter/packages/test-fixtures/snapshot/TestSPDXJSONImagePresenter.golden
index f9dc50d19..8906ef161 100644
--- a/internal/presenter/packages/test-fixtures/snapshot/TestSPDXJSONImagePresenter.golden
+++ b/internal/presenter/packages/test-fixtures/snapshot/TestSPDXJSONImagePresenter.golden
@@ -3,12 +3,12 @@
  "name": "user-image-input",
  "spdxVersion": "SPDX-2.2",
  "creationInfo": {
-  "created": "2021-06-23T17:48:32.7379Z",
+  "created": "2021-09-16T20:44:35.203911Z",
   "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-[not provided]"
   ],
-  "licenseListVersion": "3.13"
+  "licenseListVersion": "3.14"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://anchore.com/syft/image/user-image-input",
diff --git a/internal/presenter/packages/test-fixtures/snapshot/TestTextImagePresenter.golden b/internal/presenter/packages/test-fixtures/snapshot/TestTextImagePresenter.golden
index 4ab3a446e..eb23e8bca 100644
--- a/internal/presenter/packages/test-fixtures/snapshot/TestTextImagePresenter.golden
+++ b/internal/presenter/packages/test-fixtures/snapshot/TestTextImagePresenter.golden
@@ -1,11 +1,11 @@
 [Image]
  Layer:		 0
- Digest:	 sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59
+ Digest:	 sha256:ffb5e9eaa453a002110719d12c294960117ca2903953d1faa40f01dc3f77045c
  Size:		 22
  MediaType:	 application/vnd.docker.image.rootfs.diff.tar.gzip
 
  Layer:		 1
- Digest:	 sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec
+ Digest:	 sha256:8463854829fc53d47b9dcdf7ee79fe7eb4ca7933c910f67f8521412f7a2f5c21
  Size:		 16
  MediaType:	 application/vnd.docker.image.rootfs.diff.tar.gzip
 
diff --git a/internal/presenter/packages/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/internal/presenter/packages/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
index a5985f95c4f36dfec9b67737ea614680187f8ae7..249e2544c8e3eceb179648aed525d18d1cadff14 100644
GIT binary patch
literal 15360
zcmeHOZExE)5ccQ&3Xl65+a$#o(ZD`rO@J0CmZHr%U_}s66q#tTB}0;n1cv|nPO=-n
zbcy50c2k5#fS4lhc)sJE?jD^8p&=&$!Ip(qVCG~Xm8Ck+CXRK)u~o!aMTL#EiMR?i
z4=5~jPDD})-Tk-7($?c2OfVLVweak-{-01rT7(fIh{Q~Y7N&$?)@tL&+3sd`T$DNo
zk(zQ_|8Y(E9f*E{bZ)Mb(wcIdThvE-7z>7ukjYY)T%rC1ou*$={|owXeE#<L-nhtn
zgUskbuZWVgzcjudE+*<rvmty%7f0ytEWb(8tCJ*$t$MJ{S^CE~8N{fcjt7G&Y@1tM
zS{Ne=$Do5%2Z!fG_9^M}up27DsUnL01EkkUQD*ra$TrzTCY4Y)q^u&F?{FCbB|1Ji
zX}e@#JEU9QmhE1V4eiqSw{}!XcaxO0MutP1mO%CGVmHprjm;~9?pKVaM;irMmjC|+
zp=*N7##;&kn$8LkbdaRuTM#|ZveLnY2`cYKm6Zqj&gKQo#EEm4NepveP;sp(7k%d<
zZk5%V@j&C+86{CMp@u4^1SUipO%)Cl4`SkA9d?++CU6q`mmA<Z=M*v#gq(#`IRk5%
zj8tr5C#{vrS!p9?v{XT06v0kN7jg=5fI6wE<AxG+F`XXB4_@mwJPHjBtktn4l81qa
zA-F3?jSNC%7+9Ih80@22gmHu;#+kAqqb$^>n(sY9aTqf!IbV<a-^NwsT#NtJscW_Q
z6L>dX^2+0XWBY$T{rKtK*`JTuVZ;3&%pa`TpI|Qi{r@qY?rM&78)rVd62<fR0UBuR
z|IPD%EFjpg=Koj{i2nyUnXf$lPf$`N+f9!_l^)+`?nFu4!H~R@bBz1-U!8boX{nRc
z=9i1w;%!!xsUB7-DX=)nhOl5U{;RN6od7e(WvR{er!s~zqVM#euuIpnF(l>d7i|ut
z^NZ&t<ofgPXCs@g@~KB>sR1G8YwC)pDoBpdo8i1RIYRG-`f4ud=WH+@T1c8_i&m-{
zkoGh!^Se=&RK>z<#Y&lTgx>4O4(8-g^epA-ht7AK8opOo65XnXe(<y5{?ES8|A+{D
z{r{jocR8_I@a~fHg4YK7L$WXG_|Jt57zg|ZDoo+y|3ZO#{8j>rQX?SkYhAP<FqZ&v
z6noszv-TSB8t@wM8h8;Ja3l;3QH+={HkNPzY(>Okz+;UKA|{zos=|Q<i2$6%gp!zR
zKn9I)9EVEp1^<KFKjR+%JH!ELZ2!IBe^>$}=<ELj8~~619YD!1c#FpV-yHuVoPPKG
zhx_{fFo$N2|1~`Z0D6sdK6^Ue6jB0S3oLPC7eH0AdQ`E-D%ViOp8{pwQD4dSFm2U*
zvMo;gK&#9Tgl`)MiKdRfC;XQQ?DN0I#(e^Vd;GWVGkOBSGnQ<|e`ojqW&D?W{Qnu6
z-kzjxcBA*e@2}f)@DyGHUIShOUIRa)28KFKoGr?y^zlFU_ieiWa~`bpf>zIe3HABk
zbM?Iq9rVt>nRoglvWs^?psf06N7=c)n)Q^IHn&+}vXSk$<hFXrpp#UMG@T+Djs~_L
zax8@51czZ1$5g@_DDZs2DrKQ<SV3Dj%tFhtq|O<|xx~`M!jjNoOR3>e^;W_ASvNbh
zus6jX7Uc~5j@{Kp(8zxA%Qj{?*xDRyRV45pMPm2%)PIxz(?xH1-3t!>FNF91gPeg0
kDmHj%_0~vZC+#<OCN!PCOb<GUnfxYR16~7O13TBie_=_5tpET3

literal 15360
zcmeHOZExE)5ccQ&icI?&+kB^JU>~}sKno1Z&}JR5qA2)sO0?RNA<0F9Apd<Q+l^yy
zjg!iD)0IvDiz0bEKgXAQPA6#y@kUtbJOz?+YniZtTE@7`6gXoj2|l&T5$c`M20SMU
zuc#&lEFJt^mqqXH521u8A$nx-+5D!A(;gLsbBce8^a!Jrirx{qTkLLXXLVyMRH>`9
z%^%lQ-hujGCARVxc>}(gRgjDlI|)i8$B8eCEI&_1SIM*DLo#}k{Ql(Z`Om{yT@A;j
zx8q^$@?vzWd{bOi%x^7<c$vICPW~*b_jz%Cl2<s?5QjM}ewpRtkc^7iczlh+R$v>z
za>8&L^oi&bbw<sI@{wc%$pqKwU)b*=ubZ;EM8&SQ^bs;;MA5d>QusTE{gNjqCr4R6
zhCUrMADg3LT~6Ru`KKe-D)v5a=3q=FP&C-<)6GFB{d=g|4ucOQxjx>e#!B`7)`D$l
zu_!-K3q-iAQOj{&%s!&tRarI}-ndGd%V}%fvAu+<#+s04*}FVo-J7JouuQ5^=9B~Q
zPD{s4CY(zt4=$rxgCrC}kRdn@$~Y&ahX78eUTFnDowm}T)TJa&jgx8WK?x?gO|_Gp
z`xFB1AsHb|0s-qy3RpoEP;A7E)OaC87QiQOudfd@|G)QP6v?D@R@>Bhow*=@8lzJu
zm~&_f<ub{@;$F`c<J>|pAS^IE2OP7I(&0S-Bt#G`<>tQssod_I8~Z;|68C?3580iY
zeCPXrXZyc?_VU$>)8Fp0!<O?O&CfUNPc>!n{J#s+UDeS+XU}I>szf<o0fElze+T}*
zq;hlpOQGZXKg4vnO7hm(?m7+7_nX>k=_2c(Df-+TeL&--02y4clq#jUB!Z<}1YvpV
zBthCK09`-sm}aTbp1HtK)_qw3l9a~g1yt`=bme(jH-(+F-Y!ZyDJR%qRsN%fmU>{#
zlcur$;#CunnT#?!uHn|ba)!?S=1r)u>+<GVgB)UceL96=UCz98T6k1q*=A0nT8?v^
zJe@4*&T;Z$V$YX~zAneJ37|i|XtYL@P}^rkQ(aEWyd@!v7HiDuIQi8&7%#iGJnDwN
zJz_j|L@FN+Xv;hwis)x}@-4pgEpnEw3x7Cgl!G>g^4ZT8|4;ne|7SwQ{r|Ig?y}-0
z>M@Tu>{9Yd))xC?Kw!@Qn4%a7pt?sW)jZmN1>hd9<`FM;)E=aGde=Yhai}OdA`lUX
z2t))P5dy9wS=&qemulIb|1ti%|B2Gs{(Fi45~*d3|LouTy<Uv}9s=dZJ4WaA-#z|I
z6x+=Iz$jtle+QW~%lL2CX@K#xRm_$eP5K0rH|QB5qxt_l`yvKwKgDi0g0){UhS=5c
z`-%TiF5~mxgRK9X_}@GWYCl76kN>Im`QKXn57Px>{@;Ggu_m>_M7ntz+|h-tZ^D3U
zO=2M;5D|z7L<Iha2uy5|XHYly$>aahpTF(=my)mLg0|29V*cNkqW!Rbm_Gk>nJSXV
zUAzl|Oz<U4%QJhv$SrT6g0lAI6#7~Iv3<#)pSM{r{W_ma$1qAIQOZk7($s~(w8$_Q
z*?=*CX~TwO3TuS{&9clJDK*hPV9I!!5n#+q*S=No>msWiQ`vV%XYhCIE;j-b+TZ^0
zFvA?Eb%nO7b9|K|hk9Q_Zd?Csl^Z_K1;_QTROEmAGRK<StEAqtLff}TIxo^4WEfsw
VKh71j24^fp1R??vfo}$Ze*hf-k0}5E

diff --git a/internal/presenter/packages/utils_test.go b/internal/presenter/packages/utils_test.go
index c23d4caf8..9c6a88242 100644
--- a/internal/presenter/packages/utils_test.go
+++ b/internal/presenter/packages/utils_test.go
@@ -158,6 +158,11 @@ func presenterDirectoryInput(t testing.TB) (*pkg.Catalog, source.Metadata, *dist
 		Metadata: pkg.PythonPackageMetadata{
 			Name:    "package-1",
 			Version: "1.0.1",
+			Files: []pkg.PythonFileRecord{
+				{
+					Path: "/some/path/pkg1/depedencies/foo",
+				},
+			},
 		},
 		PURL: "a-purl-2",
 		CPEs: []pkg.CPE{
diff --git a/syft/pkg/apk_metadata.go b/syft/pkg/apk_metadata.go
index 84b148645..0578f3061 100644
--- a/syft/pkg/apk_metadata.go
+++ b/syft/pkg/apk_metadata.go
@@ -11,7 +11,7 @@ import (
 
 const ApkDbGlob = "**/lib/apk/db/installed"
 
-var _ fileOwner = (*ApkMetadata)(nil)
+var _ FileOwner = (*ApkMetadata)(nil)
 
 // ApkMetadata represents all captured data for a Alpine DB package entry.
 // See the following sources for more information:
@@ -63,7 +63,7 @@ func (m ApkMetadata) PackageURL() string {
 	return pURL.ToString()
 }
 
-func (m ApkMetadata) ownedFiles() (result []string) {
+func (m ApkMetadata) OwnedFiles() (result []string) {
 	s := strset.New()
 	for _, f := range m.Files {
 		if f.Path != "" {
diff --git a/syft/pkg/apk_metadata_test.go b/syft/pkg/apk_metadata_test.go
index ef58401a7..791d28cfd 100644
--- a/syft/pkg/apk_metadata_test.go
+++ b/syft/pkg/apk_metadata_test.go
@@ -73,7 +73,7 @@ func TestApkMetadata_pURL(t *testing.T) {
 	}
 }
 
-func TestApkMetadata_fileOwner(t *testing.T) {
+func TestApkMetadata_FileOwner(t *testing.T) {
 	tests := []struct {
 		metadata ApkMetadata
 		expected []string
@@ -107,7 +107,7 @@ func TestApkMetadata_fileOwner(t *testing.T) {
 		t.Run(strings.Join(test.expected, ","), func(t *testing.T) {
 			var i interface{}
 			i = test.metadata
-			actual := i.(fileOwner).ownedFiles()
+			actual := i.(FileOwner).OwnedFiles()
 			for _, d := range deep.Equal(test.expected, actual) {
 				t.Errorf("diff: %+v", d)
 			}
diff --git a/syft/pkg/dpkg_metadata.go b/syft/pkg/dpkg_metadata.go
index 8f2245c55..b17bc385a 100644
--- a/syft/pkg/dpkg_metadata.go
+++ b/syft/pkg/dpkg_metadata.go
@@ -12,7 +12,7 @@ import (
 
 const DpkgDbGlob = "**/var/lib/dpkg/{status,status.d/**}"
 
-var _ fileOwner = (*DpkgMetadata)(nil)
+var _ FileOwner = (*DpkgMetadata)(nil)
 
 // DpkgMetadata represents all captured data for a Debian package DB entry; available fields are described
 // at http://manpages.ubuntu.com/manpages/xenial/man1/dpkg-query.1.html in the --showformat section.
@@ -55,7 +55,7 @@ func (m DpkgMetadata) PackageURL(d *distro.Distro) string {
 	return pURL.ToString()
 }
 
-func (m DpkgMetadata) ownedFiles() (result []string) {
+func (m DpkgMetadata) OwnedFiles() (result []string) {
 	s := strset.New()
 	for _, f := range m.Files {
 		if f.Path != "" {
diff --git a/syft/pkg/dpkg_metadata_test.go b/syft/pkg/dpkg_metadata_test.go
index 81a0cb665..36fa1a256 100644
--- a/syft/pkg/dpkg_metadata_test.go
+++ b/syft/pkg/dpkg_metadata_test.go
@@ -54,7 +54,7 @@ func TestDpkgMetadata_pURL(t *testing.T) {
 	}
 }
 
-func TestDpkgMetadata_fileOwner(t *testing.T) {
+func TestDpkgMetadata_FileOwner(t *testing.T) {
 	tests := []struct {
 		metadata DpkgMetadata
 		expected []string
@@ -88,7 +88,7 @@ func TestDpkgMetadata_fileOwner(t *testing.T) {
 		t.Run(strings.Join(test.expected, ","), func(t *testing.T) {
 			var i interface{}
 			i = test.metadata
-			actual := i.(fileOwner).ownedFiles()
+			actual := i.(FileOwner).OwnedFiles()
 			for _, d := range deep.Equal(test.expected, actual) {
 				t.Errorf("diff: %+v", d)
 			}
diff --git a/syft/pkg/file_owner.go b/syft/pkg/file_owner.go
index 24520c304..1e13cf614 100644
--- a/syft/pkg/file_owner.go
+++ b/syft/pkg/file_owner.go
@@ -1,5 +1,9 @@
 package pkg
 
-type fileOwner interface {
-	ownedFiles() []string
+// FileOwner is the interface that wraps OwnedFiles method.
+//
+// OwnedFiles returns a list of files that a piece of
+// package Metadata indicates are owned by the package.
+type FileOwner interface {
+	OwnedFiles() []string
 }
diff --git a/syft/pkg/ownership_by_files_relationship.go b/syft/pkg/ownership_by_files_relationship.go
index f235557a4..4e2b4d314 100644
--- a/syft/pkg/ownership_by_files_relationship.go
+++ b/syft/pkg/ownership_by_files_relationship.go
@@ -55,11 +55,11 @@ func findOwnershipByFilesRelationships(catalog *Catalog) map[ID]map[ID]*strset.S
 		}
 
 		// check to see if this is a file owner
-		pkgFileOwner, ok := candidateOwnerPkg.Metadata.(fileOwner)
+		pkgFileOwner, ok := candidateOwnerPkg.Metadata.(FileOwner)
 		if !ok {
 			continue
 		}
-		for _, ownedFilePath := range pkgFileOwner.ownedFiles() {
+		for _, ownedFilePath := range pkgFileOwner.OwnedFiles() {
 			if matchesAny(ownedFilePath, globsForbiddenFromBeingOwned) {
 				// we skip over known exceptions to file ownership, such as the RPM package owning
 				// the RPM DB path, otherwise the RPM package would "own" all RPMs, which is not intended
diff --git a/syft/pkg/python_package_metadata.go b/syft/pkg/python_package_metadata.go
index c1e752d21..f059dfac3 100644
--- a/syft/pkg/python_package_metadata.go
+++ b/syft/pkg/python_package_metadata.go
@@ -6,7 +6,7 @@ import (
 	"github.com/scylladb/go-set/strset"
 )
 
-var _ fileOwner = (*PythonPackageMetadata)(nil)
+var _ FileOwner = (*PythonPackageMetadata)(nil)
 
 // PythonFileDigest represents the file metadata for a single file attributed to a python package.
 type PythonFileDigest struct {
@@ -34,7 +34,7 @@ type PythonPackageMetadata struct {
 	TopLevelPackages     []string           `json:"topLevelPackages,omitempty"`
 }
 
-func (m PythonPackageMetadata) ownedFiles() (result []string) {
+func (m PythonPackageMetadata) OwnedFiles() (result []string) {
 	s := strset.New()
 	for _, f := range m.Files {
 		if f.Path != "" {
diff --git a/syft/pkg/python_package_metadata_test.go b/syft/pkg/python_package_metadata_test.go
index c2cd37817..5364d3329 100644
--- a/syft/pkg/python_package_metadata_test.go
+++ b/syft/pkg/python_package_metadata_test.go
@@ -7,7 +7,7 @@ import (
 	"github.com/go-test/deep"
 )
 
-func TestPythonMetadata_fileOwner(t *testing.T) {
+func TestPythonMetadata_FileOwner(t *testing.T) {
 	tests := []struct {
 		metadata PythonPackageMetadata
 		expected []string
@@ -41,7 +41,7 @@ func TestPythonMetadata_fileOwner(t *testing.T) {
 		t.Run(strings.Join(test.expected, ","), func(t *testing.T) {
 			var i interface{}
 			i = test.metadata
-			actual := i.(fileOwner).ownedFiles()
+			actual := i.(FileOwner).OwnedFiles()
 			for _, d := range deep.Equal(test.expected, actual) {
 				t.Errorf("diff: %+v", d)
 			}
diff --git a/syft/pkg/rpmdb_metadata.go b/syft/pkg/rpmdb_metadata.go
index b6460c824..e48eb723c 100644
--- a/syft/pkg/rpmdb_metadata.go
+++ b/syft/pkg/rpmdb_metadata.go
@@ -15,7 +15,7 @@ import (
 
 const RpmDbGlob = "**/var/lib/rpm/Packages"
 
-var _ fileOwner = (*RpmdbMetadata)(nil)
+var _ FileOwner = (*RpmdbMetadata)(nil)
 
 // RpmdbMetadata represents all captured data for a RPM DB package entry.
 type RpmdbMetadata struct {
@@ -79,7 +79,7 @@ func (m RpmdbMetadata) PackageURL(d *distro.Distro) string {
 	return pURL.ToString()
 }
 
-func (m RpmdbMetadata) ownedFiles() (result []string) {
+func (m RpmdbMetadata) OwnedFiles() (result []string) {
 	s := strset.New()
 	for _, f := range m.Files {
 		if f.Path != "" {
diff --git a/syft/pkg/rpmdb_metadata_test.go b/syft/pkg/rpmdb_metadata_test.go
index 7eded2046..6e4fa7cce 100644
--- a/syft/pkg/rpmdb_metadata_test.go
+++ b/syft/pkg/rpmdb_metadata_test.go
@@ -56,7 +56,7 @@ func TestRpmMetadata_pURL(t *testing.T) {
 	}
 }
 
-func TestRpmMetadata_fileOwner(t *testing.T) {
+func TestRpmMetadata_FileOwner(t *testing.T) {
 	tests := []struct {
 		metadata RpmdbMetadata
 		expected []string
@@ -90,7 +90,7 @@ func TestRpmMetadata_fileOwner(t *testing.T) {
 		t.Run(strings.Join(test.expected, ","), func(t *testing.T) {
 			var i interface{}
 			i = test.metadata
-			actual := i.(fileOwner).ownedFiles()
+			actual := i.(FileOwner).OwnedFiles()
 			for _, d := range deep.Equal(test.expected, actual) {
 				t.Errorf("diff: %+v", d)
 			}