Align SPDX export more with SPDX 2.2 specification (#743)

2025-11-17 08:23:15 +01:00 · 2022-01-13 15:27:06 -05:00 · 2022-01-13 15:27:06 -05:00 · f59af255e3
commit f59af255e3
parent 706f291679
4 changed files with 28 additions and 26 deletions
--- a/internal/formats/common/spdxhelpers/originator_test.go
+++ b/internal/formats/common/spdxhelpers/originator_test.go
@ -29,7 +29,7 @@ func Test_Originator(t *testing.T) {
 					},
 				},
 			},
-			expected: "auth1",
+			expected: "Person: auth1",
 		},
 		{
 			name: "from npm",
@ -38,7 +38,7 @@ func Test_Originator(t *testing.T) {
 					Author: "auth",
 				},
 			},
-			expected: "auth",
+			expected: "Person: auth",
 		},
 		{
 			name: "from apk",
@ -47,7 +47,7 @@ func Test_Originator(t *testing.T) {
 					Maintainer: "auth",
 				},
 			},
-			expected: "auth",
+			expected: "Person: auth",
 		},
 		{
 			name: "from python - just name",
@ -56,7 +56,7 @@ func Test_Originator(t *testing.T) {
 					Author: "auth",
 				},
 			},
-			expected: "auth",
+			expected: "Person: auth",
 		},
 		{
 			name: "from python - just email",
@ -65,7 +65,7 @@ func Test_Originator(t *testing.T) {
 					AuthorEmail: "auth@auth.gov",
 				},
 			},
-			expected: "auth@auth.gov",
+			expected: "Person: auth@auth.gov",
 		},
 		{
 			name: "from python - both name and email",
@ -75,7 +75,7 @@ func Test_Originator(t *testing.T) {
 					AuthorEmail: "auth@auth.gov",
 				},
 			},
-			expected: "auth <auth@auth.gov>",
+			expected: "Person: auth (auth@auth.gov)",
 		},
 		{
 			name: "from rpm",
@ -84,7 +84,7 @@ func Test_Originator(t *testing.T) {
 					Vendor: "auth",
 				},
 			},
-			expected: "auth",
+			expected: "Organization: auth",
 		},
 		{
 			name: "from dpkg",
@ -93,7 +93,7 @@ func Test_Originator(t *testing.T) {
 					Maintainer: "auth",
 				},
 			},
-			expected: "auth",
+			expected: "Person: auth",
 		},
 		{
 			// note: since this is an optional field, no value is preferred over NONE or NOASSERTION
--- a/internal/formats/common/spdxhelpers/origintor.go
+++ b/internal/formats/common/spdxhelpers/origintor.go
@ -6,31 +6,35 @@ import (
 	"github.com/anchore/syft/syft/pkg"
 )

+// Originator needs to conform to the SPDX spec here:
+// https://spdx.github.io/spdx-spec/package-information/#76-package-originator-field
+// Available options are: <omit>, NOASSERTION, Person: <person>, Organization: <org>
 func Originator(p pkg.Package) string {
 	if hasMetadata(p) {
+		author := ""
 		switch metadata := p.Metadata.(type) {
 		case pkg.ApkMetadata:
-			return metadata.Maintainer
+			author = metadata.Maintainer
 		case pkg.NpmPackageJSONMetadata:
-			return metadata.Author
+			author = metadata.Author
 		case pkg.PythonPackageMetadata:
-			author := metadata.Author
+			author = metadata.Author
 			if author == "" {
-				return metadata.AuthorEmail
+				author = metadata.AuthorEmail
+			} else if metadata.AuthorEmail != "" {
+				author = fmt.Sprintf("%s (%s)", author, metadata.AuthorEmail)
 			}
-			if metadata.AuthorEmail != "" {
-				author += fmt.Sprintf(" <%s>", metadata.AuthorEmail)
-			}
-			return author
 		case pkg.GemMetadata:
 			if len(metadata.Authors) > 0 {
-				return metadata.Authors[0]
+				author = metadata.Authors[0]
 			}
-			return ""
 		case pkg.RpmdbMetadata:
-			return metadata.Vendor
+			return "Organization: " + metadata.Vendor
 		case pkg.DpkgMetadata:
-			return metadata.Maintainer
+			author = metadata.Maintainer
+		}
+		if author != "" {
+			return "Person: " + author
 		}
 	}
 	return ""
--- a/internal/formats/spdx22json/model/element.go
+++ b/internal/formats/spdx22json/model/element.go
@ -3,7 +3,7 @@ package model
 type Element struct {
 	SPDXID string `json:"SPDXID"`
 	// Identify name of this SpdxElement.
-	Name string `json:"name"`
+	Name string `json:"name,omitempty"`
 	// Relationships referenced in the SPDX document
 	Relationships []Relationship `json:"relationships,omitempty"`
 	// Provide additional information about an SpdxElement.
--- a/internal/formats/spdx22json/to_format_model.go
+++ b/internal/formats/spdx22json/to_format_model.go
@ -2,7 +2,6 @@ package spdx22json

 import (
 	"fmt"
-	"path/filepath"
 	"sort"
 	"strings"
 	"time"
@ -131,8 +130,7 @@ func toFiles(s sbom.SBOM) []model.File {
 		results = append(results, model.File{
 			Item: model.Item{
 				Element: model.Element{
-					SPDXID:  string(coordinates.ID()),
-					Name:    filepath.Base(coordinates.RealPath),
+					SPDXID:  model.ElementID(coordinates.ID()).String(),
 					Comment: comment,
 				},
 				// required, no attempt made to determine license information
@ -206,9 +204,9 @@ func toRelationships(relationships []artifact.Relationship) (result []model.Rela
 		}

 		result = append(result, model.Relationship{
-			SpdxElementID:      string(r.From.ID()),
+			SpdxElementID:      model.ElementID(r.From.ID()).String(),
 			RelationshipType:   relationshipType,
-			RelatedSpdxElement: string(r.To.ID()),
+			RelatedSpdxElement: model.ElementID(r.To.ID()).String(),
 			Comment:            comment,
 		})
 	}