From 80a73b117bd939e4427f0137cd2ba92a497afdc0 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Fri, 24 May 2024 07:37:07 +0100 Subject: [PATCH 1/5] spdx: rename expected.spdx.json ahead of more tests Signed-off-by: Dimitri John Ledkov --- pkg/sbom/generator/spdx/spdx_test.go | 2 +- .../{expected.spdx.json => expected.ubuntu-font.spdx.json} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename pkg/sbom/generator/spdx/testdata/{expected.spdx.json => expected.ubuntu-font.spdx.json} (100%) diff --git a/pkg/sbom/generator/spdx/spdx_test.go b/pkg/sbom/generator/spdx/spdx_test.go index 3b050b7bb..fd498b633 100644 --- a/pkg/sbom/generator/spdx/spdx_test.go +++ b/pkg/sbom/generator/spdx/spdx_test.go @@ -112,7 +112,7 @@ func TestGenerateCustomLicense(t *testing.T) { got, err := os.ReadFile(path) require.NoError(t, err) - expected, err := os.ReadFile("testdata/expected.spdx.json") + expected, err := os.ReadFile("testdata/expected.ubuntu-font.spdx.json") require.NoError(t, err) require.Equal(t, expected, got, "CustomLicense SPDX") } diff --git a/pkg/sbom/generator/spdx/testdata/expected.spdx.json b/pkg/sbom/generator/spdx/testdata/expected.ubuntu-font.spdx.json similarity index 100% rename from pkg/sbom/generator/spdx/testdata/expected.spdx.json rename to pkg/sbom/generator/spdx/testdata/expected.ubuntu-font.spdx.json From d952ba15bc7d102c360bb4e19ef26a5d671e53f3 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Fri, 24 May 2024 07:59:34 +0100 Subject: [PATCH 2/5] spdx: Add test case of merging pkg SBOM without supplier Image SBOM should contain supplier and originator for every package, when package SBOM does not have one, expect one based on the image layer supplier. 
Signed-off-by: Dimitri John Ledkov --- pkg/sbom/generator/spdx/spdx_test.go | 47 ++++++++++++ .../spdx/testdata/expected.libattr1.spdx.json | 59 +++++++++++++++ pkg/sbom/generator/spdx/testdata/generate.sh | 2 +- .../spdx/testdata/libattr1.spdx.json | 71 +++++++++++++++++++ 4 files changed, 178 insertions(+), 1 deletion(-) create mode 100644 pkg/sbom/generator/spdx/testdata/expected.libattr1.spdx.json create mode 100644 pkg/sbom/generator/spdx/testdata/libattr1.spdx.json diff --git a/pkg/sbom/generator/spdx/spdx_test.go b/pkg/sbom/generator/spdx/spdx_test.go index fd498b633..37dcd0438 100644 --- a/pkg/sbom/generator/spdx/spdx_test.go +++ b/pkg/sbom/generator/spdx/spdx_test.go @@ -85,6 +85,31 @@ var testCustomLicenseOpts = &options.Options{ }, } +var testNoSupplierOpts = &options.Options{ + OS: struct { + Name string + ID string + Version string + }{ + Name: "Apko Images, Plc", + ID: "apko-images", + Version: "3.0", + }, + FileName: "sbom", + Packages: []*apk.InstalledPackage{ + { + Package: apk.Package{ + Name: "libattr1", + Version: "2.5.1-r2", + Arch: "x86_64", + Description: "library for managing filesystem extended attributes", + License: "GPL-2.0-or-later", + Origin: "attr", + }, + }, + }, +} + func TestGenerate(t *testing.T) { dir := t.TempDir() fsys := apkfs.NewMemFS() 
@@ -117,6 +142,28 @@ func TestGenerateCustomLicense(t *testing.T) { require.Equal(t, expected, got, "CustomLicense SPDX") } +func TestNoSupplier(t *testing.T) { + spdx, err := os.ReadFile("testdata/libattr1.spdx.json") + require.NoError(t, err) + + fsys := apkfs.NewMemFS() + fsys.MkdirAll("/var/lib/db/sbom", 0750) + + err = fsys.WriteFile("/var/lib/db/sbom/libattr1.spdx.json", spdx, 0644) + require.NoError(t, err) + + sx := New(fsys) + path := filepath.Join(t.TempDir(), testNoSupplierOpts.FileName+"."+sx.Ext()) + err = sx.Generate(testNoSupplierOpts, path) + require.NoError(t, err) + + got, err := os.ReadFile(path) + require.NoError(t, err) + expected, err := os.ReadFile("testdata/expected.libattr1.spdx.json") + require.NoError(t, err) + require.Equal(t, expected, got, "NoSupplier SPDX") +} + func TestReproducible(t *testing.T) { // Create two sboms based on the same input and ensure // they are identical diff --git a/pkg/sbom/generator/spdx/testdata/expected.libattr1.spdx.json b/pkg/sbom/generator/spdx/testdata/expected.libattr1.spdx.json new file mode 100644 index 000000000..f5534b562 --- /dev/null +++ b/pkg/sbom/generator/spdx/testdata/expected.libattr1.spdx.json 
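Review bot: `fsys.MkdirAll("/var/lib/db/sbom", 0750)` in TestNoSupplier discards its error while every other step in the test is wrapped in require.NoError; if the directory cannot be created the failure surfaces later at WriteFile with a less direct message, or may not surface at all if the in-memory FS tolerates a missing parent. Check it like the rest: `require.NoError(t, fsys.MkdirAll("/var/lib/db/sbom", 0750))`. The fixture copy into the memfs and the byte-for-byte golden comparison are otherwise consistent with TestGenerateCustomLicense above.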
@@ -0,0 +1,59 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "name": "sbom", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "0001-01-01T00:00:00Z", + "creators": [ + "Tool: apko (devel)", + "Organization: Chainguard, Inc" + ], + "licenseListVersion": "3.16" + }, + "dataLicense": "CC0-1.0", + "documentNamespace": "https://spdx.org/spdxdocs/apko/", + "documentDescribes": [ + "SPDXRef-Package-" + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package-", + "name": "", + "versionInfo": "3.0", + "filesAnalyzed": false, + "description": "apko operating system layer", + "downloadLocation": "NOASSERTION", + "supplier": "Organization: Apko Images, Plc", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:oci/image?mediaType=\u0026os=linux", + "referenceType": "purl" + } + ] + }, + { + "SPDXID": "SPDXRef-Package-libattr1-2.5.1-r2", + "name": "libattr1", + "versionInfo": "2.5.1-r2", + "filesAnalyzed": true, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "GPL-2.0-or-later", + "downloadLocation": "NOASSERTION", + "originator": "Organization: Apko Images, Plc", + "supplier": "Organization: Apko Images, Plc", + "copyrightText": "TODO\n", + "externalRefs": [ + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceLocator": "pkg:apk/wolfi/libattr1@2.5.1-r2?arch=x86_64", + "referenceType": "purl" + } + ], + "packageVerificationCode": { + "packageVerificationCodeValue": "ac84254f783b469f1ea6212ab2645b7c839144f9" + } + } + ], + "relationships": [] +} diff --git a/pkg/sbom/generator/spdx/testdata/generate.sh b/pkg/sbom/generator/spdx/testdata/generate.sh index 333dd5457..d2acb23ef 100755 --- a/pkg/sbom/generator/spdx/testdata/generate.sh +++ b/pkg/sbom/generator/spdx/testdata/generate.sh 
@@ -1,3 +1,3 @@ #!/bin/sh curl -q https://packages.wolfi.dev/os/x86_64/font-ubuntu-0.869-r1.apk | tar Ozx var/lib/db/sbom/font-ubuntu-0.869-r1.spdx.json >font-ubuntu.spdx.json 2>/dev/null - +curl -q https://packages.wolfi.dev/os/x86_64/libattr1-2.5.1-r2.apk | tar Ozx var/lib/db/sbom/libattr1-2.5.1-r2.spdx.json >libattr1.spdx.json 2>/dev/null diff --git a/pkg/sbom/generator/spdx/testdata/libattr1.spdx.json b/pkg/sbom/generator/spdx/testdata/libattr1.spdx.json new file mode 100644 index 000000000..6ecd06ae2 --- /dev/null +++ b/pkg/sbom/generator/spdx/testdata/libattr1.spdx.json 
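Review bot: The new curl line, like the one above it, fetches the fixture with `-q`, which only disables reading `.curlrc` and is not a quiet flag; without `-f` an HTTP error body is piped into tar, and with tar's stderr sent to /dev/null a failed download yields an empty or garbled `libattr1.spdx.json` with no indication. Use `curl -fsS https://packages.wolfi.dev/os/x86_64/libattr1-2.5.1-r2.apk | tar Ozx var/lib/db/sbom/libattr1-2.5.1-r2.spdx.json >libattr1.spdx.json` so a non-2xx response aborts the pipeline and tar's own errors stay visible. Since these files become golden test inputs, recording the expected digest of the downloaded apk next to the URL and comparing it before extracting would make regeneration verifiable rather than trusting whatever the mirror serves at that moment. The same applies to the font-ubuntu line.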
@@ -0,0 +1,71 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT-apk-libattr1-2.5.1-r2", + "name": "apk-libattr1-2.5.1-r2", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "2023-01-28T06:47:56Z", + "creators": [ + "Tool: melange (v0.2.0-97-g0d91d11)", + "Organization: Chainguard, Inc" + ], + "licenseListVersion": "3.18" + }, + "dataLicense": "CC0-1.0", + "documentNamespace": "https://spdx.org/spdxdocs/chainguard/melange/", + "documentDescribes": [ + "SPDXRef-Package-libattr1-2.5.1-r2" + ], + "files": [ + { + "SPDXID": "SPDXRef-File--lib-libattr.so.1.1.2501", + "fileName": "/lib/libattr.so.1.1.2501", + "licenseConcluded": "NOASSERTION", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "1b3a09852617e25522cfb46410c7f68c4149a7b5" + }, + { + "algorithm": "SHA256", + "checksumValue": "575c60ac3c5a5201ef30cec6b8f6aded46c76a35b27eaf0700a617f95236c3cd" + }, + { + "algorithm": "SHA512", + "checksumValue": "b437a3dd87c7777b0c0ee0ecb7ce3d24794e027471891f9861ec08e6b30e2896e5962a887cda2170156721d99685405fea39cc655a8606e441fdf6c1b3697980" + } + ] + } + ], + "packages": [ + { + "SPDXID": "SPDXRef-Package-libattr1-2.5.1-r2", + "name": "libattr1", + "versionInfo": "2.5.1-r2", + "filesAnalyzed": true, + "hasFiles": [ + "SPDXRef-File--lib-libattr.so.1.1.2501" + ], + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "GPL-2.0-or-later", + "downloadLocation": "NOASSERTION", + "copyrightText": "TODO\n", + "externalRefs": [ + { + "referenceCategory": "PACKAGE_MANAGER", + "referenceLocator": "pkg:apk/wolfi/libattr1@2.5.1-r2?arch=x86_64", + "referenceType": "purl" + } + ], + "packageVerificationCode": { + "packageVerificationCodeValue": "ac84254f783b469f1ea6212ab2645b7c839144f9" + } + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Package-libattr1-2.5.1-r2", + "relationshipType": "CONTAINS", + "relatedSpdxElement": "SPDXRef-File--lib-libattr.so.1.1.2501" + } + ] +} From 7df43d4216cb2b134350da94222e930c785bfb02 Mon Sep 17 00:00:00 2001 
From: Dimitri John Ledkov Date: Fri, 24 May 2024 17:22:02 +0100 Subject: [PATCH 3/5] spdx: backpopulate supplier & originator for packages This way image SBOM is correct, without rebuilding package SBOMs. Note some packages have neither originator nor supplier, some have originator without supplier. Hence set originator first, then copy it to supplier. Also update golden test data for affected integration tests. Signed-off-by: Dimitri John Ledkov --- internal/cli/publish_test.go | 4 ++-- .../testdata/golden/sboms/sbom-aarch64.spdx.json | 2 ++ .../cli/testdata/golden/sboms/sbom-x86_64.spdx.json | 2 ++ pkg/sbom/generator/spdx/spdx.go | 13 +++++++++++++ 4 files changed, 19 insertions(+), 2 deletions(-) diff --git a/internal/cli/publish_test.go b/internal/cli/publish_test.go index 1735f310f..735ae2080 100644 --- a/internal/cli/publish_test.go +++ b/internal/cli/publish_test.go @@ -113,8 +113,8 @@ func TestPublish(t *testing.T) { // We also want to check the children SBOMs because the index SBOM does not have // references to the children SBOMs, just the children! wantBoms := []string{ - "sha256:3b499c0e0a0cc77d812057233db2b3277ec84617387526c6db158a3c0cb6f522", - "sha256:b581d950944c0106e251a53d9f8dd77bda7ae53f8ed0fc32fe338590fc8238a0", + "sha256:5341016254c76bad393671cc41ef496f3ecd47ff8d08aa6d52617ee79e9c0358", + "sha256:f39bdbd2c160067a66ce681a97e40a70e157b556318ad0d728396a33b20ece1c", } for i, m := range im.Manifests { diff --git a/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json b/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json index dc1c01393..bf1df1d5b 100644 --- a/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json +++ b/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json @@ -64,6 +64,7 @@ "licenseDeclared": "MIT", "downloadLocation": "NOASSERTION", "originator": "Organization: Unknown", + "supplier": "Organization: Unknown", "copyrightText": "\n", "externalRefs": [ { 
@@ -85,6 +86,7 @@ "licenseDeclared": "MIT", "downloadLocation": "NOASSERTION", "originator": "Organization: Unknown", + "supplier": "Organization: Unknown", "copyrightText": "\n", "externalRefs": [ { diff --git a/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json b/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json index b2187c7b5..4a4264dad 100644 --- a/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json +++ b/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json @@ -64,6 +64,7 @@ "licenseDeclared": "MIT", "downloadLocation": "NOASSERTION", "originator": "Organization: Unknown", + "supplier": "Organization: Unknown", "copyrightText": "\n", "externalRefs": [ { @@ -85,6 +86,7 @@ "licenseDeclared": "MIT", "downloadLocation": "NOASSERTION", "originator": "Organization: Unknown", + "supplier": "Organization: Unknown", "copyrightText": "\n", "externalRefs": [ { diff --git a/pkg/sbom/generator/spdx/spdx.go b/pkg/sbom/generator/spdx/spdx.go index d97d512af..b977ca77e 100644 --- a/pkg/sbom/generator/spdx/spdx.go +++ b/pkg/sbom/generator/spdx/spdx.go @@ -351,6 +351,19 @@ func (sx *SPDX) ParseInternalSBOM(opts *options.Options, path string) (*Document if err := json.Unmarshal(data, internalSBOM); err != nil { return nil, fmt.Errorf("parsing internal apk sbom: %w", err) } + + // Fix up missing data, checkers require Originator & + // Supplier, but older apks do not have it set, copy image + // Supplier. + for i := range internalSBOM.Packages { + if internalSBOM.Packages[i].Originator == "" { + internalSBOM.Packages[i].Originator = supplier(opts) + } + if internalSBOM.Packages[i].Supplier == "" { + internalSBOM.Packages[i].Supplier = internalSBOM.Packages[i].Originator + } + } + return internalSBOM, nil } From 8231da0ae52048d3875640e599284a187a5ffbbe Mon Sep 17 00:00:00 2001 
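Review bot: The fixup in ParseInternalSBOM fills a missing Originator with the image supplier, which asserts that the image publisher originally created the package; SPDX defines Originator as the original author/packager and Supplier as the distributing party, and the two legitimately differ for most apks (the image layer entry above them already carries the image supplier). A less misleading default when a package SBOM states no originator is the spec's placeholder `internalSBOM.Packages[i].Originator = "NOASSERTION"`, and Supplier, when missing, should name the party actually redistributing the package here, `internalSBOM.Packages[i].Supplier = supplier(opts)`, rather than a copy of whatever Originator ended up holding. If the downstream checkers mentioned in the comment reject NOASSERTION, that constraint is worth stating in the comment, because consumers reading Originator as provenance will otherwise take the image supplier as authoritative. The enclosing function starts before the hunk.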
From: Dimitri John Ledkov Date: Fri, 24 May 2024 18:06:58 +0100 Subject: [PATCH 4/5] spdx: fixup filesAnalyzed setting Current implementation strips filesAnalyzed from individual package SBOMs upon aggregation into image SBOM. When doing so, update package stanza to say filesAnalyzed=false, as indeed FileRefs are missing. Signed-off-by: Dimitri John Ledkov --- internal/cli/publish_test.go | 4 ++-- internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json | 4 ++-- internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json | 4 ++-- pkg/sbom/generator/spdx/spdx.go | 6 +++++- .../generator/spdx/testdata/expected.libattr1.spdx.json | 2 +- 5 files changed, 12 insertions(+), 8 deletions(-) diff --git a/internal/cli/publish_test.go b/internal/cli/publish_test.go index 735ae2080..f7fea45cd 100644 --- a/internal/cli/publish_test.go +++ b/internal/cli/publish_test.go @@ -113,8 +113,8 @@ func TestPublish(t *testing.T) { // We also want to check the children SBOMs because the index SBOM does not have // references to the children SBOMs, just the children! wantBoms := []string{ - "sha256:5341016254c76bad393671cc41ef496f3ecd47ff8d08aa6d52617ee79e9c0358", - "sha256:f39bdbd2c160067a66ce681a97e40a70e157b556318ad0d728396a33b20ece1c", + "sha256:4d78d7a2d5686afac96ac8d0d8191a08f03b4df5a56d95f67e9c5dc94bb5b273", + "sha256:ef8d74964d6edee3ba9a1d3a3a44e3b69e87af17dbd1b4646e516e83bc6c939d", } for i, m := range im.Manifests { diff --git a/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json b/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json index bf1df1d5b..431fcef11 100644 --- a/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json +++ b/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json @@ -59,7 +59,7 @@ "SPDXID": "SPDXRef-Package-pretend-baselayout-1.0.0-r0", "name": "pretend-baselayout", "versionInfo": "1.0.0-r0", - "filesAnalyzed": true, + "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "MIT", "downloadLocation": "NOASSERTION", 
@@ -81,7 +81,7 @@ "SPDXID": "SPDXRef-Package-replayout-1.0.0-r0", "name": "replayout", "versionInfo": "1.0.0-r0", - "filesAnalyzed": true, + "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "MIT", "downloadLocation": "NOASSERTION", diff --git a/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json b/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json index 4a4264dad..6606c428a 100644 --- a/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json +++ b/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json @@ -59,7 +59,7 @@ "SPDXID": "SPDXRef-Package-pretend-baselayout-1.0.0-r0", "name": "pretend-baselayout", "versionInfo": "1.0.0-r0", - "filesAnalyzed": true, + "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "MIT", "downloadLocation": "NOASSERTION", @@ -81,7 +81,7 @@ "SPDXID": "SPDXRef-Package-replayout-1.0.0-r0", "name": "replayout", "versionInfo": "1.0.0-r0", - "filesAnalyzed": true, + "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "MIT", "downloadLocation": "NOASSERTION", diff --git a/pkg/sbom/generator/spdx/spdx.go b/pkg/sbom/generator/spdx/spdx.go index b977ca77e..aeaa8f1d0 100644 --- a/pkg/sbom/generator/spdx/spdx.go +++ b/pkg/sbom/generator/spdx/spdx.go @@ -354,7 +354,8 @@ func (sx *SPDX) ParseInternalSBOM(opts *options.Options, path string) (*Document // Fix up missing data, checkers require Originator & // Supplier, but older apks do not have it set, copy image - // Supplier. + // Supplier. Also files are stripped from sbom, thus set + // filesAnalyzed to false. for i := range internalSBOM.Packages { if internalSBOM.Packages[i].Originator == "" { internalSBOM.Packages[i].Originator = supplier(opts) 
@@ -362,6 +363,9 @@ func (sx *SPDX) ParseInternalSBOM(opts *options.Options, path string) (*Document if internalSBOM.Packages[i].Supplier == "" { internalSBOM.Packages[i].Supplier = internalSBOM.Packages[i].Originator } + if internalSBOM.Packages[i].FilesAnalyzed { + internalSBOM.Packages[i].FilesAnalyzed = false + } } return internalSBOM, nil diff --git a/pkg/sbom/generator/spdx/testdata/expected.libattr1.spdx.json b/pkg/sbom/generator/spdx/testdata/expected.libattr1.spdx.json index f5534b562..f83c5f905 100644 --- a/pkg/sbom/generator/spdx/testdata/expected.libattr1.spdx.json +++ b/pkg/sbom/generator/spdx/testdata/expected.libattr1.spdx.json @@ -36,7 +36,7 @@ "SPDXID": "SPDXRef-Package-libattr1-2.5.1-r2", "name": "libattr1", "versionInfo": "2.5.1-r2", - "filesAnalyzed": true, + "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "GPL-2.0-or-later", "downloadLocation": "NOASSERTION", From 4690135975744fbbf09327c052e99875f59da0e9 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Fri, 24 May 2024 18:19:13 +0100 Subject: [PATCH 5/5] spdx: fixup PackageVerificationCode setting Current implementation strips filesAnalyzed from individual package SBOMs upon aggregation into image SBOM. When doing so, omit PackageVerificationCode as without files there cannot be verification code (it is defined as ordered hash of files). Also observe that newly generated packages without files do not have VerifcationCode. As a pleasant side-effect this removes SHA1 from arch-specific package manifest and makes it year 2030 safe. Signed-off-by: Dimitri John Ledkov --- internal/cli/publish_test.go | 4 ++-- .../cli/testdata/golden/sboms/sbom-aarch64.spdx.json | 10 ++-------- .../cli/testdata/golden/sboms/sbom-x86_64.spdx.json | 10 ++-------- pkg/sbom/generator/spdx/spdx.go | 5 ++++- .../spdx/testdata/expected.libattr1.spdx.json | 5 +---- 5 files changed, 11 insertions(+), 23 deletions(-) 
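Review bot: The new guard `if internalSBOM.Packages[i].FilesAnalyzed { ... = false }` is redundant: assigning false unconditionally performs the same store with one fewer branch, so `internalSBOM.Packages[i].FilesAnalyzed = false` reads as the intent ("file refs are not carried over") rather than as a conditional repair. The same shape recurs in PATCH 5/5's hunk on this function, where `VerificationCode != nil` is tested before being set to nil. Since these fixups now run on every parsed package, a short why-comment on the assignment, such as `// file refs are dropped on aggregation, so filesAnalyzed must be false`, keeps the spec reasoning next to the code instead of only in the header comment above. The enclosing loop and function start before the hunk.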
diff --git a/internal/cli/publish_test.go b/internal/cli/publish_test.go index f7fea45cd..1148e4161 100644 --- a/internal/cli/publish_test.go +++ b/internal/cli/publish_test.go @@ -113,8 +113,8 @@ func TestPublish(t *testing.T) { // We also want to check the children SBOMs because the index SBOM does not have // references to the children SBOMs, just the children! wantBoms := []string{ - "sha256:4d78d7a2d5686afac96ac8d0d8191a08f03b4df5a56d95f67e9c5dc94bb5b273", - "sha256:ef8d74964d6edee3ba9a1d3a3a44e3b69e87af17dbd1b4646e516e83bc6c939d", + "sha256:8d5651b0ee5110df20af50925c13fa634d340e358b06c3941f2a17d38d366f08", + "sha256:8a3b851d420550508511c0426c141694cf385cc2ba8c2189d82db6a6eff41dbe", } for i, m := range im.Manifests { diff --git a/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json b/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json index 431fcef11..f687a4c21 100644 --- a/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json +++ b/internal/cli/testdata/golden/sboms/sbom-aarch64.spdx.json @@ -72,10 +72,7 @@ "referenceLocator": "pkg:apk/unknown/pretend-baselayout@1.0.0-r0?arch=aarch64", "referenceType": "purl" } - ], - "packageVerificationCode": { - "packageVerificationCodeValue": "8058dd7b970804f7b4a4f6e10374b4d02a5a01f3" - } + ] }, { "SPDXID": "SPDXRef-Package-replayout-1.0.0-r0", @@ -94,10 +91,7 @@ "referenceLocator": "pkg:apk/unknown/replayout@1.0.0-r0?arch=aarch64", "referenceType": "purl" } - ], - "packageVerificationCode": { - "packageVerificationCodeValue": "d70ccb53a479f44c7ac6f023492b3520f23c21b3" - } + ] } ], "relationships": [ diff --git a/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json b/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json index 6606c428a..639f52f0e 100644 --- a/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json +++ b/internal/cli/testdata/golden/sboms/sbom-x86_64.spdx.json 
@@ -72,10 +72,7 @@ "referenceLocator": "pkg:apk/unknown/pretend-baselayout@1.0.0-r0?arch=x86_64", "referenceType": "purl" } - ], - "packageVerificationCode": { - "packageVerificationCodeValue": "8058dd7b970804f7b4a4f6e10374b4d02a5a01f3" - } + ] }, { "SPDXID": "SPDXRef-Package-replayout-1.0.0-r0", @@ -94,10 +91,7 @@ "referenceLocator": "pkg:apk/unknown/replayout@1.0.0-r0?arch=x86_64", "referenceType": "purl" } - ], - "packageVerificationCode": { - "packageVerificationCodeValue": "d70ccb53a479f44c7ac6f023492b3520f23c21b3" - } + ] } ], "relationships": [ diff --git a/pkg/sbom/generator/spdx/spdx.go b/pkg/sbom/generator/spdx/spdx.go index aeaa8f1d0..60433a794 100644 --- a/pkg/sbom/generator/spdx/spdx.go +++ b/pkg/sbom/generator/spdx/spdx.go @@ -355,7 +355,7 @@ func (sx *SPDX) ParseInternalSBOM(opts *options.Options, path string) (*Document // Fix up missing data, checkers require Originator & // Supplier, but older apks do not have it set, copy image // Supplier. Also files are stripped from sbom, thus set - // filesAnalyzed to false. + // filesAnalyzed to false and omit packageVerificationCode for i := range internalSBOM.Packages { if internalSBOM.Packages[i].Originator == "" { internalSBOM.Packages[i].Originator = supplier(opts) @@ -366,6 +366,9 @@ func (sx *SPDX) ParseInternalSBOM(opts *options.Options, path string) (*Document if internalSBOM.Packages[i].FilesAnalyzed { internalSBOM.Packages[i].FilesAnalyzed = false } + if internalSBOM.Packages[i].VerificationCode != nil { + internalSBOM.Packages[i].VerificationCode = nil + } } return internalSBOM, nil diff --git a/pkg/sbom/generator/spdx/testdata/expected.libattr1.spdx.json b/pkg/sbom/generator/spdx/testdata/expected.libattr1.spdx.json index f83c5f905..956d62c0d 100644 --- a/pkg/sbom/generator/spdx/testdata/expected.libattr1.spdx.json +++ b/pkg/sbom/generator/spdx/testdata/expected.libattr1.spdx.json 
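Review bot: With this hunk ParseInternalSBOM rewrites four fields of every parsed package (Originator, Supplier, FilesAnalyzed and now VerificationCode), so its result is no longer the package SBOM as shipped in the apk, yet nothing in the function's name or its doc comment (outside the hunk) says so. Callers comparing the image SBOM against the per-package SBOMs, or auditors expecting the verification code to survive aggregation, would benefit from a sentence on the function's doc comment stating that parsed packages are normalized for inclusion in the image SBOM: missing supplier/originator are filled from the image options, and file-level evidence (filesAnalyzed, packageVerificationCode) is dropped because file entries are not carried over. Omitting the verification code is what the spec requires once filesAnalyzed is false, but it also removes the only content binding between the package entry and the bits in the layer; if that binding matters to consumers it needs another carrier, which deserves an explicit TODO here rather than being left implicit. Moving the loop body into a small named helper would also keep the parse step readable as the fixup list grows. The enclosing function and loop start before the hunk.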
@@ -49,10 +49,7 @@ "referenceLocator": "pkg:apk/wolfi/libattr1@2.5.1-r2?arch=x86_64", "referenceType": "purl" } - ], - "packageVerificationCode": { - "packageVerificationCodeValue": "ac84254f783b469f1ea6212ab2645b7c839144f9" - } + ] } ], "relationships": []