diff --git a/.github/workflows/test-validator.yml b/.github/workflows/test-validator.yml
new file mode 100644
index 0000000..a20b03b
--- /dev/null
+++ b/.github/workflows/test-validator.yml
@@ -0,0 +1,25 @@
+name: "Test validator"
+on:
+ pull_request:
+ paths:
+ - 'tools/openchain_telco_sbom_validator/**'
+
+jobs:
+ test:
+ runs-on: ubuntu-latest
+ env:
+ TERM: linux
+ steps:
+ - name: Check out repository code
+ uses: actions/checkout@v4
+ - name: Building environment
+ run: |
+ cd tools/openchain_telco_sbom_validator/
+ python3 -m venv .env
+ cd testing/
+ wget https://raw.githubusercontent.com/thorsteinssonh/bash_test_tools/master/bash_test_tools
+ - name: Run tests
+ run: |
+ cd tools/openchain_telco_sbom_validator/testing/
+ echo $TERM
+ ./test-test.sh
\ No newline at end of file
diff --git a/tools/openchain_telco_sbom_validator/README.md b/tools/openchain_telco_sbom_validator/README.md
index 12a3569..7f035cf 100644
--- a/tools/openchain_telco_sbom_validator/README.md
+++ b/tools/openchain_telco_sbom_validator/README.md
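Review bot: The `wget https://raw.githubusercontent.com/thorsteinssonh/bash_test_tools/master/bash_test_tools` line in the "Building environment" step fetches an unpinned shell library from a third party's moving `master` branch on every pull request and `./test-test.sh` presumably sources it, so whoever controls that repository or account controls what executes in this job, and nothing verifies the download. Pin the URL to a commit SHA and check the file against a recorded digest with `sha256sum -c` before the test step, or vendor the file into `testing/` so CI never fetches it at all. The workflow also declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scopes although it only checks out and runs tests; `permissions: contents: read` at the top level is the least-privilege setting, and pinning `actions/checkout@v4` to a full commit SHA instead of the mutable tag is the usual companion hardening. Note that `python3 -m venv .env` is created but never activated or populated in this workflow, so either `test-test.sh` does that itself or the venv is unused; worth confirming.
```yaml
permissions:
  contents: read
# … unchanged: on/jobs/runs-on/env/checkout step …
      - name: Building environment
        run: |
          cd tools/openchain_telco_sbom_validator/
          python3 -m venv .env
          cd testing/
          wget -O bash_test_tools https://raw.githubusercontent.com/thorsteinssonh/bash_test_tools/<pinned-commit-sha>/bash_test_tools
          echo "<recorded-sha256>  bash_test_tools" | sha256sum -c -
# … unchanged: Run tests step …
```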
@@ -1,20 +1,22 @@ # openchain-telco-sbom-validator -A script to validate SBOMs against version 1.0 of the OpenChain Telco SBOM Guide. +A script to validate SBOMs against version 1.0 of +the [OpenChain Telco SBOM Guide](https://github.com/OpenChain-Project/Telco-WG/blob/main/OpenChain-Telco-SBOM-Guide_EN.md). -# Installation +# Installation -From this folder issue `pip3 install openchain-telco-sbom-validator`. +To install from [PyPI](https://pypi.org/project/openchain-telco-sbom-validator/), issue `pip3 install openchain-telco-sbom-validator`. -## Installation of prerequisities +# Manual installation -This script is written in Python and uses a requirements.txt to list its dependencies. To install Python on an Ubuntu +This script is written in Python and uses a `requirements.txt` to list its dependencies. To install Python on an Ubuntu environment run `sudo apt install python3-pip`. It is usually a good practice to install Python dependencies to a Python virtual environment. To be able to manage virtual environments you need to install `venv` with `sudo apt install python3-venv`. -If you do not have a virtual environment yet cretate it with `python3 -m venv .env`, if you already have a virtual environment start it with `. .env/bin/activate`. +If you do not have a virtual environment you can create it with `python3 -m venv .env`, +if you already have a virtual environment start it with `. .env/bin/activate`. # Usage @@ -22,7 +24,7 @@ If you do not have a virtual environment yet cretate it with `python3 -m venv .e ## From command line ``` -usage: open-chain-telco-sbom-validator [options] input +usage: openchain-telco-sbom-validator [options] input positional arguments: input The input SPDX file. 
@@ -55,9 +57,9 @@ from openchain_telco_sbom_validator.validator import Validator def main(): # Instantiate a validator - + myValidator = Validator() - + # Do validate result, problems = myValidator.validate(filePath, # path to the SPDX file as a string strict_purl_check, # If strict purl check is needed @@ -96,7 +98,7 @@ It is possible to add additional CLI arguments if needed for example: #### Additional checks -It is possible to add additional checks both on global and on package level. +It is possible to add additional checks both on global and on package level. ``` # Import in addition of the previous imports diff --git a/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/open-chain-telco-sbom-validator-0.1.spdx b/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/openchain-telco-sbom-validator-0.1.6.spdx similarity index 96% rename from tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/open-chain-telco-sbom-validator-0.1.spdx rename to tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/openchain-telco-sbom-validator-0.1.6.spdx index 7324e77..64b92b3 100644 --- a/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/open-chain-telco-sbom-validator-0.1.spdx +++ b/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/openchain-telco-sbom-validator-0.1.6.spdx @@ -2,8 +2,8 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT -DocumentName: open-chain-telco-sbom-validator-0.1 -DocumentNamespace: https://nokia.com/spdx/open-chain-telco-sbom-validator-0.1 +DocumentName: openchain-telco-sbom-validator-0.1.6 +DocumentNamespace: https://nokia.com/spdx/openchain-telco-sbom-validator-0.1.6 ## Creation Information LicenseListVersion: 3.22 
@@ -14,8 +14,8 @@ CreatorComment: CISA SBOM type: Source ## Package Information PackageName: openchain_telco_sbom_validator-with-requirements-requirements.txt -SPDXID: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 -PackageVersion: 0.1 +SPDXID: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 +PackageVersion: 0.1.6 PackageDownloadLocation: NONE FilesAnalyzed: false PackageChecksum: SHA256: d74a3c7142c82926b73d6928c04dc85e5759b649b403e024d7a44e9998415177 @@ -25,7 +25,7 @@ PackageLicenseDeclared: Apache-2.0 PackageCopyrightText: (c) 2024 Nokia Authors Gergely Csatari, Marc-Etienne Vargenau PackageSupplier: Organization: Nokia PackageOriginator: Organization: Nokia -ExternalRef: PACKAGE-MANAGER purl pkg:pypi/openchain_telco_sbom_validator@0.1 +ExternalRef: PACKAGE-MANAGER purl pkg:pypi/openchain_telco_sbom_validator@0.1.6 ## Package Information PackageName: beartype 
@@ -435,9 +435,9 @@ Relationship: SPDXRef-Package-PyPI-spdx-tools-0.8.2 DEPENDS_ON SPDXRef-Package-P
 Relationship: SPDXRef-Package-PyPI-spdx-tools-0.8.2 DEPENDS_ON SPDXRef-Package-PyPI-semantic-version-2.10.0
 Relationship: SPDXRef-Package-PyPI-spdx-tools-0.8.2 DEPENDS_ON SPDXRef-Package-PyPI-uritools-4.0.3
 Relationship: SPDXRef-Package-PyPI-spdx-tools-0.8.2 DEPENDS_ON SPDXRef-Package-PyPI-xmltodict-0.13.0
-Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 DEPENDS_ON SPDXRef-Package-PyPI-ntia-conformance-checker-3.0.0
-Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 DEPENDS_ON SPDXRef-Package-PyPI-packageurl-python-0.15.6
-Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 DEPENDS_ON SPDXRef-Package-PyPI-prettytable-3.11.0
-Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 DEPENDS_ON SPDXRef-Package-PyPI-requests-2.32.3
-Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 DEPENDS_ON SPDXRef-Package-PyPI-validators-0.33.0
-Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1
+Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 DEPENDS_ON SPDXRef-Package-PyPI-ntia-conformance-checker-3.0.0
+Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 DEPENDS_ON SPDXRef-Package-PyPI-packageurl-python-0.15.6
+Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 DEPENDS_ON SPDXRef-Package-PyPI-prettytable-3.11.0
+Relationship: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 DEPENDS_ON SPDXRef-Package-PyPI-requests-2.32.3
+Relationship: 
SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 DEPENDS_ON SPDXRef-Package-PyPI-validators-0.33.0 +Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 diff --git a/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/open-chain-telco-sbom-validator-0.1.spdx.json b/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/openchain-telco-sbom-validator-0.1.6.spdx.json similarity index 98% rename from tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/open-chain-telco-sbom-validator-0.1.spdx.json rename to tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/openchain-telco-sbom-validator-0.1.6.spdx.json index 6f1f721..10c08ba 100644 --- a/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/open-chain-telco-sbom-validator-0.1.spdx.json +++ b/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/openchain-telco-sbom-validator-0.1.6.spdx.json @@ -10,12 +10,12 @@ "comment": "CISA SBOM type: Source" }, "dataLicense": "CC0-1.0", - "name": "open-chain-telco-sbom-validator-0.1", + "name": "openchain-telco-sbom-validator-0.1.6", "spdxVersion": "SPDX-2.2", - "documentNamespace": "https://nokia.com/spdx/open-chain-telco-sbom-validator-0.1", + "documentNamespace": "https://nokia.com/spdx/openchain-telco-sbom-validator-0.1.6", "packages": [ { - "SPDXID": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1", + "SPDXID": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6", "checksums": [ { "algorithm": "SHA256", @@ -27,7 +27,7 @@ "externalRefs": [ { "referenceCategory": "PACKAGE_MANAGER", - "referenceLocator": "pkg:pypi/openchain_telco_sbom_validator@0.1", + "referenceLocator": "pkg:pypi/openchain_telco_sbom_validator@0.1.6", "referenceType": "purl" } ], 
@@ -38,7 +38,7 @@ "name": "openchain_telco_sbom_validator-with-requirements-requirements.txt", "originator": "Organization: Nokia", "supplier": "Organization: Nokia", - "versionInfo": "0.1" + "versionInfo": "0.1.6" }, { "SPDXID": "SPDXRef-Package-PyPI-beartype-0.18.5", 
@@ -762,33 +762,33 @@ "relationshipType": "DEPENDS_ON" }, { - "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1", + "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6", "relatedSpdxElement": "SPDXRef-Package-PyPI-ntia-conformance-checker-3.0.0", "relationshipType": "DEPENDS_ON" }, { - "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1", + "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6", "relatedSpdxElement": "SPDXRef-Package-PyPI-packageurl-python-0.15.6", "relationshipType": "DEPENDS_ON" }, { - "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1", + "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6", "relatedSpdxElement": "SPDXRef-Package-PyPI-prettytable-3.11.0", "relationshipType": "DEPENDS_ON" }, { - "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1", + "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6", "relatedSpdxElement": "SPDXRef-Package-PyPI-requests-2.32.3", "relationshipType": "DEPENDS_ON" }, { - "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1", + "spdxElementId": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6", "relatedSpdxElement": "SPDXRef-Package-PyPI-validators-0.33.0", "relationshipType": "DEPENDS_ON" }, { "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1", + "relatedSpdxElement": "SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6", 
"relationshipType": "DESCRIBES" } ] diff --git a/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/open-chain-telco-sbom-validator-0.1.spdx.yml b/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/openchain-telco-sbom-validator-0.1.6.spdx.yml similarity index 98% rename from tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/open-chain-telco-sbom-validator-0.1.spdx.yml rename to tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/openchain-telco-sbom-validator-0.1.6.spdx.yml index 2081f5a..cba083f 100644 --- a/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/open-chain-telco-sbom-validator-0.1.spdx.yml +++ b/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/openchain-telco-sbom-validator-0.1.6.spdx.yml @@ -7,10 +7,10 @@ creationInfo: - 'Tool: Nokia Compliance Tool - 1.0' licenseListVersion: '3.22' dataLicense: CC0-1.0 -documentNamespace: https://nokia.com/spdx/open-chain-telco-sbom-validator-0.1 -name: open-chain-telco-sbom-validator-0.1 +documentNamespace: https://nokia.com/spdx/openchain-telco-sbom-validator-0.1.6 +name: openchain-telco-sbom-validator-0.1.6 packages: -- SPDXID: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 +- SPDXID: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 checksums: - algorithm: SHA256 checksumValue: d74a3c7142c82926b73d6928c04dc85e5759b649b403e024d7a44e9998415177 @@ -18,7 +18,7 @@ packages: downloadLocation: NONE externalRefs: - referenceCategory: PACKAGE_MANAGER - referenceLocator: pkg:pypi/openchain_telco_sbom_validator@0.1 + referenceLocator: pkg:pypi/openchain_telco_sbom_validator@0.1.6 referenceType: purl filesAnalyzed: false homepage: https://github.com/OpenChain-Project/Telco-WG/tree/main/tools 
@@ -27,7 +27,7 @@ packages: name: openchain_telco_sbom_validator-with-requirements-requirements.txt originator: 'Organization: Nokia' supplier: 'Organization: Nokia' - versionInfo: '0.1' + versionInfo: 0.1.6 - SPDXID: SPDXRef-Package-PyPI-beartype-0.18.5 checksums: - algorithm: SHA256 
@@ -585,20 +585,20 @@ relationships: spdxElementId: SPDXRef-Package-PyPI-spdx-tools-0.8.2 - relatedSpdxElement: SPDXRef-Package-PyPI-ntia-conformance-checker-3.0.0 relationshipType: DEPENDS_ON - spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 + spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 - relatedSpdxElement: SPDXRef-Package-PyPI-packageurl-python-0.15.6 relationshipType: DEPENDS_ON - spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 + spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 - relatedSpdxElement: SPDXRef-Package-PyPI-prettytable-3.11.0 relationshipType: DEPENDS_ON - spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 + spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 - relatedSpdxElement: SPDXRef-Package-PyPI-requests-2.32.3 relationshipType: DEPENDS_ON - spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 + spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 - relatedSpdxElement: SPDXRef-Package-PyPI-validators-0.33.0 relationshipType: DEPENDS_ON - spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 -- relatedSpdxElement: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1 + spdxElementId: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 +- relatedSpdxElement: SPDXRef-Project-PIP-openchain-telco-sbom-validator-with-requirements-requirements.txt-0.1.6 relationshipType: DESCRIBES spdxElementId: SPDXRef-DOCUMENT spdxVersion: SPDX-2.2 
diff --git a/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/open-chain-telco-sbom-validator-0.1_disclosure_document.html b/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/openchain-telco-sbom-validator-0.1.6_disclosure_document.html
similarity index 100%
rename from tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/open-chain-telco-sbom-validator-0.1_disclosure_document.html
rename to tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/openchain-telco-sbom-validator-0.1.6_disclosure_document.html
diff --git a/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py b/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py
index 8050ad0..6aac85a 100755
--- a/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py
+++ b/tools/openchain_telco_sbom_validator/src/openchain_telco_sbom_validator/validator.py
@@ -96,7 +96,7 @@ def __init__(self):
 return None
 def validate(self, filePath, strict_purl_check=False, strict_url_check=False, functionRegistry:FunctionRegistry = FunctionRegistry()):
- """ Validates, Returns a status and a list of problems. filePath: Path to the SPDX file to validate. strict_purl_check: Not only checks the syntax of the PURL, but also cecks if the package can be downloaded. strict_url_check: Checks if the given URLs in PackageHomepages can be accesses."""
+ """ Validates, Returns a status and a list of problems. filePath: Path to the SPDX file to validate. strict_purl_check: Not only checks the syntax of the PURL, but also checks if the package can be downloaded. strict_url_check: Checks if the given URLs in PackageHomepages can be accessed."""
 try:
 doc = parse_anything.parse_file(filePath)
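Review bot: The `validate` signature shown as context in this hunk uses a mutable default argument, `functionRegistry:FunctionRegistry = FunctionRegistry()`, so one `FunctionRegistry` instance is built at import time and shared by every call that does not pass its own; if the registry holds mutable state (the README in this same diff describes registering additional global and package-level checks on it), checks added through one call leak into all later calls, which the docstring fix in this hunk does not address. The conventional fix is `functionRegistry: Optional[FunctionRegistry] = None` in the signature and `if functionRegistry is None: functionRegistry = FunctionRegistry()` as the first statement of the body. While touching the docstring, consider splitting the single long line into a PEP 257 multi-line docstring with a one-line summary, an Args section for `filePath`, `strict_purl_check`, `strict_url_check` and the currently undocumented `functionRegistry`, and a Returns line for the status/problems tuple. The body of `validate` continues well beyond this hunk.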
@@ -213,9 +213,9 @@ def validate(self, filePath, strict_purl_check=False, strict_url_check=False, fu
 else:
 logger.debug(f"Package homepage is ({package.homepage})")
 if not validators.url(package.homepage):
- logger.debug("Package homepage is not a valid url")
+ logger.debug("Package homepage is not a valid URL")
 # Adding this to the problem list is not needed as the SPDX validator also adds it
- # problems.append(["Invalid field in Package", package.spdx_id, package.name, f"PackageHomePage is not a valid url ({package.homepage})"])
+ # problems.append(["Invalid field in Package", package.spdx_id, package.name, f"PackageHomePage is not a valid URL ({package.homepage})"])
 else:
 if strict_url_check:
 try:
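Review bot: The second change in this hunk edits a commented-out `problems.append(...)` line, which means dead code is now being maintained; the comment above it already records why the append is unnecessary, so delete the commented-out line rather than keep it in sync. The `else: if strict_url_check: try:` tail of the hunk leads into code (outside this hunk) that presumably contacts the `PackageHomePage` URL taken from the SBOM under validation, so with `strict_url_check` enabled the validator issues requests to whatever hosts an untrusted SBOM names; `validators.url` only checks syntax, so a scheme allowlist (http/https) and a request timeout there, plus a sentence in the `validate` docstring warning that strict checks perform network access driven by the input file, would be worth adding. `validate` itself starts and ends outside this hunk.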