fix(project CreateBom): use purl from SW360 instead of inventing it

We create a legacy BOM and convert it, so the purl has to be stored in the "RepositoryId", otherwise LegacySupport.legacy_component_to_cdx will ignore and re-build it. Closes #26
sw360 · Jul 12, 2023 · 66e4780 · 66e4780
1 parent 7292828
commit 66e4780
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 3 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -8,6 +8,7 @@
 ## NEXT
 
 * Be more resilient about missing metadata in CycloneDX SBOMs.
+* `project createbom` uses purl from SW360 if available instead of building it
 
 ## 2.0.0 (2023-06-02)
 

diff --git a/capycli/project/create_bom.py b/capycli/project/create_bom.py
@@ -93,10 +93,13 @@ def create_project_bom(self, project_id) -> list:
                 rel_item["Language"] = self.list_to_string(release_details.get("languages", ""))
                 rel_item["SourceCodeDownloadUrl"] = release_details.get("sourceCodeDownloadurl", "")
                 rel_item["BinaryDownloadUrl"] = release_details.get("binaryDownloadurl", "")
-                rel_item["Purl"] = self.get_external_id("purl", release_details)
-                if not rel_item["Purl"]:
+
+                rel_item["RepositoryId"] = self.get_external_id("package-url", release_details)
+                if not rel_item["RepositoryId"]:
                     # try another id name
-                    rel_item["Purl"] = self.get_external_id("package-url", release_details)
+                    rel_item["RepositoryId"] = self.get_external_id("purl", release_details)
+                if rel_item["RepositoryId"]:
+                    rel_item["RepositoryType"] = "package-url"
 
                 if "repository" in release_details:
                     rel_item["Repository"] = release_details["repository"].get("url", "")

diff --git a/tests/test_create_bom.py b/tests/test_create_bom.py
@@ -125,6 +125,50 @@ def test_project_not_found(self) -> None:
         except SystemExit as ex:
             self.assertEqual(ResultCode.RESULT_ERROR_ACCESSING_SW360, ex.code)
 
+    @responses.activate
+    def test_project_by_id(self):
+        sut = CreateBom()
+
+        self.add_login_response()
+        sut.login(token=TestBase.MYTOKEN, url=TestBase.MYURL)
+
+        # the project
+        project = self.get_project_for_test()
+        responses.add(
+            responses.GET,
+            url=self.MYURL + "resource/api/projects/p001",
+            json=project,
+            status=200,
+            content_type="application/json",
+            adding_headers={"Authorization": "Token " + self.MYTOKEN},
+        )
+
+        # the first release
+        responses.add(
+            responses.GET,
+            url=self.MYURL + "resource/api/releases/r001",
+            json=self.get_release_wheel_for_test(),
+            status=200,
+            content_type="application/json",
+            adding_headers={"Authorization": "Token " + self.MYTOKEN},
+        )
+
+        # the second release
+        release = self.get_release_cli_for_test()
+        # use a specific purl
+        release["externalIds"]["package-url"] = "pkg:deb/debian/cli-support@1.3-1"
+        responses.add(
+            responses.GET,
+            url=self.MYURL + "resource/api/releases/r002",
+            json=release,
+            status=200,
+            content_type="application/json",
+            adding_headers={"Authorization": "Token " + self.MYTOKEN},
+        )
+
+        cdx_bom = sut.create_project_cdx_bom("p001")
+        self.assertEqual(cdx_bom[0].purl, release["externalIds"]["package-url"])
+
     @responses.activate
     def test_project_show_by_name(self):
         sut = CreateBom()