- Fixed tests
- Added new files to the Dockerfile
- Added "middle element" to base_images_sbom_script.py to generate
  files consistent with merge_cachi2_sboms.py

Signed-off-by: Jindrich Luza <[email protected]>
midnightercz committed Oct 10, 2024
1 parent 9721f14 commit d757a6a
Showing 4 changed files with 56 additions and 22 deletions.
2 changes: 2 additions & 0 deletions sbom-utility-scripts/Dockerfile
Expand Up @@ -3,8 +3,10 @@ FROM registry.access.redhat.com/ubi9/python-39:1-192.1722518946@sha256:0176b4770
WORKDIR /scripts

COPY scripts/merge_syft_sboms.py /scripts
COPY scripts/merge_syft_sboms_spdx.py /scripts
COPY scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py /scripts
COPY scripts/create_purl_sbom.py /scripts
COPY scripts/create_purl_sbom_spdx.py /scripts
COPY scripts/base-images-sbom-script/app/base_images_sbom_script.py /scripts
COPY scripts/base-images-sbom-script/app/requirements.txt /scripts

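Review bot: `requirements.txt` is copied into /scripts next to `base_images_sbom_script.py`, but no `pip install` of it is visible in this hunk; if the install step is further down in the Dockerfile that is fine, otherwise the script's third-party imports will fail at runtime inside the image. A `RUN pip install --no-cache-dir -r /scripts/requirements.txt` directly after the COPY lines would keep the dependency step next to the file it consumes. The rest of the Dockerfile is outside this hunk.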
Expand Up @@ -122,12 +122,14 @@ def parse_args():


def map_relationships(relationships):
""" Map relationships of spdx element.
Method returns triplet containing root element, map of relations and inverse map of relations.
Root element is considered as element which is not listed as related document in any of the relationships.
Relationship map is dict of {key: value} where key is spdx element and list of related elements is the value.
Inverse map is dict of {key: value} where key is related spdx element in the relation ship and value is spdx element.
"""
"""Map relationships of spdx element.
Method returns triplet containing root element, map of relations and inverse map of relations.
Root element is considered as element which is not listed as related document
in any of the relationships. Relationship map is dict of {key: value} where key is spdx
element and list of related elements is the value.
Inverse map is dict of {key: value} where key is related spdx element in the relation ship
and value is spdx element.
"""

relations_map = {}
relations_inverse_map = {}
Expand All @@ -136,11 +138,13 @@ def map_relationships(relationships):
relations_map.setdefault(relation["spdxElementId"], []).append(relation["relatedSpdxElement"])
relations_inverse_map[relation["relatedSpdxElement"]] = relation["spdxElementId"]

parent_element = None
for parent_element in relations_map.keys():
if parent_element not in relations_inverse_map:
break
return parent_element, relations_map, relations_inverse_map


def main():

args = parse_args()
Expand All @@ -162,20 +166,37 @@ def main():
else:
sbom.update({"formulation": [{"components": base_images_sbom_components}]})
else:
root_element1, map1, inverse_map1 = map_relationships(sbom['relationships'])
package_ids = [package["SPDXID"] for package in sbom['packages']]
root_element1, map1, inverse_map1 = map_relationships(sbom["relationships"])

packages = []
relationships = []

# Try to calculate middle element based on the relationships maps.
# SPDX has usually root element which contains a wrapper element which then contains
# all of the other elements
middle_element1 = None
for r, contains in map1.items():
if contains and inverse_map1.get(r) == root_element1:
middle_element1 = r
# if not middle_element1:
# middle_element1 = root_element1
if not middle_element1:
middle_element1 = root_element1
middle_element1 = "SPDXRef-DocumentRoot-Unknown-"
packages.append(
{
"SPDXID": "SPDXRef-DocumentRoot-Unknown-",
"name": "",
}
)
relationships.append(
{
"spdxElementId": root_element1 or sbom["SPDXID"],
"relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-",
"relationshipType": "DESCRIBES",
}
)

packages = []
relationships = []
print("PACKAGES", packages)
annotation_date = datetime.datetime.now().isoformat()
for component in base_images_sbom_components:
# Calculate unique identifier SPDXID based on the component name and purl
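Review bot: `print("PACKAGES", packages)` just before `annotation_date` is computed looks like a leftover debug statement — at that point `packages` holds at most the synthetic root entry — and should be removed or routed through whatever logging the script uses. In the fallback branch `middle_element1 = root_element1` is immediately overwritten by `middle_element1 = "SPDXRef-DocumentRoot-Unknown-"`, so that line and the two commented-out lines above it are dead code. `map_relationships(sbom["relationships"])` raises KeyError on an SPDX document without a `relationships` key, while `merge_cachi2_sboms.py` in this same commit uses `.get("relationships", [])`; the minimal-SPDX test fixture was changed to add `"relationships": []` rather than cover that case, so `sbom.get("relationships", [])` here would keep both scripts consistent. The synthetic package carries only `SPDXID` and an empty `name`; SPDX 2.x lists `downloadLocation` as a mandatory package field, so the emitted document is worth checking against whichever validator the pipeline uses. `main()` begins before this hunk and continues past it.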
Expand Up @@ -534,7 +534,8 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate):
"SPDXID": "SPDXRef-Document",
"project_name": "MyProject",
"version": "1.0",
"packages": []
"packages": [],
"relationships": []
}"""
)

Expand All @@ -559,6 +560,10 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate):

expected_output = {
"packages": [
{
"SPDXID": "SPDXRef-DocumentRoot-Unknown-",
"name": "",
},
{
"SPDXID": "SPDXRef-container-quay.io/mkosiarc_rhtap/single-container-app-"
"9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c",
Expand Down Expand Up @@ -606,16 +611,21 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate):
],
"relationships": [
{
"relatedSpdxElement": "SPDXRef-container-quay.io/mkosiarc_rhtap/"
"single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c",
"relationshipType": "BUILD_TOOL_OF",
"relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-",
"relationshipType": "DESCRIBES",
"spdxElementId": "SPDXRef-Document",
},
{
"relatedSpdxElement": "SPDXRef-container-registry.access.redhat.com/"
"relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-",
"relationshipType": "BUILD_TOOL_OF",
"spdxElementId": "SPDXRef-container-quay.io/mkosiarc_rhtap/"
"single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c",
},
{
"spdxElementId": "SPDXRef-container-registry.access.redhat.com/"
"ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1",
"relationshipType": "BUILD_TOOL_OF",
"spdxElementId": "SPDXRef-Document",
"relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-",
},
],
}
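Review bot: The three relationship dicts in `expected_output` list their keys in two different orders (`relatedSpdxElement`, `relationshipType`, `spdxElementId` in the first two; `spdxElementId`, `relationshipType`, `relatedSpdxElement` in the third); dict equality is unaffected, but one consistent order lets the expected shape be scanned as a table. Adding `"relationships": []` to the minimal input fixture means no test now exercises an SPDX document that omits `relationships`, which is exactly the shape the script under test indexes with `sbom["relationships"]`; a second case with the key absent would pin the intended behavior either way. `test_main_input_sbom_spdx_minimal` begins before the first hunk of this file.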
Expand Up @@ -290,10 +290,9 @@ def _merge_tools_metadata(syft_sbom: dict[Any, Any], cachi2_sbom: dict[Any, Any]


def _merge_tools_metadata_spdx(syft_sbom: dict[Any, Any], cachi2_sbom: dict[Any, Any]) -> None:
"""Merge the creators in the metadata section of the SBOM.
"""
"""Merge the creators in the metadata section of the SBOM."""
cachi2_creators = cachi2_sbom["creationInfo"]["creators"]

for creator in cachi2_creators:
syft_sbom["creationInfo"]["creators"].append(creator)

Expand Down Expand Up @@ -364,7 +363,7 @@ def merge_annotations(annotations1, annotations2):

def merge_relationships(relationships1, relationships2, packages):
"""Merge SPDX relationships."""

def map_relationships(relationships):
relations_map = {}
relations_inverse_map = {}
Expand Down Expand Up @@ -465,7 +464,9 @@ def merge_sboms(cachi2_sbom_path: str, syft_sbom_path: str, format: str = "cyclo
syft_sbom["packages"] = merge_packages(syft_sbom, cachi2_sbom)

syft_sbom["relationships"] = merge_relationships(
syft_sbom.get("relationships", []), cachi2_sbom.get("relationships", []), syft_sbom["packages"]
syft_sbom.get("relationships", []),
cachi2_sbom.get("relationships", []),
syft_sbom["packages"],
)
packages_in_relationships = []
for relation in syft_sbom["relationships"]:
