From 0863133f458a7eb838cea6e20f2173d16c58a576 Mon Sep 17 00:00:00 2001 From: Jindrich Luza Date: Tue, 17 Sep 2024 10:44:17 +0200 Subject: [PATCH 01/12] Added SPDX format support in sbom scripts Signed-off-by: Jindrich Luza --- .../app/base_images_sbom_script.py | 60 +++- .../app/test_base_images_sbom_script.py | 119 ++++++- .../merge_cachi2_sboms.py | 332 +++++++++++++++++- .../test_merge_cachi2_sboms.py | 19 +- 4 files changed, 515 insertions(+), 15 deletions(-) diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py index ce2221f..82eecd4 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py +++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py @@ -1,5 +1,7 @@ -import json import argparse +import hashlib +import json +import datetime import pathlib from collections import namedtuple @@ -92,6 +94,13 @@ def parse_args(): description="Updates the sbom file with base images data based on the provided files" ) parser.add_argument("--sbom", type=pathlib.Path, help="Path to the sbom file", required=True) + parser.add_argument( + "--sbom-type", + choices=["spdx", "cyclonedx"], + default="cyclonedx", + help="Type of the sbom file", + required=True, + ) parser.add_argument( "--base-images-from-dockerfile", type=pathlib.Path, 
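Review bot: `--sbom-type` is declared with both `default="cyclonedx"` and `required=True`; a required option never falls back to its default, so the default is dead code and every existing invocation of this script that does not pass the new flag now fails at argument parsing. Since the CycloneDX path is the pre-existing behaviour, dropping `required=True` keeps old callers working and makes the default meaningful. The help text could also say what the default is, e.g. `help="Type of the sbom file (default: cyclonedx)"`.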
@@ -127,10 +136,53 @@ def main(): sbom = json.load(f) base_images_sbom_components = get_base_images_sbom_components(base_images_digests, is_last_from_scratch) - if "formulation" in sbom: - sbom["formulation"].append({"components": base_images_sbom_components}) + if args.sbom_type == "cyclonedx": + if "formulation" in sbom: + sbom["formulation"].append({"components": base_images_sbom_components}) + else: + sbom.update({"formulation": [{"components": base_images_sbom_components}]}) else: - sbom.update({"formulation": [{"components": base_images_sbom_components}]}) + packages = [] + relationships = [] + for component in base_images_sbom_components: + SPDXID = ( + f"SPDXRef-{component['type']}-{component['name']}-" + + f"{hashlib.sha256(component['purl'].encode()).hexdigest()}" + ) + packages.append( + { + "SPDXID": SPDXID, + "name": component["name"], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": component["purl"], + } + ], + "annotations": [ + { + "annotator": "konflux", + "annotationDate": datetime.datetime.now().isoformat(), + "annotationType": "OTHER", + "comment": json.dumps( + {"name": property["name"], "value": property["value"]}, + separators=(",", ":"), + ), + } + for property in component["properties"] + ], + } + ) + relationships.append( + { + "spdxElementId": sbom["SPDXID"], + "relatedSpdxElement": SPDXID, + "relationshipType": "BUILD_TOOL_OF", + } + ) + sbom["packages"] = sbom.get("packages", []) + packages + sbom["relationships"] = sbom.get("relationships", []) + relationships with args.sbom.open("w") as f: json.dump(sbom, f, indent=4) diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py index 6d36dcc..05e45dd 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py 
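Review bot: The SPDXID built from `component['name']` is not a valid SPDX identifier: SPDX 2.3 restricts the text after `SPDXRef-` to `[A-Za-z0-9.-]`, while image names contain `/` and `_` (the new test expects `SPDXRef-container-quay.io/mkosiarc_rhtap/...`), so validators and downstream consumers can reject the document. The sha256 of the purl already makes the id unique, so sanitizing the name with `re.sub(r"[^A-Za-z0-9.-]", "-", component["name"])` is enough (this needs `import re` at the top of the file). The relationship also looks inverted: per the SPDX definition of BUILD_TOOL_OF (A is used to build B), the base image should be the `spdxElementId` and the document the `relatedSpdxElement`, not the other way round. `datetime.datetime.now().isoformat()` emits a naive local timestamp with microseconds, whereas SPDX wants `YYYY-MM-DDThh:mm:ssZ` in UTC, and `sbom["SPDXID"]` raises KeyError on an input document that lacks the field; `main` continues past this hunk.
```python
# … unchanged: cyclonedx branch …
for component in base_images_sbom_components:
    # SPDX 2.3 allows only [A-Za-z0-9.-] after "SPDXRef-"; image names carry "/" and "_"
    safe_name = re.sub(r"[^A-Za-z0-9.-]", "-", component["name"])
    SPDXID = (
        f"SPDXRef-{component['type']}-{safe_name}-"
        + f"{hashlib.sha256(component['purl'].encode()).hexdigest()}"
    )
    # … unchanged: package dict, except the annotationDate value …
    "annotationDate": datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    # … unchanged …
    relationships.append(
        {
            # BUILD_TOOL_OF: spdxElementId (the base image) is used to build relatedSpdxElement
            "spdxElementId": SPDXID,
            "relatedSpdxElement": sbom["SPDXID"],
            "relationshipType": "BUILD_TOOL_OF",
        }
    )
```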
+++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py @@ -1,7 +1,7 @@ import pytest import json -from unittest.mock import MagicMock +from unittest.mock import MagicMock, patch from base_images_sbom_script import get_base_images_sbom_components, main, parse_image_reference_to_parts, ParsedImage @@ -467,7 +467,7 @@ def test_main_input_sbom_does_not_contain_formulation(tmp_path, mocker): ) # mock the parsed args, to avoid testing parse_args function - mock_args = MagicMock() + mock_args = MagicMock(sbom_type="cyclonedx") mock_args.sbom = sbom_file mock_args.base_images_from_dockerfile = base_images_from_dockerfile_file mock_args.base_images_digests = base_images_digests_file 
@@ -516,6 +516,117 @@ def test_main_input_sbom_does_not_contain_formulation(tmp_path, mocker): assert expected_output["formulation"] == sbom["formulation"] +@pytest.fixture +def isodate(): + with patch("datetime.datetime") as mock_datetime: + mock_datetime.now.return_value.isoformat.return_value = "2021-07-01T00:00:00Z" + yield mock_datetime + + +def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): + sbom_file = tmp_path / "sbom.json" + base_images_from_dockerfile_file = tmp_path / "base_images_from_dockerfile.txt" + base_images_digests_file = tmp_path / "base_images_digests.txt" + + # minimal input sbom file + sbom_file.write_text( + """{ + "SPDXID": "SPDXRef-Document", + "project_name": "MyProject", + "version": "1.0", + "packages": [] + }""" + ) + + # one builder images and one base image + base_images_from_dockerfile_file.write_text( + "quay.io/mkosiarc_rhtap/single-container-app:f2566ab\nregistry.access.redhat.com/ubi8/ubi:latest" + ) + base_images_digests_file.write_text( + "quay.io/mkosiarc_rhtap/single-container-app:f2566ab@sha256" + ":8f99627e843e931846855c5d899901bf093f5093e613a92745696a26b5420941\nregistry.access.redhat.com/ubi8/ubi" + ":latest@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac " + ) + + # mock the parsed args, to avoid testing parse_args function + mock_args = MagicMock(sbom_type="spdx") + mock_args.sbom = sbom_file + mock_args.base_images_from_dockerfile = base_images_from_dockerfile_file + mock_args.base_images_digests = base_images_digests_file + mocker.patch("base_images_sbom_script.parse_args", return_value=mock_args) + + main() + + expected_output = { + "packages": [ + { + "SPDXID": "SPDXRef-container-quay.io/mkosiarc_rhtap/single-container-app-" + "9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "name": "quay.io/mkosiarc_rhtap/single-container-app", + "externalRefs": [ + { + "referenceType": "purl", + "referenceLocator": "pkg:oci/single-container-app@sha256" + 
":8f99627e843e931846855c5d899901bf093f5093e613a92745696a26b5420941?repository_url" + "=quay.io/mkosiarc_rhtap/single-container-app", + "referenceCategory": "PACKAGE-MANAGER", + } + ], + "annotations": [ + { + "annotator": "konflux", + "annotationDate": "2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": '{"name":"konflux:container:is_builder_image:for_stage","value":"0"}', + } + ], + }, + { + "name": "registry.access.redhat.com/ubi8/ubi", + "SPDXID": "SPDXRef-container-registry.access.redhat.com/ubi8/ubi-" + "0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi@sha256:" + "627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac" + "?repository_url=registry.access.redhat.com/ubi8/ubi", + } + ], + "annotations": [ + { + "annotator": "konflux", + "annotationDate": "2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": '{"name":"konflux:container:is_base_image","value":"true"}', + } + ], + }, + ], + "relationships": [ + { + "relatedSpdxElement": "SPDXRef-container-quay.io/mkosiarc_rhtap/" + "single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "relationshipType": "BUILD_TOOL_OF", + "spdxElementId": "SPDXRef-Document", + }, + { + "relatedSpdxElement": "SPDXRef-container-registry.access.redhat.com/" + "ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", + "relationshipType": "BUILD_TOOL_OF", + "spdxElementId": "SPDXRef-Document", + }, + ], + } + + with sbom_file.open("r") as f: + sbom = json.load(f) + + assert expected_output["packages"] == sbom["packages"] + assert expected_output["relationships"] == sbom["relationships"] + + def test_main_input_sbom_does_not_contain_formulation_and_base_image_from_scratch(tmp_path, mocker): sbom_file = tmp_path / "sbom.json" base_images_from_dockerfile_file = tmp_path / "base_images_from_dockerfile.txt" 
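Review bot: `expected_output` pins SPDXIDs such as `SPDXRef-container-quay.io/mkosiarc_rhtap/single-container-app-...`, which contain `/` and `_` that the SPDX identifier grammar (`SPDXRef-[A-Za-z0-9.-]+`) does not allow, so this test locks in a non-conformant document rather than catching it. Worth adding a structural assertion alongside the golden comparison, e.g. `assert all(re.fullmatch(r"SPDXRef-[A-Za-z0-9.-]+", p["SPDXID"]) for p in sbom["packages"])`, so that a fix to the id generation is driven by the test instead of breaking it. The `isodate` fixture replaces `datetime.datetime` process-wide for the test's duration; that is fine here, but it would be clearer to patch `base_images_sbom_script.datetime` so the mock is scoped to the module under test.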
@@ -541,7 +652,7 @@ def test_main_input_sbom_does_not_contain_formulation_and_base_image_from_scratc ) # mock the parsed args, to avoid testing parse_args function - mock_args = MagicMock() + mock_args = MagicMock(sbom_type="cyclonedx") mock_args.sbom = sbom_file mock_args.base_images_from_dockerfile = base_images_from_dockerfile_file mock_args.base_images_digests = base_images_digests_file @@ -629,7 +740,7 @@ def test_main_input_sbom_contains_formulation(tmp_path, mocker): ) # mock the parsed args, to avoid testing parse_args function - mock_args = MagicMock() + mock_args = MagicMock(sbom_type="cyclonedx") mock_args.sbom = sbom_file mock_args.base_images_from_dockerfile = base_images_from_dockerfile_file mock_args.base_images_digests = base_images_digests_file diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py index 3473862..c9aad0c 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py @@ -5,6 +5,17 @@ from urllib.parse import quote_plus, urlsplit +class _ANY: + def __eq__(self, other): + return True + + def __hash__(self): + return hash("Any") + + +ANY = _ANY() + + def _is_syft_local_golang_component(component: dict) -> bool: """ Check if a Syft Golang reported component is a local replacement. 
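Review bot: `_ANY` compares equal to everything but hashes as a fixed constant, so `(name, ANY)` and `(name, "1.0")` are equal yet hash differently; a dict keyed on such tuples cannot find versioned entries through `[]`, which is why `merge_packages` later in this patch has to scan `list(cachi2_packages_map.keys())` linearly, and why its `except KeyError` fallback `cachi2_packages_map[(p["name"], ANY)]` itself raises KeyError whenever the Cachi2 package carries a `versionInfo` and the Syft package does not. A wildcard that breaks the hash/eq contract is hard to reason about; index Cachi2 packages by name instead, `by_name.setdefault(p["name"], []).append(p)`, and resolve the version match (or the single candidate) explicitly in `merge_packages`. If the sentinel is kept, it needs at least a comment stating that it only works with `==`/`in` scans over lists and never with `dict` lookups.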
@@ -17,6 +28,23 @@ def _is_syft_local_golang_component(component: dict) -> bool: ) +def _is_syft_local_golang_package(package: dict) -> bool: + """ + Check if a Syft Golang reported package is a local replacement. + + Local replacements are reported in a very different way by Cachi2, which is why the same + reports by Syft should be removed. + """ + for ref in package.get("externalRefs", []): + if ( + ref["referenceType"] == "purl" + and ref["referenceLocator"].startswith("pkg:golang") + and (package.get("name", "").startswith(".") or package.get("versionInfo", "") == "(devel)") + ): + return True + return False + + def _is_cachi2_non_registry_dependency(component: dict) -> bool: """ Check if Cachi2 component was fetched from a VCS or a direct file location. @@ -37,6 +65,29 @@ def _is_cachi2_non_registry_dependency(component: dict) -> bool: ) +def _is_cachi2_non_registry_dependency_spdx(package: dict) -> bool: + """ + Check if Cachi2 component was fetched from a VCS or a direct file location. + + Cachi2 reports non-registry package in a different way from Syft, so the reports from + Syft need to be removed. + + Unfortunately, there's no way to determine which components are non-registry by looking + at the Syft report alone. This function is meant to create a list of non-registry components + from Cachi2's SBOM, then remove the corresponding ones reported by Syft for the merged SBOM. + + Note that this function is only applicable for PyPI or NPM components. + """ + for ref in package.get("externalRefs", []): + if ref["referenceType"] == "purl": + purl = ref["referenceLocator"] + if (purl.startswith("pkg:pypi") or purl.startswith("pkg:npm")) and ( + "vcs_url=" in purl or "download_url=" in purl + ): + return True + return False + + def _unique_key_cachi2(component: dict) -> str: """ Create a unique key from Cachi2 reported components. 
@@ -49,6 +100,20 @@ def _unique_key_cachi2(component: dict) -> str: return url.scheme + ":" + url.path +def _unique_key_cachi2_spdx(package: dict) -> list[str]: + """ + Create a unique key from Cachi2 reported packages. + + Cachi2 produce unique packages and combining purls togher to package with the same name and version + """ + keys = [] + for ref in package.get("externalRefs", []): + if ref["referenceType"] == "purl": + url = urlsplit(ref["referenceLocator"]) + keys.append(url.scheme + ":" + url.path) + return keys + + def _unique_key_syft(component: dict) -> str: """ Create a unique key for Syft reported components. @@ -77,6 +142,42 @@ def _unique_key_syft(component: dict) -> str: return component["purl"] +def _unique_keys_syft_spdx(package: dict) -> str: + """ + Create a unique key for Syft reported components. + + This is done by taking a lowercase namespace/name, and URL encoding the version. + + Syft does not set any qualifier for NPM, Pip or Golang, so there's no need to remove them + as done in _unique_key_cachi2. + + If a Syft component lacks a purl (e.g. type OS), we'll use its name and version instead. + """ + for ref in package.get("externalRefs", []): + if ref["referenceType"] == "purl": + break + else: + return package.get("name", "") + "@" + package.get("versionInfo", "") + + keys = [] + + for ref in package.get("externalRefs", []): + if ref["referenceType"] == "purl": + purl = ref["referenceLocator"] + if "@" in purl: + name, version = purl.split("@") + + if name.startswith("pkg:pypi"): + name = name.lower() + + if name.startswith("pkg:golang"): + version = quote_plus(version) + keys.append(f"{name}@{version}") + else: + keys.append(purl) + return keys + + def _get_syft_component_filter(cachi_sbom_components: list[dict[str, Any]]) -> Callable: """ Get a function that filters out Syft components for the merged SBOM. 
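Review bot: `_unique_keys_syft_spdx` is annotated `-> str` but returns a `list[str]` on the purl path and a bare `str` on the no-purl path; `package_is_duplicated` then calls `set(keys)`, which for the string case yields a set of single characters and never matches a Cachi2 key, so packages without a purl silently bypass the key-based de-duplication. Return a list in both branches, `return [package.get("name", "") + "@" + package.get("versionInfo", "")]`, and fix the annotation to `-> list[str]`. `name, version = purl.split("@")` also raises ValueError if a purl contains more than one `@`; `purl.split("@", 1)` keeps the first separator as the name/version boundary. The docstring of `_unique_key_cachi2_spdx` has a typo ("togher") and would read better as "Cachi2 emits one purl per externalRef; a package with several purls yields several keys".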
@@ -114,6 +215,46 @@ def component_is_duplicated(component: dict[str, Any]) -> bool: return component_is_duplicated +def _get_syft_package_filter(cachi_sbom_packages: list[dict[str, Any]]) -> Callable: + """ + Get a function that filters out Syft components for the merged SBOM. + + This function currently considers a Syft component as a duplicate/removable if: + - it has the same key as a Cachi2 component + - it is a local Golang replacement + - is a non-registry component also reported by Cachi2 + + Note that for the last bullet, we can only rely on the Pip dependency's name to find a + duplicate. This is because Cachi2 does not report a non-PyPI Pip dependency's version. + + Even though multiple versions of a same dependency can be available in the same project, + we are removing all Syft instances by name only because Cachi2 will report them correctly, + given that it scans all the source code properly and the image is built hermetically. + """ + cachi2_non_registry_packages = [ + package["name"] for package in cachi_sbom_packages if _is_cachi2_non_registry_dependency_spdx(package) + ] + + cachi2_indexed_packages = {} + for package in cachi_sbom_packages: + for key in _unique_key_cachi2_spdx(package): + cachi2_indexed_packages[key] = package + + def is_duplicate_non_registry_package(package: dict[str, Any]) -> bool: + return package["name"] in cachi2_non_registry_packages + + def package_is_duplicated(package: dict[str, Any]) -> bool: + keys = _unique_keys_syft_spdx(package) + + return ( + _is_syft_local_golang_package(package) + or is_duplicate_non_registry_package(package) + or set(keys) & set(cachi2_indexed_packages.keys()) + ) + + return package_is_duplicated + + def _merge_tools_metadata(syft_sbom: dict[Any, Any], cachi2_sbom: dict[Any, Any]) -> None: """Merge the content of tools in the metadata section of the SBOM. 
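Review bot: `package_is_duplicated` rebuilds `set(cachi2_indexed_packages.keys())` on every call and `is_duplicate_non_registry_package` scans a list, so filtering is O(syft × cachi2) on what can be thousands of packages; hoist `cachi2_keys = set(cachi2_indexed_packages)` once in the enclosing function and build `cachi2_non_registry_packages` as a set. The closure is annotated `-> bool` but returns the intersection set on the third branch; wrap it as `return bool(... or set(keys) & cachi2_keys)` so callers get a real boolean. The docstring is copied from the CycloneDX variant and still says "Syft components"; it should say "packages" and mention that keys come from `_unique_keys_syft_spdx`.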
@@ -148,7 +289,170 @@ def _merge_tools_metadata(syft_sbom: dict[Any, Any], cachi2_sbom: dict[Any, Any] ) -def merge_sboms(cachi2_sbom_path: str, syft_sbom_path: str) -> str: +def _merge_tools_metadata_spdx(syft_sbom: dict[Any, Any], cachi2_sbom: dict[Any, Any]) -> None: + """Merge the content of tools in the metadata section of the SBOM. + + With CycloneDX 1.5, a new format for specifying tools was introduced, and the format from 1.4 + was marked as deprecated. + + This function aims to support both formats in the Syft SBOM. We're assuming the Cachi2 SBOM + was generated with the same version as this script, and it will be in the older format. + """ + cachi2_creators = cachi2_sbom["creationInfo"]["creators"] + + for creator in cachi2_creators: + syft_sbom["creationInfo"]["creators"].append(creator) + + +def merge_components(syft_sbom: dict, cachi2_sbom: dict) -> dict: + """Merge Cachi2 components into the Syft SBOM while removing duplicates.""" + is_duplicate_component = _get_syft_component_filter(cachi2_sbom["components"]) + filtered_syft_components = [c for c in syft_sbom.get("components", []) if not is_duplicate_component(c)] + return filtered_syft_components + cachi2_sbom["components"] + + +def merge_external_refs(refs1, refs2): + ref_tuples = [] + unique_refs2 = [] + + for ref in refs1: + ref_tuples.append( + ( + ref["referenceCategory"].lower(), + ref["referenceType"].lower(), + ref["referenceLocator"].lower(), + ) + ) + + for ref in refs2: + if ( + ref["referenceCategory"].lower(), + ref["referenceType"].lower(), + ref["referenceLocator"].lower(), + ) not in ref_tuples: + unique_refs2.append(ref) + return [ref for ref in refs1 + unique_refs2] + + +def merge_annotations(annotations1, annotations2): + annotation_tuples = [] + for annotation in annotations1: + annotation_tuples.append( + ( + annotation["annotator"], + annotation["comment"], + annotation["annotationDate"], + annotation["annotationType"], + ) + ) + for annotation in annotations2: + 
annotation_tuples.append( + ( + annotation["annotator"], + annotation["comment"], + annotation["annotationDate"], + annotation["annotationType"], + ) + ) + annotations = set(annotation_tuples) + return [ + { + "annotator": annotation[0], + "comment": annotation[1], + "annotationDate": annotation[2], + "annotationType": annotation[3], + } + for annotation in annotations + ] + + +def merge_relationships(relationships1, relationships2, packages): + def map_relationships(relationships): + relations_map = {} + relations_inverse_map = {} + + for relation in relationships: + relations_map.setdefault(relation["spdxElementId"], []).append(relation["relatedSpdxElement"]) + relations_inverse_map[relation["relatedSpdxElement"]] = relation["spdxElementId"] + + for parent_element in relations_map.keys(): + if parent_element not in relations_inverse_map: + break + return parent_element, relations_map, relations_inverse_map + + relationships = [] + + root_element1, map1, inverse_map1 = map_relationships(relationships1) + root_element2, map2, inverse_map2 = map_relationships(relationships2) + package_ids = [package["SPDXID"] for package in packages] + for r, contains in map2.items(): + if contains and inverse_map2.get(r) == root_element2: + middle_element2 = r + for r, contains in map1.items(): + if contains and inverse_map1.get(r) == root_element1: + middle_element1 = r + + for relation in relationships2: + _relation = { + "spdxElementId": relation["spdxElementId"], + "relatedSpdxElement": relation["relatedSpdxElement"], + "relationshipType": relation["relationshipType"], + } + if _relation["spdxElementId"] == root_element2: + _relation["spdxElementId"] = root_element1 + elif relation["relatedSpdxElement"] == root_element2: + _relation["relatedSpdxElement"] = root_element1 + + if _relation["relatedSpdxElement"] in package_ids: + relationships.append(_relation) + elif _relation["spdxElementId"] in package_ids: + relationships.append(_relation) + + for relation in relationships1: + 
_relation = { + "spdxElementId": relation["spdxElementId"], + "relatedSpdxElement": relation["relatedSpdxElement"], + "relationshipType": relation["relationshipType"], + } + if _relation["relatedSpdxElement"] == middle_element1: + continue + if _relation["spdxElementId"] == middle_element1: + _relation["spdxElementId"] = middle_element2 + if relation["relatedSpdxElement"] in package_ids: + relationships.append(_relation) + return relationships + + +def merge_packages(syft_sbom: dict, cachi2_sbom: dict) -> dict: + """Merge Cachi2 packages into the Syft SBOM while removing duplicates.""" + + is_duplicate_package = _get_syft_package_filter(cachi2_sbom["packages"]) + cachi2_packages_map = {(p["name"], p.get("versionInfo", ANY)): p for p in cachi2_sbom["packages"]} + + filtered_packages = [] + for p in syft_sbom.get("packages", []): + if is_duplicate_package(p): + if (p["name"], p.get("versionInfo", ANY)) in list(cachi2_packages_map.keys()): + try: + cpackage = cachi2_packages_map[(p["name"], p.get("versionInfo"))] + except KeyError: + cpackage = cachi2_packages_map[(p["name"], ANY)] + cpackage["externalRefs"] = sorted( + merge_external_refs(cpackage.get("externalRefs", []), p.get("externalRefs", [])), + key=lambda x: ( + x["referenceCategory"], + x["referenceType"], + x["referenceLocator"], + ), + ) + cpackage["annotations"] = merge_annotations(cpackage.get("annotations", []), p.get("annotations", [])) + else: + filtered_packages.append(p) + + return filtered_packages + cachi2_sbom["packages"] + + +def merge_sboms(cachi2_sbom_path: str, syft_sbom_path: str, format: str = "cyclonedx") -> str: """Merge Cachi2 components into the Syft SBOM while removing duplicates.""" with open(cachi2_sbom_path) as file: cachi2_sbom = json.load(file) 
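Review bot: `merge_annotations` builds its result by iterating a `set` of string tuples, so the order of annotations in the merged SBOM changes from run to run under Python's per-process hash randomization; for an artifact that is meant to be attested or signed and compared against golden files this should be deterministic, so iterate `for annotation in sorted(annotations)` instead. `merge_relationships` appears to rely on `parent_element`, `middle_element1` and `middle_element2` being bound by loops that may not execute (no relationships, or no element that is both a CONTAINS source and a child of the root), which would raise UnboundLocalError rather than a clear error; please guard those cases explicitly. The docstring of `_merge_tools_metadata_spdx` is copied from the CycloneDX function and talks about CycloneDX 1.5 tool formats; it should instead say that it appends Cachi2's `creationInfo.creators` to Syft's without de-duplication. `merge_packages` mutates the Cachi2 package dicts in place, which is worth a comment, and `merge_sboms` continues beyond this hunk.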
@@ -156,13 +460,28 @@ def merge_sboms(cachi2_sbom_path: str, syft_sbom_path: str) -> str: with open(syft_sbom_path) as file: syft_sbom = json.load(file) - is_duplicate_component = _get_syft_component_filter(cachi2_sbom["components"]) + if format == "cyclonedx": + syft_sbom["components"] = merge_components(syft_sbom, cachi2_sbom) + _merge_tools_metadata(syft_sbom, cachi2_sbom) + else: + syft_sbom["packages"] = merge_packages(syft_sbom, cachi2_sbom) - filtered_syft_components = [c for c in syft_sbom.get("components", []) if not is_duplicate_component(c)] + syft_sbom["relationships"] = merge_relationships( + syft_sbom.get("relationships", []), cachi2_sbom.get("relationships", []), syft_sbom["packages"] + ) + packages_in_relationships = [] + for relation in syft_sbom["relationships"]: + packages_in_relationships.append(relation["spdxElementId"]) + packages_in_relationships.append(relation["relatedSpdxElement"]) - syft_sbom["components"] = filtered_syft_components + cachi2_sbom["components"] + filtered_packages = [] + # Remove packages which don't have any relationships + for package in syft_sbom["packages"]: + if package["SPDXID"] in packages_in_relationships: + filtered_packages.append(package) + syft_sbom["packages"] = filtered_packages - _merge_tools_metadata(syft_sbom, cachi2_sbom) + _merge_tools_metadata_spdx(syft_sbom, cachi2_sbom) return json.dumps(syft_sbom, indent=2) @@ -172,9 +491,10 @@ def merge_sboms(cachi2_sbom_path: str, syft_sbom_path: str) -> str: parser.add_argument("cachi2_sbom_path") parser.add_argument("syft_sbom_path") + parser.add_argument("--sbom-format", default="cyclonedx", choices=["cyclonedx", "spdx"]) args = parser.parse_args() - merged_sbom = merge_sboms(args.cachi2_sbom_path, args.syft_sbom_path) + merged_sbom = merge_sboms(args.cachi2_sbom_path, args.syft_sbom_path, format=args.sbom_format) print(merged_sbom) 
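Review bot: Any `format` value other than `"cyclonedx"` falls into the SPDX branch, so a typo from a library caller silently produces an SPDX-style merge of a CycloneDX document; make it `elif format == "spdx":` and `raise ValueError(f"unsupported SBOM format: {format}")` otherwise (the parameter also shadows the `format` builtin; `sbom_format` would match the CLI flag). The final loop drops every package that is not referenced by a relationship, which silently removes content from the merged SBOM; at minimum the dropped SPDXIDs should be reported (e.g. to stderr) so a missing package can be traced back to this step rather than to the scanners. Appending Cachi2's creators without de-duplication can also leave repeated `Tool:` entries when the same tool appears on both sides.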
diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py index b88c945..761d7ae 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py @@ -1,6 +1,7 @@ import json from pathlib import Path -from typing import Any +from typing import Any, Generator +from unittest.mock import patch import pytest @@ -45,6 +46,22 @@ def test_merge_sboms(data_dir: Path) -> None: assert json.loads(result) == expected_sbom +@pytest.fixture +def isodate() -> Generator: + with patch("datetime.datetime") as mock_datetime: + mock_datetime.now.return_value.isoformat.return_value = "2021-07-01T00:00:00Z" + yield mock_datetime + + +def test_merge_sboms_spdx(data_dir: Path, isodate: Generator) -> None: + result = merge_sboms(f"{data_dir}/cachi2.bom.spdx.json", f"{data_dir}/syft.bom.spdx.json", format="spdx") + + with open(f"{data_dir}/merged.bom.spdx.json") as file: + expected_sbom = json.load(file) + + assert json.loads(result) == expected_sbom + + @pytest.mark.parametrize( "syft_tools_metadata, expected_result", [ From 277939aea45e6f01b20221d8d95f9db2ae386aed Mon Sep 17 00:00:00 2001 From: Jindrich Luza Date: Tue, 17 Sep 2024 11:14:08 +0200 Subject: [PATCH 02/12] Added test files Signed-off-by: Jindrich Luza --- .../test_data/cachi2.bom.spdx.json | 1 + .../test_data/merged.bom.spdx.json | 850 ++++++++++++++++++ .../test_data/syft.bom.spdx.json | 1 + 3 files changed, 852 insertions(+) create mode 100644 sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json create mode 100644 sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json create mode 100644 sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json 
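Review bot: `test_merge_sboms_spdx` requests the `isodate` fixture, but none of the `merge_cachi2_sboms.py` hunks in this patch use `datetime`, so the fixture appears to have no effect here and looks copied from the base-images test; if that is the case drop it, and if a timestamp is involved somewhere outside the visible diff, a comment saying which one would help. The golden comparison `json.loads(result) == expected_sbom` is order-sensitive, while `merge_annotations` emits annotations in `set` iteration order, so this test can become flaky under hash randomization as soon as a merged package carries more than one annotation.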
diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json
new file mode 100644
index 0000000..9cfcdf2
--- /dev/null
+++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json
@@ -0,0 +1 @@ +{"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "unknown", "documentNamespace": "https://anchore.com/cachi2/unknown-source-type/unknown-39ed26e1-4737-4096-b565-7153db20b96d", "creationInfo": {"licenseListVersion": "3.24", "creators": ["Organization: Anchore, Inc", "Tool: cachi2-"], "created": "2024-09-12T14:07:37Z"}, "packages": [{"name": "", "SPDXID": "SPDXRef-DocumentRoot-Unknown-", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "primaryPackagePurpose": "OTHER"}, {"name": "PyYAML", "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", "versionInfo": "6.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/pyyaml@6.0"}]}, {"name": "aiowsgi", "SPDXID": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", "versionInfo": "0.8", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/aiowsgi@0.8"}]}, {"name": "appr", "SPDXID": "SPDXRef-Package-python-appr-d869da81f0adbece", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", 
"externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/appr?checksum=sha256:ee6a0a38bed8cff46a562ed3620bc453141a02262ab0c8dd055824af2829ee5c&download_url=https://github.com/quay/appr/archive/37ff9a487a54ad41b59855ecd76ee092fe206a84.zip"}]}, {"name": "archive/tar", "SPDXID": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/archive/tar?type=package"}]}, {"name": "cachi2", "SPDXID": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", "versionInfo": "0.0.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/cachi2@0.0.1?vcs_url=git%2Bssh://git%40github.com/containerbuildsystem/cachi2%40fc0d6079c2dc9b2a491c0848e550ad3509986110"}]}, {"name": "cachito-npm-without-deps", "SPDXID": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": 
"pkg:npm/cachito-npm-without-deps?vcs_url=git%2Bhttps://github.com/cachito-testing/cachito-npm-without-deps.git%402f0ce1d7b1f8b35572d919428b965285a69583f6"}]}, {"name": "code.gitea.io/sdk/gitea", "SPDXID": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", "versionInfo": "v0.15.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=module"}]}, {"name": "fecha", "SPDXID": "SPDXRef-Package-npm-fecha-874399c7dda48850", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/fecha?checksum=sha512:8ae71e98d68e38e1f6e4c629187684dd85e4dc96647c7219b1dd189598ea52865e947f0ad94a7001fa8fb5eccf58467fe34ad10066e831af3374120134604bd5&download_url=https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz"}]}, {"name": "github.com/cachito-testing/gomod-pandemonium/terminaltor", "SPDXID": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", "versionInfo": "v1.0.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", 
"referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=module"}]}, {"name": "github.com/docker/cli", "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", "versionInfo": "v23.0.0-rc.3+incompatible", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3%2Bincompatible?type=module"}]}, {"name": "github.com/docker/cli/cli/config", "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", "versionInfo": "v23.0.0-rc.3+incompatible", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/docker/cli/cli/config@v23.0.0-rc.3%2Bincompatible?type=package"}]}, {"name": "github.com/redhat-appstudio/build-service", "SPDXID": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", "versionInfo": "v0.0.0-20230503110830-d1a9e858489d", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": 
"pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=module"}]}, {"name": "knative.dev/pkg", "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", "versionInfo": "v0.0.0-20230125083639-408ad0773f47", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47?type=module"}]}, {"name": "knative.dev/pkg/metrics", "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", "versionInfo": "v0.0.0-20230125083639-408ad0773f47", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/knative.dev/pkg/metrics@v0.0.0-20230125083639-408ad0773f47?type=package"}]}, {"name": "test_package_cachi2", "SPDXID": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", "versionInfo": "1.0.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/test-package-cachi2@1.0.0?vcs_url=git%2Bssh://git%40github.com/brunoapimentel/pip-e2e-test.git%40294df352deed835cf703ae8a799926418ae5fd3b"}]}], "relationships": 
[{"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-python-appr-d869da81f0adbece", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-npm-fecha-874399c7dda48850", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": 
"SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", "relationshipType": "DESCRIBES"}]}
diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json
new file mode 100644
index 0000000..3f8ed39
--- /dev/null
+++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json
@@ -0,0 +1,850 @@ +{ + "spdxVersion": "SPDX-2.3", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b", + "documentNamespace": "https://anchore.com/syft/file/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b-8efaed6f-2f42-453b-b9dd-3fb60491d7cf", + "creationInfo": { + "licenseListVersion": "3.24", + "creators": [ + "Organization: Anchore, Inc", + "Tool: syft-0.100.0", + "Organization: Anchore, Inc", + "Tool: cachi2-" + ], + "created": "2024-09-12T14:07:12Z" + }, + "packages": [ + { + "name": "bash", + "SPDXID": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", + "versionInfo": "4.4.20-4.el8_6", + "supplier": "Organization: Red Hat, Inc.", + "originator": "Organization: Red Hat, Inc.", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from RPM DB: var/lib/rpm/Packages", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:redhat:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:bash:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:rpm/rhel/bash@4.4.20-4.el8_6?arch=x86_64&upstream=bash-4.4.20-4.el8_6.src.rpm&distro=rhel-8.7" + } + ] + }, + { + "SPDXID": "SPDXRef-DocumentRoot-Unknown-", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "", + "primaryPackagePurpose": "OTHER", + "supplier": "NOASSERTION" + }, + { + "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "copyrightText": "NOASSERTION", 
+ "downloadLocation": "NOASSERTION", + "annotations": [], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:pypi/pyyaml@6.0", + "referenceType": "purl" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:PyYAML:PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:kirill_simonov:PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:kirill_simonov:python-PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:kirill_simonov:python_PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python-PyYAML:PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python-PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python-PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python:PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python:python-PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python:python_PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" 
+ }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python_PyYAML:PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python_PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python_PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:xi:PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:xi:python-PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:xi:python_PyYAML:6.0:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + } + ], + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "PyYAML", + "sourceInfo": "acquired package info from installed python package manifest file: ", + "supplier": "NOASSERTION", + "versionInfo": "6.0" + }, + { + "SPDXID": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", + "annotations": [], + "copyrightText": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:pypi/aiowsgi@0.8", + "referenceType": "purl" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": 
"cpe:2.3:a:gael:aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:gael:python-aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:gael:python_aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python-aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python_aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python-aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python-aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python-aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python:aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python:python-aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python:python_aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python_aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": 
"cpe:2.3:a:python_aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python_aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + } + ], + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "aiowsgi", + "sourceInfo": "acquired package info from installed python package manifest file: ", + "supplier": "NOASSERTION", + "versionInfo": "0.8" + }, + { + "SPDXID": "SPDXRef-Package-python-appr-d869da81f0adbece", + "copyrightText": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "annotations": [], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:pypi/appr?checksum=sha256:ee6a0a38bed8cff46a562ed3620bc453141a02262ab0c8dd055824af2829ee5c&download_url=https://github.com/quay/appr/archive/37ff9a487a54ad41b59855ecd76ee092fe206a84.zip", + "referenceType": "purl" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:pypi/appr@0.7.4", + "referenceType": "purl" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:2t-antoine:appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:2t-antoine:python-appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:2t-antoine:python_appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:2t_antoine:appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:2t_antoine:python-appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:2t_antoine:python_appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": 
"cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:antoine_legrand:appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:antoine_legrand:python-appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:antoine_legrand:python_appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:appr:appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:appr:python-appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:appr:python_appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python-appr:appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python-appr:python-appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python-appr:python_appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python:appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python:python-appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python:python_appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python_appr:appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", 
+ "referenceLocator": "cpe:2.3:a:python_appr:python-appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:python_appr:python_appr:0.7.4:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + } + ], + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "appr", + "sourceInfo": "acquired package info from installed python package manifest file: ", + "supplier": "NOASSERTION" + }, + { + "SPDXID": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", + "copyrightText": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:golang/archive/tar?type=package", + "referenceType": "purl" + } + ], + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "archive/tar", + "sourceInfo": "acquired package info from go module information: ", + "supplier": "NOASSERTION" + }, + { + "name": "cachi2", + "SPDXID": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", + "versionInfo": "0.0.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/cachi2@0.0.1?vcs_url=git%2Bssh://git%40github.com/containerbuildsystem/cachi2%40fc0d6079c2dc9b2a491c0848e550ad3509986110" + } + ] + }, + { + "name": "cachito-npm-without-deps", + "SPDXID": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", + "annotations": [], + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed node module 
manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:npm/cachito-npm-without-deps?vcs_url=git%2Bhttps://github.com/cachito-testing/cachito-npm-without-deps.git%402f0ce1d7b1f8b35572d919428b965285a69583f6" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:npm/cachito-npm-without-deps@git+https://github.com/cachito-testing/cachito-npm-without-deps.git%232f0ce1d7b1f8b35572d919428b965285a69583f6", + "referenceType": "purl" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:*:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:*:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:cachito-npm-without-deps:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:cachito-npm-without-deps:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": 
"cpe:2.3:a:cachito-npm-without:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:cachito-npm-without:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:cachito-npm:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:cachito-npm:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:cachito:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:cachito:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:cachito_npm:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": 
"cpe:2.3:a:cachito_npm:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:cachito_npm_without:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:cachito_npm_without:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:cachito_npm_without_deps:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:cachito_npm_without_deps:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + } + ] + }, + { + "name": "code.gitea.io/sdk/gitea", + "SPDXID": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", + "annotations": [], + "versionInfo": "v0.15.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": 
"pkg:golang/code.gitea.io/sdk/gitea@v0.15.1" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=module" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:sdk:gitea:v0.15.1:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + } + ] + }, + { + "name": "fecha", + "SPDXID": "SPDXRef-Package-npm-fecha-874399c7dda48850", + "annotations": [], + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed node module manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:npm/fecha?checksum=sha512:8ae71e98d68e38e1f6e4c629187684dd85e4dc96647c7219b1dd189598ea52865e947f0ad94a7001fa8fb5eccf58467fe34ad10066e831af3374120134604bd5&download_url=https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceLocator": "pkg:npm/fecha@https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz", + "referenceType": "purl" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:*:fecha:https\\:\\/\\/github.com\\/taylorhakes\\/fecha\\/archive\\/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:fecha:fecha:https\\:\\/\\/github.com\\/taylorhakes\\/fecha\\/archive\\/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + } + ] + }, + { + "name": "github.com/cachito-testing/gomod-pandemonium/terminaltor", + "SPDXID": 
"SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", + "versionInfo": "v1.0.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=module" + } + ] + }, + { + "name": "github.com/docker/cli", + "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", + "annotations": [], + "versionInfo": "v23.0.0-rc.3+incompatible", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3%2Bincompatible?type=module" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3+incompatible" + }, + { + "referenceCategory": "SECURITY", + "referenceLocator": "cpe:2.3:a:docker:cli:v23.0.0-rc.3\\+incompatible:*:*:*:*:*:*:*", + "referenceType": "cpe23Type" + } + ] + }, + { + "name": "github.com/docker/cli/cli/config", + "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", + "versionInfo": "v23.0.0-rc.3+incompatible", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + 
"licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/docker/cli/cli/config@v23.0.0-rc.3%2Bincompatible?type=package" + } + ] + }, + { + "name": "github.com/redhat-appstudio/build-service", + "SPDXID": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", + "versionInfo": "v0.0.0-20230503110830-d1a9e858489d", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=module" + } + ] + }, + { + "name": "knative.dev/pkg", + "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", + "annotations": [], + "versionInfo": "v0.0.0-20230125083639-408ad0773f47", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47?type=module" + } + ] + }, + { + "name": "knative.dev/pkg/metrics", + "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", + "versionInfo": "v0.0.0-20230125083639-408ad0773f47", + 
"supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/knative.dev/pkg/metrics@v0.0.0-20230125083639-408ad0773f47?type=package" + } + ] + }, + { + "name": "test_package_cachi2", + "SPDXID": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", + "versionInfo": "1.0.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/test-package-cachi2@1.0.0?vcs_url=git%2Bssh://git%40github.com/brunoapimentel/pip-e2e-test.git%40294df352deed835cf703ae8a799926418ae5fd3b" + } + ] + } + ], + "relationships": [ + { + "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-python-appr-d869da81f0adbece", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", + "relationshipType": "CONTAINS", + 
"spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-npm-fecha-874399c7dda48850", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" + }, + { + "relatedSpdxElement": 
"SPDXRef-DocumentRoot-Unknown-",
+ "relationshipType": "DESCRIBES",
+ "spdxElementId": "SPDXRef-DOCUMENT"
+ },
+ {
+ "relatedSpdxElement": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d",
+ "relationshipType": "CONTAINS",
+ "spdxElementId": "SPDXRef-DocumentRoot-Unknown-"
+ }
+ ]
+}
diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json
new file mode 100644
index 0000000..4d8dbcf
--- /dev/null
+++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json
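Review bot: The expected merge output pins a creationInfo.creators list (top of the hunk) in which `"Organization: Anchore, Inc"` appears twice and `"Tool: cachi2-"` carries an empty version suffix; if the merge script is meant to de-duplicate creators and record the actual cachi2 version, this fixture makes the test pass on the wrong behaviour, so confirm that is intended before it lands. The same fixture keeps two purl externalRefs for a single package — for example `pkg:golang/code.gitea.io/sdk/gitea@v0.15.1` next to `pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=module`, and likewise for github.com/docker/cli and knative.dev/pkg — so downstream consumers (vulnerability matching, license reporting) will see one component under two locators; if that is deliberate, a one-line comment in the test that loads this file saying why both forms are retained would help the next maintainer. The merge script itself is outside this chunk, so these points are inferred from the fixture alone.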
@@ -0,0 +1 @@ +{"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b", "documentNamespace": "https://anchore.com/syft/file/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b-8efaed6f-2f42-453b-b9dd-3fb60491d7cf", "creationInfo": {"licenseListVersion": "3.24", "creators": ["Organization: Anchore, Inc", "Tool: syft-0.100.0"], "created": "2024-09-12T14:07:12Z"}, "packages": [{"name": "", "SPDXID": "SPDXRef-DocumentRoot-File-", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "primaryPackagePurpose": "FILE"}, {"name": "./terminaltor", "SPDXID": "SPDXRef-Package-go-module-.-terminaltor-1b79094a8c283d88", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: opt/app-root/src/go.mod", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/./terminaltor"}]}, {"name": "./terminaltor", "SPDXID": "SPDXRef-Package-go-module-.-terminaltor-9c8431f4d44b5c65", "versionInfo": "(devel)", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: opt/app-root/src/main", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/./terminaltor@(devel)"}]}, {"name": "PyYAML", "SPDXID": "SPDXRef-Package-python-PyYAML-0172906cb007d3b6", "versionInfo": "6.0", "supplier": "Person: Kirill Simonov 
(xi@resolvent.net)", "originator": "Person: Kirill Simonov (xi@resolvent.net)", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: usr/local/lib64/python3.11/site-packages/PyYAML-6.0.dist-info/METADATA, usr/local/lib64/python3.11/site-packages/PyYAML-6.0.dist-info/RECORD, usr/local/lib64/python3.11/site-packages/PyYAML-6.0.dist-info/top_level.txt", "licenseConcluded": "NOASSERTION", "licenseDeclared": "MIT", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", 
"referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/PyYAML@6.0"}]}, {"name": "aiowsgi", "SPDXID": "SPDXRef-Package-python-aiowsgi-b32dee5d93047994", "versionInfo": "0.8", "supplier": "Person: Gael Pasgrimaud (gael@gawel.org)", "originator": "Person: Gael Pasgrimaud (gael@gawel.org)", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: opt/app-root/lib/python3.9/site-packages/aiowsgi-0.8.dist-info/METADATA, opt/app-root/lib/python3.9/site-packages/aiowsgi-0.8.dist-info/RECORD, opt/app-root/lib/python3.9/site-packages/aiowsgi-0.8.dist-info/top_level.txt", "licenseConcluded": "NOASSERTION", "licenseDeclared": "MIT", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, 
{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": 
"SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/aiowsgi@0.8"}]}, {"name": "appr", "SPDXID": "SPDXRef-Package-python-appr-93a64d044490691c", "versionInfo": "0.7.4", "supplier": "Person: Antoine Legrand (2t.antoine@gmail.com)", "originator": "Person: Antoine Legrand (2t.antoine@gmail.com)", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: opt/app-root/lib/python3.9/site-packages/appr-0.7.4-py3.9.egg-info/PKG-INFO, opt/app-root/lib/python3.9/site-packages/appr-0.7.4-py3.9.egg-info/top_level.txt", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:antoine_legrand:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:antoine_legrand:python_appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-appr:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-appr:python_appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_appr:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_appr:python_appr:0.7.4:*:*:*:*:*:*:*"}, 
{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:2t-antoine:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:2t-antoine:python_appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:2t_antoine:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:2t_antoine:python_appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:antoine_legrand:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python_appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:appr:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:appr:python_appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-appr:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_appr:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:2t-antoine:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:2t_antoine:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": 
"cpe:2.3:a:appr:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/appr@0.7.4"}]}, {"name": "bash", "SPDXID": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", "versionInfo": "4.4.20-4.el8_6", "supplier": "Organization: Red Hat, Inc.", "originator": "Organization: Red Hat, Inc.", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from RPM DB: var/lib/rpm/Packages", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:bash:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/rhel/bash@4.4.20-4.el8_6?arch=x86_64&upstream=bash-4.4.20-4.el8_6.src.rpm&distro=rhel-8.7"}]}, {"name": "cachi2", "SPDXID": "SPDXRef-Package-python-cachi2-71a99443e114c112", "versionInfo": "0.0.post1+gdfd2180.d20230704", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: src/cachi2.egg-info/PKG-INFO, src/cachi2.egg-info/top_level.txt", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-cachi2:python-cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-cachi2:python_cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": 
"cpe:2.3:a:python_cachi2:python-cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_cachi2:python_cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachi2:python-cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachi2:python_cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-cachi2:cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python_cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_cachi2:cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachi2:cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/cachi2@0.0.post1+gdfd2180.d20230704"}]}, {"name": "cachito-npm-without-deps", "SPDXID": "SPDXRef-Package-npm-cachito-npm-without-deps-72138119b55a065d", "versionInfo": "git+https://github.com/cachito-testing/cachito-npm-without-deps.git#2f0ce1d7b1f8b35572d919428b965285a69583f6", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", 
"filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module manifest file: opt/app-root/src/package-lock.json", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito-npm-without-deps:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito-npm-without-deps:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito_npm_without_deps:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito_npm_without_deps:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito-npm-without:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito-npm-without:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", 
"referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito_npm_without:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito_npm_without:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito-npm:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito-npm:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito_npm:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito_npm:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": 
"cpe:2.3:a:cachito:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:*:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:*:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/cachito-npm-without-deps@git+https://github.com/cachito-testing/cachito-npm-without-deps.git%232f0ce1d7b1f8b35572d919428b965285a69583f6"}]}, {"name": "code.gitea.io/sdk/gitea", "SPDXID": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-3172f131171fcbf8", "versionInfo": "v0.15.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "checksums": [{"algorithm": "SHA256", "checksumValue": "589ade0bb618bb16e7d140da3ee5887bf9ad88d293bcb37c30b91ac3bd72c7f3"}], "sourceInfo": "acquired package info from go module information: manager", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:sdk:gitea:v0.15.1:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1"}]}, {"name": "fecha", "SPDXID": "SPDXRef-Package-npm-fecha-ff4ad17b28d08441", "versionInfo": "https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz", "supplier": "NOASSERTION", "downloadLocation": 
"NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module manifest file: opt/app-root/src/package-lock.json", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:fecha:fecha:https\\:\\/\\/github.com\\/taylorhakes\\/fecha\\/archive\\/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:*:fecha:https\\:\\/\\/github.com\\/taylorhakes\\/fecha\\/archive\\/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/fecha@https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz"}]}, {"name": "github.com/docker/cli", "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-1671a7feec4073fe", "versionInfo": "v23.0.0-rc.3+incompatible", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "checksums": [{"algorithm": "SHA256", "checksumValue": "38fadc503ae902956b559b19072212b79d73203ec74f45710ca6bfa27bd4ccea"}], "sourceInfo": "acquired package info from go module information: manager", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:docker:cli:v23.0.0-rc.3\\+incompatible:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3+incompatible"}]}, {"name": "github.com/redhat-appstudio/build-service", "SPDXID": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-5719506d15c0a3dd", "versionInfo": "(devel)", "supplier": "NOASSERTION", 
"downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: manager", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat-appstudio:build-service:\\(devel\\):*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat-appstudio:build_service:\\(devel\\):*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat_appstudio:build-service:\\(devel\\):*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat_appstudio:build_service:\\(devel\\):*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat:build-service:\\(devel\\):*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat:build_service:\\(devel\\):*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@(devel)"}]}, {"name": "knative.dev/pkg", "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-8ce424e944b2a02f", "versionInfo": "v0.0.0-20230125083639-408ad0773f47", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "checksums": [{"algorithm": "SHA256", "checksumValue": "ce544eef05ce1d56202afb02de721a606a9e40694b24bf04214637d11877ec8b"}], "sourceInfo": "acquired package info from go module information: manager", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": 
"pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47"}]}], "relationships": [{"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-.-terminaltor-1b79094a8c283d88", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-.-terminaltor-9c8431f4d44b5c65", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-0172906cb007d3b6", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-aiowsgi-b32dee5d93047994", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-appr-93a64d044490691c", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-cachi2-71a99443e114c112", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-npm-cachito-npm-without-deps-72138119b55a065d", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-3172f131171fcbf8", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-npm-fecha-ff4ad17b28d08441", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-1671a7feec4073fe", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-5719506d15c0a3dd", 
"relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-8ce424e944b2a02f", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-DocumentRoot-File-", "relationshipType": "DESCRIBES"}]}
From 53d222703671570f3ac8060a60eea92b8e5bd8ab Mon Sep 17 00:00:00 2001
From: Jindrich Luza
Date: Tue, 17 Sep 2024 14:05:51 +0200
Subject: [PATCH 03/12] Fixed docs
Signed-off-by: Jindrich Luza
---
.../merge_cachi2_sboms.py | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py
index c9aad0c..a018de5 100644
--- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py
+++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py
@@ -217,7 +217,7 @@ def component_is_duplicated(component: dict[str, Any]) -> bool:
def _get_syft_package_filter(cachi_sbom_packages: list[dict[str, Any]]) -> Callable:
"""
- Get a function that filters out Syft components for the merged SBOM.
+ Get a function that filters out Syft packages for the merged SBOM.
This function currently considers a Syft component as a duplicate/removable if: - it has the same key as a Cachi2 component
@@ -290,16 +290,10 @@ def _merge_tools_metadata(syft_sbom: dict[Any, Any], cachi2_sbom: dict[Any, Any]
def _merge_tools_metadata_spdx(syft_sbom: dict[Any, Any], cachi2_sbom: dict[Any, Any]) -> None:
- """Merge the content of tools in the metadata section of the SBOM.
-
- With CycloneDX 1.5, a new format for specifying tools was introduced, and the format from 1.4
- was marked as deprecated.
-
- This function aims to support both formats in the Syft SBOM. We're assuming the Cachi2 SBOM
- was generated with the same version as this script, and it will be in the older format.
+ """Merge the creators in the metadata section of the SBOM.
"""
cachi2_creators = cachi2_sbom["creationInfo"]["creators"]
-
+
for creator in cachi2_creators:
syft_sbom["creationInfo"]["creators"].append(creator)
@@ -312,6 +306,7 @@ def merge_components(syft_sbom: dict, cachi2_sbom: dict) -> dict:
def merge_external_refs(refs1, refs2):
+ """Merge SPDX external references while removing duplicates."""
ref_tuples = []
unique_refs2 = []
@@ -335,6 +330,7 @@ def merge_external_refs(refs1, refs2):
def merge_annotations(annotations1, annotations2):
+ """Merge SPDX package annotations."""
annotation_tuples = []
for annotation in annotations1:
annotation_tuples.append(
@@ -367,6 +363,8 @@ def merge_annotations(annotations1, annotations2):
def merge_relationships(relationships1, relationships2, packages):
+ """Merge SPDX relationships."""
+
def map_relationships(relationships):
relations_map = {}
relations_inverse_map = {}
From 435923f7f9c407c5059b4cbea2e304e5b92da2f9 Mon Sep 17 00:00:00 2001
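Review bot: The replacement docstring on `_merge_tools_metadata_spdx` is a one-liner whose closing `"""` now sits alone on the next line, and it leaves out the part of the contract a caller needs: the loop that follows appends every Cachi2 creator to `syft_sbom["creationInfo"]["creators"]` without checking whether it is already present. Suggest `"""Append the Cachi2 creators to the Syft SBOM's creationInfo.creators (no de-duplication)."""` on a single line. The new `"""Merge SPDX relationships."""` on `merge_relationships` in the last hunk is similarly thin and could state how the two relationship lists and the `packages` argument are combined. The bodies of both functions continue past their hunks, so the exact wording should be checked against the full code.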
From: Jindrich Luza
Date: Tue, 17 Sep 2024 14:06:34 +0200
Subject: [PATCH 04/12] - Added create_purl_sbom_spdx.py - Added merge_syft_sboms_spdx.py
---
.../scripts/create_purl_sbom_spdx.py | 15 ++
.../scripts/merge_syft_sboms_spdx.py | 166 ++++++++++++++++++
2 files changed, 181 insertions(+)
create mode 100644 sbom-utility-scripts/scripts/create_purl_sbom_spdx.py
create mode 100644 sbom-utility-scripts/scripts/merge_syft_sboms_spdx.py
diff --git a/sbom-utility-scripts/scripts/create_purl_sbom_spdx.py b/sbom-utility-scripts/scripts/create_purl_sbom_spdx.py
new file mode 100644
index 0000000..34d39ef
--- /dev/null
+++ b/sbom-utility-scripts/scripts/create_purl_sbom_spdx.py
@@ -0,0 +1,15 @@
+import json
+
+with open("./sbom-spdx.json") as f:
+ spdx_sbom = json.load(f)
+
+purls = []
+for package in spdx_sbom["packages"]:
+ for ref in package["externalRefs"]:
+ if ref["referenceType"] == "purl":
+ purls.append({"purl": ref["referenceLocator"]})
+
+purl_content = {"image_contents": {"dependencies": purls}}
+
+with open("sbom-purl.json", "w") as output_file:
+ json.dump(purl_content, output_file, indent=4)
diff --git a/sbom-utility-scripts/scripts/merge_syft_sboms_spdx.py b/sbom-utility-scripts/scripts/merge_syft_sboms_spdx.py
new file mode 100644
index 0000000..31ada1e
--- /dev/null
+++ b/sbom-utility-scripts/scripts/merge_syft_sboms_spdx.py
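Review bot: `package["externalRefs"]` in the inner loop raises KeyError for any SPDX package that carries no external references, and such packages exist in this very series: the Syft fixture `syft.bom.spdx.json` added earlier has a root package `SPDXRef-DocumentRoot-File-` with no `externalRefs` key, so the script would abort on it. Use `for ref in package.get("externalRefs", []):` instead. Both paths are hard-coded relative to the working directory (`./sbom-spdx.json`, `sbom-purl.json`), so the script cannot be pointed at a different input or output without editing it; taking them from argparse would fix that. A short module docstring stating that only `purl` references are exported, and that other reference types are dropped, would also help the next reader.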
@@ -0,0 +1,166 @@ +import json + +class _ANY: + def __eq__(self, other): + return True + + def __hash__(self): + return hash("Any") + + +ANY = _ANY() + + +def merge_annotations(annotations1, annotations2): + annotation_tuples = [] + for annotation in annotations1: + annotation_tuples.append( + ( + annotation["annotator"], + annotation["comment"], + annotation["annotationDate"], + annotation["annotationType"], + ) + ) + for annotation in annotations2: + annotation_tuples.append( + ( + annotation["annotator"], + annotation["comment"], + annotation["annotationDate"], + annotation["annotationType"], + ) + ) + annotations = set(annotation_tuples) + return [ + { + "annotator": annotation[0], + "comment": annotation[1], + "annotationDate": annotation[2], + "annotationType": annotation[3], + } + for annotation in annotations + ] + +def merge_relationships(relationships1, relationships2, packages): + def map_relationships(relationships): + relations_map = {} + relations_inverse_map = {} + + for relation in relationships: + relations_map.setdefault(relation["spdxElementId"], []).append(relation["relatedSpdxElement"]) + relations_inverse_map[relation["relatedSpdxElement"]] = relation["spdxElementId"] + + for parent_element in relations_map.keys(): + if parent_element not in relations_inverse_map: + break + return parent_element, relations_map, relations_inverse_map + + relationships = [] + + root_element1, map1, inverse_map1 = map_relationships(relationships1) + root_element2, map2, inverse_map2 = map_relationships(relationships2) + package_ids = [package["SPDXID"] for package in packages] + for r, contains in map2.items(): + if contains and inverse_map2.get(r) == root_element2: + middle_element2 = r + for r, contains in map1.items(): + if contains and inverse_map1.get(r) == root_element1: + middle_element1 = r + + for relation in relationships2: + _relation = { + "spdxElementId": relation["spdxElementId"], + "relatedSpdxElement": relation["relatedSpdxElement"], + 
"relationshipType": relation["relationshipType"], + } + if _relation["spdxElementId"] == root_element2: + _relation["spdxElementId"] = root_element1 + elif relation["relatedSpdxElement"] == root_element2: + _relation["relatedSpdxElement"] = root_element1 + + if _relation["relatedSpdxElement"] in package_ids: + relationships.append(_relation) + elif _relation["spdxElementId"] in package_ids: + relationships.append(_relation) + + for relation in relationships1: + _relation = { + "spdxElementId": relation["spdxElementId"], + "relatedSpdxElement": relation["relatedSpdxElement"], + "relationshipType": relation["relationshipType"], + } + if _relation["relatedSpdxElement"] == middle_element1: + continue + if _relation["spdxElementId"] == middle_element1: + _relation["spdxElementId"] = middle_element2 + if relation["relatedSpdxElement"] in package_ids: + relationships.append(_relation) + return relationships + + +def merge_packages(sbom1: dict, sbom2: dict) -> dict: + """Merge SBOM packages from two SBOMs.""" + + package_map1 = {(p["name"], p.get("versionInfo", ANY)): p for p in cachi2_sbom["packages"]} + + packages2 = [] + for p in sbom2.get("packages", []): + if (p["name"], p.get("versionInfo", ANY)) in list(package_map1.keys()): + try: + package1 = package_map1[(p["name"], p.get("versionInfo"))] + except KeyError: + package1 = package_map1[(p["name"], ANY)] + package1["externalRefs"] = sorted( + merge_external_refs(package1.get("externalRefs", []), p.get("externalRefs", [])), + key=lambda x: ( + x["referenceCategory"], + x["referenceType"], + x["referenceLocator"], + ), + ) + package1["annotations"] = merge_annotations(package1.get("annotations", []), p.get("annotations", [])) + else: + packages2.append(p) + + return packages2 + sbom1['packages'] + +def merge_metadata(sbom1: dict[Any, Any], sbom2: dict[Any, Any]) -> None: + """Merge the content of tools in the metadata section of the SBOM. 
+ """ + creators = sbom2["creationInfo"]["creators"] + + for creator in creators: + sbom1["creationInfo"]["creators"].append(creator) + + +# load SBOMs +with open("./sbom-image.json") as f: + image_sbom = json.load(f) + +with open("./sbom-source.json") as f: + source_sbom = json.load(f) + +packages = merge_packages(image_sbom, source_sbom) +relationships = merge_relationships(image_sbom.get("relationships", []), + source_sbom.get("relationships", []), + packages) + +packages_in_relationships = [] +for relation in relationships: + packages_in_relationships.append(relation["spdxElementId"]) + packages_in_relationships.append(relation["relatedSpdxElement"]) +filtered_packages = [] + +# Remove packages which don't have any relationships +for package in packages: + if package["SPDXID"] in packages_in_relationships: + filtered_packages.append(package) + +merge_metadata(image_sbom, source_sbom) +image_sbom["packages"] = filtered_packages +image_sbom["relationships"] = relationships + +# write the CycloneDX unified SBOM +with open("./sbom-spdx.json", "w") as f: + json.dump(image_sbom, f, indent=4) From ae372257fb90846a575c7e5b3ef0f39087d2e9da Mon Sep 17 00:00:00 2001 From: Jindrich Luza Date: Thu, 19 Sep 2024 15:55:29 +0200 Subject: [PATCH 05/12] - Fixed datetime used - Added format explanatory comments --- .../base-images-sbom-script/app/base_images_sbom_script.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py index 82eecd4..4fbddf9 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py +++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py 
@@ -144,6 +144,7 @@ def main(): else: packages = [] relationships = [] + annotation_date = datetime.datetime.now().isoformat() for component in base_images_sbom_components: SPDXID = ( f"SPDXRef-{component['type']}-{component['name']}-" @@ -153,6 +154,8 @@ def main(): { "SPDXID": SPDXID, "name": component["name"], + # See more info about external refs here: + # https://spdx.github.io/spdx-spec/v2.3/package-information/#7211-description "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", @@ -160,10 +163,12 @@ def main(): "referenceLocator": component["purl"], } ], + # Annotations are used to provide cyclonedx custom properties + # as json string "annotations": [ { "annotator": "konflux", - "annotationDate": datetime.datetime.now().isoformat(), + "annotationDate": annotation_date, "annotationType": "OTHER", "comment": json.dumps( {"name": property["name"], "value": property["value"]}, From 8f316eb2e8f3e50f82473c278f34c936c2ad18b8 Mon Sep 17 00:00:00 2001 From: Jindrich Luza Date: Fri, 20 Sep 2024 15:15:24 +0200 Subject: [PATCH 06/12] Fixed BUILD_TOOL_OF relationship generation Signed-off-by: Jindrich Luza --- .../app/base_images_sbom_script.py | 26 +++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py index 4fbddf9..1233405 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py +++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py 
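Review bot: `datetime.datetime.now().isoformat()` yields a naive local-time stamp with microseconds, whereas SPDX 2.3 requires `annotationDate` in UTC in the form `YYYY-MM-DDThh:mm:ssZ`; hoisting the call out of the loop is right, but the value should be `annotation_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")`. The comment `# Annotations are used to provide cyclonedx custom properties as json string` would help consumers more if it named the encoded shape, e.g. `# comment holds a JSON object {"name": ..., "value": ...} mirroring a CycloneDX property`. `main` starts and ends outside this hunk.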
@@ -121,6 +121,19 @@ def parse_args(): return args +def map_relationships(relationships): + relations_map = {} + relations_inverse_map = {} + + for relation in relationships: + relations_map.setdefault(relation["spdxElementId"], []).append(relation["relatedSpdxElement"]) + relations_inverse_map[relation["relatedSpdxElement"]] = relation["spdxElementId"] + + for parent_element in relations_map.keys(): + if parent_element not in relations_inverse_map: + break + return parent_element, relations_map, relations_inverse_map + def main(): args = parse_args() @@ -142,6 +155,15 @@ def main(): else: sbom.update({"formulation": [{"components": base_images_sbom_components}]}) else: + + root_element1, map1, inverse_map1 = map_relationships(sbom['relationships']) + package_ids = [package["SPDXID"] for package in sbom['packages']] + for r, contains in map1.items(): + if contains and inverse_map1.get(r) == root_element1: + middle_element1 = r + if not middle_element1: + middle_element1 = root_element1 + packages = [] relationships = [] annotation_date = datetime.datetime.now().isoformat() @@ -181,8 +203,8 @@ def main(): ) relationships.append( { - "spdxElementId": sbom["SPDXID"], - "relatedSpdxElement": SPDXID, + "spdxElementId": SPDXID, + "relatedSpdxElement": middle_element1, "relationshipType": "BUILD_TOOL_OF", } ) From f3a94106f4d392285e6300f35984c9fcac8e3a56 Mon Sep 17 00:00:00 2001 From: Jindrich Luza Date: Fri, 20 Sep 2024 15:35:23 +0200 Subject: [PATCH 07/12] Added SPDXID calculation comment Signed-off-by: Jindrich Luza --- .../base-images-sbom-script/app/base_images_sbom_script.py | 1 + 1 file changed, 1 insertion(+) diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py index 1233405..420f4dc 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py 
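Review bot: `middle_element1` is assigned only inside the `for` loop, so an SBOM whose relationships contain no element nested under the root reaches `if not middle_element1:` with the name unbound and fails with `UnboundLocalError` instead of taking the fallback; add `middle_element1 = None` before the loop. `map_relationships` has the same shape: with an empty `relationships` list `parent_element` is never bound, and when every element appears as somebody's `relatedSpdxElement` the loop finishes without `break` and the last key is returned as the root. `sbom['relationships']` and `sbom['packages']` are indexed directly, so an SPDX document lacking either key raises `KeyError`; `sbom.get("relationships", [])` matches the `.get` used further down for the merge. `package_ids` is computed in this hunk but never used. `main` continues outside the hunk.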
+++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py @@ -168,6 +168,7 @@ def main(): relationships = [] annotation_date = datetime.datetime.now().isoformat() for component in base_images_sbom_components: + # Calculate unique identifier SPDXID based on the component name and purl SPDXID = ( f"SPDXRef-{component['type']}-{component['name']}-" + f"{hashlib.sha256(component['purl'].encode()).hexdigest()}" From 81d7cf7911db66dd1d41bb9185eca4d3a05f7260 Mon Sep 17 00:00:00 2001 From: Jindrich Luza Date: Mon, 30 Sep 2024 14:27:09 +0200 Subject: [PATCH 08/12] Added more explanatory comments and map relationships documentation Signed-off-by: Jindrich Luza --- sbom-utility-scripts/Dockerfile | 1 + .../app/base_images_sbom_script.py | 43 ++++++++++++++++--- .../app/test_base_images_sbom_script.py | 22 +++++++--- .../merge_cachi2_sboms.py | 11 ++--- 4 files changed, 61 insertions(+), 16 deletions(-) diff --git a/sbom-utility-scripts/Dockerfile b/sbom-utility-scripts/Dockerfile index e9e727a..1bc0891 100644 --- a/sbom-utility-scripts/Dockerfile +++ b/sbom-utility-scripts/Dockerfile @@ -3,6 +3,7 @@ FROM registry.access.redhat.com/ubi9/python-39:1-197.1725907694@sha256:278ae38e8 WORKDIR /scripts COPY scripts/merge_syft_sboms.py /scripts +COPY scripts/merge_syft_sboms_spdx.py /scripts COPY scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py /scripts COPY scripts/base-images-sbom-script/app/base_images_sbom_script.py /scripts COPY scripts/base-images-sbom-script/app/requirements.txt /scripts/base-images-sbom-script-requirements.txt diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py index 420f4dc..8635e44 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py +++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py 
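Review bot: the identifier built on the line below the new comment embeds `component['name']` verbatim, and for container components that name is an image reference (the test in this series expects `SPDXRef-container-quay.io/mkosiarc_rhtap/single-container-app-...`), so the id contains `/` and `_`, which SPDX 2.3 does not permit in an SPDXID (`SPDXRef-` followed only by letters, digits, `.` and `-`); validators will reject the document. Since the SHA-256 of the purl already makes the id unique, either drop the name segment or sanitise it, e.g. `re.sub(r"[^A-Za-z0-9.-]", "-", component["name"])` (with `re` imported at the top of the file). The comment should also mention that `component['type']` is part of the id, e.g. `# SPDXID = SPDXRef-<type>-<name>-<sha256(purl)>; the digest keeps it unique per purl`.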
@@ -122,6 +122,15 @@ def parse_args(): def map_relationships(relationships): + """Map relationships of spdx element. + Method returns triplet containing root element, map of relations and inverse map of relations. + Root element is considered as element which is not listed as related document + in any of the relationships. Relationship map is dict of {key: value} where key is spdx + element and list of related elements is the value. + Inverse map is dict of {key: value} where key is related spdx element in the relation ship + and value is spdx element. + """ + relations_map = {} relations_inverse_map = {} @@ -129,11 +138,13 @@ def map_relationships(relationships): relations_map.setdefault(relation["spdxElementId"], []).append(relation["relatedSpdxElement"]) relations_inverse_map[relation["relatedSpdxElement"]] = relation["spdxElementId"] + parent_element = None for parent_element in relations_map.keys(): if parent_element not in relations_inverse_map: break return parent_element, relations_map, relations_inverse_map + def main(): args = parse_args() 
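Review bot: `parent_element = None` only covers the empty-relationships case; when every element appears as a `relatedSpdxElement` (a cycle, or a document that is itself described by another element) the `for` loop ends without `break` and the function returns the last dictionary key as the root, contradicting the definition the new docstring gives. A generator with a default makes the intent explicit: `parent_element = next((e for e in relations_map if e not in relations_inverse_map), None)`. The docstring could also say that when several elements qualify the first one in relationship order is chosen, and "related document" should read "related element".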
@@ -155,17 +166,37 @@ def main(): else: sbom.update({"formulation": [{"components": base_images_sbom_components}]}) else: + root_element1, map1, inverse_map1 = map_relationships(sbom["relationships"]) + + packages = [] + relationships = [] - root_element1, map1, inverse_map1 = map_relationships(sbom['relationships']) - package_ids = [package["SPDXID"] for package in sbom['packages']] + # Try to calculate middle element based on the relationships maps. + # SPDX has usually root element which contains a wrapper element which then contains + # all of the other elements + middle_element1 = None for r, contains in map1.items(): if contains and inverse_map1.get(r) == root_element1: middle_element1 = r + # if not middle_element1: + # middle_element1 = root_element1 if not middle_element1: - middle_element1 = root_element1 + middle_element1 = "SPDXRef-DocumentRoot-Unknown-" + packages.append( + { + "SPDXID": "SPDXRef-DocumentRoot-Unknown-", + "name": "", + } + ) + relationships.append( + { + "spdxElementId": root_element1 or sbom["SPDXID"], + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + "relationshipType": "DESCRIBES", + } + ) - packages = [] - relationships = [] + print("PACKAGES", packages) annotation_date = datetime.datetime.now().isoformat() for component in base_images_sbom_components: # Calculate unique identifier SPDXID based on the component name and purl @@ -202,6 +233,8 @@ def main(): ], } ) + # Add relationship for parsed base image components and "middle" element which wraps + # all spdx packages, but it's not spdx document itself. relationships.append( { "spdxElementId": SPDXID, diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py index 05e45dd..c28f994 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py 
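Review bot: `sbom["relationships"]` is indexed directly while the existing code below uses `sbom.get("packages", [])`; an SPDX document without a `relationships` list (the test in this series had to add `"relationships": []` to its minimal input) fails with `KeyError`, so `map_relationships(sbom.get("relationships", []))` is the safer read. The placeholder package `{"SPDXID": "SPDXRef-DocumentRoot-Unknown-", "name": ""}` and the base-image packages built further down omit `downloadLocation`, which SPDX 2.3 lists as mandatory for every package; adding `"downloadLocation": "NOASSERTION"` keeps the output valid. The `DESCRIBES` relationship falls back to `sbom["SPDXID"]` when no root was found, but that key is also indexed without a default. `main` starts and ends outside this hunk.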
+++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py @@ -534,7 +534,8 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): "SPDXID": "SPDXRef-Document", "project_name": "MyProject", "version": "1.0", - "packages": [] + "packages": [], + "relationships": [] }""" ) @@ -559,6 +560,10 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): expected_output = { "packages": [ + { + "SPDXID": "SPDXRef-DocumentRoot-Unknown-", + "name": "", + }, { "SPDXID": "SPDXRef-container-quay.io/mkosiarc_rhtap/single-container-app-" "9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", @@ -606,16 +611,21 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): ], "relationships": [ { - "relatedSpdxElement": "SPDXRef-container-quay.io/mkosiarc_rhtap/" - "single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", - "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + "relationshipType": "DESCRIBES", "spdxElementId": "SPDXRef-Document", }, { - "relatedSpdxElement": "SPDXRef-container-registry.access.redhat.com/" + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + "relationshipType": "BUILD_TOOL_OF", + "spdxElementId": "SPDXRef-container-quay.io/mkosiarc_rhtap/" + "single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + }, + { + "spdxElementId": "SPDXRef-container-registry.access.redhat.com/" "ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", "relationshipType": "BUILD_TOOL_OF", - "spdxElementId": "SPDXRef-Document", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", }, ], } diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py index a018de5..0c242bb 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py 
+++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py @@ -290,10 +290,9 @@ def _merge_tools_metadata(syft_sbom: dict[Any, Any], cachi2_sbom: dict[Any, Any] def _merge_tools_metadata_spdx(syft_sbom: dict[Any, Any], cachi2_sbom: dict[Any, Any]) -> None: - """Merge the creators in the metadata section of the SBOM. - """ + """Merge the creators in the metadata section of the SBOM.""" cachi2_creators = cachi2_sbom["creationInfo"]["creators"] - + for creator in cachi2_creators: syft_sbom["creationInfo"]["creators"].append(creator) @@ -364,7 +363,7 @@ def merge_annotations(annotations1, annotations2): def merge_relationships(relationships1, relationships2, packages): """Merge SPDX relationships.""" - + def map_relationships(relationships): relations_map = {} relations_inverse_map = {} @@ -465,7 +464,9 @@ def merge_sboms(cachi2_sbom_path: str, syft_sbom_path: str, format: str = "cyclo syft_sbom["packages"] = merge_packages(syft_sbom, cachi2_sbom) syft_sbom["relationships"] = merge_relationships( - syft_sbom.get("relationships", []), cachi2_sbom.get("relationships", []), syft_sbom["packages"] + syft_sbom.get("relationships", []), + cachi2_sbom.get("relationships", []), + syft_sbom["packages"], ) packages_in_relationships = [] for relation in syft_sbom["relationships"]: From 4fd6e238af16f50bf551dcd72e18b328e1c2b261 Mon Sep 17 00:00:00 2001 From: Jindrich Luza Date: Fri, 11 Oct 2024 11:30:23 +0200 Subject: [PATCH 09/12] Removed stray code and comments Signed-off-by: Jindrich Luza --- .../base-images-sbom-script/app/base_images_sbom_script.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py index 8635e44..14bbed2 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py 
+++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py @@ -178,8 +178,6 @@ def main(): for r, contains in map1.items(): if contains and inverse_map1.get(r) == root_element1: middle_element1 = r - # if not middle_element1: - # middle_element1 = root_element1 if not middle_element1: middle_element1 = "SPDXRef-DocumentRoot-Unknown-" packages.append( @@ -196,7 +194,6 @@ def main(): } ) - print("PACKAGES", packages) annotation_date = datetime.datetime.now().isoformat() for component in base_images_sbom_components: # Calculate unique identifier SPDXID based on the component name and purl From a6ccb65d8ba6815bb4d145a3e11e7c229438fbcb Mon Sep 17 00:00:00 2001 From: Jindrich Luza Date: Fri, 15 Nov 2024 13:15:10 +0100 Subject: [PATCH 10/12] - Added :jsonencoded suffix to coverted spdx properties - Formated test spdx files - Improved merging spdx files - Added test to compared merged cdx and spdx outputs --- .../app/base_images_sbom_script.py | 15 +- .../app/test_base_images_sbom_script.py | 4 +- .../base-images-sbom-script/app/tox.ini | 2 +- .../merge_cachi2_sboms.py | 135 ++- .../requirements-test.in | 1 + .../requirements-test.txt | 6 +- .../test_data/cachi2.bom.spdx.json | 406 +++++++- .../test_data/merged.bom.spdx.json | 851 +---------------- .../test_data/syft.bom.spdx.json | 886 +++++++++++++++++- .../test_merge_cachi2_sboms.py | 28 + 10 files changed, 1423 insertions(+), 911 deletions(-) diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py index 14bbed2..0b75d97 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py +++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py 
@@ -171,13 +171,18 @@ def main(): packages = [] relationships = [] - # Try to calculate middle element based on the relationships maps. - # SPDX has usually root element which contains a wrapper element which then contains - # all of the other elements + # Try to calculate middle element represeting the container image or directory, which was + # used to build the SBOM, based on the relationships maps. + # SPDX has relationsship ROOT-ID DESCRIBES MIDDLE-ID which express the fact the SBOM documents + # describes container image or directory represented by MIDDLE-ID package. middle_element1 = None for r, contains in map1.items(): + # middle element is the one which contains another elements and is in relationship with + # the root element where it stand as relatedSpdxElement if contains and inverse_map1.get(r) == root_element1: middle_element1 = r + # If not middle element is found then create one with ID "Uknown" as source for the SBOM + # is not known. if not middle_element1: middle_element1 = "SPDXRef-DocumentRoot-Unknown-" packages.append( @@ -218,7 +223,7 @@ def main(): # as json string "annotations": [ { - "annotator": "konflux", + "annotator": "konflux:jsonencoded", "annotationDate": annotation_date, "annotationType": "OTHER", "comment": json.dumps( @@ -239,7 +244,9 @@ def main(): "relationshipType": "BUILD_TOOL_OF", } ) + # merge newly created packages for build tools with existing packages sbom["packages"] = sbom.get("packages", []) + packages + # merge newly created relationships of the build tools with existing relationships sbom["relationships"] = sbom.get("relationships", []) + relationships with args.sbom.open("w") as f: diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py index c28f994..c3c6807 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py 
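Review bot: `"annotator": "konflux:jsonencoded"` does not follow the SPDX 2.3 annotator format, which requires a `Person: `, `Organization: ` or `Tool: ` prefix; `"annotator": "Tool: konflux:jsonencoded"` keeps the marker while staying valid, and any script that matches on this string (not visible here) would need the same change. The new comments carry several typos (`represeting`, `relationsship`, `Uknown`, `another elements`, `If not middle element is found`); a tighter wording for the block is `# The middle element is the package the root DESCRIBES, i.e. the image or directory the SBOM was built from; if none exists a placeholder "Unknown" package is created.` `main` starts and ends outside this hunk.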
+++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py @@ -579,7 +579,7 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): ], "annotations": [ { - "annotator": "konflux", + "annotator": "konflux:jsonencoded", "annotationDate": "2021-07-01T00:00:00Z", "annotationType": "OTHER", "comment": '{"name":"konflux:container:is_builder_image:for_stage","value":"0"}', @@ -601,7 +601,7 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): ], "annotations": [ { - "annotator": "konflux", + "annotator": "konflux:jsonencoded", "annotationDate": "2021-07-01T00:00:00Z", "annotationType": "OTHER", "comment": '{"name":"konflux:container:is_base_image","value":"true"}', diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/tox.ini b/sbom-utility-scripts/scripts/base-images-sbom-script/app/tox.ini index 846a495..9b536d9 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/tox.ini +++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/tox.ini @@ -4,7 +4,7 @@ env_list = flake8,black,test [testenv:test] deps = -r requirements-test.txt -r requirements.txt -commands = pytest test_base_images_sbom_script.py +commands = pytest -vv test_base_images_sbom_script.py [testenv:flake8] deps = flake8 diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py index 0c242bb..b1e2885 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py 
@@ -3,17 +3,7 @@ from argparse import ArgumentParser from typing import Any, Callable from urllib.parse import quote_plus, urlsplit - - -class _ANY: - def __eq__(self, other): - return True - - def __hash__(self): - return hash("Any") - - -ANY = _ANY() +from packageurl import PackageURL def _is_syft_local_golang_component(component: dict) -> bool: @@ -109,8 +99,14 @@ def _unique_key_cachi2_spdx(package: dict) -> list[str]: keys = [] for ref in package.get("externalRefs", []): if ref["referenceType"] == "purl": - url = urlsplit(ref["referenceLocator"]) - keys.append(url.scheme + ":" + url.path) + parsed_purl = PackageURL.from_string(ref["referenceLocator"]) + name = parsed_purl.type + "/" + (parsed_purl.namespace or "") + "/" + parsed_purl.name + version = parsed_purl.version or "" + if parsed_purl.type == "pypi": + name = name.lower() + if parsed_purl.type == "golang": + version = quote_plus(version) + keys.append(name + "@" + version) return keys 
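Review bot: `from packageurl import PackageURL` turns `packageurl-python` into a runtime dependency of `merge_cachi2_sboms.py`, but this series adds it only to `requirements-test.in`/`requirements-test.txt`; unless the image that runs the script installs it by another route (not visible here), the import fails outside the test environment. `PackageURL.from_string` raises `ValueError` on a malformed purl, so one bad `referenceLocator` in either input now aborts the entire merge where the previous `urlsplit` call tolerated it; either document that as intended or fall back to the raw locator as the key. With the old `urlsplit`-based key gone, check whether `urlsplit` is still used elsewhere in the file before leaving the import in place.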
@@ -144,33 +140,38 @@ def _unique_key_syft(component: dict) -> str: def _unique_keys_syft_spdx(package: dict) -> str: """ - Create a unique key for Syft reported components. + Create a unique keys for Syft reported components. - This is done by taking a lowercase namespace/name, and URL encoding the version. + This is done in following way: + - If package doesn't have purl, return [@] as unique keys + - If package has purl(s), take each purl and parse it and take type/namespace/name and version of it + -- If package is pypy, convert type/namespace/name to loweracse + -- If package is golang, encode version + - Append this final key to list of unique keys Syft does not set any qualifier for NPM, Pip or Golang, so there's no need to remove them as done in _unique_key_cachi2. - - If a Syft component lacks a purl (e.g. type OS), we'll use its name and version instead. """ for ref in package.get("externalRefs", []): if ref["referenceType"] == "purl": break else: - return package.get("name", "") + "@" + package.get("versionInfo", "") + return [package.get("name", "") + "@" + package.get("versionInfo", "")] keys = [] for ref in package.get("externalRefs", []): if ref["referenceType"] == "purl": purl = ref["referenceLocator"] - if "@" in purl: - name, version = purl.split("@") + parsed_purl = PackageURL.from_string(purl) + if parsed_purl.version: + version = parsed_purl.version + name = (parsed_purl.type + "/" + (parsed_purl.namespace or "") + "/" + parsed_purl.name).lower() - if name.startswith("pkg:pypi"): + if parsed_purl.type == "pypi": name = name.lower() - if name.startswith("pkg:golang"): + if parsed_purl.type == "golang": version = quote_plus(version) keys.append(f"{name}@{version}") else: 
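Review bot: the new key lowercases the whole `type/namespace/name` for every purl type, while `_unique_key_cachi2_spdx` in the previous hunk lowercases only `pypi`; if the two key functions are compared against each other for duplicate detection (not visible here), a Golang or npm package with an upper-case namespace gets different keys from the two sides and is never merged. The `if parsed_purl.type == "pypi": name = name.lower()` branch is therefore a no-op; either it or the blanket `.lower()` should go so the two functions agree. The return annotation `-> str` is wrong now that both paths return a list, and the docstring is garbled: `[@]` presumably reads `[name@version]`, `pypy` should be `pypi`, `loweracse` `lowercase`. The function body continues outside the hunk.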
@@ -309,7 +310,15 @@ def merge_external_refs(refs1, refs2): ref_tuples = [] unique_refs2 = [] - for ref in refs1: + for _ref in refs1: + ref = _ref.copy() + if ref["referenceType"].lower() == "purl": + parsed_purl = PackageURL.from_string(ref["referenceLocator"]) + purl_dict = parsed_purl.to_dict() + purl_dict["qualifiers"] = {} + parsed_purl = PackageURL(**purl_dict) + ref["referenceLocator"] = parsed_purl.to_string() + ref_tuples.append( ( ref["referenceCategory"].lower(), @@ -318,7 +327,14 @@ def merge_external_refs(refs1, refs2): ) ) - for ref in refs2: + for _ref in refs2: + ref = _ref.copy() + if ref["referenceType"].lower() == "purl": + parsed_purl = PackageURL.from_string(ref["referenceLocator"]) + purl_dict = parsed_purl.to_dict() + purl_dict["qualifiers"] = {} + parsed_purl = PackageURL(**purl_dict) + ref["referenceLocator"] = parsed_purl.to_string() if ( ref["referenceCategory"].lower(), ref["referenceType"].lower(), @@ -365,6 +381,14 @@ def merge_relationships(relationships1, relationships2, packages): """Merge SPDX relationships.""" def map_relationships(relationships): + """Map relationships of spdx element. + Method returns triplet containing root element, map of relations and inverse map of relations. + Root element is considered as element which is not listed as related document + in any of the relationships. Relationship map is dict of {key: value} where key is spdx + element and list of related elements is the value. + Inverse map is dict of {key: value} where key is related spdx element in the relation ship + and value is spdx element. + """ relations_map = {} relations_inverse_map = {} 
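Review bot: the qualifier-stripping sequence is duplicated verbatim for `refs1` and `refs2`, and because it overwrites `ref["referenceLocator"]` on the copy, purl qualifiers such as `?arch=` or `repository_url=` are dropped from whichever refs the function emits rather than being ignored only for comparison (the appends are outside this hunk, so this is inferred from the copy being the object that is kept). Computing a comparison key through a small helper and leaving the original ref untouched avoids both the duplication and the data loss. `merge_external_refs` ends outside this hunk.
```python
def _purl_without_qualifiers(locator: str) -> str:
    """Return ``locator`` with all purl qualifiers removed; used only as a comparison key."""
    purl_dict = PackageURL.from_string(locator).to_dict()
    purl_dict["qualifiers"] = {}
    return PackageURL(**purl_dict).to_string()


def _ref_key(ref: dict) -> tuple[str, str, str]:
    """Case-folded identity of an SPDX external reference (qualifiers stripped for purls)."""
    locator = ref["referenceLocator"]
    if ref["referenceType"].lower() == "purl":
        locator = _purl_without_qualifiers(locator)
    return (ref["referenceCategory"].lower(), ref["referenceType"].lower(), locator)


def merge_external_refs(refs1, refs2):
    """Merge SPDX external references while removing duplicates."""
    ref_tuples = [_ref_key(ref) for ref in refs1]
    unique_refs2 = []
    for ref in refs2:
        if _ref_key(ref) not in ref_tuples:
            # … unchanged: append the original ref to unique_refs2 and its key to ref_tuples …
```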
@@ -377,44 +401,54 @@ def map_relationships(relationships): break return parent_element, relations_map, relations_inverse_map + def calculate_middle_element(root_element, map, inverse_map): + """Calculate middle element of the relationship. + Middle element is considered as element which is related to root element and is not root element. + """ + middle_element = None + for r, contains in map.items(): + if contains and inverse_map.get(r) == root_element: + middle_element = r + return middle_element + relationships = [] root_element1, map1, inverse_map1 = map_relationships(relationships1) root_element2, map2, inverse_map2 = map_relationships(relationships2) package_ids = [package["SPDXID"] for package in packages] - for r, contains in map2.items(): - if contains and inverse_map2.get(r) == root_element2: - middle_element2 = r - for r, contains in map1.items(): - if contains and inverse_map1.get(r) == root_element1: - middle_element1 = r + + middle_element1 = calculate_middle_element(root_element1, map1, inverse_map1) + middle_element2 = calculate_middle_element(root_element2, map2, inverse_map2) for relation in relationships2: - _relation = { - "spdxElementId": relation["spdxElementId"], - "relatedSpdxElement": relation["relatedSpdxElement"], - "relationshipType": relation["relationshipType"], - } + _relation = relation.copy() + + # If relations is Root decribes middle element, skip it + if ( + _relation["relatedSpdxElement"] == middle_element2 + and _relation["spdxElementId"] == root_element2 + and _relation["relationshipType"] == "DESCRIBES" + ): + continue + # if spdxElementId is root_element2, replace it with root_element1 + # if not and relatedSpdxElement is root_element2, replace it with root_element1 if _relation["spdxElementId"] == root_element2: _relation["spdxElementId"] = root_element1 elif relation["relatedSpdxElement"] == root_element2: _relation["relatedSpdxElement"] = root_element1 + if _relation["spdxElementId"] == middle_element2: + 
_relation["spdxElementId"] = middle_element1 + if _relation["relatedSpdxElement"] == middle_element2: + _relation["relatedSpdxElement"] = middle_element1 + # include only relations to packages which exists in merged packages. if _relation["relatedSpdxElement"] in package_ids: relationships.append(_relation) elif _relation["spdxElementId"] in package_ids: relationships.append(_relation) for relation in relationships1: - _relation = { - "spdxElementId": relation["spdxElementId"], - "relatedSpdxElement": relation["relatedSpdxElement"], - "relationshipType": relation["relationshipType"], - } - if _relation["relatedSpdxElement"] == middle_element1: - continue - if _relation["spdxElementId"] == middle_element1: - _relation["spdxElementId"] = middle_element2 + _relation = relation.copy() if relation["relatedSpdxElement"] in package_ids: relationships.append(_relation) return relationships 
@@ -423,17 +457,17 @@ def map_relationships(relationships): def merge_packages(syft_sbom: dict, cachi2_sbom: dict) -> dict: """Merge Cachi2 packages into the Syft SBOM while removing duplicates.""" + def get_package_key(pkg): + return json.dumps(sorted(set(_unique_keys_syft_spdx(pkg))), separators=(",", ":")) + is_duplicate_package = _get_syft_package_filter(cachi2_sbom["packages"]) - cachi2_packages_map = {(p["name"], p.get("versionInfo", ANY)): p for p in cachi2_sbom["packages"]} + cachi2_packages_map = {get_package_key(p): p for p in cachi2_sbom["packages"]} filtered_packages = [] for p in syft_sbom.get("packages", []): if is_duplicate_package(p): - if (p["name"], p.get("versionInfo", ANY)) in list(cachi2_packages_map.keys()): - try: - cpackage = cachi2_packages_map[(p["name"], p.get("versionInfo"))] - except KeyError: - cpackage = cachi2_packages_map[(p["name"], ANY)] + if get_package_key(p) in cachi2_packages_map: + cpackage = cachi2_packages_map[get_package_key(p)] cpackage["externalRefs"] = sorted( merge_external_refs(cpackage.get("externalRefs", []), p.get("externalRefs", [])), key=lambda x: ( @@ -445,7 +479,6 @@ def merge_packages(syft_sbom: dict, cachi2_sbom: dict) -> dict: cpackage["annotations"] = merge_annotations(cpackage.get("annotations", []), p.get("annotations", [])) else: filtered_packages.append(p) - return filtered_packages + cachi2_sbom["packages"] diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/requirements-test.in b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/requirements-test.in index e079f8a..e17c365 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/requirements-test.in +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/requirements-test.in @@ -1 +1,2 @@ pytest +packageurl-python==0.14.0 
diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/requirements-test.txt b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/requirements-test.txt index 18bd5a4..f74feb8 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/requirements-test.txt +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/requirements-test.txt @@ -1,5 +1,5 @@ # -# This file is autogenerated by pip-compile with Python 3.11 +# This file is autogenerated by pip-compile with Python 3.12 # by the following command: # # pip-compile --generate-hashes --output-file=requirements-test.txt requirements-test.in @@ -8,6 +8,10 @@ iniconfig==2.0.0 \ --hash=sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3 \ --hash=sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374 # via pytest +packageurl-python==0.14.0 \ + --hash=sha256:cf5e55cdcd61e6de858f47c4986aa87ba493bfa56ba58de11103dfdc2c00e4e1 \ + --hash=sha256:ff09147cddaae9e5c59ffcb12df8ec0e1b774b45099399f28c36b1a3dfdf52e2 + # via -r requirements-test.in packaging==24.1 \ --hash=sha256:026ed72c8ed3fcce5bf8950572258698927fd1dbda10a5e981cdf0ac37f4f002 \ --hash=sha256:5b8f2217dbdbd2f7f384c41c628544e6d52f2d0f53c6d0c3ea61aa5d1d7ff124 diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json index 9cfcdf2..99a9afb 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json 
@@ -1 +1,405 @@ -{"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "unknown", "documentNamespace": "https://anchore.com/cachi2/unknown-source-type/unknown-39ed26e1-4737-4096-b565-7153db20b96d", "creationInfo": {"licenseListVersion": "3.24", "creators": ["Organization: Anchore, Inc", "Tool: cachi2-"], "created": "2024-09-12T14:07:37Z"}, "packages": [{"name": "", "SPDXID": "SPDXRef-DocumentRoot-Unknown-", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "primaryPackagePurpose": "OTHER"}, {"name": "PyYAML", "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", "versionInfo": "6.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/pyyaml@6.0"}]}, {"name": "aiowsgi", "SPDXID": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", "versionInfo": "0.8", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/aiowsgi@0.8"}]}, {"name": "appr", "SPDXID": "SPDXRef-Package-python-appr-d869da81f0adbece", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", 
"externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/appr?checksum=sha256:ee6a0a38bed8cff46a562ed3620bc453141a02262ab0c8dd055824af2829ee5c&download_url=https://github.com/quay/appr/archive/37ff9a487a54ad41b59855ecd76ee092fe206a84.zip"}]}, {"name": "archive/tar", "SPDXID": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/archive/tar?type=package"}]}, {"name": "cachi2", "SPDXID": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", "versionInfo": "0.0.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/cachi2@0.0.1?vcs_url=git%2Bssh://git%40github.com/containerbuildsystem/cachi2%40fc0d6079c2dc9b2a491c0848e550ad3509986110"}]}, {"name": "cachito-npm-without-deps", "SPDXID": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": 
"pkg:npm/cachito-npm-without-deps?vcs_url=git%2Bhttps://github.com/cachito-testing/cachito-npm-without-deps.git%402f0ce1d7b1f8b35572d919428b965285a69583f6"}]}, {"name": "code.gitea.io/sdk/gitea", "SPDXID": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", "versionInfo": "v0.15.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=module"}]}, {"name": "fecha", "SPDXID": "SPDXRef-Package-npm-fecha-874399c7dda48850", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/fecha?checksum=sha512:8ae71e98d68e38e1f6e4c629187684dd85e4dc96647c7219b1dd189598ea52865e947f0ad94a7001fa8fb5eccf58467fe34ad10066e831af3374120134604bd5&download_url=https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz"}]}, {"name": "github.com/cachito-testing/gomod-pandemonium/terminaltor", "SPDXID": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", "versionInfo": "v1.0.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", 
"referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=module"}]}, {"name": "github.com/docker/cli", "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", "versionInfo": "v23.0.0-rc.3+incompatible", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3%2Bincompatible?type=module"}]}, {"name": "github.com/docker/cli/cli/config", "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", "versionInfo": "v23.0.0-rc.3+incompatible", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/docker/cli/cli/config@v23.0.0-rc.3%2Bincompatible?type=package"}]}, {"name": "github.com/redhat-appstudio/build-service", "SPDXID": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", "versionInfo": "v0.0.0-20230503110830-d1a9e858489d", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": 
"pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=module"}]}, {"name": "knative.dev/pkg", "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", "versionInfo": "v0.0.0-20230125083639-408ad0773f47", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47?type=module"}]}, {"name": "knative.dev/pkg/metrics", "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", "versionInfo": "v0.0.0-20230125083639-408ad0773f47", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/knative.dev/pkg/metrics@v0.0.0-20230125083639-408ad0773f47?type=package"}]}, {"name": "test_package_cachi2", "SPDXID": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", "versionInfo": "1.0.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/test-package-cachi2@1.0.0?vcs_url=git%2Bssh://git%40github.com/brunoapimentel/pip-e2e-test.git%40294df352deed835cf703ae8a799926418ae5fd3b"}]}], "relationships": 
[{"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-python-appr-d869da81f0adbece", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-npm-fecha-874399c7dda48850", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": 
"SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", "relationshipType": "DESCRIBES"}]} +{ + "spdxVersion": "SPDX-2.3", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "unknown", + "documentNamespace": "https://anchore.com/cachi2/unknown-source-type/unknown-39ed26e1-4737-4096-b565-7153db20b96d", + "creationInfo": { + "licenseListVersion": "3.24", + "creators": [ + "Organization: Anchore, Inc", + "Tool: cachi2-" + ], + "created": "2024-09-12T14:07:37Z" + }, + "packages": [ + { + "name": "", + "SPDXID": "SPDXRef-DocumentRoot-Unknown-", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "primaryPackagePurpose": "OTHER" + }, + { + "name": "PyYAML", + "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "versionInfo": "6.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/pyyaml@6.0" + } + ] + }, + { + 
"name": "aiowsgi", + "SPDXID": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", + "versionInfo": "0.8", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/aiowsgi@0.8" + } + ] + }, + { + "name": "appr", + "SPDXID": "SPDXRef-Package-python-appr-d869da81f0adbece", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/appr?checksum=sha256:ee6a0a38bed8cff46a562ed3620bc453141a02262ab0c8dd055824af2829ee5c&download_url=https://github.com/quay/appr/archive/37ff9a487a54ad41b59855ecd76ee092fe206a84.zip" + } + ] + }, + { + "name": "archive/tar", + "SPDXID": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/archive/tar?type=package" + } + ] + }, + { + "name": "cachi2", + "SPDXID": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", + "versionInfo": "0.0.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired 
package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/cachi2@0.0.1?vcs_url=git%2Bssh://git%40github.com/containerbuildsystem/cachi2%40fc0d6079c2dc9b2a491c0848e550ad3509986110" + } + ] + }, + { + "name": "cachito-npm-without-deps", + "SPDXID": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed node module manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:npm/cachito-npm-without-deps?vcs_url=git%2Bhttps://github.com/cachito-testing/cachito-npm-without-deps.git%402f0ce1d7b1f8b35572d919428b965285a69583f6" + } + ] + }, + { + "name": "code.gitea.io/sdk/gitea", + "SPDXID": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", + "versionInfo": "v0.15.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=module" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=package" + } + ] + }, + { + "name": "fecha", + "SPDXID": "SPDXRef-Package-npm-fecha-874399c7dda48850", + "supplier": "NOASSERTION", + 
"downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed node module manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:npm/fecha?checksum=sha512:8ae71e98d68e38e1f6e4c629187684dd85e4dc96647c7219b1dd189598ea52865e947f0ad94a7001fa8fb5eccf58467fe34ad10066e831af3374120134604bd5&download_url=https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz" + } + ] + }, + { + "name": "github.com/cachito-testing/gomod-pandemonium/terminaltor", + "SPDXID": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", + "versionInfo": "v1.0.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=module" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=package" + } + ] + }, + { + "name": "github.com/docker/cli", + "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", + "versionInfo": "v23.0.0-rc.3+incompatible", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + 
"referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3%2Bincompatible?type=module" + } + ] + }, + { + "name": "github.com/docker/cli/cli/config", + "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", + "versionInfo": "v23.0.0-rc.3+incompatible", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/docker/cli/cli/config@v23.0.0-rc.3%2Bincompatible?type=package" + } + ] + }, + { + "name": "github.com/redhat-appstudio/build-service", + "SPDXID": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", + "versionInfo": "v0.0.0-20230503110830-d1a9e858489d", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=module" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=package" + } + ] + }, + { + "name": "knative.dev/pkg", + "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", + "versionInfo": "v0.0.0-20230125083639-408ad0773f47", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + 
"filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47?type=module" + } + ] + }, + { + "name": "knative.dev/pkg/metrics", + "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", + "versionInfo": "v0.0.0-20230125083639-408ad0773f47", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/knative.dev/pkg/metrics@v0.0.0-20230125083639-408ad0773f47?type=package" + } + ] + }, + { + "name": "test_package_cachi2", + "SPDXID": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", + "versionInfo": "1.0.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/test-package-cachi2@1.0.0?vcs_url=git%2Bssh://git%40github.com/brunoapimentel/pip-e2e-test.git%40294df352deed835cf703ae8a799926418ae5fd3b" + } + ] + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": 
"SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-python-appr-d869da81f0adbece", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-npm-fecha-874399c7dda48850", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", + "relationshipType": "CONTAINS" + 
}, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", + "relatedSpdxElement": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + "relationshipType": "DESCRIBES" + } + ] +} diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json index 3f8ed39..94a92aa 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json 
@@ -1,850 +1 @@ -{ - "spdxVersion": "SPDX-2.3", - "dataLicense": "CC0-1.0", - "SPDXID": "SPDXRef-DOCUMENT", - "name": "/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b", - "documentNamespace": "https://anchore.com/syft/file/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b-8efaed6f-2f42-453b-b9dd-3fb60491d7cf", - "creationInfo": { - "licenseListVersion": "3.24", - "creators": [ - "Organization: Anchore, Inc", - "Tool: syft-0.100.0", - "Organization: Anchore, Inc", - "Tool: cachi2-" - ], - "created": "2024-09-12T14:07:12Z" - }, - "packages": [ - { - "name": "bash", - "SPDXID": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", - "versionInfo": "4.4.20-4.el8_6", - "supplier": "Organization: Red Hat, Inc.", - "originator": "Organization: Red Hat, Inc.", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "sourceInfo": "acquired package info from RPM DB: var/lib/rpm/Packages", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "SECURITY", - "referenceType": "cpe23Type", - "referenceLocator": "cpe:2.3:a:redhat:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*" - }, - { - "referenceCategory": "SECURITY", - "referenceType": "cpe23Type", - "referenceLocator": "cpe:2.3:a:bash:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*" - }, - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:rpm/rhel/bash@4.4.20-4.el8_6?arch=x86_64&upstream=bash-4.4.20-4.el8_6.src.rpm&distro=rhel-8.7" - } - ] - }, - { - "SPDXID": "SPDXRef-DocumentRoot-Unknown-", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "name": "", - "primaryPackagePurpose": "OTHER", - "supplier": "NOASSERTION" - }, - { - "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", - "copyrightText": "NOASSERTION", - 
"downloadLocation": "NOASSERTION", - "annotations": [], - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceLocator": "pkg:pypi/pyyaml@6.0", - "referenceType": "purl" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:PyYAML:PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:kirill_simonov:PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:kirill_simonov:python-PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:kirill_simonov:python_PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python-PyYAML:PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python-PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python-PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python:PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python:python-PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python:python_PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - 
}, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python_PyYAML:PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python_PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python_PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:xi:PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:xi:python-PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:xi:python_PyYAML:6.0:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - } - ], - "filesAnalyzed": false, - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "name": "PyYAML", - "sourceInfo": "acquired package info from installed python package manifest file: ", - "supplier": "NOASSERTION", - "versionInfo": "6.0" - }, - { - "SPDXID": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", - "annotations": [], - "copyrightText": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceLocator": "pkg:pypi/aiowsgi@0.8", - "referenceType": "purl" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": 
"cpe:2.3:a:gael:aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:gael:python-aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:gael:python_aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python-aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python_aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python-aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python-aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python-aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python:aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python:python-aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python:python_aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python_aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": 
"cpe:2.3:a:python_aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python_aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - } - ], - "filesAnalyzed": false, - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "name": "aiowsgi", - "sourceInfo": "acquired package info from installed python package manifest file: ", - "supplier": "NOASSERTION", - "versionInfo": "0.8" - }, - { - "SPDXID": "SPDXRef-Package-python-appr-d869da81f0adbece", - "copyrightText": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "annotations": [], - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceLocator": "pkg:pypi/appr?checksum=sha256:ee6a0a38bed8cff46a562ed3620bc453141a02262ab0c8dd055824af2829ee5c&download_url=https://github.com/quay/appr/archive/37ff9a487a54ad41b59855ecd76ee092fe206a84.zip", - "referenceType": "purl" - }, - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceLocator": "pkg:pypi/appr@0.7.4", - "referenceType": "purl" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:2t-antoine:appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:2t-antoine:python-appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:2t-antoine:python_appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:2t_antoine:appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:2t_antoine:python-appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:2t_antoine:python_appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": 
"cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:antoine_legrand:appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:antoine_legrand:python-appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:antoine_legrand:python_appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:appr:appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:appr:python-appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:appr:python_appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python-appr:appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python-appr:python-appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python-appr:python_appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python:appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python:python-appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python:python_appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python_appr:appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", 
- "referenceLocator": "cpe:2.3:a:python_appr:python-appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:python_appr:python_appr:0.7.4:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - } - ], - "filesAnalyzed": false, - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "name": "appr", - "sourceInfo": "acquired package info from installed python package manifest file: ", - "supplier": "NOASSERTION" - }, - { - "SPDXID": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", - "copyrightText": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceLocator": "pkg:golang/archive/tar?type=package", - "referenceType": "purl" - } - ], - "filesAnalyzed": false, - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "name": "archive/tar", - "sourceInfo": "acquired package info from go module information: ", - "supplier": "NOASSERTION" - }, - { - "name": "cachi2", - "SPDXID": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", - "versionInfo": "0.0.1", - "supplier": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "sourceInfo": "acquired package info from installed python package manifest file: ", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:pypi/cachi2@0.0.1?vcs_url=git%2Bssh://git%40github.com/containerbuildsystem/cachi2%40fc0d6079c2dc9b2a491c0848e550ad3509986110" - } - ] - }, - { - "name": "cachito-npm-without-deps", - "SPDXID": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", - "annotations": [], - "supplier": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "sourceInfo": "acquired package info from installed node module 
manifest file: ", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:npm/cachito-npm-without-deps?vcs_url=git%2Bhttps://github.com/cachito-testing/cachito-npm-without-deps.git%402f0ce1d7b1f8b35572d919428b965285a69583f6" - }, - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceLocator": "pkg:npm/cachito-npm-without-deps@git+https://github.com/cachito-testing/cachito-npm-without-deps.git%232f0ce1d7b1f8b35572d919428b965285a69583f6", - "referenceType": "purl" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:*:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:*:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:cachito-npm-without-deps:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:cachito-npm-without-deps:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": 
"cpe:2.3:a:cachito-npm-without:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:cachito-npm-without:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:cachito-npm:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:cachito-npm:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:cachito:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:cachito:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:cachito_npm:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": 
"cpe:2.3:a:cachito_npm:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:cachito_npm_without:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:cachito_npm_without:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:cachito_npm_without_deps:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:cachito_npm_without_deps:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - } - ] - }, - { - "name": "code.gitea.io/sdk/gitea", - "SPDXID": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", - "annotations": [], - "versionInfo": "v0.15.1", - "supplier": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "sourceInfo": "acquired package info from go module information: ", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": 
"pkg:golang/code.gitea.io/sdk/gitea@v0.15.1" - }, - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=module" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:sdk:gitea:v0.15.1:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - } - ] - }, - { - "name": "fecha", - "SPDXID": "SPDXRef-Package-npm-fecha-874399c7dda48850", - "annotations": [], - "supplier": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "sourceInfo": "acquired package info from installed node module manifest file: ", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:npm/fecha?checksum=sha512:8ae71e98d68e38e1f6e4c629187684dd85e4dc96647c7219b1dd189598ea52865e947f0ad94a7001fa8fb5eccf58467fe34ad10066e831af3374120134604bd5&download_url=https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz" - }, - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceLocator": "pkg:npm/fecha@https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz", - "referenceType": "purl" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:*:fecha:https\\:\\/\\/github.com\\/taylorhakes\\/fecha\\/archive\\/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:fecha:fecha:https\\:\\/\\/github.com\\/taylorhakes\\/fecha\\/archive\\/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - } - ] - }, - { - "name": "github.com/cachito-testing/gomod-pandemonium/terminaltor", - "SPDXID": 
"SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", - "versionInfo": "v1.0.0", - "supplier": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "sourceInfo": "acquired package info from go module information: ", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=module" - } - ] - }, - { - "name": "github.com/docker/cli", - "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", - "annotations": [], - "versionInfo": "v23.0.0-rc.3+incompatible", - "supplier": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "sourceInfo": "acquired package info from go module information: ", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3%2Bincompatible?type=module" - }, - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3+incompatible" - }, - { - "referenceCategory": "SECURITY", - "referenceLocator": "cpe:2.3:a:docker:cli:v23.0.0-rc.3\\+incompatible:*:*:*:*:*:*:*", - "referenceType": "cpe23Type" - } - ] - }, - { - "name": "github.com/docker/cli/cli/config", - "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", - "versionInfo": "v23.0.0-rc.3+incompatible", - "supplier": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "sourceInfo": "acquired package info from go module information: ", - "licenseConcluded": "NOASSERTION", - 
"licenseDeclared": "NOASSERTION", - "copyrightText": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:golang/github.com/docker/cli/cli/config@v23.0.0-rc.3%2Bincompatible?type=package" - } - ] - }, - { - "name": "github.com/redhat-appstudio/build-service", - "SPDXID": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", - "versionInfo": "v0.0.0-20230503110830-d1a9e858489d", - "supplier": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "sourceInfo": "acquired package info from go module information: ", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=module" - } - ] - }, - { - "name": "knative.dev/pkg", - "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", - "annotations": [], - "versionInfo": "v0.0.0-20230125083639-408ad0773f47", - "supplier": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "sourceInfo": "acquired package info from go module information: ", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47" - }, - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47?type=module" - } - ] - }, - { - "name": "knative.dev/pkg/metrics", - "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", - "versionInfo": "v0.0.0-20230125083639-408ad0773f47", - 
"supplier": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "sourceInfo": "acquired package info from go module information: ", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:golang/knative.dev/pkg/metrics@v0.0.0-20230125083639-408ad0773f47?type=package" - } - ] - }, - { - "name": "test_package_cachi2", - "SPDXID": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", - "versionInfo": "1.0.0", - "supplier": "NOASSERTION", - "downloadLocation": "NOASSERTION", - "filesAnalyzed": false, - "sourceInfo": "acquired package info from installed python package manifest file: ", - "licenseConcluded": "NOASSERTION", - "licenseDeclared": "NOASSERTION", - "copyrightText": "NOASSERTION", - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": "pkg:pypi/test-package-cachi2@1.0.0?vcs_url=git%2Bssh://git%40github.com/brunoapimentel/pip-e2e-test.git%40294df352deed835cf703ae8a799926418ae5fd3b" - } - ] - } - ], - "relationships": [ - { - "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-python-appr-d869da81f0adbece", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", - "relationshipType": "CONTAINS", - 
"spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-npm-fecha-874399c7dda48850", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - }, - { - "relatedSpdxElement": 
"SPDXRef-DocumentRoot-Unknown-", - "relationshipType": "DESCRIBES", - "spdxElementId": "SPDXRef-DOCUMENT" - }, - { - "relatedSpdxElement": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", - "relationshipType": "CONTAINS", - "spdxElementId": "SPDXRef-DocumentRoot-Unknown-" - } - ] -} +{"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b", "documentNamespace": "https://anchore.com/syft/file/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b-8efaed6f-2f42-453b-b9dd-3fb60491d7cf", "creationInfo": {"licenseListVersion": "3.24", "creators": ["Organization: Anchore, Inc", "Tool: syft-0.100.0", "Organization: Anchore, Inc", "Tool: cachi2-"], "created": "2024-09-12T14:07:12Z"}, "packages": [{"name": "", "SPDXID": "SPDXRef-DocumentRoot-File-", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "primaryPackagePurpose": "FILE"}, {"name": "bash", "SPDXID": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", "versionInfo": "4.4.20-4.el8_6", "supplier": "Organization: Red Hat, Inc.", "originator": "Organization: Red Hat, Inc.", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from RPM DB: var/lib/rpm/Packages", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:bash:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": 
"pkg:rpm/rhel/bash@4.4.20-4.el8_6?arch=x86_64&upstream=bash-4.4.20-4.el8_6.src.rpm&distro=rhel-8.7"}]}, {"name": "rhel", "SPDXID": "SPDXRef-Package-rhel", "versionInfo": "8.7", "description": "Red Hat Enterprise Linux 8.7 (Ootpa)", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe22Type", "referenceLocator": "cpe:/o:redhat:enterprise_linux:8::baseos"}, {"referenceCategory": "SECURITY", "referenceType": "swid", "referenceLocator": "cpe:2.3:o:redhat:enterprise_linux:8::baseos:*:*:*:*:*:*:*"}, {"referenceCategory": "OTHER", "referenceType": "issue-tracker", "referenceLocator": "https://bugzilla.redhat.com/"}, {"referenceCategory": "OTHER", "referenceType": "website", "referenceLocator": "https://www.redhat.com/"}]}, {"name": "PyYAML", "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", "versionInfo": "6.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/pyyaml@6.0"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", 
"referenceLocator": "cpe:2.3:a:kirill_simonov:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:python_PyYAML:6.0:*:*:*:*:*:*:*"}], "annotations": []}, {"name": "aiowsgi", "SPDXID": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", "versionInfo": "0.8", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python 
package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/aiowsgi@0.8"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", 
"referenceLocator": "cpe:2.3:a:python:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}], "annotations": []}, {"name": "appr", "SPDXID": "SPDXRef-Package-python-appr-d869da81f0adbece", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/appr?checksum=sha256:ee6a0a38bed8cff46a562ed3620bc453141a02262ab0c8dd055824af2829ee5c&download_url=https://github.com/quay/appr/archive/37ff9a487a54ad41b59855ecd76ee092fe206a84.zip"}]}, {"name": "archive/tar", "SPDXID": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/archive/tar?type=package"}]}, {"name": "cachi2", "SPDXID": 
"SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", "versionInfo": "0.0.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/cachi2@0.0.1?vcs_url=git%2Bssh://git%40github.com/containerbuildsystem/cachi2%40fc0d6079c2dc9b2a491c0848e550ad3509986110"}]}, {"name": "cachito-npm-without-deps", "SPDXID": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/cachito-npm-without-deps?vcs_url=git%2Bhttps://github.com/cachito-testing/cachito-npm-without-deps.git%402f0ce1d7b1f8b35572d919428b965285a69583f6"}]}, {"name": "code.gitea.io/sdk/gitea", "SPDXID": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", "versionInfo": "v0.15.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=module"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=package"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", 
"referenceLocator": "cpe:2.3:a:sdk:gitea:v0.15.1:*:*:*:*:*:*:*"}], "annotations": []}, {"name": "fecha", "SPDXID": "SPDXRef-Package-npm-fecha-874399c7dda48850", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/fecha?checksum=sha512:8ae71e98d68e38e1f6e4c629187684dd85e4dc96647c7219b1dd189598ea52865e947f0ad94a7001fa8fb5eccf58467fe34ad10066e831af3374120134604bd5&download_url=https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz"}]}, {"name": "github.com/cachito-testing/gomod-pandemonium/terminaltor", "SPDXID": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", "versionInfo": "v1.0.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=module"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=package"}]}, {"name": "github.com/docker/cli", "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", "versionInfo": "v23.0.0-rc.3+incompatible", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", 
"licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3%2Bincompatible?type=module"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:docker:cli:v23.0.0-rc.3\\+incompatible:*:*:*:*:*:*:*"}], "annotations": []}, {"name": "github.com/docker/cli/cli/config", "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", "versionInfo": "v23.0.0-rc.3+incompatible", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/docker/cli/cli/config@v23.0.0-rc.3%2Bincompatible?type=package"}]}, {"name": "github.com/redhat-appstudio/build-service", "SPDXID": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", "versionInfo": "v0.0.0-20230503110830-d1a9e858489d", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=module"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=package"}]}, {"name": "knative.dev/pkg", "SPDXID": 
"SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", "versionInfo": "v0.0.0-20230125083639-408ad0773f47", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47?type=module"}], "annotations": []}, {"name": "knative.dev/pkg/metrics", "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", "versionInfo": "v0.0.0-20230125083639-408ad0773f47", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/knative.dev/pkg/metrics@v0.0.0-20230125083639-408ad0773f47?type=package"}]}, {"name": "test_package_cachi2", "SPDXID": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", "versionInfo": "1.0.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/test-package-cachi2@1.0.0?vcs_url=git%2Bssh://git%40github.com/brunoapimentel/pip-e2e-test.git%40294df352deed835cf703ae8a799926418ae5fd3b"}]}], "relationships": [{"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", 
"relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-appr-d869da81f0adbece", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-npm-fecha-874399c7dda48850", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": 
"SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-rhel", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-DocumentRoot-File-", "relationshipType": "DESCRIBES"}]}
\ No newline at end of file
diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json
index 4d8dbcf..f250ed5 100644
--- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json
+++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json
@@ -1 +1,885 @@ -{"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b", "documentNamespace": "https://anchore.com/syft/file/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b-8efaed6f-2f42-453b-b9dd-3fb60491d7cf", "creationInfo": {"licenseListVersion": "3.24", "creators": ["Organization: Anchore, Inc", "Tool: syft-0.100.0"], "created": "2024-09-12T14:07:12Z"}, "packages": [{"name": "", "SPDXID": "SPDXRef-DocumentRoot-File-", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "primaryPackagePurpose": "FILE"}, {"name": "./terminaltor", "SPDXID": "SPDXRef-Package-go-module-.-terminaltor-1b79094a8c283d88", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: opt/app-root/src/go.mod", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/./terminaltor"}]}, {"name": "./terminaltor", "SPDXID": "SPDXRef-Package-go-module-.-terminaltor-9c8431f4d44b5c65", "versionInfo": "(devel)", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: opt/app-root/src/main", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/./terminaltor@(devel)"}]}, {"name": "PyYAML", "SPDXID": "SPDXRef-Package-python-PyYAML-0172906cb007d3b6", "versionInfo": "6.0", "supplier": "Person: Kirill Simonov 
(xi@resolvent.net)", "originator": "Person: Kirill Simonov (xi@resolvent.net)", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: usr/local/lib64/python3.11/site-packages/PyYAML-6.0.dist-info/METADATA, usr/local/lib64/python3.11/site-packages/PyYAML-6.0.dist-info/RECORD, usr/local/lib64/python3.11/site-packages/PyYAML-6.0.dist-info/top_level.txt", "licenseConcluded": "NOASSERTION", "licenseDeclared": "MIT", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", 
"referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/PyYAML@6.0"}]}, {"name": "aiowsgi", "SPDXID": "SPDXRef-Package-python-aiowsgi-b32dee5d93047994", "versionInfo": "0.8", "supplier": "Person: Gael Pasgrimaud (gael@gawel.org)", "originator": "Person: Gael Pasgrimaud (gael@gawel.org)", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: opt/app-root/lib/python3.9/site-packages/aiowsgi-0.8.dist-info/METADATA, opt/app-root/lib/python3.9/site-packages/aiowsgi-0.8.dist-info/RECORD, opt/app-root/lib/python3.9/site-packages/aiowsgi-0.8.dist-info/top_level.txt", "licenseConcluded": "NOASSERTION", "licenseDeclared": "MIT", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, 
{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": 
"SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/aiowsgi@0.8"}]}, {"name": "appr", "SPDXID": "SPDXRef-Package-python-appr-93a64d044490691c", "versionInfo": "0.7.4", "supplier": "Person: Antoine Legrand (2t.antoine@gmail.com)", "originator": "Person: Antoine Legrand (2t.antoine@gmail.com)", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: opt/app-root/lib/python3.9/site-packages/appr-0.7.4-py3.9.egg-info/PKG-INFO, opt/app-root/lib/python3.9/site-packages/appr-0.7.4-py3.9.egg-info/top_level.txt", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:antoine_legrand:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:antoine_legrand:python_appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-appr:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-appr:python_appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_appr:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_appr:python_appr:0.7.4:*:*:*:*:*:*:*"}, 
{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:2t-antoine:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:2t-antoine:python_appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:2t_antoine:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:2t_antoine:python_appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:antoine_legrand:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python_appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:appr:python-appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:appr:python_appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-appr:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_appr:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:2t-antoine:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:2t_antoine:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": 
"cpe:2.3:a:appr:appr:0.7.4:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/appr@0.7.4"}]}, {"name": "bash", "SPDXID": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", "versionInfo": "4.4.20-4.el8_6", "supplier": "Organization: Red Hat, Inc.", "originator": "Organization: Red Hat, Inc.", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from RPM DB: var/lib/rpm/Packages", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:bash:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/rhel/bash@4.4.20-4.el8_6?arch=x86_64&upstream=bash-4.4.20-4.el8_6.src.rpm&distro=rhel-8.7"}]}, {"name": "cachi2", "SPDXID": "SPDXRef-Package-python-cachi2-71a99443e114c112", "versionInfo": "0.0.post1+gdfd2180.d20230704", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: src/cachi2.egg-info/PKG-INFO, src/cachi2.egg-info/top_level.txt", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-cachi2:python-cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-cachi2:python_cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": 
"cpe:2.3:a:python_cachi2:python-cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_cachi2:python_cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachi2:python-cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachi2:python_cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-cachi2:cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python_cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_cachi2:cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachi2:cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/cachi2@0.0.post1+gdfd2180.d20230704"}]}, {"name": "cachito-npm-without-deps", "SPDXID": "SPDXRef-Package-npm-cachito-npm-without-deps-72138119b55a065d", "versionInfo": "git+https://github.com/cachito-testing/cachito-npm-without-deps.git#2f0ce1d7b1f8b35572d919428b965285a69583f6", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", 
"filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module manifest file: opt/app-root/src/package-lock.json", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito-npm-without-deps:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito-npm-without-deps:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito_npm_without_deps:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito_npm_without_deps:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito-npm-without:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito-npm-without:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", 
"referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito_npm_without:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito_npm_without:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito-npm:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito-npm:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito_npm:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito_npm:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:cachito:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": 
"cpe:2.3:a:cachito:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:*:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:*:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/cachito-npm-without-deps@git+https://github.com/cachito-testing/cachito-npm-without-deps.git%232f0ce1d7b1f8b35572d919428b965285a69583f6"}]}, {"name": "code.gitea.io/sdk/gitea", "SPDXID": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-3172f131171fcbf8", "versionInfo": "v0.15.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "checksums": [{"algorithm": "SHA256", "checksumValue": "589ade0bb618bb16e7d140da3ee5887bf9ad88d293bcb37c30b91ac3bd72c7f3"}], "sourceInfo": "acquired package info from go module information: manager", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:sdk:gitea:v0.15.1:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1"}]}, {"name": "fecha", "SPDXID": "SPDXRef-Package-npm-fecha-ff4ad17b28d08441", "versionInfo": "https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz", "supplier": "NOASSERTION", "downloadLocation": 
"NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module manifest file: opt/app-root/src/package-lock.json", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:fecha:fecha:https\\:\\/\\/github.com\\/taylorhakes\\/fecha\\/archive\\/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:*:fecha:https\\:\\/\\/github.com\\/taylorhakes\\/fecha\\/archive\\/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/fecha@https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz"}]}, {"name": "github.com/docker/cli", "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-1671a7feec4073fe", "versionInfo": "v23.0.0-rc.3+incompatible", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "checksums": [{"algorithm": "SHA256", "checksumValue": "38fadc503ae902956b559b19072212b79d73203ec74f45710ca6bfa27bd4ccea"}], "sourceInfo": "acquired package info from go module information: manager", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:docker:cli:v23.0.0-rc.3\\+incompatible:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3+incompatible"}]}, {"name": "github.com/redhat-appstudio/build-service", "SPDXID": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-5719506d15c0a3dd", "versionInfo": "(devel)", "supplier": "NOASSERTION", 
"downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: manager", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat-appstudio:build-service:\\(devel\\):*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat-appstudio:build_service:\\(devel\\):*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat_appstudio:build-service:\\(devel\\):*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat_appstudio:build_service:\\(devel\\):*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat:build-service:\\(devel\\):*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat:build_service:\\(devel\\):*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@(devel)"}]}, {"name": "knative.dev/pkg", "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-8ce424e944b2a02f", "versionInfo": "v0.0.0-20230125083639-408ad0773f47", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "checksums": [{"algorithm": "SHA256", "checksumValue": "ce544eef05ce1d56202afb02de721a606a9e40694b24bf04214637d11877ec8b"}], "sourceInfo": "acquired package info from go module information: manager", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": 
"pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47"}]}], "relationships": [{"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-.-terminaltor-1b79094a8c283d88", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-.-terminaltor-9c8431f4d44b5c65", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-0172906cb007d3b6", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-aiowsgi-b32dee5d93047994", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-appr-93a64d044490691c", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-cachi2-71a99443e114c112", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-npm-cachito-npm-without-deps-72138119b55a065d", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-3172f131171fcbf8", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-npm-fecha-ff4ad17b28d08441", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-1671a7feec4073fe", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-5719506d15c0a3dd", 
"relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-8ce424e944b2a02f", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-DocumentRoot-File-", "relationshipType": "DESCRIBES"}]} +{ + "spdxVersion": "SPDX-2.3", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b", + "documentNamespace": "https://anchore.com/syft/file/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b-8efaed6f-2f42-453b-b9dd-3fb60491d7cf", + "creationInfo": { + "licenseListVersion": "3.24", + "creators": [ + "Organization: Anchore, Inc", + "Tool: syft-0.100.0" + ], + "created": "2024-09-12T14:07:12Z" + }, + "packages": [ + { + "name": "", + "SPDXID": "SPDXRef-DocumentRoot-File-", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "primaryPackagePurpose": "FILE" + }, + { + "name": "./terminaltor", + "SPDXID": "SPDXRef-Package-go-module-.-terminaltor-1b79094a8c283d88", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: opt/app-root/src/go.mod", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/./terminaltor" + } + ] + }, + { + "name": "./terminaltor", + "SPDXID": "SPDXRef-Package-go-module-.-terminaltor-9c8431f4d44b5c65", + "versionInfo": "(devel)", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module 
information: opt/app-root/src/main", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/./terminaltor@(devel)" + } + ] + }, + { + "name": "PyYAML", + "SPDXID": "SPDXRef-Package-python-PyYAML-0172906cb007d3b6", + "versionInfo": "6.0", + "supplier": "Person: Kirill Simonov (xi@resolvent.net)", + "originator": "Person: Kirill Simonov (xi@resolvent.net)", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: usr/local/lib64/python3.11/site-packages/PyYAML-6.0.dist-info/METADATA, usr/local/lib64/python3.11/site-packages/PyYAML-6.0.dist-info/RECORD, usr/local/lib64/python3.11/site-packages/PyYAML-6.0.dist-info/top_level.txt", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:kirill_simonov:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:kirill_simonov:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", 
+ "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:kirill_simonov:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-PyYAML:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_PyYAML:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:xi:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:xi:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:PyYAML:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:xi:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/PyYAML@6.0" + } + ] + }, + { + "name": "aiowsgi", + "SPDXID": "SPDXRef-Package-python-aiowsgi-b32dee5d93047994", + "versionInfo": "0.8", + "supplier": "Person: Gael Pasgrimaud 
(gael@gawel.org)", + "originator": "Person: Gael Pasgrimaud (gael@gawel.org)", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: opt/app-root/lib/python3.9/site-packages/aiowsgi-0.8.dist-info/METADATA, opt/app-root/lib/python3.9/site-packages/aiowsgi-0.8.dist-info/RECORD, opt/app-root/lib/python3.9/site-packages/aiowsgi-0.8.dist-info/top_level.txt", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "MIT", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": 
"SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/aiowsgi@0.8" + } + ] + }, + { + "name": "appr", + "SPDXID": "SPDXRef-Package-python-appr-93a64d044490691c", + "versionInfo": "0.7.4", + "supplier": "Person: Antoine Legrand (2t.antoine@gmail.com)", + "originator": "Person: Antoine Legrand (2t.antoine@gmail.com)", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: opt/app-root/lib/python3.9/site-packages/appr-0.7.4-py3.9.egg-info/PKG-INFO, opt/app-root/lib/python3.9/site-packages/appr-0.7.4-py3.9.egg-info/top_level.txt", + "licenseConcluded": 
"NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:antoine_legrand:python-appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:antoine_legrand:python_appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-appr:python-appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-appr:python_appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_appr:python-appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_appr:python_appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:2t-antoine:python-appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:2t-antoine:python_appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:2t_antoine:python-appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:2t_antoine:python_appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:antoine_legrand:appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python-appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + 
"referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python_appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:appr:python-appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:appr:python_appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-appr:appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_appr:appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:2t-antoine:appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:2t_antoine:appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:appr:appr:0.7.4:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/appr@0.7.4" + } + ] + }, + { + "name": "bash", + "SPDXID": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", + "versionInfo": "4.4.20-4.el8_6", + "supplier": "Organization: Red Hat, Inc.", + "originator": "Organization: Red Hat, Inc.", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from RPM DB: var/lib/rpm/Packages", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": 
"cpe:2.3:a:redhat:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:bash:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:rpm/rhel/bash@4.4.20-4.el8_6?arch=x86_64&upstream=bash-4.4.20-4.el8_6.src.rpm&distro=rhel-8.7" + } + ] + }, + { + "name": "cachi2", + "SPDXID": "SPDXRef-Package-python-cachi2-71a99443e114c112", + "versionInfo": "0.0.post1+gdfd2180.d20230704", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: src/cachi2.egg-info/PKG-INFO, src/cachi2.egg-info/top_level.txt", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-cachi2:python-cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-cachi2:python_cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_cachi2:python-cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_cachi2:python_cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachi2:python-cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachi2:python_cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*" + 
}, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-cachi2:cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python-cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python_cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_cachi2:cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachi2:cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:cachi2:0.0.post1\\+gdfd2180.d20230704:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/cachi2@0.0.post1+gdfd2180.d20230704" + } + ] + }, + { + "name": "cachito-npm-without-deps", + "SPDXID": "SPDXRef-Package-npm-cachito-npm-without-deps-72138119b55a065d", + "versionInfo": "git+https://github.com/cachito-testing/cachito-npm-without-deps.git#2f0ce1d7b1f8b35572d919428b965285a69583f6", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed node module manifest file: opt/app-root/src/package-lock.json", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": 
"cpe:2.3:a:cachito-npm-without-deps:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachito-npm-without-deps:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachito_npm_without_deps:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachito_npm_without_deps:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachito-npm-without:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachito-npm-without:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachito_npm_without:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": 
"SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachito_npm_without:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachito-npm:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachito-npm:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachito_npm:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachito_npm:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachito:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:cachito:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", 
+ "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:*:cachito-npm-without-deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:*:cachito_npm_without_deps:git\\+https\\:\\/\\/github.com\\/cachito-testing\\/cachito-npm-without-deps.git\\#2f0ce1d7b1f8b35572d919428b965285a69583f6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:npm/cachito-npm-without-deps@git+https://github.com/cachito-testing/cachito-npm-without-deps.git%232f0ce1d7b1f8b35572d919428b965285a69583f6" + } + ] + }, + { + "name": "code.gitea.io/sdk/gitea", + "SPDXID": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-3172f131171fcbf8", + "versionInfo": "v0.15.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "589ade0bb618bb16e7d140da3ee5887bf9ad88d293bcb37c30b91ac3bd72c7f3" + } + ], + "sourceInfo": "acquired package info from go module information: manager", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:sdk:gitea:v0.15.1:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=package" + } + ] + }, + { + "name": "fecha", + "SPDXID": "SPDXRef-Package-npm-fecha-ff4ad17b28d08441", + "versionInfo": "https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed 
node module manifest file: opt/app-root/src/package-lock.json", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:fecha:fecha:https\\:\\/\\/github.com\\/taylorhakes\\/fecha\\/archive\\/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:*:fecha:https\\:\\/\\/github.com\\/taylorhakes\\/fecha\\/archive\\/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:npm/fecha@https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz" + } + ] + }, + { + "name": "github.com/docker/cli", + "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-1671a7feec4073fe", + "versionInfo": "v23.0.0-rc.3+incompatible", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "38fadc503ae902956b559b19072212b79d73203ec74f45710ca6bfa27bd4ccea" + } + ], + "sourceInfo": "acquired package info from go module information: manager", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:docker:cli:v23.0.0-rc.3\\+incompatible:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3+incompatible" + } + ] + }, + { + "name": "github.com/redhat-appstudio/build-service", + "SPDXID": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-5719506d15c0a3dd", + "versionInfo": 
"(devel)", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: manager", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:redhat-appstudio:build-service:\\(devel\\):*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:redhat-appstudio:build_service:\\(devel\\):*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:redhat_appstudio:build-service:\\(devel\\):*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:redhat_appstudio:build_service:\\(devel\\):*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:redhat:build-service:\\(devel\\):*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:redhat:build_service:\\(devel\\):*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@(devel)" + } + ] + }, + { + "name": "knative.dev/pkg", + "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-8ce424e944b2a02f", + "versionInfo": "v0.0.0-20230125083639-408ad0773f47", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "checksums": [ + { + "algorithm": "SHA256", + "checksumValue": "ce544eef05ce1d56202afb02de721a606a9e40694b24bf04214637d11877ec8b" + } + ], + "sourceInfo": "acquired package info from go module information: manager", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": 
"NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47" + } + ] + }, + { + "name": "rhel", + "SPDXID": "SPDXRef-Package-rhel", + "versionInfo": "8.7", + "description": "Red Hat Enterprise Linux 8.7 (Ootpa)", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe22Type", + "referenceLocator": "cpe:/o:redhat:enterprise_linux:8::baseos" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "swid", + "referenceLocator": "cpe:2.3:o:redhat:enterprise_linux:8::baseos:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "OTHER", + "referenceType": "issue-tracker", + "referenceLocator": "https://bugzilla.redhat.com/" + }, + { + "referenceCategory": "OTHER", + "referenceType": "website", + "referenceLocator": "https://www.redhat.com/" + } + ] + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-.-terminaltor-1b79094a8c283d88", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-.-terminaltor-9c8431f4d44b5c65", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-0172906cb007d3b6", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-aiowsgi-b32dee5d93047994", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-appr-93a64d044490691c", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", + "relationshipType": "CONTAINS" + }, + { + 
"spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-cachi2-71a99443e114c112", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-npm-cachito-npm-without-deps-72138119b55a065d", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-3172f131171fcbf8", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-npm-fecha-ff4ad17b28d08441", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-1671a7feec4073fe", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-5719506d15c0a3dd", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-8ce424e944b2a02f", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-rhel", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-DocumentRoot-File-", + "relationshipType": "DESCRIBES" + } + ] +} diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py index 761d7ae..8813985 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py 
@@ -62,6 +62,34 @@ def test_merge_sboms_spdx(data_dir: Path, isodate: Generator) -> None:
assert json.loads(result) == expected_sbom
+def test_merge_both_formats_equal(data_dir: Path, isodate: Generator) -> None:
+ """Test that the merge result is the same for both formats."""
+
+ result_cdx = json.loads(merge_sboms(f"{data_dir}/cachi2.bom.json", f"{data_dir}/syft.bom.json"))
+ result_spdx = json.loads(
+ merge_sboms(f"{data_dir}/cachi2.bom.spdx.json", f"{data_dir}/syft.bom.spdx.json", format="spdx")
+ )
+ cdx_components = []
+ for component in result_cdx["components"]:
+ cdx_components.append(
+ {"name": component["name"], "version": component.get("version"), "purl": component.get("purl")}
+ )
+ spdx_packages = []
+ for package in result_spdx["packages"]:
+ purl = ""
+ purl = None
+ for ref in package.get("externalRefs", []):
+ if ref["referenceType"] == "purl":
+ purl = ref["referenceLocator"]
+ spdx_packages.append({"name": package["name"], "version": package.get("versionInfo"), "purl": purl})
+ if not purl and package["name"]:
+ spdx_packages.append({"name": package["name"], "version": package.get("versionInfo"), "purl": None})
+ cdx_components.sort(key=lambda x: (x["name"], x["version"], x["purl"]))
+ spdx_packages.sort(key=lambda x: (x["name"], x["version"], x["purl"]))
+
+ assert cdx_components == spdx_packages
+
+
@pytest.mark.parametrize( + "syft_tools_metadata, expected_result", + [ From 66625d799d2d188939193e8ba4da7ed32d3c3759 Mon Sep 17 00:00:00 2001 From: Jindrich Luza Date: Fri, 22 Nov 2024 11:38:18 +0100 Subject: [PATCH 11/12] - Added format autodetection - Renamed middle element to root package - Added mandatory attributes to spdx elements
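Review bot: `purl = ""` is dead (it is overwritten by `purl = None` on the next line), and `spdx_packages.append(...)` sits inside the `for ref` loop, so a package carrying two purl externalRefs is appended twice while the CycloneDX side yields one entry per component; the equality assertion therefore holds only as long as no fixture has more than one purl ref. Collecting the purl first and appending once keeps the comparison one-entry-per-package: `purl = next((ref["referenceLocator"] for ref in package.get("externalRefs", []) if ref["referenceType"] == "purl"), None)` followed by `if purl or package["name"]: spdx_packages.append({"name": package["name"], "version": package.get("versionInfo"), "purl": purl})`. The remaining `if package["name"]` condition deserves a one-line comment saying it skips the unnamed root package.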
Signed-off-by: Jindrich Luza
--- .../app/base_images_sbom_script.py | 32 ++-- .../app/test_base_images_sbom_script.py | 15 +- .../merge_cachi2_sboms.py | 47 +++-- .../test_merge_cachi2_sboms.py | 6 +- .../scripts/merge_syft_sboms_spdx.py | 166 ------------------ 5 files changed, 65 insertions(+), 201 deletions(-) delete mode 100644 sbom-utility-scripts/scripts/merge_syft_sboms_spdx.py
diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py
index 0b75d97..da747f9 100644
--- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py
+++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py
@@ -89,6 +89,14 @@ def get_base_images_sbom_components(base_images_digests, is_last_from_scratch):
return components
+def detect_sbom_format(sbom):
+ if sbom.get("bomFormat") == "CycloneDX":
+ return "cyclonedx"
+ elif sbom.get("spdxVersion"):
+ return "spdx"
+ else:
+ raise ValueError("Unknown SBOM format")
+
def parse_args():
parser = argparse.ArgumentParser(
description="Updates the sbom file with base images data based on the provided files"
@@ -160,7 +168,7 @@ def main():
sbom = json.load(f)
base_images_sbom_components = get_base_images_sbom_components(base_images_digests, is_last_from_scratch)
- if args.sbom_type == "cyclonedx":
+ if detect_sbom_format(sbom) == "cyclonedx":
if "formulation" in sbom:
sbom["formulation"].append({"components": base_images_sbom_components})
else:
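Review bot: After the second hunk `args.sbom_type` is no longer read anywhere, yet `--sbom-type` stays declared with `required=True` in `parse_args` (it is only removed in the following commit on this page), so every caller must keep passing a value that has no effect; either drop the option here or compare it with `detect_sbom_format(sbom)` and fail on a mismatch. `detect_sbom_format` in the first hunk has no docstring and accepts any truthy `spdxVersion`; a line such as `"""Return "cyclonedx" or "spdx" from the document's self-declared format keys, or raise ValueError."""` would record that the detection trusts the input's own declaration rather than its structure. The `ValueError` escapes `main` as a traceback rather than a usage error, which is worth stating if intended. `main` starts and ends outside the hunk.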
@@ -171,24 +179,25 @@ def main():
packages = []
relationships = []
- # Try to calculate middle element represeting the container image or directory, which was
+ # Try to calculate root package represeting the container image or directory, which was
# used to build the SBOM, based on the relationships maps.
# SPDX has relationsship ROOT-ID DESCRIBES MIDDLE-ID which express the fact the SBOM documents
# describes container image or directory represented by MIDDLE-ID package.
- middle_element1 = None
+ root_package1 = None
for r, contains in map1.items():
- # middle element is the one which contains another elements and is in relationship with
- # the root element where it stand as relatedSpdxElement
+ # root package is the one which contains another elements and is in relationship with
+ # the document element where it stand as relatedSpdxElement
if contains and inverse_map1.get(r) == root_element1:
- middle_element1 = r
- # If not middle element is found then create one with ID "Uknown" as source for the SBOM
+ root_package1 = r
+ # If not root package is found then create one with ID "Uknown" as source for the SBOM
# is not known.
- if not middle_element1:
- middle_element1 = "SPDXRef-DocumentRoot-Unknown-"
+ if not root_package1:
+ root_package1 = "SPDXRef-DocumentRoot-Unknown-"
packages.append(
{
"SPDXID": "SPDXRef-DocumentRoot-Unknown-",
"name": "",
+ "downloadLocation": "NOASSERTION",
}
)
relationships.append(
@@ -210,6 +219,7 @@ def main():
{
"SPDXID": SPDXID,
"name": component["name"],
+ "downloadLocation": "NOASSERTION",
# See more info about external refs here:
# https://spdx.github.io/spdx-spec/v2.3/package-information/#7211-description
"externalRefs": [
@@ -223,7 +233,7 @@ def main():
# as json string
"annotations": [
{
- "annotator": "konflux:jsonencoded",
+ "annotator": "Tool:konflux:jsonencoded",
"annotationDate": annotation_date,
"annotationType": "OTHER",
"comment": json.dumps(
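Review bot: The annotator value `"Tool:konflux:jsonencoded"` introduced in the third hunk does not follow the SPDX 2.3 annotator form `Tool: <name>` (space after the colon), which SPDX validators may reject; the next commit on this page changes it to `"Tool: konflux:jsonencoded"`, and doing so here avoids shipping an interim value. In the first hunk the rewritten comments keep the typos `represeting`, `relationsship` and `Uknown` and still speak of `MIDDLE-ID` although the code now calls it the root package; e.g. `# SPDX expresses "DOCUMENT-ID DESCRIBES ROOT-PACKAGE-ID": the document describes the image or directory represented by the root package.` `main` starts and ends outside these hunks.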
@@ -240,7 +250,7 @@ def main():
relationships.append(
{
"spdxElementId": SPDXID,
- "relatedSpdxElement": middle_element1,
+ "relatedSpdxElement": root_package1,
"relationshipType": "BUILD_TOOL_OF",
}
)
diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py
index c3c6807..8a22f2b 100644
--- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py
+++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py
@@ -450,6 +450,7 @@ def test_main_input_sbom_does_not_contain_formulation(tmp_path, mocker):
# minimal input sbom file
sbom_file.write_text(
"""{
+ "bomFormat": "CycloneDX",
"project_name": "MyProject",
"version": "1.0",
"components": []
@@ -532,8 +533,9 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate):
sbom_file.write_text(
"""{
"SPDXID": "SPDXRef-Document",
- "project_name": "MyProject",
- "version": "1.0",
+ "spdxVersion": "SPDX-2.3",
+ "name": "MyProject",
+ "documentNamespace": "http://example.com/uid-1234",
"packages": [],
"relationships": []
}"""
@@ -562,12 +564,14 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate):
"packages": [
{
"SPDXID": "SPDXRef-DocumentRoot-Unknown-",
+ "downloadLocation": "NOASSERTION",
"name": "",
},
{
"SPDXID": "SPDXRef-container-quay.io/mkosiarc_rhtap/single-container-app-"
"9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c",
"name": "quay.io/mkosiarc_rhtap/single-container-app",
+ "downloadLocation": "NOASSERTION",
"externalRefs": [
{
"referenceType": "purl",
@@ -579,7 +583,7 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate):
],
"annotations": [
{
- "annotator": "konflux:jsonencoded",
+ "annotator": "Tool:konflux:jsonencoded",
"annotationDate": "2021-07-01T00:00:00Z",
"annotationType": "OTHER",
"comment": '{"name":"konflux:container:is_builder_image:for_stage","value":"0"}',
@@ -590,6 +594,7 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate):
"name": "registry.access.redhat.com/ubi8/ubi",
"SPDXID": "SPDXRef-container-registry.access.redhat.com/ubi8/ubi-"
"0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1",
+ "downloadLocation": "NOASSERTION",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
@@ -601,7 +606,7 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate):
],
"annotations": [
{
- "annotator": "konflux:jsonencoded",
+ "annotator": "Tool:konflux:jsonencoded",
"annotationDate": "2021-07-01T00:00:00Z",
"annotationType": "OTHER",
"comment": '{"name":"konflux:container:is_base_image","value":"true"}',
@@ -646,6 +651,7 @@ def test_main_input_sbom_does_not_contain_formulation_and_base_image_from_scratc
sbom_file.write_text(
"""{
"project_name": "MyProject",
+ "bomFormat": "CycloneDX",
"version": "1.0",
"components": []
}"""
@@ -720,6 +726,7 @@ def test_main_input_sbom_contains_formulation(tmp_path, mocker):
sbom_file.write_text(
"""
{
+ "bomFormat": "CycloneDX",
"project_name": "MyProject",
"version": "1.0",
"components": [],
diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py
index b1e2885..f81f62e 100644
--- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py
+++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py
@@ -6,6 +6,15 @@ from packageurl import PackageURL
+def detect_sbom_format(sbom):
+ if sbom.get("bomFormat") == "CycloneDX":
+ return "cyclonedx"
+ elif sbom.get("spdxVersion"):
+ return "spdx"
+ else:
+ raise ValueError("Unknown SBOM format")
+
+
def _is_syft_local_golang_component(component: dict) -> bool:
"""
Check if a Syft Golang reported component is a local replacement.
@@ -401,15 +410,16 @@ def map_relationships(relationships):
break
return parent_element, relations_map, relations_inverse_map
- def calculate_middle_element(root_element, map, inverse_map):
- """Calculate middle element of the relationship.
- Middle element is considered as element which is related to root element and is not root element.
+ def calculate_root_package(root_element, map, inverse_map):
+ """Calculate root package from relationship map.
+ Root package is considered as package which contains other packages and
+ is described by the document itself.
"""
- middle_element = None
+ root_package = None
for r, contains in map.items():
if contains and inverse_map.get(r) == root_element:
- middle_element = r
- return middle_element
+ root_package = r
+ return root_package
relationships = []
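Review bot: `detect_sbom_format` in the first hunk is a byte-for-byte copy of the function added to `base_images_sbom_script.py` in this same commit, so the two scripts' notion of a valid SBOM will drift the first time one copy is fixed; a shared helper, or at least a comment pointing at the twin, would help. In `calculate_root_package` (second hunk) the parameter `map` shadows the builtin, and the loop keeps overwriting `root_package` without a `break`, so when several packages satisfy the condition the last one wins silently; either `return r` on the first match or add `# last matching package wins` so the choice is documented. The function appears to be nested in a merge routine whose start and end lie outside the hunk.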
@@ -417,15 +427,15 @@ def calculate_middle_element(root_element, map, inverse_map):
root_element2, map2, inverse_map2 = map_relationships(relationships2)
package_ids = [package["SPDXID"] for package in packages]
- middle_element1 = calculate_middle_element(root_element1, map1, inverse_map1)
- middle_element2 = calculate_middle_element(root_element2, map2, inverse_map2)
+ root_package1 = calculate_root_package(root_element1, map1, inverse_map1)
+ root_package2 = calculate_root_package(root_element2, map2, inverse_map2)
for relation in relationships2:
_relation = relation.copy()
# If relations is Root decribes middle element, skip it
if (
- _relation["relatedSpdxElement"] == middle_element2
+ _relation["relatedSpdxElement"] == root_package2
and _relation["spdxElementId"] == root_element2
and _relation["relationshipType"] == "DESCRIBES"
):
@@ -436,10 +446,10 @@ def calculate_middle_element(root_element, map, inverse_map):
_relation["spdxElementId"] = root_element1
elif relation["relatedSpdxElement"] == root_element2:
_relation["relatedSpdxElement"] = root_element1
- if _relation["spdxElementId"] == middle_element2:
- _relation["spdxElementId"] = middle_element1
- if _relation["relatedSpdxElement"] == middle_element2:
- _relation["relatedSpdxElement"] = middle_element1
+ if _relation["spdxElementId"] == root_package2:
+ _relation["spdxElementId"] = root_package1
+ if _relation["relatedSpdxElement"] == root_package2:
+ _relation["relatedSpdxElement"] = root_package1
# include only relations to packages which exists in merged packages.
if _relation["relatedSpdxElement"] in package_ids:
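Review bot: The context comment `# If relations is Root decribes middle element, skip it` in the first hunk was not updated with the rename and has a typo, so it no longer matches the `root_package2` check directly below it; `# Skip the second SBOM's "document DESCRIBES root package" relation` says what the condition tests. The enclosing function starts and ends outside both hunks.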
@@ -482,7 +492,7 @@ def get_package_key(pkg):
return filtered_packages + cachi2_sbom["packages"]
-def merge_sboms(cachi2_sbom_path: str, syft_sbom_path: str, format: str = "cyclonedx") -> str:
+def merge_sboms(cachi2_sbom_path: str, syft_sbom_path: str) -> str:
"""Merge Cachi2 components into the Syft SBOM while removing duplicates."""
with open(cachi2_sbom_path) as file:
cachi2_sbom = json.load(file)
@@ -490,7 +500,12 @@ def merge_sboms(cachi2_sbom_path: str, syft_sbom_path: str, format: str = "cyclo
with open(syft_sbom_path) as file:
syft_sbom = json.load(file)
- if format == "cyclonedx":
+ format1 = detect_sbom_format(cachi2_sbom)
+ format2 = detect_sbom_format(syft_sbom)
+ if format1 != format2:
+ raise ValueError("SBOMs are in different formats")
+
+ if format1 == "cyclonedx":
syft_sbom["components"] = merge_components(syft_sbom, cachi2_sbom)
_merge_tools_metadata(syft_sbom, cachi2_sbom)
else:
@@ -527,6 +542,6 @@ def merge_sboms(cachi2_sbom_path: str, syft_sbom_path: str, format: str = "cyclo
args = parser.parse_args()
- merged_sbom = merge_sboms(args.cachi2_sbom_path, args.syft_sbom_path, format=args.sbom_format)
+ merged_sbom = merge_sboms(args.cachi2_sbom_path, args.syft_sbom_path)
print(merged_sbom)
diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py
index 8813985..3de069c 100644
--- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py
+++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py
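Review bot: `raise ValueError("SBOMs are in different formats")` in the second hunk names neither the files nor the formats that were detected, so an operator reading a pipeline log cannot tell which input is wrong; `raise ValueError(f"SBOMs are in different formats: {cachi2_sbom_path} is {format1}, {syft_sbom_path} is {format2}")` costs nothing. Removing the `format` parameter from `merge_sboms` in the first hunk breaks any importer that passed it by keyword, and if `parse_args` still defines `--sbom-format` (not visible here) that option is now dead and should go with it. The body of `merge_sboms` continues outside the hunk.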
@@ -54,7 +54,7 @@ def isodate() -> Generator:
def test_merge_sboms_spdx(data_dir: Path, isodate: Generator) -> None:
- result = merge_sboms(f"{data_dir}/cachi2.bom.spdx.json", f"{data_dir}/syft.bom.spdx.json", format="spdx")
+ result = merge_sboms(f"{data_dir}/cachi2.bom.spdx.json", f"{data_dir}/syft.bom.spdx.json")
with open(f"{data_dir}/merged.bom.spdx.json") as file:
expected_sbom = json.load(file)
@@ -66,9 +66,7 @@ def test_merge_both_formats_equal(data_dir: Path, isodate: Generator) -> None:
"""Test that the merge result is the same for both formats."""
result_cdx = json.loads(merge_sboms(f"{data_dir}/cachi2.bom.json", f"{data_dir}/syft.bom.json"))
- result_spdx = json.loads(
- merge_sboms(f"{data_dir}/cachi2.bom.spdx.json", f"{data_dir}/syft.bom.spdx.json", format="spdx")
- )
+ result_spdx = json.loads(merge_sboms(f"{data_dir}/cachi2.bom.spdx.json", f"{data_dir}/syft.bom.spdx.json"))
cdx_components = []
for component in result_cdx["components"]:
cdx_components.append(
diff --git a/sbom-utility-scripts/scripts/merge_syft_sboms_spdx.py b/sbom-utility-scripts/scripts/merge_syft_sboms_spdx.py
deleted file mode 100644
index 31ada1e..0000000
--- a/sbom-utility-scripts/scripts/merge_syft_sboms_spdx.py
+++ /dev/null
@@ -1,166 +0,0 @@ -import json - -class _ANY: - def __eq__(self, other): - return True - - def __hash__(self): - return hash("Any") - - -ANY = _ANY() - - -def merge_annotations(annotations1, annotations2): - annotation_tuples = [] - for annotation in annotations1: - annotation_tuples.append( - ( - annotation["annotator"], - annotation["comment"], - annotation["annotationDate"], - annotation["annotationType"], - ) - ) - for annotation in annotations2: - annotation_tuples.append( - ( - annotation["annotator"], - annotation["comment"], - annotation["annotationDate"], - annotation["annotationType"], - ) - ) - annotations = set(annotation_tuples) - return [ - { - "annotator": annotation[0], - "comment": annotation[1], - "annotationDate": annotation[2], - "annotationType": annotation[3], - } - for annotation in annotations - ] - -def merge_relationships(relationships1, relationships2, packages): - def map_relationships(relationships): - relations_map = {} - relations_inverse_map = {} - - for relation in relationships: - relations_map.setdefault(relation["spdxElementId"], []).append(relation["relatedSpdxElement"]) - relations_inverse_map[relation["relatedSpdxElement"]] = relation["spdxElementId"] - - for parent_element in relations_map.keys(): - if parent_element not in relations_inverse_map: - break - return parent_element, relations_map, relations_inverse_map - - relationships = [] - - root_element1, map1, inverse_map1 = map_relationships(relationships1) - root_element2, map2, inverse_map2 = map_relationships(relationships2) - package_ids = [package["SPDXID"] for package in packages] - for r, contains in map2.items(): - if contains and inverse_map2.get(r) == root_element2: - middle_element2 = r - for r, contains in map1.items(): - if contains and inverse_map1.get(r) == root_element1: - middle_element1 = r - - for relation in relationships2: - _relation = { - "spdxElementId": relation["spdxElementId"], - "relatedSpdxElement": relation["relatedSpdxElement"], - 
"relationshipType": relation["relationshipType"], - } - if _relation["spdxElementId"] == root_element2: - _relation["spdxElementId"] = root_element1 - elif relation["relatedSpdxElement"] == root_element2: - _relation["relatedSpdxElement"] = root_element1 - - if _relation["relatedSpdxElement"] in package_ids: - relationships.append(_relation) - elif _relation["spdxElementId"] in package_ids: - relationships.append(_relation) - - for relation in relationships1: - _relation = { - "spdxElementId": relation["spdxElementId"], - "relatedSpdxElement": relation["relatedSpdxElement"], - "relationshipType": relation["relationshipType"], - } - if _relation["relatedSpdxElement"] == middle_element1: - continue - if _relation["spdxElementId"] == middle_element1: - _relation["spdxElementId"] = middle_element2 - if relation["relatedSpdxElement"] in package_ids: - relationships.append(_relation) - return relationships - - -def merge_packages(sbom1: dict, sbom2: dict) -> dict: - """Merge SBOM packages from two SBOMs.""" - - package_map1 = {(p["name"], p.get("versionInfo", ANY)): p for p in cachi2_sbom["packages"]} - - packages2 = [] - for p in sbom2.get("packages", []): - if (p["name"], p.get("versionInfo", ANY)) in list(package_map1.keys()): - try: - package1 = package_map1[(p["name"], p.get("versionInfo"))] - except KeyError: - package1 = package_map1[(p["name"], ANY)] - package1["externalRefs"] = sorted( - merge_external_refs(package1.get("externalRefs", []), p.get("externalRefs", [])), - key=lambda x: ( - x["referenceCategory"], - x["referenceType"], - x["referenceLocator"], - ), - ) - package1["annotations"] = merge_annotations(package1.get("annotations", []), p.get("annotations", [])) - else: - packages2.append(p) - - return packages2 + sbom1['packages'] - -def merge_metadata(sbom1: dict[Any, Any], sbom2: dict[Any, Any]) -> None: - """Merge the content of tools in the metadata section of the SBOM. 
- """ - creators = sbom2["creationInfo"]["creators"] - - for creator in creators: - sbom1["creationInfo"]["creators"].append(creator) - - -# load SBOMs -with open("./sbom-image.json") as f: - image_sbom = json.load(f) - -with open("./sbom-source.json") as f: - source_sbom = json.load(f) - -packages = merge_packages(image_sbom, source_sbom) -relationships = merge_relationships(image_sbom.get("relationships", []), - source_sbom.get("relationships", []), - packages) - -packages_in_relationships = [] -for relation in relationships: - packages_in_relationships.append(relation["spdxElementId"]) - packages_in_relationships.append(relation["relatedSpdxElement"]) -filtered_packages = [] - -# Remove packages which don't have any relationships -for package in packages: - if package["SPDXID"] in packages_in_relationships: - filtered_packages.append(package) - -merge_metadata(image_sbom, source_sbom) -image_sbom["packages"] = filtered_packages -image_sbom["relationships"] = relationships - -# write the CycloneDX unified SBOM -with open("./sbom-spdx.json", "w") as f: - json.dump(image_sbom, f, indent=4) From 14b867da68e42633b62d3d9e77543c82bae330ab Mon Sep 17 00:00:00 2001 From: Jindrich Luza Date: Wed, 4 Dec 2024 10:43:28 +0100 Subject: [PATCH 12/12] - Simplified root package discovery - spdx_find_doc_and_root_package wraps spdx related code - fixed isodate generator - fixed annotator string - build deps are generated as SPDXRef-Image- instead of SPDXRef-container- - added test_main_input_sbom_spdx_with_packages 
Signed-off-by: Jindrich Luza
--- .../app/base_images_sbom_script.py | 190 +++-- .../app/test_base_images_sbom_script.py | 212 ++++- .../base-images-sbom-script/app/tox.ini | 2 +- .../scripts/create_purl_sbom_spdx.py | 15 - .../merge_cachi2_sboms.py | 64 +- .../test_data/cachi2.bom.spdx.json | 25 + .../test_data/merged.bom.spdx.json | 721 +++++++++++++++++- .../test_data/syft.bom.spdx.json | 25 + .../test_merge_cachi2_sboms.py | 7 + 9 files changed, 1084 insertions(+), 177 deletions(-) delete mode 100644 sbom-utility-scripts/scripts/create_purl_sbom_spdx.py
diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py
index da747f9..eb2ce91 100644
--- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py
+++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py
@@ -97,18 +97,12 @@ def detect_sbom_format(sbom):
else:
raise ValueError("Unknown SBOM format")
+
def parse_args():
parser = argparse.ArgumentParser(
description="Updates the sbom file with base images data based on the provided files"
)
parser.add_argument("--sbom", type=pathlib.Path, help="Path to the sbom file", required=True)
- parser.add_argument(
- "--sbom-type",
- choices=["spdx", "cyclonedx"],
- default="cyclonedx",
- help="Type of the sbom file",
- required=True,
- )
parser.add_argument( - "--base-images-from-dockerfile", type=pathlib.Path,
@@ -129,28 +123,93 @@ def parse_args():
return args
-def map_relationships(relationships):
- """Map relationships of spdx element.
- Method returns triplet containing root element, map of relations and inverse map of relations.
- Root element is considered as element which is not listed as related document
- in any of the relationships. Relationship map is dict of {key: value} where key is spdx
- element and list of related elements is the value.
- Inverse map is dict of {key: value} where key is related spdx element in the relation ship
- and value is spdx element.
- """
+def spdx_find_doc_and_root_package(relationships):
+ """Find SPDX root package and document in the SBOM
- relations_map = {}
- relations_inverse_map = {}
+ :param relationships: (List) - List of relationships in the SBOM
- for relation in relationships:
- relations_map.setdefault(relation["spdxElementId"], []).append(relation["relatedSpdxElement"])
- relations_inverse_map[relation["relatedSpdxElement"]] = relation["spdxElementId"]
+ Method scans relationships for relationshipType "DESCRIBES" and returns
+ relatedSpdxElement and spdxElementId which are SPDX root package and document.
+ In the case there's no relationship with relationshipType "DESCRIBES" ValueError is raised.
+ """
- parent_element = None
- for parent_element in relations_map.keys():
- if parent_element not in relations_inverse_map:
+ for relationship in relationships:
+ if relationship["relationshipType"] == "DESCRIBES":
+ root_package1 = relationship["relatedSpdxElement"]
+ doc = relationship["spdxElementId"]
break
- return parent_element, relations_map, relations_inverse_map
+ else:
+ raise ValueError("No DESCRIBES relationship found in the SBOM")
+ return root_package1, doc
+
+
+def spdx_create_dependency_package(component, annotation_date):
+ """Create SPDX package for the base image component."""
+
+ # Calculate unique identifier SPDXID based on the component name and purl
+ # See: https://github.com/konflux-ci/architecture/blob/main/ADR/0044-spdx-support.md
+ SPDXID = f"SPDXRef-Image-{component['name']}-" + f"{hashlib.sha256(component['purl'].encode()).hexdigest()}"
+ package = {
+ "SPDXID": SPDXID,
+ "name": component["name"],
+ "downloadLocation": "NOASSERTION",
+ # See more info about external refs here:
+ # https://spdx.github.io/spdx-spec/v2.3/package-information/#7211-description
+ "externalRefs": [
+ {
+ "referenceCategory": "PACKAGE-MANAGER",
+ "referenceType": "purl",
+ "referenceLocator": component["purl"],
+ }
+ ],
+ # Annotations are used to provide cyclonedx custom properties
+ # as json string
+ # See: https://github.com/konflux-ci/architecture/blob/main/ADR/0044-spdx-support.md
+ "annotations": [
+ {
+ "annotator": "Tool: konflux:jsonencoded",
+ "annotationDate": annotation_date,
+ "annotationType": "OTHER",
+ "comment": json.dumps(
+ {"name": property["name"], "value": property["value"]},
+ separators=(",", ":"),
+ ),
+ }
+ for property in component["properties"]
+ ],
+ }
+ return package, SPDXID
+
+
+def create_build_relationship(SPDXID, root_package1):
+ return {
+ "spdxElementId": SPDXID,
+ "relatedSpdxElement": root_package1,
+ "relationshipType": "BUILD_TOOL_OF",
+ }
+
+
+def create_build_packages_and_relationships(sbom,
base_images_sbom_components):
+ """Create SPDX packages and relationships for base images components.
+
+ :param sbom: (Dict) - SBOM data
+ :param base_images_sbom_components: (List) - List of base images components
+
+ Method creates SPDX packages for base images components and relationships
+ """
+
+ packages = []
+ relationships = []
+ root_package, doc = spdx_find_doc_and_root_package(sbom["relationships"])
+ annotation_date = datetime.datetime.now().isoformat()[:-7] + "Z"
+ for component in base_images_sbom_components:
+ # create dependency package for each base image
+ package, SPDXID = spdx_create_dependency_package(component, annotation_date)
+
+ packages.append(package)
+ # Add relationship for parsed base image components and root package
+ relationships.append(create_build_relationship(SPDXID, root_package))
+ return packages, relationships
def main():
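Review bot: `annotation_date = datetime.datetime.now().isoformat()[:-7] + "Z"` in `create_build_packages_and_relationships` stamps a naive local time as UTC and assumes `isoformat()` always ends in six microsecond digits, which it omits when the microsecond field is zero, in which case the slice also removes `:SS`; `datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")` yields the intended form unconditionally (the `isodate` test fixture would need the matching update). In `spdx_create_dependency_package` the SPDXID embeds `component['name']` verbatim, and image names such as `quay.io/mkosiarc_rhtap/single-container-app` in the test fixture on this page contain `/` and `_`, which SPDX 2.3 does not permit in an SPDXRef identifier (letters, digits, `.` and `-` only), so downstream SPDX tooling may reject the document; as the sha256 of the purl already makes the id unique, `re.sub(r"[^A-Za-z0-9.-]", "-", component["name"])` (requiring `import re`) in place of the raw name keeps it valid. `doc` returned by `spdx_find_doc_and_root_package` is unused by its caller, and that helper takes only the first `DESCRIBES` relationship, which its docstring should say.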
@@ -174,86 +233,7 @@ def main():
 else:
 sbom.update({"formulation": [{"components": base_images_sbom_components}]})
 else:
- root_element1, map1, inverse_map1 = map_relationships(sbom["relationships"])
-
- packages = []
- relationships = []
-
- # Try to calculate root package represeting the container image or directory, which was
- # used to build the SBOM, based on the relationships maps.
- # SPDX has relationsship ROOT-ID DESCRIBES MIDDLE-ID which express the fact the SBOM documents
- # describes container image or directory represented by MIDDLE-ID package.
- root_package1 = None
- for r, contains in map1.items():
- # root package is the one which contains another elements and is in relationship with
- # the document element where it stand as relatedSpdxElement
- if contains and inverse_map1.get(r) == root_element1:
- root_package1 = r
- # If not root package is found then create one with ID "Uknown" as source for the SBOM
- # is not known.
- if not root_package1:
- root_package1 = "SPDXRef-DocumentRoot-Unknown-"
- packages.append(
- {
- "SPDXID": "SPDXRef-DocumentRoot-Unknown-",
- "name": "",
- "downloadLocation": "NOASSERTION",
- }
- )
- relationships.append(
- {
- "spdxElementId": root_element1 or sbom["SPDXID"],
- "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-",
- "relationshipType": "DESCRIBES",
- }
- )
-
- annotation_date = datetime.datetime.now().isoformat()
- for component in base_images_sbom_components:
- # Calculate unique identifier SPDXID based on the component name and purl
- SPDXID = (
- f"SPDXRef-{component['type']}-{component['name']}-"
- + f"{hashlib.sha256(component['purl'].encode()).hexdigest()}"
- )
- packages.append(
- {
- "SPDXID": SPDXID,
- "name": component["name"],
- "downloadLocation": "NOASSERTION",
- # See more info about external refs here:
- # https://spdx.github.io/spdx-spec/v2.3/package-information/#7211-description
- "externalRefs": [
- {
- "referenceCategory": "PACKAGE-MANAGER",
- "referenceType": "purl",
- "referenceLocator": component["purl"],
- }
- ],
- # Annotations are used to provide cyclonedx custom properties
- # as json string
- "annotations": [
- {
- "annotator": "Tool:konflux:jsonencoded",
- "annotationDate": annotation_date,
- "annotationType": "OTHER",
- "comment": json.dumps(
- {"name": property["name"], "value": property["value"]},
- separators=(",", ":"),
- ),
- }
- for property in component["properties"]
- ],
- }
- )
- # Add relationship for parsed base image components and "middle" element which wraps
- # all spdx packages, but it's not spdx document itself.
- relationships.append(
- {
- "spdxElementId": SPDXID,
- "relatedSpdxElement": root_package1,
- "relationshipType": "BUILD_TOOL_OF",
- }
- )
+ packages, relationships = create_build_packages_and_relationships(sbom, base_images_sbom_components)
 # merge newly created packages for build tools with existing packages
 sbom["packages"] = sbom.get("packages", []) + packages
 # merge newly created relationships of the build tools with existing relationships
diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py
index 8a22f2b..c21cd23 100644
--- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py
+++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py
@@ -520,7 +520,7 @@ def test_main_input_sbom_does_not_contain_formulation(tmp_path, mocker):
 @pytest.fixture
 def isodate():
 with patch("datetime.datetime") as mock_datetime:
- mock_datetime.now.return_value.isoformat.return_value = "2021-07-01T00:00:00Z"
+ mock_datetime.now.return_value.isoformat.return_value = "2021-07-01T00:00:00.000000"
 yield mock_datetime
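Review bot: The call `packages, relationships = create_build_packages_and_relationships(sbom, base_images_sbom_components)` drops the fallback the removed lines had for an SPDX input without a usable root package: the helper (defined above this hunk) indexes `sbom["relationships"]` and raises ValueError when no DESCRIBES relationship exists, and a document with no `relationships` key now fails with a KeyError even though the merge two lines down still tolerates its absence via `sbom.get("relationships", [])`. If aborting is the intended behaviour it should be documented in main() and in the helper's docstring, and the helper should read `sbom.get("relationships", [])` so the missing-key case also surfaces as the explicit ValueError rather than a KeyError; otherwise the synthetic `SPDXRef-DocumentRoot-Unknown-` root and its DESCRIBES relationship should be restored. main() continues outside the hunk.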
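Review bot: The fixture's fixed value `"2021-07-01T00:00:00.000000"` only exercises the six-digit-fraction form of `isoformat()`, which is exactly what the `isoformat()[:-7] + "Z"` slicing in `create_build_packages_and_relationships` (earlier in this patch) depends on; when `microsecond == 0`, `isoformat()` omits the fraction and the slice truncates the time part instead of the fraction. `datetime.now()` without a tzinfo is also local time, yet the result is suffixed with `Z`. A second fixture value without the fraction would expose the first problem, and `datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")` in the script would resolve both.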
@@ -536,8 +536,20 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): "spdxVersion": "SPDX-2.3", "name": "MyProject", "documentNamespace": "http://example.com/uid-1234", - "packages": [], - "relationships": [] + "packages": [ + { + "SPDXID": "SPDXRef-DocumentRoot-Unknown-", + "name": "", + "downloadLocation": "NOASSERTION" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Document", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + "relationshipType": "DESCRIBES" + } + ] }""" ) @@ -568,7 +580,7 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): "name": "", }, { - "SPDXID": "SPDXRef-container-quay.io/mkosiarc_rhtap/single-container-app-" + "SPDXID": "SPDXRef-Image-quay.io/mkosiarc_rhtap/single-container-app-" "9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", "name": "quay.io/mkosiarc_rhtap/single-container-app", "downloadLocation": "NOASSERTION", @@ -583,7 +595,7 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): ], "annotations": [ { - "annotator": "Tool:konflux:jsonencoded", + "annotator": "Tool: konflux:jsonencoded", "annotationDate": "2021-07-01T00:00:00Z", "annotationType": "OTHER", "comment": '{"name":"konflux:container:is_builder_image:for_stage","value":"0"}', @@ -592,7 +604,7 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): }, { "name": "registry.access.redhat.com/ubi8/ubi", - "SPDXID": "SPDXRef-container-registry.access.redhat.com/ubi8/ubi-" + "SPDXID": "SPDXRef-Image-registry.access.redhat.com/ubi8/ubi-" "0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", "downloadLocation": "NOASSERTION", "externalRefs": [ 
@@ -606,7 +618,7 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): ], "annotations": [ { - "annotator": "Tool:konflux:jsonencoded", + "annotator": "Tool: konflux:jsonencoded", "annotationDate": "2021-07-01T00:00:00Z", "annotationType": "OTHER", "comment": '{"name":"konflux:container:is_base_image","value":"true"}', 
@@ -616,18 +628,196 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): ], "relationships": [ { - "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", - "relationshipType": "DESCRIBES", "spdxElementId": "SPDXRef-Document", + "relationshipType": "DESCRIBES", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", }, { + "spdxElementId": "SPDXRef-Image-quay.io/mkosiarc_rhtap/" + "single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "relationshipType": "BUILD_TOOL_OF", "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + }, + { + "spdxElementId": "SPDXRef-Image-registry.access.redhat.com/" + "ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", "relationshipType": "BUILD_TOOL_OF", - "spdxElementId": "SPDXRef-container-quay.io/mkosiarc_rhtap/" + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + }, + ], + } + + with sbom_file.open("r") as f: + sbom = json.load(f) + + assert expected_output["packages"] == sbom["packages"] + assert expected_output["relationships"] == sbom["relationships"] + + +def test_main_input_sbom_spdx_with_packages(tmp_path, mocker, isodate): + sbom_file = tmp_path / "sbom.json" + base_images_from_dockerfile_file = tmp_path / "base_images_from_dockerfile.txt" + base_images_digests_file = tmp_path / "base_images_digests.txt" + + # minimal input sbom file + sbom_file.write_text( + """{ + "SPDXID": "SPDXRef-Document", + "spdxVersion": "SPDX-2.3", + "name": "MyProject", + "documentNamespace": "http://example.com/uid-1234", + "packages": [ + { + "SPDXID": "SPDXRef-DocumentRoot-Unknown-", + "name": "", + "downloadLocation": "NOASSERTION" + }, + { + "name": "PyYAML", + "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "versionInfo": "6.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + 
"licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/pyyaml@6.0" + } + ] + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Document", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + "relationshipType": "DESCRIBES" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown", + "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "relationshipType": "CONTAINS" + } + ] + }""" + ) + + # one builder images and one base image + base_images_from_dockerfile_file.write_text( + "quay.io/mkosiarc_rhtap/single-container-app:f2566ab\nregistry.access.redhat.com/ubi8/ubi:latest" + ) + base_images_digests_file.write_text( + "quay.io/mkosiarc_rhtap/single-container-app:f2566ab@sha256" + ":8f99627e843e931846855c5d899901bf093f5093e613a92745696a26b5420941\nregistry.access.redhat.com/ubi8/ubi" + ":latest@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac " + ) + + # mock the parsed args, to avoid testing parse_args function + mock_args = MagicMock(sbom_type="spdx") + mock_args.sbom = sbom_file + mock_args.base_images_from_dockerfile = base_images_from_dockerfile_file + mock_args.base_images_digests = base_images_digests_file + mocker.patch("base_images_sbom_script.parse_args", return_value=mock_args) + + main() + + expected_output = { + "packages": [ + { + "SPDXID": "SPDXRef-DocumentRoot-Unknown-", + "downloadLocation": "NOASSERTION", + "name": "", + }, + { + "name": "PyYAML", + "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "versionInfo": "6.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": False, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + 
"referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/pyyaml@6.0", + } + ], + }, + { + "SPDXID": "SPDXRef-Image-quay.io/mkosiarc_rhtap/single-container-app-" + "9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "name": "quay.io/mkosiarc_rhtap/single-container-app", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceType": "purl", + "referenceLocator": "pkg:oci/single-container-app@sha256" + ":8f99627e843e931846855c5d899901bf093f5093e613a92745696a26b5420941?repository_url" + "=quay.io/mkosiarc_rhtap/single-container-app", + "referenceCategory": "PACKAGE-MANAGER", + } + ], + "annotations": [ + { + "annotator": "Tool: konflux:jsonencoded", + "annotationDate": "2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": '{"name":"konflux:container:is_builder_image:for_stage","value":"0"}', + } + ], + }, + { + "name": "registry.access.redhat.com/ubi8/ubi", + "SPDXID": "SPDXRef-Image-registry.access.redhat.com/ubi8/ubi-" + "0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi@sha256:" + "627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac" + "?repository_url=registry.access.redhat.com/ubi8/ubi", + } + ], + "annotations": [ + { + "annotator": "Tool: konflux:jsonencoded", + "annotationDate": "2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": '{"name":"konflux:container:is_base_image","value":"true"}', + } + ], + }, + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Document", + "relationshipType": "DESCRIBES", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + }, + { + "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown", + }, + { + "spdxElementId": 
"SPDXRef-Image-quay.io/mkosiarc_rhtap/" "single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", }, { - "spdxElementId": "SPDXRef-container-registry.access.redhat.com/" + "spdxElementId": "SPDXRef-Image-registry.access.redhat.com/" "ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", "relationshipType": "BUILD_TOOL_OF", "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/tox.ini b/sbom-utility-scripts/scripts/base-images-sbom-script/app/tox.ini index 9b536d9..846a495 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/tox.ini +++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/tox.ini @@ -4,7 +4,7 @@ env_list = flake8,black,test [testenv:test] deps = -r requirements-test.txt -r requirements.txt -commands = pytest -vv test_base_images_sbom_script.py +commands = pytest test_base_images_sbom_script.py [testenv:flake8] deps = flake8 diff --git a/sbom-utility-scripts/scripts/create_purl_sbom_spdx.py b/sbom-utility-scripts/scripts/create_purl_sbom_spdx.py deleted file mode 100644 index 34d39ef..0000000 --- a/sbom-utility-scripts/scripts/create_purl_sbom_spdx.py +++ /dev/null @@ -1,15 +0,0 @@ -import json - -with open("./sbom-spdx.json") as f: - spdx_sbom = json.load(f) - -purls = [] -for package in spdx_sbom["packages"]: - for ref in package["externalRefs"]: - if ref["referenceType"] == "purl": - purls.append({"purl": ref["referenceLocator"]}) - -purl_content = {"image_contents": {"dependencies": purls}} - -with open("sbom-purl.json", "w") as output_file: - json.dump(purl_content, output_file, indent=4) diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py index f81f62e..330afe6 100644 
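Review bot: In the input SBOM of `test_main_input_sbom_spdx_with_packages`, the CONTAINS relationship names `"spdxElementId": "SPDXRef-DocumentRoot-Unknown"` while the root package's SPDXID is `SPDXRef-DocumentRoot-Unknown-` (trailing dash), and the expected output carries the same dangling reference through. If that is a typo, both occurrences should read `SPDXRef-DocumentRoot-Unknown-`; if it deliberately checks that relationships to unknown elements pass through untouched, a comment such as `# deliberately references a non-existent element; must be preserved as-is` above the fixture would stop the next reader from "fixing" it.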
--- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py 
@@ -389,46 +389,22 @@ def merge_annotations(annotations1, annotations2):
 def merge_relationships(relationships1, relationships2, packages):
 """Merge SPDX relationships."""
- def map_relationships(relationships):
- """Map relationships of spdx element.
- Method returns triplet containing root element, map of relations and inverse map of relations.
- Root element is considered as element which is not listed as related document
- in any of the relationships. Relationship map is dict of {key: value} where key is spdx
- element and list of related elements is the value.
- Inverse map is dict of {key: value} where key is related spdx element in the relation ship
- and value is spdx element.
- """
- relations_map = {}
- relations_inverse_map = {}
-
- for relation in relationships:
- relations_map.setdefault(relation["spdxElementId"], []).append(relation["relatedSpdxElement"])
- relations_inverse_map[relation["relatedSpdxElement"]] = relation["spdxElementId"]
-
- for parent_element in relations_map.keys():
- if parent_element not in relations_inverse_map:
+ def spdx_find_doc_and_root_package(relationships):
+ for relationship in relationships:
+ if relationship["relationshipType"] == "DESCRIBES":
+ root_package1 = relationship["relatedSpdxElement"]
+ doc = relationship["spdxElementId"]
 break
- return parent_element, relations_map, relations_inverse_map
-
- def calculate_root_package(root_element, map, inverse_map):
- """Calculate root package from relationship map.
- Root package is considered as package which contains other packages and
- is described by the document itself.
- """
- root_package = None
- for r, contains in map.items():
- if contains and inverse_map.get(r) == root_element:
- root_package = r
- return root_package
+ else:
+ raise ValueError("No DESCRIBES relationship found in the SBOM")
+ return root_package1, doc
 relationships = []
- root_element1, map1, inverse_map1 = map_relationships(relationships1)
- root_element2, map2, inverse_map2 = map_relationships(relationships2)
- package_ids = [package["SPDXID"] for package in packages]
+ root_package1, doc1 = spdx_find_doc_and_root_package(relationships1)
+ root_package2, doc2 = spdx_find_doc_and_root_package(relationships2)
- root_package1 = calculate_root_package(root_element1, map1, inverse_map1)
- root_package2 = calculate_root_package(root_element2, map2, inverse_map2)
+ package_ids = [package["SPDXID"] for package in packages]
 for relation in relationships2:
 _relation = relation.copy()
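Review bot: The new nested `spdx_find_doc_and_root_package` has no docstring, unlike the two helpers it replaces, and its local `root_package1` is misleading inside a function that is called for both SBOMs; plain `root_package` would do. Since an SPDX document may DESCRIBE more than one package, the docstring should state which one is chosen, e.g. `"""Return (root_package, document_id) taken from the first DESCRIBES relationship; raise ValueError if there is none."""`. The same function body is added to base_images_sbom_script.py earlier in this patch, so a single shared copy would keep the two from drifting apart.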
@@ -436,29 +412,29 @@ def calculate_root_package(root_element, map, inverse_map):
 # If relations is Root decribes middle element, skip it
 if (
 _relation["relatedSpdxElement"] == root_package2
- and _relation["spdxElementId"] == root_element2
+ and _relation["spdxElementId"] == doc2
 and _relation["relationshipType"] == "DESCRIBES"
 ):
 continue
- # if spdxElementId is root_element2, replace it with root_element1
+ # if spdxElementId is doc2, replace it with doc1
 # if not and relatedSpdxElement is root_element2, replace it with root_element1
- if _relation["spdxElementId"] == root_element2:
- _relation["spdxElementId"] = root_element1
- elif relation["relatedSpdxElement"] == root_element2:
- _relation["relatedSpdxElement"] = root_element1
+ if _relation["spdxElementId"] == doc2:
+ _relation["spdxElementId"] = doc1
+ elif relation["relatedSpdxElement"] == doc2:
+ _relation["relatedSpdxElement"] = doc1
 if _relation["spdxElementId"] == root_package2:
 _relation["spdxElementId"] = root_package1
 if _relation["relatedSpdxElement"] == root_package2:
 _relation["relatedSpdxElement"] = root_package1
 # include only relations to packages which exists in merged packages.
- if _relation["relatedSpdxElement"] in package_ids:
- relationships.append(_relation)
- elif _relation["spdxElementId"] in package_ids:
+ if _relation["relatedSpdxElement"] in package_ids or _relation["spdxElementId"] in package_ids:
 relationships.append(_relation)
 for relation in relationships1:
 _relation = relation.copy()
+ # Here we process only relatedSpdxElement as spdxElementId could point to the root package
+ # which would lead to including also relationships to removed packages
 if relation["relatedSpdxElement"] in package_ids:
 relationships.append(_relation)
 return relationships
diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json
index 99a9afb..9cb18f5 100644
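Review bot: `elif relation["relatedSpdxElement"] == doc2:` reads the original `relation` while the three neighbouring checks read the copy `_relation`; the outcome is the same because that key has not been rewritten at that point, but the mix invites a mistake the next time the block is edited, so `elif _relation["relatedSpdxElement"] == doc2:` is preferable. The context comment directly above it, `# if not and relatedSpdxElement is root_element2, replace it with root_element1`, still uses the old names and should be updated to `doc2`/`doc1` like the comment line the commit already changed. `merge_relationships` starts outside this hunk.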
--- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json @@ -23,6 +23,26 @@ "licenseDeclared": "NOASSERTION", "primaryPackagePurpose": "OTHER" }, + { + "SPDXID": "SPDXRef-Image-quay.io/mkosiarc_rhtap/single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "name": "quay.io/mkosiarc_rhtap/single-container-app", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceType": "purl", + "referenceLocator": "pkg:oci/single-container-app@sha256:8f99627e843e931846855c5d899901bf093f5093e613a92745696a26b5420941?repository_url=quay.io/mkosiarc_rhtap/single-container-app", + "referenceCategory": "PACKAGE-MANAGER" + } + ], + "annotations": [ + { + "annotator": "Tool: konflux:jsonencoded", + "annotationDate": "2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": "{\"name\":\"konflux:container:is_builder_image:for_stage\",\"value\":\"0\"}" + } + ] + }, { "name": "PyYAML", "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", @@ -321,6 +341,11 @@ } ], "relationships": [ + { + "spdxElementId": "SPDXRef-Image-quay.io/mkosiarc_rhtap/single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-" + }, { "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json index 94a92aa..ba982b3 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json 
@@ -1 +1,720 @@ -{"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b", "documentNamespace": "https://anchore.com/syft/file/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b-8efaed6f-2f42-453b-b9dd-3fb60491d7cf", "creationInfo": {"licenseListVersion": "3.24", "creators": ["Organization: Anchore, Inc", "Tool: syft-0.100.0", "Organization: Anchore, Inc", "Tool: cachi2-"], "created": "2024-09-12T14:07:12Z"}, "packages": [{"name": "", "SPDXID": "SPDXRef-DocumentRoot-File-", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "primaryPackagePurpose": "FILE"}, {"name": "bash", "SPDXID": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", "versionInfo": "4.4.20-4.el8_6", "supplier": "Organization: Red Hat, Inc.", "originator": "Organization: Red Hat, Inc.", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from RPM DB: var/lib/rpm/Packages", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:bash:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/rhel/bash@4.4.20-4.el8_6?arch=x86_64&upstream=bash-4.4.20-4.el8_6.src.rpm&distro=rhel-8.7"}]}, {"name": "rhel", "SPDXID": "SPDXRef-Package-rhel", "versionInfo": "8.7", "description": "Red Hat Enterprise Linux 8.7 (Ootpa)", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe22Type", "referenceLocator": 
"cpe:/o:redhat:enterprise_linux:8::baseos"}, {"referenceCategory": "SECURITY", "referenceType": "swid", "referenceLocator": "cpe:2.3:o:redhat:enterprise_linux:8::baseos:*:*:*:*:*:*:*"}, {"referenceCategory": "OTHER", "referenceType": "issue-tracker", "referenceLocator": "https://bugzilla.redhat.com/"}, {"referenceCategory": "OTHER", "referenceType": "website", "referenceLocator": "https://www.redhat.com/"}]}, {"name": "PyYAML", "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", "versionInfo": "6.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/pyyaml@6.0"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": 
"cpe:2.3:a:python-PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:python_PyYAML:6.0:*:*:*:*:*:*:*"}], "annotations": []}, {"name": "aiowsgi", "SPDXID": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", "versionInfo": "0.8", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/aiowsgi@0.8"}, {"referenceCategory": "SECURITY", "referenceType": 
"cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": 
"cpe:2.3:a:python:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}], "annotations": []}, {"name": "appr", "SPDXID": "SPDXRef-Package-python-appr-d869da81f0adbece", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/appr?checksum=sha256:ee6a0a38bed8cff46a562ed3620bc453141a02262ab0c8dd055824af2829ee5c&download_url=https://github.com/quay/appr/archive/37ff9a487a54ad41b59855ecd76ee092fe206a84.zip"}]}, {"name": "archive/tar", "SPDXID": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/archive/tar?type=package"}]}, {"name": "cachi2", "SPDXID": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", "versionInfo": "0.0.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", 
"copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/cachi2@0.0.1?vcs_url=git%2Bssh://git%40github.com/containerbuildsystem/cachi2%40fc0d6079c2dc9b2a491c0848e550ad3509986110"}]}, {"name": "cachito-npm-without-deps", "SPDXID": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/cachito-npm-without-deps?vcs_url=git%2Bhttps://github.com/cachito-testing/cachito-npm-without-deps.git%402f0ce1d7b1f8b35572d919428b965285a69583f6"}]}, {"name": "code.gitea.io/sdk/gitea", "SPDXID": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", "versionInfo": "v0.15.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=module"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=package"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:sdk:gitea:v0.15.1:*:*:*:*:*:*:*"}], "annotations": []}, {"name": "fecha", "SPDXID": "SPDXRef-Package-npm-fecha-874399c7dda48850", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module 
manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/fecha?checksum=sha512:8ae71e98d68e38e1f6e4c629187684dd85e4dc96647c7219b1dd189598ea52865e947f0ad94a7001fa8fb5eccf58467fe34ad10066e831af3374120134604bd5&download_url=https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz"}]}, {"name": "github.com/cachito-testing/gomod-pandemonium/terminaltor", "SPDXID": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", "versionInfo": "v1.0.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=module"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=package"}]}, {"name": "github.com/docker/cli", "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", "versionInfo": "v23.0.0-rc.3+incompatible", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3%2Bincompatible?type=module"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", 
"referenceLocator": "cpe:2.3:a:docker:cli:v23.0.0-rc.3\\+incompatible:*:*:*:*:*:*:*"}], "annotations": []}, {"name": "github.com/docker/cli/cli/config", "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", "versionInfo": "v23.0.0-rc.3+incompatible", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/docker/cli/cli/config@v23.0.0-rc.3%2Bincompatible?type=package"}]}, {"name": "github.com/redhat-appstudio/build-service", "SPDXID": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", "versionInfo": "v0.0.0-20230503110830-d1a9e858489d", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=module"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=package"}]}, {"name": "knative.dev/pkg", "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", "versionInfo": "v0.0.0-20230125083639-408ad0773f47", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": 
"NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47?type=module"}], "annotations": []}, {"name": "knative.dev/pkg/metrics", "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", "versionInfo": "v0.0.0-20230125083639-408ad0773f47", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/knative.dev/pkg/metrics@v0.0.0-20230125083639-408ad0773f47?type=package"}]}, {"name": "test_package_cachi2", "SPDXID": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", "versionInfo": "1.0.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/test-package-cachi2@1.0.0?vcs_url=git%2Bssh://git%40github.com/brunoapimentel/pip-e2e-test.git%40294df352deed835cf703ae8a799926418ae5fd3b"}]}], "relationships": [{"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-appr-d869da81f0adbece", "relationshipType": "CONTAINS"}, {"spdxElementId": 
"SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-npm-fecha-874399c7dda48850", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": 
"SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-rhel", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-DocumentRoot-File-", "relationshipType": "DESCRIBES"}]} \ No newline at end of file +{ + "spdxVersion": "SPDX-2.3", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b", + "documentNamespace": "https://anchore.com/syft/file/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b-8efaed6f-2f42-453b-b9dd-3fb60491d7cf", + "creationInfo": { + "licenseListVersion": "3.24", + "creators": [ + "Organization: Anchore, Inc", + "Tool: syft-0.100.0", + "Organization: Anchore, Inc", + "Tool: cachi2-" + ], + "created": "2024-09-12T14:07:12Z" + }, + "packages": [ + { + "name": "", + "SPDXID": "SPDXRef-DocumentRoot-File-", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "primaryPackagePurpose": "FILE" + }, + { + "name": "registry.access.redhat.com/ubi8/ubi", + "SPDXID": "SPDXRef-Image-registry.access.redhat.com/ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac?repository_url=registry.access.redhat.com/ubi8/ubi" + } + ], + "annotations": [ + { + "annotator": "Tool: konflux:jsonencoded", + "annotationDate": 
"2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": "{\"name\":\"konflux:container:is_base_image\",\"value\":\"true\"}" + } + ] + }, + { + "name": "bash", + "SPDXID": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", + "versionInfo": "4.4.20-4.el8_6", + "supplier": "Organization: Red Hat, Inc.", + "originator": "Organization: Red Hat, Inc.", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from RPM DB: var/lib/rpm/Packages", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:redhat:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:bash:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:rpm/rhel/bash@4.4.20-4.el8_6?arch=x86_64&upstream=bash-4.4.20-4.el8_6.src.rpm&distro=rhel-8.7" + } + ] + }, + { + "name": "rhel", + "SPDXID": "SPDXRef-Package-rhel", + "versionInfo": "8.7", + "description": "Red Hat Enterprise Linux 8.7 (Ootpa)", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe22Type", + "referenceLocator": "cpe:/o:redhat:enterprise_linux:8::baseos" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "swid", + "referenceLocator": "cpe:2.3:o:redhat:enterprise_linux:8::baseos:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "OTHER", + "referenceType": "issue-tracker", + "referenceLocator": "https://bugzilla.redhat.com/" + }, + { + "referenceCategory": "OTHER", + "referenceType": "website", + "referenceLocator": "https://www.redhat.com/" + } + ] + }, + { + "SPDXID": "SPDXRef-Image-quay.io/mkosiarc_rhtap/single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "name": 
"quay.io/mkosiarc_rhtap/single-container-app", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceType": "purl", + "referenceLocator": "pkg:oci/single-container-app@sha256:8f99627e843e931846855c5d899901bf093f5093e613a92745696a26b5420941?repository_url=quay.io/mkosiarc_rhtap/single-container-app", + "referenceCategory": "PACKAGE-MANAGER" + } + ], + "annotations": [ + { + "annotator": "Tool: konflux:jsonencoded", + "annotationDate": "2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": "{\"name\":\"konflux:container:is_builder_image:for_stage\",\"value\":\"0\"}" + } + ] + }, + { + "name": "PyYAML", + "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "versionInfo": "6.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/pyyaml@6.0" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:PyYAML:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:kirill_simonov:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:kirill_simonov:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": 
"cpe:2.3:a:kirill_simonov:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-PyYAML:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_PyYAML:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:xi:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:xi:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:xi:python_PyYAML:6.0:*:*:*:*:*:*:*" + } + ], + "annotations": [] + }, + { + "name": "aiowsgi", + "SPDXID": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", + "versionInfo": "0.8", + 
"supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/aiowsgi@0.8" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": 
"cpe23Type", + "referenceLocator": "cpe:2.3:a:python-aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*" + } + ], + "annotations": [] + }, + { + "name": "appr", + "SPDXID": "SPDXRef-Package-python-appr-d869da81f0adbece", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/appr?checksum=sha256:ee6a0a38bed8cff46a562ed3620bc453141a02262ab0c8dd055824af2829ee5c&download_url=https://github.com/quay/appr/archive/37ff9a487a54ad41b59855ecd76ee092fe206a84.zip" + } + ] + }, + { + "name": "archive/tar", + "SPDXID": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", + "supplier": 
"NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/archive/tar?type=package" + } + ] + }, + { + "name": "cachi2", + "SPDXID": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", + "versionInfo": "0.0.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/cachi2@0.0.1?vcs_url=git%2Bssh://git%40github.com/containerbuildsystem/cachi2%40fc0d6079c2dc9b2a491c0848e550ad3509986110" + } + ] + }, + { + "name": "cachito-npm-without-deps", + "SPDXID": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed node module manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:npm/cachito-npm-without-deps?vcs_url=git%2Bhttps://github.com/cachito-testing/cachito-npm-without-deps.git%402f0ce1d7b1f8b35572d919428b965285a69583f6" + } + ] + }, + { + "name": "code.gitea.io/sdk/gitea", + "SPDXID": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", + "versionInfo": "v0.15.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + 
"filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=module" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=package" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:sdk:gitea:v0.15.1:*:*:*:*:*:*:*" + } + ], + "annotations": [] + }, + { + "name": "fecha", + "SPDXID": "SPDXRef-Package-npm-fecha-874399c7dda48850", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed node module manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:npm/fecha?checksum=sha512:8ae71e98d68e38e1f6e4c629187684dd85e4dc96647c7219b1dd189598ea52865e947f0ad94a7001fa8fb5eccf58467fe34ad10066e831af3374120134604bd5&download_url=https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz" + } + ] + }, + { + "name": "github.com/cachito-testing/gomod-pandemonium/terminaltor", + "SPDXID": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", + "versionInfo": "v1.0.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": 
"PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=module" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=package" + } + ] + }, + { + "name": "github.com/docker/cli", + "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", + "versionInfo": "v23.0.0-rc.3+incompatible", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3%2Bincompatible?type=module" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:docker:cli:v23.0.0-rc.3\\+incompatible:*:*:*:*:*:*:*" + } + ], + "annotations": [] + }, + { + "name": "github.com/docker/cli/cli/config", + "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", + "versionInfo": "v23.0.0-rc.3+incompatible", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/docker/cli/cli/config@v23.0.0-rc.3%2Bincompatible?type=package" + } + ] + }, + { + "name": "github.com/redhat-appstudio/build-service", + "SPDXID": 
"SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", + "versionInfo": "v0.0.0-20230503110830-d1a9e858489d", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=module" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=package" + } + ] + }, + { + "name": "knative.dev/pkg", + "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", + "versionInfo": "v0.0.0-20230125083639-408ad0773f47", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47?type=module" + } + ], + "annotations": [] + }, + { + "name": "knative.dev/pkg/metrics", + "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", + "versionInfo": "v0.0.0-20230125083639-408ad0773f47", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": 
"PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/knative.dev/pkg/metrics@v0.0.0-20230125083639-408ad0773f47?type=package" + } + ] + }, + { + "name": "test_package_cachi2", + "SPDXID": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", + "versionInfo": "1.0.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/test-package-cachi2@1.0.0?vcs_url=git%2Bssh://git%40github.com/brunoapimentel/pip-e2e-test.git%40294df352deed835cf703ae8a799926418ae5fd3b" + } + ] + } + ], + "relationships": [ + { + "relatedSpdxElement": "SPDXRef-DocumentRoot-File-", + "relationshipType": "BUILD_TOOL_OF", + "spdxElementId": "SPDXRef-Image-quay.io/mkosiarc_rhtap/single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-appr-d869da81f0adbece", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": 
"SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-npm-fecha-874399c7dda48850", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", + "relationshipType": "CONTAINS" + 
}, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-rhel", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Image-registry.access.redhat.com/ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-DocumentRoot-File-" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-DocumentRoot-File-", + "relationshipType": "DESCRIBES" + } + ] +} diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json index f250ed5..760e20d 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json @@ -23,6 +23,26 @@ "licenseDeclared": "NOASSERTION", "primaryPackagePurpose": "FILE" }, + { + "name": "registry.access.redhat.com/ubi8/ubi", + "SPDXID": "SPDXRef-Image-registry.access.redhat.com/ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac?repository_url=registry.access.redhat.com/ubi8/ubi" + } + ], + "annotations": [ + { + "annotator": "Tool: konflux:jsonencoded", + "annotationDate": "2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": "{\"name\":\"konflux:container:is_base_image\",\"value\":\"true\"}" + } + ] + }, { "name": "./terminaltor", "SPDXID": "SPDXRef-Package-go-module-.-terminaltor-1b79094a8c283d88", 
@@ -876,6 +896,11 @@
       "relatedSpdxElement": "SPDXRef-Package-rhel",
       "relationshipType": "CONTAINS"
     },
+    {
+      "spdxElementId": "SPDXRef-Image-registry.access.redhat.com/ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1",
+      "relationshipType": "BUILD_TOOL_OF",
+      "relatedSpdxElement": "SPDXRef-DocumentRoot-File-"
+    },
     {
       "spdxElementId": "SPDXRef-DOCUMENT",
       "relatedSpdxElement": "SPDXRef-DocumentRoot-File-",
diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py
index 3de069c..bd4b1e9 100644
--- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py
+++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py
@@ -68,12 +68,19 @@ def test_merge_both_formats_equal(data_dir: Path, isodate: Generator) -> None:
     result_cdx = json.loads(merge_sboms(f"{data_dir}/cachi2.bom.json", f"{data_dir}/syft.bom.json"))
     result_spdx = json.loads(merge_sboms(f"{data_dir}/cachi2.bom.spdx.json", f"{data_dir}/syft.bom.spdx.json"))
     cdx_components = []
+    build_relationships = []
+    for relationship in result_spdx["relationships"]:
+        if relationship["relationshipType"] == "BUILD_TOOL_OF":
+            build_relationships.append(relationship["spdxElementId"])
+
     for component in result_cdx["components"]:
         cdx_components.append(
             {"name": component["name"], "version": component.get("version"), "purl": component.get("purl")}
         )
     spdx_packages = []
     for package in result_spdx["packages"]:
+        if package["SPDXID"] in build_relationships:
+            continue
         purl = ""
         purl = None
         for ref in package.get("externalRefs", []):
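Review bot: The skip list `build_relationships` collects the `spdxElementId` of every BUILD_TOOL_OF relationship and then silently drops any package with that SPDXID from `spdx_packages`, so a merge that emitted a BUILD_TOOL_OF relationship pointing at a missing or wrongly keyed image package would still pass this test. Since the list holds package IDs rather than relationships and is only used for membership, a set with a name that says so is clearer, `build_tool_ids = {r["spdxElementId"] for r in result_spdx["relationships"] if r["relationshipType"] == "BUILD_TOOL_OF"}`, followed by a check that the excluded IDs actually resolve, `assert build_tool_ids and build_tool_ids <= {p["SPDXID"] for p in result_spdx["packages"]}`. Why base/builder images are excluded from the CycloneDX-vs-SPDX comparison at all deserves a one-line comment at the `continue`, presumably because the CycloneDX result carries them outside `components` — worth confirming against merge_sboms. The unchanged `purl = ""` immediately followed by `purl = None` is a dead assignment that could be dropped in passing. test_merge_both_formats_equal continues past the end of the hunk.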