diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py index da747f93..eb2ce912 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py +++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/base_images_sbom_script.py @@ -97,18 +97,12 @@ def detect_sbom_format(sbom): else: raise ValueError("Unknown SBOM format") + def parse_args(): parser = argparse.ArgumentParser( description="Updates the sbom file with base images data based on the provided files" ) parser.add_argument("--sbom", type=pathlib.Path, help="Path to the sbom file", required=True) - parser.add_argument( - "--sbom-type", - choices=["spdx", "cyclonedx"], - default="cyclonedx", - help="Type of the sbom file", - required=True, - ) parser.add_argument( "--base-images-from-dockerfile", type=pathlib.Path, @@ -129,28 +123,93 @@ def parse_args(): return args -def map_relationships(relationships): - """Map relationships of spdx element. - Method returns triplet containing root element, map of relations and inverse map of relations. - Root element is considered as element which is not listed as related document - in any of the relationships. Relationship map is dict of {key: value} where key is spdx - element and list of related elements is the value. - Inverse map is dict of {key: value} where key is related spdx element in the relation ship - and value is spdx element. - """ +def spdx_find_doc_and_root_package(relationships): + """Find SPDX root package and document in the SBOM - relations_map = {} - relations_inverse_map = {} + :param relationships: (List) - List of relationships in the SBOM - for relation in relationships: - relations_map.setdefault(relation["spdxElementId"], []).append(relation["relatedSpdxElement"]) - relations_inverse_map[relation["relatedSpdxElement"]] = relation["spdxElementId"] + Method scans relationships for relationshipType "DESCRIBES" and returns + relatedSpdxElement and spdxElementId which are SPDX root package and document. + In the case there's no relationship with relationshipType "DESCRIBES" ValueError is raised. + """ - parent_element = None - for parent_element in relations_map.keys(): - if parent_element not in relations_inverse_map: + for relationship in relationships: + if relationship["relationshipType"] == "DESCRIBES": + root_package1 = relationship["relatedSpdxElement"] + doc = relationship["spdxElementId"] break - return parent_element, relations_map, relations_inverse_map + else: + raise ValueError("No DESCRIBES relationship found in the SBOM") + return root_package1, doc + + +def spdx_create_dependency_package(component, annotation_date): + """Create SPDX package for the base image component.""" + + # Calculate unique identifier SPDXID based on the component name and purl + # See: https://github.com/konflux-ci/architecture/blob/main/ADR/0044-spdx-support.md + SPDXID = f"SPDXRef-Image-{component['name']}-" + f"{hashlib.sha256(component['purl'].encode()).hexdigest()}" + package = { + "SPDXID": SPDXID, + "name": component["name"], + "downloadLocation": "NOASSERTION", + # See more info about external refs here: + # https://spdx.github.io/spdx-spec/v2.3/package-information/#7211-description + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": component["purl"], + } + ], + # Annotations are used to provide cyclonedx custom properties + # as json string + # See: https://github.com/konflux-ci/architecture/blob/main/ADR/0044-spdx-support.md + "annotations": [ + { + "annotator": "Tool: konflux:jsonencoded", + "annotationDate": annotation_date, + "annotationType": "OTHER", + "comment": json.dumps( + {"name": property["name"], "value": property["value"]}, + separators=(",", ":"), + ), + } + for property in component["properties"] + ], + } + return package, SPDXID + + +def create_build_relationship(SPDXID, root_package1): + return { + "spdxElementId": SPDXID, + "relatedSpdxElement": root_package1, + "relationshipType": "BUILD_TOOL_OF", + } + + +def create_build_packages_and_relationships(sbom, base_images_sbom_components): + """Create SPDX packages and relationships for base images components. + + :param sbom: (Dict) - SBOM data + :param base_images_sbom_components: (List) - List of base images components + + Method creates SPDX packages for base images components and relationships + """ + + packages = [] + relationships = [] + root_package, doc = spdx_find_doc_and_root_package(sbom["relationships"]) + annotation_date = datetime.datetime.now().isoformat()[:-7] + "Z" + for component in base_images_sbom_components: + # create dependency package for each base image + package, SPDXID = spdx_create_dependency_package(component, annotation_date) + + packages.append(package) + # Add relationship for parsed base image components and root package + relationships.append(create_build_relationship(SPDXID, root_package)) + return packages, relationships def main(): @@ -174,86 +233,7 @@ def main(): else: sbom.update({"formulation": [{"components": base_images_sbom_components}]}) else: - root_element1, map1, inverse_map1 = map_relationships(sbom["relationships"]) - - packages = [] - relationships = [] - - # Try to calculate root package represeting the container image or directory, which was - # used to build the SBOM, based on the relationships maps. - # SPDX has relationsship ROOT-ID DESCRIBES MIDDLE-ID which express the fact the SBOM documents - # describes container image or directory represented by MIDDLE-ID package. - root_package1 = None - for r, contains in map1.items(): - # root package is the one which contains another elements and is in relationship with - # the document element where it stand as relatedSpdxElement - if contains and inverse_map1.get(r) == root_element1: - root_package1 = r - # If not root package is found then create one with ID "Uknown" as source for the SBOM - # is not known. - if not root_package1: - root_package1 = "SPDXRef-DocumentRoot-Unknown-" - packages.append( - { - "SPDXID": "SPDXRef-DocumentRoot-Unknown-", - "name": "", - "downloadLocation": "NOASSERTION", - } - ) - relationships.append( - { - "spdxElementId": root_element1 or sbom["SPDXID"], - "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", - "relationshipType": "DESCRIBES", - } - ) - - annotation_date = datetime.datetime.now().isoformat() - for component in base_images_sbom_components: - # Calculate unique identifier SPDXID based on the component name and purl - SPDXID = ( - f"SPDXRef-{component['type']}-{component['name']}-" - + f"{hashlib.sha256(component['purl'].encode()).hexdigest()}" - ) - packages.append( - { - "SPDXID": SPDXID, - "name": component["name"], - "downloadLocation": "NOASSERTION", - # See more info about external refs here: - # https://spdx.github.io/spdx-spec/v2.3/package-information/#7211-description - "externalRefs": [ - { - "referenceCategory": "PACKAGE-MANAGER", - "referenceType": "purl", - "referenceLocator": component["purl"], - } - ], - # Annotations are used to provide cyclonedx custom properties - # as json string - "annotations": [ - { - "annotator": "Tool:konflux:jsonencoded", - "annotationDate": annotation_date, - "annotationType": "OTHER", - "comment": json.dumps( - {"name": property["name"], "value": property["value"]}, - separators=(",", ":"), - ), - } - for property in component["properties"] - ], - } - ) - # Add relationship for parsed base image components and "middle" element which wraps - # all spdx packages, but it's not spdx document itself. - relationships.append( - { - "spdxElementId": SPDXID, - "relatedSpdxElement": root_package1, - "relationshipType": "BUILD_TOOL_OF", - } - ) + packages, relationships = create_build_packages_and_relationships(sbom, base_images_sbom_components) # merge newly created packages for build tools with existing packages sbom["packages"] = sbom.get("packages", []) + packages # merge newly created relationships of the build tools with existing relationships diff --git a/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py b/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py index 8a22f2b5..c21cd233 100644 --- a/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py +++ b/sbom-utility-scripts/scripts/base-images-sbom-script/app/test_base_images_sbom_script.py @@ -520,7 +520,7 @@ def test_main_input_sbom_does_not_contain_formulation(tmp_path, mocker): @pytest.fixture def isodate(): with patch("datetime.datetime") as mock_datetime: - mock_datetime.now.return_value.isoformat.return_value = "2021-07-01T00:00:00Z" + mock_datetime.now.return_value.isoformat.return_value = "2021-07-01T00:00:00.000000" yield mock_datetime @@ -536,8 +536,20 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): "spdxVersion": "SPDX-2.3", "name": "MyProject", "documentNamespace": "http://example.com/uid-1234", - "packages": [], - "relationships": [] + "packages": [ + { + "SPDXID": "SPDXRef-DocumentRoot-Unknown-", + "name": "", + "downloadLocation": "NOASSERTION" + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Document", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + "relationshipType": "DESCRIBES" + } + ] }""" ) @@ -568,7 +580,7 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): "name": "", }, { - "SPDXID": "SPDXRef-container-quay.io/mkosiarc_rhtap/single-container-app-" + "SPDXID": "SPDXRef-Image-quay.io/mkosiarc_rhtap/single-container-app-" "9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", "name": "quay.io/mkosiarc_rhtap/single-container-app", "downloadLocation": "NOASSERTION", @@ -583,7 +595,7 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): ], "annotations": [ { - "annotator": "Tool:konflux:jsonencoded", + "annotator": "Tool: konflux:jsonencoded", "annotationDate": "2021-07-01T00:00:00Z", "annotationType": "OTHER", "comment": '{"name":"konflux:container:is_builder_image:for_stage","value":"0"}', @@ -592,7 +604,7 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): }, { "name": "registry.access.redhat.com/ubi8/ubi", - "SPDXID": "SPDXRef-container-registry.access.redhat.com/ubi8/ubi-" + "SPDXID": "SPDXRef-Image-registry.access.redhat.com/ubi8/ubi-" "0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", "downloadLocation": "NOASSERTION", "externalRefs": [ @@ -606,7 +618,7 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): ], "annotations": [ { - "annotator": "Tool:konflux:jsonencoded", + "annotator": "Tool: konflux:jsonencoded", "annotationDate": "2021-07-01T00:00:00Z", "annotationType": "OTHER", "comment": '{"name":"konflux:container:is_base_image","value":"true"}', @@ -616,18 +628,196 @@ def test_main_input_sbom_spdx_minimal(tmp_path, mocker, isodate): ], "relationships": [ { - "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", - "relationshipType": "DESCRIBES", "spdxElementId": "SPDXRef-Document", + "relationshipType": "DESCRIBES", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", }, { + "spdxElementId": "SPDXRef-Image-quay.io/mkosiarc_rhtap/" + "single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "relationshipType": "BUILD_TOOL_OF", "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + }, + { + "spdxElementId": "SPDXRef-Image-registry.access.redhat.com/" + "ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", "relationshipType": "BUILD_TOOL_OF", - "spdxElementId": "SPDXRef-container-quay.io/mkosiarc_rhtap/" + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + }, + ], + } + + with sbom_file.open("r") as f: + sbom = json.load(f) + + assert expected_output["packages"] == sbom["packages"] + assert expected_output["relationships"] == sbom["relationships"] + + +def test_main_input_sbom_spdx_with_packages(tmp_path, mocker, isodate): + sbom_file = tmp_path / "sbom.json" + base_images_from_dockerfile_file = tmp_path / "base_images_from_dockerfile.txt" + base_images_digests_file = tmp_path / "base_images_digests.txt" + + # minimal input sbom file + sbom_file.write_text( + """{ + "SPDXID": "SPDXRef-Document", + "spdxVersion": "SPDX-2.3", + "name": "MyProject", + "documentNamespace": "http://example.com/uid-1234", + "packages": [ + { + "SPDXID": "SPDXRef-DocumentRoot-Unknown-", + "name": "", + "downloadLocation": "NOASSERTION" + }, + { + "name": "PyYAML", + "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "versionInfo": "6.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/pyyaml@6.0" + } + ] + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Document", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + "relationshipType": "DESCRIBES" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-Unknown", + "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "relationshipType": "CONTAINS" + } + ] + }""" + ) + + # one builder images and one base image + base_images_from_dockerfile_file.write_text( + "quay.io/mkosiarc_rhtap/single-container-app:f2566ab\nregistry.access.redhat.com/ubi8/ubi:latest" + ) + base_images_digests_file.write_text( + "quay.io/mkosiarc_rhtap/single-container-app:f2566ab@sha256" + ":8f99627e843e931846855c5d899901bf093f5093e613a92745696a26b5420941\nregistry.access.redhat.com/ubi8/ubi" + ":latest@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac " + ) + + # mock the parsed args, to avoid testing parse_args function + mock_args = MagicMock(sbom_type="spdx") + mock_args.sbom = sbom_file + mock_args.base_images_from_dockerfile = base_images_from_dockerfile_file + mock_args.base_images_digests = base_images_digests_file + mocker.patch("base_images_sbom_script.parse_args", return_value=mock_args) + + main() + + expected_output = { + "packages": [ + { + "SPDXID": "SPDXRef-DocumentRoot-Unknown-", + "downloadLocation": "NOASSERTION", + "name": "", + }, + { + "name": "PyYAML", + "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "versionInfo": "6.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": False, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/pyyaml@6.0", + } + ], + }, + { + "SPDXID": "SPDXRef-Image-quay.io/mkosiarc_rhtap/single-container-app-" + "9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "name": "quay.io/mkosiarc_rhtap/single-container-app", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceType": "purl", + "referenceLocator": "pkg:oci/single-container-app@sha256" + ":8f99627e843e931846855c5d899901bf093f5093e613a92745696a26b5420941?repository_url" + "=quay.io/mkosiarc_rhtap/single-container-app", + "referenceCategory": "PACKAGE-MANAGER", + } + ], + "annotations": [ + { + "annotator": "Tool: konflux:jsonencoded", + "annotationDate": "2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": '{"name":"konflux:container:is_builder_image:for_stage","value":"0"}', + } + ], + }, + { + "name": "registry.access.redhat.com/ubi8/ubi", + "SPDXID": "SPDXRef-Image-registry.access.redhat.com/ubi8/ubi-" + "0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi@sha256:" + "627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac" + "?repository_url=registry.access.redhat.com/ubi8/ubi", + } + ], + "annotations": [ + { + "annotator": "Tool: konflux:jsonencoded", + "annotationDate": "2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": '{"name":"konflux:container:is_base_image","value":"true"}', + } + ], + }, + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-Document", + "relationshipType": "DESCRIBES", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", + }, + { + "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "relationshipType": "CONTAINS", + "spdxElementId": "SPDXRef-DocumentRoot-Unknown", + }, + { + "spdxElementId": "SPDXRef-Image-quay.io/mkosiarc_rhtap/" "single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", }, { - "spdxElementId": "SPDXRef-container-registry.access.redhat.com/" + "spdxElementId": "SPDXRef-Image-registry.access.redhat.com/" "ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", "relationshipType": "BUILD_TOOL_OF", "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-", diff --git a/sbom-utility-scripts/scripts/create_purl_sbom_spdx.py b/sbom-utility-scripts/scripts/create_purl_sbom_spdx.py deleted file mode 100644 index 34d39ef8..00000000 --- a/sbom-utility-scripts/scripts/create_purl_sbom_spdx.py +++ /dev/null @@ -1,15 +0,0 @@ -import json - -with open("./sbom-spdx.json") as f: - spdx_sbom = json.load(f) - -purls = [] -for package in spdx_sbom["packages"]: - for ref in package["externalRefs"]: - if ref["referenceType"] == "purl": - purls.append({"purl": ref["referenceLocator"]}) - -purl_content = {"image_contents": {"dependencies": purls}} - -with open("sbom-purl.json", "w") as output_file: - json.dump(purl_content, output_file, indent=4) diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py index f81f62e1..ebcb9908 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/merge_cachi2_sboms.py @@ -389,46 +389,22 @@ def merge_annotations(annotations1, annotations2): def merge_relationships(relationships1, relationships2, packages): """Merge SPDX relationships.""" - def map_relationships(relationships): - """Map relationships of spdx element. - Method returns triplet containing root element, map of relations and inverse map of relations. - Root element is considered as element which is not listed as related document - in any of the relationships. Relationship map is dict of {key: value} where key is spdx - element and list of related elements is the value. - Inverse map is dict of {key: value} where key is related spdx element in the relation ship - and value is spdx element. - """ - relations_map = {} - relations_inverse_map = {} - - for relation in relationships: - relations_map.setdefault(relation["spdxElementId"], []).append(relation["relatedSpdxElement"]) - relations_inverse_map[relation["relatedSpdxElement"]] = relation["spdxElementId"] - - for parent_element in relations_map.keys(): - if parent_element not in relations_inverse_map: + def spdx_find_doc_and_root_package(relationships): + for relationship in relationships: + if relationship["relationshipType"] == "DESCRIBES": + root_package1 = relationship["relatedSpdxElement"] + doc = relationship["spdxElementId"] break - return parent_element, relations_map, relations_inverse_map - - def calculate_root_package(root_element, map, inverse_map): - """Calculate root package from relationship map. - Root package is considered as package which contains other packages and - is described by the document itself. - """ - root_package = None - for r, contains in map.items(): - if contains and inverse_map.get(r) == root_element: - root_package = r - return root_package + else: + raise ValueError("No DESCRIBES relationship found in the SBOM") + return root_package1, doc relationships = [] - root_element1, map1, inverse_map1 = map_relationships(relationships1) - root_element2, map2, inverse_map2 = map_relationships(relationships2) - package_ids = [package["SPDXID"] for package in packages] + root_package1, doc1 = spdx_find_doc_and_root_package(relationships1) + root_package2, doc2 = spdx_find_doc_and_root_package(relationships2) - root_package1 = calculate_root_package(root_element1, map1, inverse_map1) - root_package2 = calculate_root_package(root_element2, map2, inverse_map2) + package_ids = [package["SPDXID"] for package in packages] for relation in relationships2: _relation = relation.copy() @@ -436,16 +412,16 @@ def calculate_root_package(root_element, map, inverse_map): # If relations is Root decribes middle element, skip it if ( _relation["relatedSpdxElement"] == root_package2 - and _relation["spdxElementId"] == root_element2 + and _relation["spdxElementId"] == doc2 and _relation["relationshipType"] == "DESCRIBES" ): continue - # if spdxElementId is root_element2, replace it with root_element1 + # if spdxElementId is doc2, replace it with doc1 # if not and relatedSpdxElement is root_element2, replace it with root_element1 - if _relation["spdxElementId"] == root_element2: - _relation["spdxElementId"] = root_element1 - elif relation["relatedSpdxElement"] == root_element2: - _relation["relatedSpdxElement"] = root_element1 + if _relation["spdxElementId"] == doc2: + _relation["spdxElementId"] = doc1 + elif relation["relatedSpdxElement"] == doc2: + _relation["relatedSpdxElement"] = doc1 if _relation["spdxElementId"] == root_package2: _relation["spdxElementId"] = root_package1 if _relation["relatedSpdxElement"] == root_package2: @@ -459,6 +435,8 @@ def calculate_root_package(root_element, map, inverse_map): for relation in relationships1: _relation = relation.copy() + # Here we process only relatedSpdxElement as spdxElementId could point to the root package + # which would lead to including also relationships to removed packages if relation["relatedSpdxElement"] in package_ids: relationships.append(_relation) return relationships diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json index 99a9afb4..9cb18f54 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/cachi2.bom.spdx.json @@ -23,6 +23,26 @@ "licenseDeclared": "NOASSERTION", "primaryPackagePurpose": "OTHER" }, + { + "SPDXID": "SPDXRef-Image-quay.io/mkosiarc_rhtap/single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "name": "quay.io/mkosiarc_rhtap/single-container-app", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceType": "purl", + "referenceLocator": "pkg:oci/single-container-app@sha256:8f99627e843e931846855c5d899901bf093f5093e613a92745696a26b5420941?repository_url=quay.io/mkosiarc_rhtap/single-container-app", + "referenceCategory": "PACKAGE-MANAGER" + } + ], + "annotations": [ + { + "annotator": "Tool: konflux:jsonencoded", + "annotationDate": "2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": "{\"name\":\"konflux:container:is_builder_image:for_stage\",\"value\":\"0\"}" + } + ] + }, { "name": "PyYAML", "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", @@ -321,6 +341,11 @@ } ], "relationships": [ + { + "spdxElementId": "SPDXRef-Image-quay.io/mkosiarc_rhtap/single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-" + }, { "spdxElementId": "SPDXRef-DocumentRoot-Unknown-", "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json index 94a92aa5..ba982b35 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/merged.bom.spdx.json @@ -1 +1,720 @@ -{"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT", "name": "/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b", "documentNamespace": "https://anchore.com/syft/file/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b-8efaed6f-2f42-453b-b9dd-3fb60491d7cf", "creationInfo": {"licenseListVersion": "3.24", "creators": ["Organization: Anchore, Inc", "Tool: syft-0.100.0", "Organization: Anchore, Inc", "Tool: cachi2-"], "created": "2024-09-12T14:07:12Z"}, "packages": [{"name": "", "SPDXID": "SPDXRef-DocumentRoot-File-", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "primaryPackagePurpose": "FILE"}, {"name": "bash", "SPDXID": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", "versionInfo": "4.4.20-4.el8_6", "supplier": "Organization: Red Hat, Inc.", "originator": "Organization: Red Hat, Inc.", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from RPM DB: var/lib/rpm/Packages", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:redhat:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:bash:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:rpm/rhel/bash@4.4.20-4.el8_6?arch=x86_64&upstream=bash-4.4.20-4.el8_6.src.rpm&distro=rhel-8.7"}]}, {"name": "rhel", "SPDXID": "SPDXRef-Package-rhel", "versionInfo": "8.7", "description": "Red Hat Enterprise Linux 8.7 (Ootpa)", "externalRefs": [{"referenceCategory": "SECURITY", "referenceType": "cpe22Type", "referenceLocator": "cpe:/o:redhat:enterprise_linux:8::baseos"}, {"referenceCategory": "SECURITY", "referenceType": "swid", "referenceLocator": "cpe:2.3:o:redhat:enterprise_linux:8::baseos:*:*:*:*:*:*:*"}, {"referenceCategory": "OTHER", "referenceType": "issue-tracker", "referenceLocator": "https://bugzilla.redhat.com/"}, {"referenceCategory": "OTHER", "referenceType": "website", "referenceLocator": "https://www.redhat.com/"}]}, {"name": "PyYAML", "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", "versionInfo": "6.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/pyyaml@6.0"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:kirill_simonov:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:python-PyYAML:6.0:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:xi:python_PyYAML:6.0:*:*:*:*:*:*:*"}], "annotations": []}, {"name": "aiowsgi", "SPDXID": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", "versionInfo": "0.8", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/aiowsgi@0.8"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python-aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python:python_aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:python_aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*"}], "annotations": []}, {"name": "appr", "SPDXID": "SPDXRef-Package-python-appr-d869da81f0adbece", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/appr?checksum=sha256:ee6a0a38bed8cff46a562ed3620bc453141a02262ab0c8dd055824af2829ee5c&download_url=https://github.com/quay/appr/archive/37ff9a487a54ad41b59855ecd76ee092fe206a84.zip"}]}, {"name": "archive/tar", "SPDXID": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/archive/tar?type=package"}]}, {"name": "cachi2", "SPDXID": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", "versionInfo": "0.0.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/cachi2@0.0.1?vcs_url=git%2Bssh://git%40github.com/containerbuildsystem/cachi2%40fc0d6079c2dc9b2a491c0848e550ad3509986110"}]}, {"name": "cachito-npm-without-deps", "SPDXID": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/cachito-npm-without-deps?vcs_url=git%2Bhttps://github.com/cachito-testing/cachito-npm-without-deps.git%402f0ce1d7b1f8b35572d919428b965285a69583f6"}]}, {"name": "code.gitea.io/sdk/gitea", "SPDXID": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", "versionInfo": "v0.15.1", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=module"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=package"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:sdk:gitea:v0.15.1:*:*:*:*:*:*:*"}], "annotations": []}, {"name": "fecha", "SPDXID": "SPDXRef-Package-npm-fecha-874399c7dda48850", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed node module manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:npm/fecha?checksum=sha512:8ae71e98d68e38e1f6e4c629187684dd85e4dc96647c7219b1dd189598ea52865e947f0ad94a7001fa8fb5eccf58467fe34ad10066e831af3374120134604bd5&download_url=https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz"}]}, {"name": "github.com/cachito-testing/gomod-pandemonium/terminaltor", "SPDXID": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", "versionInfo": "v1.0.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=module"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=package"}]}, {"name": "github.com/docker/cli", "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", "versionInfo": "v23.0.0-rc.3+incompatible", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3%2Bincompatible?type=module"}, {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": "cpe:2.3:a:docker:cli:v23.0.0-rc.3\\+incompatible:*:*:*:*:*:*:*"}], "annotations": []}, {"name": "github.com/docker/cli/cli/config", "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", "versionInfo": "v23.0.0-rc.3+incompatible", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/docker/cli/cli/config@v23.0.0-rc.3%2Bincompatible?type=package"}]}, {"name": "github.com/redhat-appstudio/build-service", "SPDXID": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", "versionInfo": "v0.0.0-20230503110830-d1a9e858489d", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=module"}, {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=package"}]}, {"name": "knative.dev/pkg", "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", "versionInfo": "v0.0.0-20230125083639-408ad0773f47", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47?type=module"}], "annotations": []}, {"name": "knative.dev/pkg/metrics", "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", "versionInfo": "v0.0.0-20230125083639-408ad0773f47", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from go module information: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:golang/knative.dev/pkg/metrics@v0.0.0-20230125083639-408ad0773f47?type=package"}]}, {"name": "test_package_cachi2", "SPDXID": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", "versionInfo": "1.0.0", "supplier": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "sourceInfo": "acquired package info from installed python package manifest file: ", "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION", "copyrightText": "NOASSERTION", "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:pypi/test-package-cachi2@1.0.0?vcs_url=git%2Bssh://git%40github.com/brunoapimentel/pip-e2e-test.git%40294df352deed835cf703ae8a799926418ae5fd3b"}]}], "relationships": [{"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-appr-d869da81f0adbece", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-npm-fecha-874399c7dda48850", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DocumentRoot-File-", "relatedSpdxElement": "SPDXRef-Package-rhel", "relationshipType": "CONTAINS"}, {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-DocumentRoot-File-", "relationshipType": "DESCRIBES"}]} \ No newline at end of file +{ + "spdxVersion": "SPDX-2.3", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b", + "documentNamespace": "https://anchore.com/syft/file/var/lib/containers/storage/vfs/dir/517aef0ffe20db360d19aa475dbbfbe03f452f53403881a31f9a475c83af788b-8efaed6f-2f42-453b-b9dd-3fb60491d7cf", + "creationInfo": { + "licenseListVersion": "3.24", + "creators": [ + "Organization: Anchore, Inc", + "Tool: syft-0.100.0", + "Organization: Anchore, Inc", + "Tool: cachi2-" + ], + "created": "2024-09-12T14:07:12Z" + }, + "packages": [ + { + "name": "", + "SPDXID": "SPDXRef-DocumentRoot-File-", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "primaryPackagePurpose": "FILE" + }, + { + "name": "registry.access.redhat.com/ubi8/ubi", + "SPDXID": "SPDXRef-Image-registry.access.redhat.com/ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac?repository_url=registry.access.redhat.com/ubi8/ubi" + } + ], + "annotations": [ + { + "annotator": "Tool: konflux:jsonencoded", + "annotationDate": "2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": "{\"name\":\"konflux:container:is_base_image\",\"value\":\"true\"}" + } + ] + }, + { + "name": "bash", + "SPDXID": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", + "versionInfo": "4.4.20-4.el8_6", + "supplier": "Organization: Red Hat, Inc.", + "originator": "Organization: Red Hat, Inc.", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from RPM DB: var/lib/rpm/Packages", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:redhat:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:bash:bash:4.4.20-4.el8_6:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:rpm/rhel/bash@4.4.20-4.el8_6?arch=x86_64&upstream=bash-4.4.20-4.el8_6.src.rpm&distro=rhel-8.7" + } + ] + }, + { + "name": "rhel", + "SPDXID": "SPDXRef-Package-rhel", + "versionInfo": "8.7", + "description": "Red Hat Enterprise Linux 8.7 (Ootpa)", + "externalRefs": [ + { + "referenceCategory": "SECURITY", + "referenceType": "cpe22Type", + "referenceLocator": "cpe:/o:redhat:enterprise_linux:8::baseos" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "swid", + "referenceLocator": "cpe:2.3:o:redhat:enterprise_linux:8::baseos:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "OTHER", + "referenceType": "issue-tracker", + "referenceLocator": "https://bugzilla.redhat.com/" + }, + { + "referenceCategory": "OTHER", + "referenceType": "website", + "referenceLocator": "https://www.redhat.com/" + } + ] + }, + { + "SPDXID": "SPDXRef-Image-quay.io/mkosiarc_rhtap/single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c", + "name": "quay.io/mkosiarc_rhtap/single-container-app", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceType": "purl", + "referenceLocator": "pkg:oci/single-container-app@sha256:8f99627e843e931846855c5d899901bf093f5093e613a92745696a26b5420941?repository_url=quay.io/mkosiarc_rhtap/single-container-app", + "referenceCategory": "PACKAGE-MANAGER" + } + ], + "annotations": [ + { + "annotator": "Tool: konflux:jsonencoded", + "annotationDate": "2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": "{\"name\":\"konflux:container:is_builder_image:for_stage\",\"value\":\"0\"}" + } + ] + }, + { + "name": "PyYAML", + "SPDXID": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "versionInfo": "6.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/pyyaml@6.0" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:PyYAML:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:kirill_simonov:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:kirill_simonov:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:kirill_simonov:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-PyYAML:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_PyYAML:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_PyYAML:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_PyYAML:python_PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:xi:PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:xi:python-PyYAML:6.0:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:xi:python_PyYAML:6.0:*:*:*:*:*:*:*" + } + ], + "annotations": [] + }, + { + "name": "aiowsgi", + "SPDXID": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", + "versionInfo": "0.8", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/aiowsgi@0.8" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:gael_pasgrimaud:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python-aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python:python_aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_aiowsgi:aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_aiowsgi:python-aiowsgi:0.8:*:*:*:*:*:*:*" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:python_aiowsgi:python_aiowsgi:0.8:*:*:*:*:*:*:*" + } + ], + "annotations": [] + }, + { + "name": "appr", + "SPDXID": "SPDXRef-Package-python-appr-d869da81f0adbece", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/appr?checksum=sha256:ee6a0a38bed8cff46a562ed3620bc453141a02262ab0c8dd055824af2829ee5c&download_url=https://github.com/quay/appr/archive/37ff9a487a54ad41b59855ecd76ee092fe206a84.zip" + } + ] + }, + { + "name": "archive/tar", + "SPDXID": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/archive/tar?type=package" + } + ] + }, + { + "name": "cachi2", + "SPDXID": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", + "versionInfo": "0.0.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/cachi2@0.0.1?vcs_url=git%2Bssh://git%40github.com/containerbuildsystem/cachi2%40fc0d6079c2dc9b2a491c0848e550ad3509986110" + } + ] + }, + { + "name": "cachito-npm-without-deps", + "SPDXID": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed node module manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:npm/cachito-npm-without-deps?vcs_url=git%2Bhttps://github.com/cachito-testing/cachito-npm-without-deps.git%402f0ce1d7b1f8b35572d919428b965285a69583f6" + } + ] + }, + { + "name": "code.gitea.io/sdk/gitea", + "SPDXID": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", + "versionInfo": "v0.15.1", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=module" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/code.gitea.io/sdk/gitea@v0.15.1?type=package" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:sdk:gitea:v0.15.1:*:*:*:*:*:*:*" + } + ], + "annotations": [] + }, + { + "name": "fecha", + "SPDXID": "SPDXRef-Package-npm-fecha-874399c7dda48850", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed node module manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:npm/fecha?checksum=sha512:8ae71e98d68e38e1f6e4c629187684dd85e4dc96647c7219b1dd189598ea52865e947f0ad94a7001fa8fb5eccf58467fe34ad10066e831af3374120134604bd5&download_url=https://github.com/taylorhakes/fecha/archive/91680e4db1415fea33eac878cfd889c80a7b55c7.tar.gz" + } + ] + }, + { + "name": "github.com/cachito-testing/gomod-pandemonium/terminaltor", + "SPDXID": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", + "versionInfo": "v1.0.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=module" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/cachito-testing/gomod-pandemonium/terminaltor@v1.0.0?type=package" + } + ] + }, + { + "name": "github.com/docker/cli", + "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", + "versionInfo": "v23.0.0-rc.3+incompatible", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/docker/cli@v23.0.0-rc.3%2Bincompatible?type=module" + }, + { + "referenceCategory": "SECURITY", + "referenceType": "cpe23Type", + "referenceLocator": "cpe:2.3:a:docker:cli:v23.0.0-rc.3\\+incompatible:*:*:*:*:*:*:*" + } + ], + "annotations": [] + }, + { + "name": "github.com/docker/cli/cli/config", + "SPDXID": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", + "versionInfo": "v23.0.0-rc.3+incompatible", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/docker/cli/cli/config@v23.0.0-rc.3%2Bincompatible?type=package" + } + ] + }, + { + "name": "github.com/redhat-appstudio/build-service", + "SPDXID": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", + "versionInfo": "v0.0.0-20230503110830-d1a9e858489d", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=module" + }, + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/github.com/redhat-appstudio/build-service@v0.0.0-20230503110830-d1a9e858489d?type=package" + } + ] + }, + { + "name": "knative.dev/pkg", + "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", + "versionInfo": "v0.0.0-20230125083639-408ad0773f47", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/knative.dev/pkg@v0.0.0-20230125083639-408ad0773f47?type=module" + } + ], + "annotations": [] + }, + { + "name": "knative.dev/pkg/metrics", + "SPDXID": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", + "versionInfo": "v0.0.0-20230125083639-408ad0773f47", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from go module information: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:golang/knative.dev/pkg/metrics@v0.0.0-20230125083639-408ad0773f47?type=package" + } + ] + }, + { + "name": "test_package_cachi2", + "SPDXID": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", + "versionInfo": "1.0.0", + "supplier": "NOASSERTION", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "sourceInfo": "acquired package info from installed python package manifest file: ", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:pypi/test-package-cachi2@1.0.0?vcs_url=git%2Bssh://git%40github.com/brunoapimentel/pip-e2e-test.git%40294df352deed835cf703ae8a799926418ae5fd3b" + } + ] + } + ], + "relationships": [ + { + "relatedSpdxElement": "SPDXRef-DocumentRoot-File-", + "relationshipType": "BUILD_TOOL_OF", + "spdxElementId": "SPDXRef-Image-quay.io/mkosiarc_rhtap/single-container-app-9520a72cbb69edfca5cac88ea2a9e0e09142ec934952b9420d686e77765f002c" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-PyYAML-696696f5e92f1b5e", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-aiowsgi-78716bdabf6daae1", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-appr-d869da81f0adbece", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-archive-tar-1ce4dbb5cf96f1c7", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-cachi2-865cdb2c6f0ff5c5", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-npm-cachito-npm-without-deps-563e3658e3eb288e", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-code.gitea.io-sdk-gitea-cdc94d3a9074a69b", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-npm-fecha-874399c7dda48850", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-cachito-testing-gomod-pandemonium-terminaltor-d85aa69f7b0304e3", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-ea403731821a081e", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-docker-cli-cli-config-73cc4b7b8f510817", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-github.com-redhat-appstudio-build-service-574d786c89acf613", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-0a00bf33a820e7f1", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-go-module-knative.dev-pkg-metrics-c613be23287c5dc4", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-python-test-package-cachi2-bdec7caf7aac75f3", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-rpm-bash-1a6619bdab5f8a2d", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-DocumentRoot-File-", + "relatedSpdxElement": "SPDXRef-Package-rhel", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-Image-registry.access.redhat.com/ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-DocumentRoot-File-" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-DocumentRoot-File-", + "relationshipType": "DESCRIBES" + } + ] +} diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json index f250ed5b..760e20d3 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_data/syft.bom.spdx.json @@ -23,6 +23,26 @@ "licenseDeclared": "NOASSERTION", "primaryPackagePurpose": "FILE" }, + { + "name": "registry.access.redhat.com/ubi8/ubi", + "SPDXID": "SPDXRef-Image-registry.access.redhat.com/ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", + "downloadLocation": "NOASSERTION", + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:oci/ubi@sha256:627867e53ad6846afba2dfbf5cef1d54c868a9025633ef0afd546278d4654eac?repository_url=registry.access.redhat.com/ubi8/ubi" + } + ], + "annotations": [ + { + "annotator": "Tool: konflux:jsonencoded", + "annotationDate": "2021-07-01T00:00:00Z", + "annotationType": "OTHER", + "comment": "{\"name\":\"konflux:container:is_base_image\",\"value\":\"true\"}" + } + ] + }, { "name": "./terminaltor", "SPDXID": "SPDXRef-Package-go-module-.-terminaltor-1b79094a8c283d88", @@ -876,6 +896,11 @@ "relatedSpdxElement": "SPDXRef-Package-rhel", "relationshipType": "CONTAINS" }, + { + "spdxElementId": "SPDXRef-Image-registry.access.redhat.com/ubi8/ubi-0f22256f634f8205fbd9c438c387ccf2d4859250e04104571c93fdb89a62bae1", + "relationshipType": "BUILD_TOOL_OF", + "relatedSpdxElement": "SPDXRef-DocumentRoot-File-" + }, { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-DocumentRoot-File-", diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py index 3de069c7..bd4b1e9e 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/test_merge_cachi2_sboms.py @@ -68,12 +68,19 @@ def test_merge_both_formats_equal(data_dir: Path, isodate: Generator) -> None: result_cdx = json.loads(merge_sboms(f"{data_dir}/cachi2.bom.json", f"{data_dir}/syft.bom.json")) result_spdx = json.loads(merge_sboms(f"{data_dir}/cachi2.bom.spdx.json", f"{data_dir}/syft.bom.spdx.json")) cdx_components = [] + build_relationships = [] + for relationship in result_spdx["relationships"]: + if relationship["relationshipType"] == "BUILD_TOOL_OF": + build_relationships.append(relationship["spdxElementId"]) + for component in result_cdx["components"]: cdx_components.append( {"name": component["name"], "version": component.get("version"), "purl": component.get("purl")} ) spdx_packages = [] for package in result_spdx["packages"]: + if package["SPDXID"] in build_relationships: + continue purl = "" purl = None for ref in package.get("externalRefs", []): diff --git a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/tox.ini b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/tox.ini index db6ddad6..308bcfd9 100644 --- a/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/tox.ini +++ b/sbom-utility-scripts/scripts/merge-cachi2-sboms-script/tox.ini @@ -3,7 +3,7 @@ env_list = flake8,black,test [testenv:test] deps = -r requirements-test.txt -commands = pytest test_merge_cachi2_sboms.py +commands = pytest -vv test_merge_cachi2_sboms.py [testenv:flake8] deps = flake8