diff --git a/sbom-utility-scripts/scripts/index-image-sbom-script/index_image_sbom_script.py b/sbom-utility-scripts/scripts/index-image-sbom-script/index_image_sbom_script.py
index 262b5a0d..83cd999a 100644
--- a/sbom-utility-scripts/scripts/index-image-sbom-script/index_image_sbom_script.py
+++ b/sbom-utility-scripts/scripts/index-image-sbom-script/index_image_sbom_script.py
@@ -55,33 +55,26 @@ def digest_hex_val(self) -> str:
         _, val = self.digest.split(":")
         return val
 
-    def purls(self, index_digest: Optional[str] = None) -> list[str]:
-        ans = []
-        if index_digest and self.arch:
-            ans.append(
-                PackageURL(
-                    type="oci",
-                    name=self.name,
-                    version=index_digest,
-                    qualifiers={"arch": self.arch, "repository_url": self.repository},
-                ).to_string()
-            )
-        ans.append(
-            PackageURL(
-                type="oci",
-                name=self.name,
-                version=self.digest,
-                qualifiers={"repository_url": self.repository},
-            ).to_string()
-        )
-        return ans
+    def purl(self) -> str:
+        qualifiers = {"repository_url": self.repository}
+        if self.arch is not None:
+            qualifiers["arch"] = self.arch
+
+        purl = PackageURL(
+            type="oci",
+            name=self.name,
+            version=self.digest,
+            qualifiers=qualifiers,
+        ).to_string()
+
+        return purl
 
     def propose_spdx_id(self) -> str:
-        purl_hex_digest = hashlib.sha256(self.purls()[0].encode()).hexdigest()
+        purl_hex_digest = hashlib.sha256(self.purl().encode()).hexdigest()
         return f"SPDXRef-image-{self.name}-{purl_hex_digest}"
 
 
-def create_package(image: Image, spdxid: Optional[str] = None, image_index_digest: Optional[str] = None) -> dict:
+def create_package(image: Image, spdxid: Optional[str] = None) -> dict:
     return {
         "SPDXID": image.propose_spdx_id() if not spdxid else spdxid,
         "name": image.name if not image.arch else f"{image.name}_{image.arch}",
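Review bot: `purl()` and the re-pointed `propose_spdx_id()` carry no docstring saying that the SPDXID is now a hash of a purl that includes the `arch` qualifier, so every variant's identifier differs from documents produced by the previous `purls()[0]` (which was the arch-free purl); worth stating on the methods, e.g. `"""Return the OCI purl: ``version`` is this image's digest; ``arch`` is added as a qualifier only when set."""` on `purl()` and `"""Derive the SPDXID from the purl; the id therefore depends on ``arch`` and ``repository_url`` as well as the digest."""` on `propose_spdx_id()`. The guard also moved from truthiness (`index_digest and self.arch`) to `self.arch is not None`, so an empty-string architecture would now emit an empty `arch=` qualifier; `if self.arch:` preserves the earlier behaviour if that case can occur. `create_package`'s body continues past the end of the hunk.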
@@ -93,9 +86,8 @@ def create_package(image: Image, spdxid: Optional[str] = None, image_index_diges
             {
                 "referenceCategory": "PACKAGE-MANAGER",
                 "referenceType": "purl",
-                "referenceLocator": purl,
+                "referenceLocator": image.purl(),
             }
-            for purl in image.purls(image_index_digest)
         ],
         "checksums": [
             {
@@ -125,7 +117,7 @@ def create_sbom(
     image_index_obj = Image.from_image_index_url_and_digest(image_index_url, image_index_digest)
     sbom_name = f"{image_index_obj.repository}@{image_index_obj.digest}"
 
-    packages = [create_package(image_index_obj, "SPDXRef-image-index")]
+    packages = [create_package(image_index_obj, spdxid="SPDXRef-image-index")]
     relationships = [
         {
             "spdxElementId": "SPDXRef-DOCUMENT",
@@ -141,11 +133,11 @@ def create_sbom(
         arch_image = Image(
             arch=manifest.get("platform", {}).get("architecture"),
             name=image_index_obj.name,
-            digest=manifest.get("digest"),
+            digest=image_index_digest,
             tag=image_index_obj.tag,
             repository=image_index_obj.repository,
         )
-        packages.append(create_package(arch_image, image_index_digest=image_index_obj.digest))
+        packages.append(create_package(arch_image))
         relationships.append(get_relationship(arch_image.propose_spdx_id(), "SPDXRef-image-index"))
 
     sbom = {
diff --git a/sbom-utility-scripts/scripts/index-image-sbom-script/test_image_index_sbom_script.py b/sbom-utility-scripts/scripts/index-image-sbom-script/test_image_index_sbom_script.py
index 64e48906..564b9cee 100644
--- a/sbom-utility-scripts/scripts/index-image-sbom-script/test_image_index_sbom_script.py
+++ b/sbom-utility-scripts/scripts/index-image-sbom-script/test_image_index_sbom_script.py
@@ -106,7 +106,7 @@
         ],
     },
     {
-        "SPDXID": "SPDXRef-image-ubi9-micro-container-8358c7002e15f219c861227e97919d537e888874e7ca2b349979bc745f903195",
+        "SPDXID": "SPDXRef-image-ubi9-micro-container-d57d132860ab3ff4eb64267c33897a8bf246ae1515df7d17cdf6e408c9f36b36",
         "name": "ubi9-micro-container_ppc64le",
         "versionInfo": "9.4-6.1716471860",
         "supplier": "NOASSERTION",
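Review bot: `digest=image_index_digest` in the `arch_image = Image(...)` construction discards the per-manifest digest, so each variant package now reports the index's SHA256 in `checksums` (the fixture in this same commit shows the ppc64le package's checksum flipping to the index digest), a value that does not match the manifest a consumer actually pulls for that platform and so cannot be verified against it. The manifest digest was also the only field distinguishing two manifests that share an `architecture` (different `os` or `variant`, or attestation manifests with no platform): with one shared digest they now produce identical purls and, through `propose_spdx_id()`, duplicate SPDXIDs, and nothing in this hunk checks for that collision. If the intent is for the variant purl's version to be the index digest, keep `digest=manifest.get("digest")` for the checksum and pass the index digest separately into `purl()` (e.g. an optional index-digest attribute on `Image`, whose definition I cannot see here) rather than overwriting the image's own digest. `create_sbom` starts and ends outside this hunk.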
@@ -118,16 +118,11 @@
                 "referenceType": "purl",
                 "referenceLocator": "pkg:oci/ubi9-micro-container@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=ppc64le&repository_url=quay.io/ubi9-micro-container",
             },
-            {
-                "referenceCategory": "PACKAGE-MANAGER",
-                "referenceType": "purl",
-                "referenceLocator": "pkg:oci/ubi9-micro-container@sha256:f08722139c4da653b870272a192fac700960a3315baa1f79f83a4712a436d4?repository_url=quay.io/ubi9-micro-container",
-            },
         ],
         "checksums": [
             {
                 "algorithm": "SHA256",
-                "checksumValue": "f08722139c4da653b870272a192fac700960a3315baa1f79f83a4712a436d4",
+                "checksumValue": "1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d",
             }
         ],
     },
@@ -139,7 +134,7 @@
         "relatedSpdxElement": "SPDXRef-image-index",
     },
     {
-        "spdxElementId": "SPDXRef-image-ubi9-micro-container-8358c7002e15f219c861227e97919d537e888874e7ca2b349979bc745f903195",
+        "spdxElementId": "SPDXRef-image-ubi9-micro-container-d57d132860ab3ff4eb64267c33897a8bf246ae1515df7d17cdf6e408c9f36b36",
         "relationshipType": "VARIANT_OF",
         "relatedSpdxElement": "SPDXRef-image-index",
     },
@@ -239,7 +234,7 @@ def test_main(
                 "checksums": [{"algorithm": "SHA256", "checksumValue": "456"}],
             },
             {
-                "SPDXID": "SPDXRef-image-bar-9adebc2aa46e921bcd2ff839697cf543a898d9b66e1cbf6dfc0626cf2845f716",
+                "SPDXID": "SPDXRef-image-bar-c621206f7eb4159018ebf3fc192df8d270b15121bcdc653b468df1fe131860b1",
                 "name": "bar_arm64",
                 "versionInfo": "v1",
                 "supplier": "NOASSERTION",
@@ -251,13 +246,8 @@ def test_main(
                         "referenceType": "purl",
                         "referenceLocator": "pkg:oci/bar@sha256:456?arch=arm64&repository_url=quay.io/foo/bar",
                     },
-                    {
-                        "referenceCategory": "PACKAGE-MANAGER",
-                        "referenceType": "purl",
-                        "referenceLocator": "pkg:oci/bar@sha256:123?repository_url=quay.io/foo/bar",
-                    },
                 ],
-                "checksums": [{"algorithm": "SHA256", "checksumValue": "123"}],
+                "checksums": [{"algorithm": "SHA256", "checksumValue": "456"}],
             },
         ],
         "relationships": [
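Review bot: The updated `test_main` fixture expects `"checksumValue": "456"` for `bar_arm64`, the same value the preceding package (apparently the index) carries, and the removed `pkg:oci/bar@sha256:123?...` purl was the last place the manifest digest `123` appeared, so nothing in these hunks still asserts that a variant package records its own manifest digest. Consider keeping one case where the variant's `checksums` entry is the manifest digest and differs from the index's, so that stamping the index digest onto every variant is caught by the suite instead of being encoded into the expected output. The `test_main` definition starts before this hunk.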
@@ -267,7 +257,7 @@ def test_main(
                 "relatedSpdxElement": "SPDXRef-image-index",
             },
             {
-                "spdxElementId": "SPDXRef-image-bar-9adebc2aa46e921bcd2ff839697cf543a898d9b66e1cbf6dfc0626cf2845f716",
+                "spdxElementId": "SPDXRef-image-bar-c621206f7eb4159018ebf3fc192df8d270b15121bcdc653b468df1fe131860b1",
                 "relationshipType": "VARIANT_OF",
                 "relatedSpdxElement": "SPDXRef-image-index",
             },