Skip to content

Commit

Permalink
fix(sbom): fix error when parent of SPDX Relationships is not a packa…
Browse files Browse the repository at this point in the history
…ge. (#6399)
  • Loading branch information
DmitriyLewen authored Mar 27, 2024
1 parent 258d153 commit 5f69937
Show file tree
Hide file tree
Showing 4 changed files with 78 additions and 3 deletions.
10 changes: 9 additions & 1 deletion pkg/sbom/core/bom.go
Original file line number Diff line number Diff line change
Expand Up @@ -238,12 +238,20 @@ func (b *BOM) AddComponent(c *Component) {
}

func (b *BOM) AddRelationship(parent, child *Component, relationshipType RelationshipType) {
// Check the wrong parent to avoid `panic`
if parent == nil {
return
}
if parent.id == uuid.Nil {
b.AddComponent(parent)
}

if child == nil {
b.relationships[parent.id] = nil // Meaning no dependencies
// It is possible that `relationships` already contains this parent.
// Check this to avoid overwriting.
if _, ok := b.relationships[parent.id]; !ok {
b.relationships[parent.id] = nil // Meaning no dependencies
}
return
}

Expand Down
54 changes: 54 additions & 0 deletions pkg/sbom/spdx/testdata/happy/with-file-as-relationship-parent.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
{
"files": [
{
"fileName": "./Modules/Microsoft.PowerShell.PSResourceGet/_manifest/spdx_2.2/manifest.spdx.json",
"SPDXID": "SPDXRef-File--Modules-Microsoft.PowerShell.PSResourceGet--manifest-spdx-2.2-manifest.spdx.json-2B9FB98F5CA97DC84FD382A8F8E68F663C003362",
"checksums": [
{
"algorithm": "SHA256",
"checksumValue": "4201b0989938842ef8c11a006184e0b1466bd7f9bb2af61d89a4c8318d43466e"
},
{
"algorithm": "SHA1",
"checksumValue": "2b9fb98f5ca97dc84fd382a8f8e68f663c003362"
}
],
"licenseConcluded": "NOASSERTION",
"licenseInfoInFiles": [
"NOASSERTION"
],
"copyrightText": "NOASSERTION",
"fileTypes": [
"SPDX"
]
}
],
"externalDocumentRefs": [],
"relationships": [
{
"relationshipType": "DESCRIBES",
"relatedSpdxElement": "SPDXRef-RootPackage",
"spdxElementId": "SPDXRef-DOCUMENT"
},
{
"relationshipType": "DESCRIBED_BY",
"relatedSpdxElement": "SPDXRef-DOCUMENT",
"spdxElementId": "SPDXRef-File--Modules-Microsoft.PowerShell.PSResourceGet--manifest-spdx-2.2-manifest.spdx.json-2B9FB98F5CA97DC84FD382A8F8E68F663C003362"
}
],
"spdxVersion": "SPDX-2.2",
"dataLicense": "CC0-1.0",
"SPDXID": "SPDXRef-DOCUMENT",
"name": "PowerShell Linux Arm32 7.5.0-preview.2",
"documentNamespace": "https://sbom.microsoft/1:2QSF7qZlbE-F7QrUJlEo7g:pHp_nUFvDUijZ4LrJ4RhoQ/696:458654/PowerShell%20Linux%20Arm32:7.5.0-preview.2:pDkyTHXmgUOdzSXIq9CiqA",
"creationInfo": {
"created": "2024-02-22T00:43:53Z",
"creators": [
"Organization: Microsoft",
"Tool: Microsoft.SBOMTool-2.2.3"
]
},
"documentDescribes": [
"SPDXRef-RootPackage"
]
}
12 changes: 10 additions & 2 deletions pkg/sbom/spdx/unmarshal.go
Original file line number Diff line number Diff line change
Expand Up @@ -87,8 +87,16 @@ func (s *SPDX) unmarshal(spdxDocument *spdx.Document) error {
continue
}

compA := components[rel.RefA.ElementRefID]
compB := components[rel.RefB.ElementRefID]
compA, ok := components[rel.RefA.ElementRefID]
if !ok { // Skip if parent is not Package
continue
}

compB, ok := components[rel.RefB.ElementRefID]
if !ok { // Skip if child is not Package
continue
}

s.BOM.AddRelationship(compA, compB, s.parseRelationshipType(rel.Relationship))
}

Expand Down
5 changes: 5 additions & 0 deletions pkg/sbom/spdx/unmarshal_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -314,6 +314,11 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
},
},
},
{
name: "happy path with file as parent of relationship",
inputFile: "testdata/happy/with-file-as-relationship-parent.json",
want: types.SBOM{},
},
{
name: "happy path only os component",
inputFile: "testdata/happy/os-only-bom.json",
Expand Down

0 comments on commit 5f69937

Please sign in to comment.