feat: add SPDX field

aquasecurity · Jun 26, 2024 · 68abc78 · 68abc78
1 parent a9fe388
commit 68abc78
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 3 deletions.
diff --git a/pkg/fanal/types/package.go b/pkg/fanal/types/package.go
@@ -56,7 +56,8 @@ func (r *Relationship) UnmarshalJSON(data []byte) error {
 type PkgIdentifier struct {
 	UID    string                 `json:",omitempty"` // Calculated by the package struct
 	PURL   *packageurl.PackageURL `json:"-"`
-	BOMRef string                 `json:",omitempty"` // From SBOM file: `component.BOMRef` or `package.SPDXID`
+	BOMRef string                 `json:",omitempty"` // For CycloneDX
+	SPDXID string                 `json:",omitempty"` // For SPDX
 }
 
 // MarshalJSON customizes the JSON encoding of PkgIdentifier.

diff --git a/pkg/sbom/core/bom.go b/pkg/sbom/core/bom.go
@@ -133,6 +133,9 @@ type Component struct {
 	//   SPDX: package.externalRefs.referenceLocator
 	// BOMRef:
 	//   CycloneDX: component.bom-ref
+	//   SPDX: N/A
+	// SPDXID:
+	//   CycloneDX: N/A
 	//   SPDX: package.SPDXID
 	PkgIdentifier ftypes.PkgIdentifier
 

diff --git a/pkg/sbom/io/decode.go b/pkg/sbom/io/decode.go
@@ -152,7 +152,12 @@ func (m *Decoder) selectOS(osComponents []*core.Component, sbom *types.SBOM) {
 		if numberOfIPkgs != numberOfJPkgs {
 			return numberOfIPkgs < numberOfJPkgs
 		}
-		return osComponents[i].PkgIdentifier.BOMRef < osComponents[j].PkgIdentifier.BOMRef
+		// For CycloneDX
+		if osComponents[i].PkgIdentifier.BOMRef != "" || osComponents[j].PkgIdentifier.BOMRef != "" {
+			return osComponents[i].PkgIdentifier.BOMRef < osComponents[j].PkgIdentifier.BOMRef
+		}
+		// For SPDX
+		return osComponents[i].PkgIdentifier.SPDXID < osComponents[j].PkgIdentifier.SPDXID
 	})
 
 	if len(osComponents) > 1 {
@@ -244,6 +249,7 @@ func (m *Decoder) decodeLibrary(c *core.Component) (*ftypes.Package, error) {
 	}
 
 	pkg.Identifier.BOMRef = c.PkgIdentifier.BOMRef
+	pkg.Identifier.SPDXID = c.PkgIdentifier.SPDXID
 	pkg.Licenses = c.Licenses
 
 	for _, f := range c.Files {

diff --git a/pkg/sbom/spdx/unmarshal.go b/pkg/sbom/spdx/unmarshal.go
@@ -166,7 +166,7 @@ func (s *SPDX) parsePackage(spdxPkg spdx.Package) (*core.Component, error) {
 		Name:    spdxPkg.PackageName,
 		Version: spdxPkg.PackageVersion,
 		PkgIdentifier: types.PkgIdentifier{
-			BOMRef: string(spdxPkg.PackageSPDXIdentifier),
+			SPDXID: string(spdxPkg.PackageSPDXIdentifier),
 		},
 	}