refactor: use PkgIdentifier.BOMRef for SPDXID

aquasecurity · Jul 4, 2024 · 964f16a · 964f16a
1 parent a2ceb4b
commit 964f16a
Show file tree

Hide file tree

Showing 8 changed files with 37 additions and 47 deletions.
diff --git a/integration/sbom_test.go b/integration/sbom_test.go
@@ -104,9 +104,9 @@ func TestSBOM(t *testing.T) {
 				want.Results[0].Target = "testdata/fixtures/sbom/centos-7-spdx.txt (centos 7.6.1810)"
 
 				require.Len(t, got.Results[0].Vulnerabilities, 3)
-				want.Results[0].Vulnerabilities[0].PkgIdentifier.SPDXID = "Package-5a18334f22149877"
-				want.Results[0].Vulnerabilities[1].PkgIdentifier.SPDXID = "Package-e16b1cbaa5186199"
-				want.Results[0].Vulnerabilities[2].PkgIdentifier.SPDXID = "Package-e16b1cbaa5186199"
+				want.Results[0].Vulnerabilities[0].PkgIdentifier.BOMRef = "Package-5a18334f22149877"
+				want.Results[0].Vulnerabilities[1].PkgIdentifier.BOMRef = "Package-e16b1cbaa5186199"
+				want.Results[0].Vulnerabilities[2].PkgIdentifier.BOMRef = "Package-e16b1cbaa5186199"
 			},
 		},
 		{
@@ -125,9 +125,9 @@ func TestSBOM(t *testing.T) {
 				want.Results[0].Target = "testdata/fixtures/sbom/centos-7-spdx.json (centos 7.6.1810)"
 
 				require.Len(t, got.Results[0].Vulnerabilities, 3)
-				want.Results[0].Vulnerabilities[0].PkgIdentifier.SPDXID = "Package-5a18334f22149877"
-				want.Results[0].Vulnerabilities[1].PkgIdentifier.SPDXID = "Package-e16b1cbaa5186199"
-				want.Results[0].Vulnerabilities[2].PkgIdentifier.SPDXID = "Package-e16b1cbaa5186199"
+				want.Results[0].Vulnerabilities[0].PkgIdentifier.BOMRef = "Package-5a18334f22149877"
+				want.Results[0].Vulnerabilities[1].PkgIdentifier.BOMRef = "Package-e16b1cbaa5186199"
+				want.Results[0].Vulnerabilities[2].PkgIdentifier.BOMRef = "Package-e16b1cbaa5186199"
 			},
 		},
 		{

diff --git a/integration/testdata/multiple-os.json.golden b/integration/testdata/multiple-os.json.golden
@@ -30,8 +30,8 @@
           "Name": "libmd0",
           "Identifier": {
             "PURL": "pkg:deb/debian/[email protected]?arch=arm64\u0026distro=debian-12.5",
-            "UID": "1a40caf90922a802",
-            "SPDXID": "Package-gnrtd175"
+            "UID": "bd94e402741d3988",
+            "BOMRef": "Package-gnrtd175"
           },
           "Version": "1.0.4-2",
           "Arch": "arm64",
@@ -48,8 +48,8 @@
           "Name": "libmount1",
           "Identifier": {
             "PURL": "pkg:deb/debian/[email protected]%2Bdeb12u1?arch=arm64\u0026distro=debian-12.5",
-            "UID": "f5f492c064df8ae2",
-            "SPDXID": "Package-gnrtd259"
+            "UID": "ae2f6c69df04ce11",
+            "BOMRef": "Package-gnrtd259"
           },
           "Version": "2.38.1-5+deb12u1",
           "Arch": "arm64",

diff --git a/pkg/fanal/analyzer/sbom/sbom_test.go b/pkg/fanal/analyzer/sbom/sbom_test.go
@@ -42,7 +42,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 										Name:      "apm-agent",
 										Version:   "1.36.0",
 									},
-									SPDXID: "Package-f0db45781e6813a1",
+									BOMRef: "Package-f0db45781e6813a1",
 								},
 							},
 							{
@@ -57,7 +57,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 										Name:      "apm-agent-cached-lookup-key",
 										Version:   "1.36.0",
 									},
-									SPDXID: "Package-efe22bf5916f985f",
+									BOMRef: "Package-efe22bf5916f985f",
 								},
 							},
 							{
@@ -72,7 +72,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 										Name:      "apm-agent-common",
 										Version:   "1.36.0",
 									},
-									SPDXID: "Package-33d86d2d11abe114",
+									BOMRef: "Package-33d86d2d11abe114",
 								},
 							},
 							{
@@ -87,7 +87,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 										Name:      "apm-agent-core",
 										Version:   "1.36.0",
 									},
-									SPDXID: "Package-b905fcf69ca61281",
+									BOMRef: "Package-b905fcf69ca61281",
 								},
 							},
 						},
@@ -114,7 +114,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 											},
 										},
 									},
-									SPDXID: "elasticsearch",
+									BOMRef: "elasticsearch",
 								},
 							},
 						},
@@ -189,7 +189,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 										Name:    "gdal",
 										Version: "3.7.1",
 									},
-									SPDXID: "gdal",
+									BOMRef: "gdal",
 								},
 							},
 							{
@@ -203,7 +203,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 										Name:    "geos",
 										Version: "3.8.3",
 									},
-									SPDXID: "geos",
+									BOMRef: "geos",
 								},
 							},
 							{
@@ -217,7 +217,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 										Name:    "postgresql",
 										Version: "15.3.0",
 									},
-									SPDXID: "postgresql",
+									BOMRef: "postgresql",
 								},
 								DependsOn: []string{
 									"[email protected]",
@@ -236,7 +236,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 										Name:    "proj",
 										Version: "6.3.2",
 									},
-									SPDXID: "proj",
+									BOMRef: "proj",
 								},
 							},
 						},

diff --git a/pkg/fanal/types/package.go b/pkg/fanal/types/package.go
@@ -56,8 +56,7 @@ func (r *Relationship) UnmarshalJSON(data []byte) error {
 type PkgIdentifier struct {
 	UID    string                 `json:",omitempty"` // Calculated by the package struct
 	PURL   *packageurl.PackageURL `json:"-"`
-	BOMRef string                 `json:",omitempty"` // For CycloneDX
-	SPDXID string                 `json:",omitempty"` // For SPDX
+	BOMRef string                 `json:",omitempty"` // Taken from `BOMRef` for CycloneDX or from `SPDXID` for SPDX.
 }
 
 // MarshalJSON customizes the JSON encoding of PkgIdentifier.

diff --git a/pkg/sbom/core/bom.go b/pkg/sbom/core/bom.go
@@ -133,9 +133,6 @@ type Component struct {
 	//   SPDX: package.externalRefs.referenceLocator
 	// BOMRef:
 	//   CycloneDX: component.bom-ref
-	//   SPDX: N/A
-	// SPDXID:
-	//   CycloneDX: N/A
 	//   SPDX: package.SPDXID
 	PkgIdentifier ftypes.PkgIdentifier
 

diff --git a/pkg/sbom/io/decode.go b/pkg/sbom/io/decode.go
@@ -153,12 +153,7 @@ func (m *Decoder) selectOS(ctx context.Context, osComponents []*core.Component,
 		if numberOfIPkgs != numberOfJPkgs {
 			return numberOfIPkgs > numberOfJPkgs
 		}
-		// For CycloneDX
-		if osComponents[i].PkgIdentifier.BOMRef != "" || osComponents[j].PkgIdentifier.BOMRef != "" {
-			return osComponents[i].PkgIdentifier.BOMRef < osComponents[j].PkgIdentifier.BOMRef
-		}
-		// For SPDX
-		return osComponents[i].PkgIdentifier.SPDXID < osComponents[j].PkgIdentifier.SPDXID
+		return osComponents[i].PkgIdentifier.BOMRef < osComponents[j].PkgIdentifier.BOMRef
 	})
 
 	if len(osComponents) > 1 {
@@ -263,7 +258,6 @@ func (m *Decoder) decodeLibrary(ctx context.Context, c *core.Component) (*ftypes
 	}
 
 	pkg.Identifier.BOMRef = c.PkgIdentifier.BOMRef
-	pkg.Identifier.SPDXID = c.PkgIdentifier.SPDXID
 	pkg.Licenses = c.Licenses
 
 	for _, f := range c.Files {

diff --git a/pkg/sbom/spdx/unmarshal.go b/pkg/sbom/spdx/unmarshal.go
@@ -166,7 +166,7 @@ func (s *SPDX) parsePackage(spdxPkg spdx.Package) (*core.Component, error) {
 		Name:    spdxPkg.PackageName,
 		Version: spdxPkg.PackageVersion,
 		PkgIdentifier: types.PkgIdentifier{
-			SPDXID: string(spdxPkg.PackageSPDXIdentifier),
+			BOMRef: string(spdxPkg.PackageSPDXIdentifier),
 		},
 	}
 

diff --git a/pkg/sbom/spdx/unmarshal_test.go b/pkg/sbom/spdx/unmarshal_test.go
@@ -66,7 +66,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 											},
 										},
 									},
-									SPDXID: "Package-b7ebaf0233f1ef7b",
+									BOMRef: "Package-b7ebaf0233f1ef7b",
 								},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:dd565ff850e7003356e2b252758f9bdc1ff2803f61e995e24c7844f6297f8fc3",
@@ -91,7 +91,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:      "log",
 										Version:   "1.13.1",
 									},
-									SPDXID: "Package-2906575950df652b",
+									BOMRef: "Package-2906575950df652b",
 								},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
@@ -108,7 +108,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:      "pear_exception",
 										Version:   "v1.0.0",
 									},
-									SPDXID: "Package-5e2e255ac76747ef",
+									BOMRef: "Package-5e2e255ac76747ef",
 								},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
@@ -131,7 +131,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:      "packageurl-go",
 										Version:   "v0.1.1-0.20220203205134-d70459300c8a",
 									},
-									SPDXID: "Package-84ebffe38343d949",
+									BOMRef: "Package-84ebffe38343d949",
 								},
 								Layer: ftypes.Layer{
 									DiffID: "sha256:3c79e832b1b4891a1cb4a326ef8524e0bd14a2537150ac0e203a5677176c1ca1",
@@ -152,7 +152,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:      "child-project",
 										Version:   "1.0",
 									},
-									SPDXID: "Package-2a53baa495b9ddaf",
+									BOMRef: "Package-2a53baa495b9ddaf",
 								},
 								Version: "1.0",
 								Layer: ftypes.Layer{
@@ -174,7 +174,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:    "bootstrap",
 										Version: "5.0.2",
 									},
-									SPDXID: "Package-5f1dbaff8de5eb06",
+									BOMRef: "Package-5f1dbaff8de5eb06",
 								},
 								Licenses: []string{"MIT"},
 								Layer: ftypes.Layer{
@@ -205,7 +205,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:    "yargs-parser",
 										Version: "21.1.1",
 									},
-									SPDXID: "Package-c3508825bf3861d8",
+									BOMRef: "Package-c3508825bf3861d8",
 								},
 								FilePath: "node_modules/yargs-parser/package.json",
 							},
@@ -233,7 +233,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:    "yargs-parser",
 										Version: "21.1.1",
 									},
-									SPDXID: "Package-c3508825bf3861d8",
+									BOMRef: "Package-c3508825bf3861d8",
 								},
 								FilePath: "node_modules/yargs-parser/package.json",
 							},
@@ -262,7 +262,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:      "log",
 										Version:   "1.13.1",
 									},
-									SPDXID: "Package-2906575950df652b",
+									BOMRef: "Package-2906575950df652b",
 								},
 							},
 							{
@@ -276,7 +276,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:      "pear_exception",
 										Version:   "v1.0.0",
 									},
-									SPDXID: "Package-5e2e255ac76747ef",
+									BOMRef: "Package-5e2e255ac76747ef",
 								},
 							},
 						},
@@ -304,7 +304,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:      "apm-agent",
 										Version:   "1.36.0",
 									},
-									SPDXID: "Package-d6465ccdd5385c16",
+									BOMRef: "Package-d6465ccdd5385c16",
 								},
 							},
 							{
@@ -319,7 +319,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 										Name:      "apm-agent-cached-lookup-key",
 										Version:   "1.36.0",
 									},
-									SPDXID: "Package-8e3a2cf58d7bd790",
+									BOMRef: "Package-8e3a2cf58d7bd790",
 								},
 							},
 						},
@@ -366,7 +366,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 											},
 										},
 									},
-									SPDXID: "Package-gnrtd175",
+									BOMRef: "Package-gnrtd175",
 								},
 							},
 							{
@@ -395,7 +395,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 											},
 										},
 									},
-									SPDXID: "Package-gnrtd259",
+									BOMRef: "Package-gnrtd259",
 								},
 							},
 						},
@@ -442,7 +442,7 @@ func TestUnmarshaler_Unmarshal(t *testing.T) {
 											},
 										},
 									},
-									SPDXID: "Package-gnrtd7",
+									BOMRef: "Package-gnrtd7",
 								},
 							},
 						},