
Correct SPDX ID, add package field
SPDX ID should not contain underscore characters.
Packages are required to have a declared license
and a license info from files field.

Ref
* https://spdx.github.io/spdx-spec/v2.2.2/file-information/#821-description
* https://spdx.github.io/spdx-spec/v2.2.2/package-information/
kstribrnAmzn committed Dec 20, 2023
1 parent 4fe6122 commit 458613f
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions sbom-generator/sbom_utils.py
@@ -22,20 +22,22 @@ def package_hash(file_list: str) -> str:

def file_writer(output, filepath: str, sha1: str, license: str, copyright='NOASSERTION', comment='NOASSERTION'):
output.write('FileName: .'+ filepath + '\n')
output.write('SPDXID: SPDXRef-File'+ filepath.replace('/', '-') + '\n')
output.write('SPDXID: SPDXRef-File'+ filepath.replace('/', '-').replace('_', '') + '\n')
output.write('FileChecksum: SHA1: '+ sha1 + '\n')
output.write('LicenseConcluded: '+ license + '\n')
output.write('FileCopyrightText: '+ copyright + '\n')
output.write('FileComment: '+ comment + '\n')
output.write('\n')

def package_writer(output, packageName: str, version: str, url: str, license: str, ver_code: str, file_analyzed=True,
copyright='NOASSERTION', summary='NOASSERTION', description='NOASSERTION'):
copyright='NOASSERTION', summary='NOASSERTION', description='NOASSERTION', file_licenses='NOASSERTION'):
output.write('PackageName: '+ packageName + '\n')
output.write('SPDXID: SPDXRef-Package-'+ packageName + '\n')
output.write('PackageVersion: '+ version + '\n')
output.write('PackageDownloadLocation: '+ url + '\n')
output.write('PackageLicenseDeclared: ' + license + '\n')
output.write('PackageLicenseConcluded: '+ license + '\n')
output.write('PackageLicenseInfoFromFiles: '+ file_licenses + '\n')
output.write('FilesAnalyzed: '+ str(file_analyzed) + '\n')
output.write('PackageVerificationCode: '+ ver_code + '\n')
output.write('PackageCopyrightText: '+ copyright + '\n')
@@ -52,7 +54,7 @@ def doc_writer(output, version: str, name: str, creator_comment='NOASSERTION',
output.write('SPDXID: SPDXRef-DOCUMENT\n')
output.write('DocumentName: ' + name + '\n')
output.write('DocumentNamespace: ' + namespace + '\n')
output.write('Creator: ' + CREATOR + '\n')
output.write('Creator: Organization:' + CREATOR + '\n')
output.write('Created: ' + today.isoformat()[:-7] + 'Z\n')
output.write('CreatorComment: ' + creator_comment + '\n')
output.write('DocumentComment: ' + doc_comment + '\n')
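Review bot: The file SPDXID written on the `SPDXID: SPDXRef-File` line of `file_writer` is still neither guaranteed valid nor unique: dropping `_` and mapping `/` to `-` leaves every other character outside the SPDX idstring alphabet (letters, digits, `.`, `-`) untouched, and the lossy mapping makes distinct paths collide (`a_b.c` vs `ab.c`, `a/b` vs `a-b`), so two files can share one SPDXID and relationships that reference it become ambiguous. The package SPDXID on the `SPDXID: SPDXRef-Package-` line is not sanitized at all, so a packageName containing `_` still produces the ID form this commit set out to remove. A small helper that replaces each disallowed character with `-` and appends a short digest of the original text keeps IDs both valid and collision-free, and both writers can call it (it needs `hashlib` imported at module level if the file does not already import it). On the second hunk, `'Creator: Organization:' + CREATOR` yields `Organization:<name>` with no separating space unless CREATOR already starts with one; the spec examples use `Organization: name`, so this is worth confirming. package_writer's body continues past the end of the first hunk.
```python
def spdx_id_suffix(text: str) -> str:
    """Map text onto the SPDX idstring alphabet (letters, digits, '.', '-').

    Disallowed characters are replaced rather than dropped, and a short
    digest of the original text is appended so that distinct inputs never
    produce the same SPDXID.
    """
    safe = ''.join(c if (c.isascii() and c.isalnum()) or c in '.-' else '-' for c in text)
    return safe + '-' + hashlib.sha1(text.encode('utf-8')).hexdigest()[:8]


def file_writer(output, filepath: str, sha1: str, license: str, copyright='NOASSERTION', comment='NOASSERTION'):
    output.write('FileName: .'+ filepath + '\n')
    output.write('SPDXID: SPDXRef-File'+ spdx_id_suffix(filepath) + '\n')
    # … unchanged: FileChecksum, LicenseConcluded, FileCopyrightText, FileComment writes …

# … unchanged: package_writer signature and PackageName write …
    output.write('SPDXID: SPDXRef-Package-'+ spdx_id_suffix(packageName) + '\n')
    # … unchanged: remaining package field writes …
```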
