From 61a2c24e7831dc2924776ea9d6d49065b97b862c Mon Sep 17 00:00:00 2001
From: "Jose D. Gomez R"
Date: Mon, 18 Nov 2024 17:45:54 +0100
Subject: [PATCH 1/7] Remove `go` prefix from go version strings

The leading `go` does not match the regex used by trivy scanner [0].

[0]: https://github.com/aquasecurity/go-version/blob/1951e80d786fea151973e7cba69562b35c42e77b/pkg/version/version.go#L20-L25
---
 Build/IntrospectGolang.pm | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Build/IntrospectGolang.pm b/Build/IntrospectGolang.pm
index c4cc0f65..f361e5e3 100644
--- a/Build/IntrospectGolang.pm
+++ b/Build/IntrospectGolang.pm
@@ -168,6 +168,8 @@ sub buildinfo {
 my ($fh) = @_;
 my ($vers, $mod) = rawbuildinfo($fh);
 return undef unless defined $vers;
+ $vers =~ s/^go(.*)/\1/;
+
 my $buildinfo = { 'goversion' => $vers };
 my $lastmod;
 for my $l (split("\n", $mod || '')) {
From c304ab0095320b5d4863d648ceb51e58723cc710 Mon Sep 17 00:00:00 2001
From: "Jose D. Gomez R"
Date: Mon, 18 Nov 2024 17:47:18 +0100
Subject: [PATCH 2/7] Encode the current $dist as a package in the SPDX report

---
 generate_sbom | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/generate_sbom b/generate_sbom
index a698dadd..274f29a2 100755
--- a/generate_sbom
+++ b/generate_sbom
@@ -857,8 +857,13 @@ sub spdx_encode_pkg {
 }
 $spdx->{'copyrightText'} = $p->{'COPYRIGHTTEXT'} ? $p->{'COPYRIGHTTEXT'} : 'NOASSERTION';
 $spdx->{'homepage'} = $p->{'URL'} if $p->{'URL'};
- my $purlurl = gen_purl($p, $distro, $pkgtype);
- push @{$spdx->{'externalRefs'}}, { 'referenceCategory' => 'PACKAGE-MANAGER', 'referenceType' => 'purl', 'referenceLocator', $purlurl } if $purlurl;
+
+ # Let the caller control the presence of external refs
+ if($p->{'external_refs'} // 1) {
+ my $purlurl = gen_purl($p, $distro, $pkgtype);
+ push @{$spdx->{'externalRefs'}}, { 'referenceCategory' => 'PACKAGE-MANAGER', 'referenceType' => 'purl', 'referenceLocator', $purlurl } if $purlurl;
+ }
+
 if (!$p->{'spdx_id'}) {
 my $spdxtype = "Package-$pkgtype";
 $spdxtype = "Package-go-module" if $pkgtype eq 'golang';
@@ -935,6 +940,17 @@ sub spdx_encode_header {
 return $spdx;
 }
+sub spdx_encode_dist {
+ my ($dist) = @_;
+
+ return spdx_encode_pkg({
+ NAME => $dist->{id},
+ VERSION => $dist->{version_id},
+ spdx_id => sprintf('SPDXRef-OperatingSystem-%s', gen_pkg_id($dist)),
+ external_refs => 0
+ }, undef, undef, {});
+
+}
 ##################################################################################################
 #
@@ -1170,6 +1186,9 @@ if ($format eq 'spdx') {
 push @{$doc->{'files'}}, spdx_encode_file($f);
 }
 }
+
+ push @{$doc->{'packages'}}, spdx_encode_dist($dist);
+
 for (sort keys %unknown_spdx_licenses) {
 push @{$doc->{'hasExtractedLicensingInfos'}}, spdx_encode_extracted_license($unknown_spdx_licenses{$_});
 }
From 2272252d0a59f9b33163dc49cf7cb8ce85371ab7 Mon Sep 17 00:00:00 2001
From: "Jose D. Gomez R"
Date: Mon, 18 Nov 2024 17:45:54 +0100
Subject: [PATCH 3/7] Remove leading `go` from `purl` locators

The leading `go` does not match the regex used by trivy scanner [0].

[0]: https://github.com/aquasecurity/go-version/blob/1951e80d786fea151973e7cba69562b35c42e77b/pkg/version/version.go#L20-L25
---
 generate_sbom | 1 +
 1 file changed, 1 insertion(+)
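Review bot: `spdx_encode_dist` reads `$dist->{id}` and `$dist->{version_id}` unguarded and the third hunk pushes its result unconditionally, so if distro detection leaves `$dist` empty or undefined the document gains an OS package with an undefined name and version and `gen_pkg_id` is fed the same empty hash; how `$dist` is built is outside these hunks, so either confirm it is always populated or guard the call with `push @{$doc->{'packages'}}, spdx_encode_dist($dist) if $dist && $dist->{id};`. The new OS package is not tied to the document or to the distro packages by any relationship in this commit, so a consumer that attributes packages to their OS through relationships would not see it as their parent unless one is emitted. Minor style on the first hunk: `if($p->{'external_refs'} // 1)` drops the space after `if` that the surrounding code uses (`if (!$p->{'spdx_id'})`), and the blank line before `spdx_encode_dist`'s closing brace serves no purpose.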
diff --git a/generate_sbom b/generate_sbom
index 274f29a2..5d875be5 100755
--- a/generate_sbom
+++ b/generate_sbom
@@ -618,6 +618,7 @@ sub gen_purl {
 my ($p, $distro, $pkgtype) = @_;
 my $name = $p->{'NAME'};
 my $vr = $p->{'VERSION'};
+ $vr =~ s/^go//;
 my $purltype = $pkgtype eq 'rust' ? 'cargo' : $pkgtype;
 my $subpath;
 if ($pkgtype eq 'golang' && $name =~ /\A([^\/]+\/[^\/]+\/[^\/]+)\/(.+)/s) {
From 489ec5cf29efaad9b004f825e64d2ad530d0937a Mon Sep 17 00:00:00 2001
From: "Jose D. Gomez R"
Date: Thu, 21 Nov 2024 15:15:16 +0100
Subject: [PATCH 4/7] Encode `primaryPackagePurpose` attribute in the OS package object

---
 generate_sbom | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/generate_sbom b/generate_sbom
index 5d875be5..6c9d4ba6 100755
--- a/generate_sbom
+++ b/generate_sbom
@@ -860,11 +860,13 @@ sub spdx_encode_pkg {
 $spdx->{'homepage'} = $p->{'URL'} if $p->{'URL'};
 # Let the caller control the presence of external refs
- if($p->{'external_refs'} // 1) {
+ if(!$p->{'skip_external_refs'}) {
 my $purlurl = gen_purl($p, $distro, $pkgtype);
 push @{$spdx->{'externalRefs'}}, { 'referenceCategory' => 'PACKAGE-MANAGER', 'referenceType' => 'purl', 'referenceLocator', $purlurl } if $purlurl;
 }
+ $spdx->{'primaryPackagePurpose'} = $p->{'primaryPackagePurpose'} if $p->{'primaryPackagePurpose'};
+
 if (!$p->{'spdx_id'}) {
 my $spdxtype = "Package-$pkgtype";
 $spdxtype = "Package-go-module" if $pkgtype eq 'golang';
@@ -948,7 +950,8 @@ sub spdx_encode_dist {
 NAME => $dist->{id},
 VERSION => $dist->{version_id},
 spdx_id => sprintf('SPDXRef-OperatingSystem-%s', gen_pkg_id($dist)),
- external_refs => 0
+ primaryPackagePurpose => 'OPERATING-SYSTEM',
+ skip_external_refs => 1
 }, undef, undef, {});
 }
From de4875b049229d1e7a81c0e5bf4dde39c68251a1 Mon Sep 17 00:00:00 2001
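Review bot: The new `primaryPackagePurpose` assignment in the first hunk of patch 4 copies whatever the caller put on `$p` straight into the document, while SPDX 2.3 restricts the field to a fixed set (APPLICATION, FRAMEWORK, LIBRARY, CONTAINER, OPERATING-SYSTEM, DEVICE, FIRMWARE, SOURCE, ARCHIVE, FILE, INSTALL, OTHER); a comment stating that constraint, or a check against the list before the assignment, keeps a future caller from emitting an invalid document (the only caller here passes `'OPERATING-SYSTEM'`, which is valid). The input key is also written in SPDX camelCase while the other control keys on `$p` are snake_case (`spdx_id`, `skip_external_refs`); `primary_package_purpose` would match. Regular packages get no purpose at all, which is acceptable if the field only serves to mark the OS, but worth a line in the comment. Patch 3's unconditional `$vr =~ s/^go//` in `gen_purl` would have rewritten versions of every package type; patches 6 and 7 already replace it with a scoped form.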
From: "Jose D. Gomez R"
Date: Thu, 21 Nov 2024 15:34:12 +0100
Subject: [PATCH 5/7] Perl-ify regex on IntrospectGolang.pm

---
 Build/IntrospectGolang.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Build/IntrospectGolang.pm b/Build/IntrospectGolang.pm
index f361e5e3..467558e8 100644
--- a/Build/IntrospectGolang.pm
+++ b/Build/IntrospectGolang.pm
@@ -168,7 +168,7 @@ sub buildinfo {
 my ($fh) = @_;
 my ($vers, $mod) = rawbuildinfo($fh);
 return undef unless defined $vers;
- $vers =~ s/^go(.*)/\1/;
+ $vers =~ s/^go(.*)/$1/;
 my $buildinfo = { 'goversion' => $vers };
 my $lastmod;
From 537b21aabb0d20355f6ea3016ed53d71354f1b8a Mon Sep 17 00:00:00 2001
From: "Jose D. Gomez R"
Date: Fri, 22 Nov 2024 17:50:34 +0100
Subject: [PATCH 6/7] Don't touch the version on gen_purl

---
 generate_sbom | 1 -
 1 file changed, 1 deletion(-)

diff --git a/generate_sbom b/generate_sbom
index 6c9d4ba6..8bfc1118 100755
--- a/generate_sbom
+++ b/generate_sbom
@@ -618,7 +618,6 @@ sub gen_purl {
 my ($p, $distro, $pkgtype) = @_;
 my $name = $p->{'NAME'};
 my $vr = $p->{'VERSION'};
- $vr =~ s/^go//;
 my $purltype = $pkgtype eq 'rust' ? 'cargo' : $pkgtype;
 my $subpath;
 if ($pkgtype eq 'golang' && $name =~ /\A([^\/]+\/[^\/]+\/[^\/]+)\/(.+)/s) {
From 542b23b1a3e962dc6db75b1acee3ee648d70fb78 Mon Sep 17 00:00:00 2001
From: "Jose D. Gomez R" <1josegomezr@gmail.com>
Date: Wed, 27 Nov 2024 17:05:03 +0100
Subject: [PATCH 7/7] Move version correction to gen_purl subroutine

---
 Build/IntrospectGolang.pm | 2 --
 generate_sbom | 1 +
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/Build/IntrospectGolang.pm b/Build/IntrospectGolang.pm
index 467558e8..c4cc0f65 100644
--- a/Build/IntrospectGolang.pm
+++ b/Build/IntrospectGolang.pm
@@ -168,8 +168,6 @@ sub buildinfo {
 my ($fh) = @_;
 my ($vers, $mod) = rawbuildinfo($fh);
 return undef unless defined $vers;
- $vers =~ s/^go(.*)/$1/;
-
 my $buildinfo = { 'goversion' => $vers };
 my $lastmod;
 for my $l (split("\n", $mod || '')) {
diff --git a/generate_sbom b/generate_sbom
index 8bfc1118..ffeeb523 100755
--- a/generate_sbom
+++ b/generate_sbom
@@ -618,6 +618,7 @@ sub gen_purl {
 my ($p, $distro, $pkgtype) = @_;
 my $name = $p->{'NAME'};
 my $vr = $p->{'VERSION'};
+ $vr =~ s/^go// if $pkgtype eq 'golang' && $name eq 'stdlib';
 my $purltype = $pkgtype eq 'rust' ? 'cargo' : $pkgtype;
 my $subpath;
 if ($pkgtype eq 'golang' && $name =~ /\A([^\/]+\/[^\/]+\/[^\/]+)\/(.+)/s) {
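Review bot: The reason the `go` prefix is stripped only for the `stdlib` purl is not recorded in the code; it lives in the message of patch 1 (trivy's version regex does not accept the `goN.N` form), and that context is lost once the series is squashed, so add a why-comment on the new line, e.g. `# the Go stdlib reports its version as "goN.N.N"; drop the toolchain prefix so the purl carries a bare version (trivy's version regex rejects the "go" form)`. The substitution only checks that the string starts with `go`, not that a digit follows; `s/\Ago(?=\d)//` leaves any non-standard value untouched, though the `stdlib` guard makes the difference small. If `$p->{'VERSION'}` can be undefined for the stdlib entry, the substitution warns under `use warnings`; whether that case occurs is not visible from this hunk. `gen_purl`'s body continues past the hunk.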