feat: use originator logic to fill supplier (#1980)

* feat: use Originator to fill supplier for NTIA minimum --------- Signed-off-by: Christopher Phillips <[email protected]>
anchore · Aug 1, 2023 · 8e893df · 8e893df
1 parent 756d0f2
commit 8e893df
Show file tree

Hide file tree

Showing 11 changed files with 59 additions and 4 deletions.
diff --git a/syft/formats/common/spdxhelpers/to_format_model.go b/syft/formats/common/spdxhelpers/to_format_model.go
@@ -240,9 +240,11 @@ func toRootPackage(s source.Description) *spdx.Package {
 		PackageSPDXIdentifier:     spdx.ElementID(SanitizeElementID(fmt.Sprintf("DocumentRoot-%s-%s", prefix, name))),
 		PackageVersion:            version,
 		PackageChecksums:          checksums,
-		PackageSupplier:           nil,
 		PackageExternalReferences: nil,
 		PrimaryPackagePurpose:     purpose,
+		PackageSupplier: &spdx.Supplier{
+			Supplier: NOASSERTION,
+		},
 	}
 
 	if purl != nil {
@@ -357,7 +359,7 @@ func toPackages(catalog *pkg.Collection, sbom sbom.SBOM) (results []*spdx.Packag
 			// 7.6: Package Originator: may have single result for either Person or Organization,
 			//                          or NOASSERTION
 			// Cardinality: optional, one
-			PackageSupplier: nil,
+			PackageSupplier: toPackageSupplier(p),
 
 			PackageOriginator: toPackageOriginator(p),
 
@@ -514,6 +516,21 @@ func toPackageOriginator(p pkg.Package) *spdx.Originator {
 	}
 }
 
+func toPackageSupplier(p pkg.Package) *spdx.Supplier {
+	// this uses the Originator function for now until
+	// a better distinction can be made for supplier
+	kind, supplier := Originator(p)
+	if kind == "" || supplier == "" {
+		return &spdx.Supplier{
+			Supplier: NOASSERTION,
+		}
+	}
+	return &spdx.Supplier{
+		Supplier:     supplier,
+		SupplierType: kind,
+	}
+}
+
 func formatSPDXExternalRefs(p pkg.Package) (refs []*spdx.PackageExternalReference) {
 	for _, ref := range ExternalRefs(p) {
 		refs = append(refs, &spdx.PackageExternalReference{

diff --git a/syft/formats/common/spdxhelpers/to_format_model_test.go b/syft/formats/common/spdxhelpers/to_format_model_test.go
@@ -51,12 +51,14 @@ func Test_toFormatModel(t *testing.T) {
 				SPDXVersion:    spdx.Version,
 				DataLicense:    spdx.DataLicense,
 				DocumentName:   "alpine",
-
 				Packages: []*spdx.Package{
 					{
 						PackageSPDXIdentifier: "Package-pkg-1-pkg-1",
 						PackageName:           "pkg-1",
 						PackageVersion:        "version-1",
+						PackageSupplier: &spdx.Supplier{
+							Supplier: "NOASSERTION",
+						},
 					},
 					{
 						PackageSPDXIdentifier: "DocumentRoot-Image-alpine",
@@ -71,6 +73,9 @@ func Test_toFormatModel(t *testing.T) {
 								Locator:  "pkg:oci/alpine@sha256:d34db33f?arch=&tag=latest",
 							},
 						},
+						PackageSupplier: &spdx.Supplier{
+							Supplier: "NOASSERTION",
+						},
 					},
 				},
 				Relationships: []*spdx.Relationship{
@@ -122,12 +127,18 @@ func Test_toFormatModel(t *testing.T) {
 						PackageSPDXIdentifier: "Package-pkg-1-pkg-1",
 						PackageName:           "pkg-1",
 						PackageVersion:        "version-1",
+						PackageSupplier: &spdx.Supplier{
+							Supplier: "NOASSERTION",
+						},
 					},
 					{
 						PackageSPDXIdentifier: "DocumentRoot-Directory-some-directory",
 						PackageName:           "some/directory",
 						PackageVersion:        "",
 						PrimaryPackagePurpose: "FILE",
+						PackageSupplier: &spdx.Supplier{
+							Supplier: "NOASSERTION",
+						},
 					},
 				},
 				Relationships: []*spdx.Relationship{
@@ -180,19 +191,24 @@ func Test_toFormatModel(t *testing.T) {
 				SPDXVersion:    spdx.Version,
 				DataLicense:    spdx.DataLicense,
 				DocumentName:   "path/to/some.file",
-
 				Packages: []*spdx.Package{
 					{
 						PackageSPDXIdentifier: "Package-pkg-1-pkg-1",
 						PackageName:           "pkg-1",
 						PackageVersion:        "version-1",
+						PackageSupplier: &spdx.Supplier{
+							Supplier: "NOASSERTION",
+						},
 					},
 					{
 						PackageSPDXIdentifier: "DocumentRoot-File-path-to-some.file",
 						PackageName:           "path/to/some.file",
 						PackageVersion:        "sha256:d34db33f",
 						PrimaryPackagePurpose: "FILE",
 						PackageChecksums:      []spdx.Checksum{{Algorithm: "SHA256", Value: "d34db33f"}},
+						PackageSupplier: &spdx.Supplier{
+							Supplier: "NOASSERTION",
+						},
 					},
 				},
 				Relationships: []*spdx.Relationship{

diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
@@ -17,6 +17,7 @@
    "name": "package-1",
    "SPDXID": "SPDXRef-Package-python-package-1-9265397e5e15168a",
    "versionInfo": "1.0.1",
+   "supplier": "NOASSERTION",
    "downloadLocation": "NOASSERTION",
    "filesAnalyzed": false,
    "sourceInfo": "acquired package info from installed python package manifest file: /some/path/pkg1",
@@ -40,6 +41,7 @@
    "name": "package-2",
    "SPDXID": "SPDXRef-Package-deb-package-2-db4abfe497c180d3",
    "versionInfo": "2.0.1",
+   "supplier": "NOASSERTION",
    "downloadLocation": "NOASSERTION",
    "filesAnalyzed": false,
    "sourceInfo": "acquired package info from DPKG DB: /some/path/pkg1",
@@ -62,6 +64,7 @@
   {
    "name": "some/path",
    "SPDXID": "SPDXRef-DocumentRoot-Directory-some-path",
+   "supplier": "NOASSERTION",
    "downloadLocation": "",
    "filesAnalyzed": false,
    "primaryPackagePurpose": "FILE"

diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
@@ -17,6 +17,7 @@
    "name": "package-1",
    "SPDXID": "SPDXRef-Package-python-package-1-125840abc1c66dd7",
    "versionInfo": "1.0.1",
+   "supplier": "NOASSERTION",
    "downloadLocation": "NOASSERTION",
    "filesAnalyzed": false,
    "sourceInfo": "acquired package info from installed python package manifest file: /somefile-1.txt",
@@ -40,6 +41,7 @@
    "name": "package-2",
    "SPDXID": "SPDXRef-Package-deb-package-2-958443e2d9304af4",
    "versionInfo": "2.0.1",
+   "supplier": "NOASSERTION",
    "downloadLocation": "NOASSERTION",
    "filesAnalyzed": false,
    "sourceInfo": "acquired package info from DPKG DB: /somefile-2.txt",
@@ -63,6 +65,7 @@
    "name": "user-image-input",
    "SPDXID": "SPDXRef-DocumentRoot-Image-user-image-input",
    "versionInfo": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368",
+   "supplier": "NOASSERTION",
    "downloadLocation": "",
    "filesAnalyzed": false,
    "checksums": [

diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
@@ -17,6 +17,7 @@
    "name": "package-1",
    "SPDXID": "SPDXRef-Package-python-package-1-125840abc1c66dd7",
    "versionInfo": "1.0.1",
+   "supplier": "NOASSERTION",
    "downloadLocation": "NOASSERTION",
    "filesAnalyzed": false,
    "sourceInfo": "acquired package info from installed python package manifest file: /somefile-1.txt",
@@ -40,6 +41,7 @@
    "name": "package-2",
    "SPDXID": "SPDXRef-Package-deb-package-2-958443e2d9304af4",
    "versionInfo": "2.0.1",
+   "supplier": "NOASSERTION",
    "downloadLocation": "NOASSERTION",
    "filesAnalyzed": false,
    "sourceInfo": "acquired package info from DPKG DB: /somefile-2.txt",
@@ -63,6 +65,7 @@
    "name": "user-image-input",
    "SPDXID": "SPDXRef-DocumentRoot-Image-user-image-input",
    "versionInfo": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368",
+   "supplier": "NOASSERTION",
    "downloadLocation": "",
    "filesAnalyzed": false,
    "checksums": [

diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/formats/spdxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
@@ -12,13 +12,15 @@ Created: redacted
 
 PackageName: foobar/baz
 SPDXID: SPDXRef-DocumentRoot-Directory-foobar-baz
+PackageSupplier: NOASSERTION
 PrimaryPackagePurpose: FILE
 FilesAnalyzed: false
 
 ##### Package: @at-sign
 
 PackageName: @at-sign
 SPDXID: SPDXRef-Package--at-sign-3732f7a5679bdec4
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from the following paths: 
@@ -30,6 +32,7 @@ PackageCopyrightText: NOASSERTION
 
 PackageName: some/slashes
 SPDXID: SPDXRef-Package-some-slashes-1345166d4801153b
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from the following paths: 
@@ -41,6 +44,7 @@ PackageCopyrightText: NOASSERTION
 
 PackageName: under_scores
 SPDXID: SPDXRef-Package-under-scores-290d5c77210978c1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from the following paths: 

diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
@@ -51,6 +51,7 @@ LicenseConcluded: NOASSERTION
 PackageName: user-image-input
 SPDXID: SPDXRef-DocumentRoot-Image-user-image-input
 PackageVersion: sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
+PackageSupplier: NOASSERTION
 PrimaryPackagePurpose: CONTAINER
 FilesAnalyzed: false
 PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
@@ -61,6 +62,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951
 PackageName: package-2
 SPDXID: SPDXRef-Package-deb-package-2-958443e2d9304af4
 PackageVersion: 2.0.1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from DPKG DB: /somefile-2.txt
@@ -75,6 +77,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/[email protected]
 PackageName: package-1
 SPDXID: SPDXRef-Package-python-package-1-125840abc1c66dd7
 PackageVersion: 1.0.1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from installed python package manifest file: /somefile-1.txt

diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
@@ -12,6 +12,7 @@ Created: redacted
 
 PackageName: some/path
 SPDXID: SPDXRef-DocumentRoot-Directory-some-path
+PackageSupplier: NOASSERTION
 PrimaryPackagePurpose: FILE
 FilesAnalyzed: false
 
@@ -20,6 +21,7 @@ FilesAnalyzed: false
 PackageName: package-2
 SPDXID: SPDXRef-Package-deb-package-2-db4abfe497c180d3
 PackageVersion: 2.0.1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from DPKG DB: /some/path/pkg1
@@ -34,6 +36,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/[email protected]
 PackageName: package-1
 SPDXID: SPDXRef-Package-python-package-1-9265397e5e15168a
 PackageVersion: 1.0.1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from installed python package manifest file: /some/path/pkg1

diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
@@ -13,6 +13,7 @@ Created: redacted
 PackageName: user-image-input
 SPDXID: SPDXRef-DocumentRoot-Image-user-image-input
 PackageVersion: sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
+PackageSupplier: NOASSERTION
 PrimaryPackagePurpose: CONTAINER
 FilesAnalyzed: false
 PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
@@ -23,6 +24,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951
 PackageName: package-2
 SPDXID: SPDXRef-Package-deb-package-2-958443e2d9304af4
 PackageVersion: 2.0.1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from DPKG DB: /somefile-2.txt
@@ -37,6 +39,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/[email protected]
 PackageName: package-1
 SPDXID: SPDXRef-Package-python-package-1-125840abc1c66dd7
 PackageVersion: 1.0.1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from installed python package manifest file: /somefile-1.txt

diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden