diff --git a/syft/formats/common/spdxhelpers/to_format_model.go b/syft/formats/common/spdxhelpers/to_format_model.go
index 459f5b72872..9ad5a2d858a 100644
--- a/syft/formats/common/spdxhelpers/to_format_model.go
+++ b/syft/formats/common/spdxhelpers/to_format_model.go
@@ -240,9 +240,11 @@ func toRootPackage(s source.Description) *spdx.Package {
 PackageSPDXIdentifier: spdx.ElementID(SanitizeElementID(fmt.Sprintf("DocumentRoot-%s-%s", prefix, name))),
 PackageVersion: version,
 PackageChecksums: checksums,
- PackageSupplier: nil,
 PackageExternalReferences: nil,
 PrimaryPackagePurpose: purpose,
+ PackageSupplier: &spdx.Supplier{
+ Supplier: NOASSERTION,
+ },
 }

 if purl != nil {
@@ -357,7 +359,7 @@ func toPackages(catalog *pkg.Collection, sbom sbom.SBOM) (results []*spdx.Packag
 // 7.6: Package Originator: may have single result for either Person or Organization,
 // or NOASSERTION
 // Cardinality: optional, one
- PackageSupplier: nil,
+ PackageSupplier: toPackageSupplier(p),
 PackageOriginator: toPackageOriginator(p),
@@ -514,6 +516,21 @@ func toPackageOriginator(p pkg.Package) *spdx.Originator {
 }
 }

+func toPackageSupplier(p pkg.Package) *spdx.Supplier {
+ // this uses the Originator function for now until
+ // a better distinction can be made for supplier
+ kind, supplier := Originator(p)
+ if kind == "" || supplier == "" {
+ return &spdx.Supplier{
+ Supplier: NOASSERTION,
+ }
+ }
+ return &spdx.Supplier{
+ Supplier: supplier,
+ SupplierType: kind,
+ }
+}
+
 func formatSPDXExternalRefs(p pkg.Package) (refs []*spdx.PackageExternalReference) {
 for _, ref := range ExternalRefs(p) {
 refs = append(refs, &spdx.PackageExternalReference{
diff --git a/syft/formats/common/spdxhelpers/to_format_model_test.go b/syft/formats/common/spdxhelpers/to_format_model_test.go
index 2ca5809507e..311cd5c41ab 100644
--- a/syft/formats/common/spdxhelpers/to_format_model_test.go
+++ b/syft/formats/common/spdxhelpers/to_format_model_test.go
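Review bot: The new `PackageSupplier` entry in the toRootPackage literal is appended after `PrimaryPackagePurpose` instead of replacing the removed `PackageSupplier: nil` in place, so the field order of the literal changes and the diff reads as a move rather than a one-line edit. Keeping it between `PackageChecksums` and `PackageExternalReferences`, where the nil sat, keeps the literal stable; a short why-comment would also help, e.g. `// the scanned source carries no supplier information, so NOASSERTION is the only spec-valid value here` (the "no supplier information" part is inferred from source.Description being the only input and should be confirmed). toRootPackage begins and ends outside this hunk.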
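Review bot: The new `PackageSupplier: toPackageSupplier(p),` line sits directly under the comment block headed `// 7.6: Package Originator`, so that comment now describes the wrong field. Move the line above that block under its own heading `// 7.5: Package Supplier: may have single result for either Person or Organization,` / `// or NOASSERTION` / `// Cardinality: optional, one`, or, if such a 7.5 block already exists above the hunk, move the line there. toPackages begins and ends outside this hunk.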
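Review bot: toPackageSupplier has no doc comment, and the guard `if kind == "" || supplier == ""` has no why-comment even though it is the part a maintainer is most likely to loosen. A Supplier with only one of the two fields set is not a valid SPDX 7.5 value (the field is either `NOASSERTION` or a `Person`/`Organization` prefix with a name), so the fallback avoids emitting a half-filled struct; suggest `// an incomplete Person/Organization pair is not a valid supplier value; fall back to NOASSERTION` on the guard, and above the function a doc comment stating that it returns the SPDX 7.5 Package Supplier for p and, until supplier can be told apart from originator, reuses Originator(p) so both fields carry the same value. The name is passed through from Originator(p) unchanged and that function is outside this hunk, so any trimming or newline handling of metadata-derived names for the tag-value output relies entirely on what Originator does.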
@@ -51,12 +51,14 @@ func Test_toFormatModel(t *testing.T) {
 SPDXVersion: spdx.Version,
 DataLicense: spdx.DataLicense,
 DocumentName: "alpine",
-
 Packages: []*spdx.Package{
 {
 PackageSPDXIdentifier: "Package-pkg-1-pkg-1",
 PackageName: "pkg-1",
 PackageVersion: "version-1",
+ PackageSupplier: &spdx.Supplier{
+ Supplier: "NOASSERTION",
+ },
 },
 {
 PackageSPDXIdentifier: "DocumentRoot-Image-alpine",
@@ -71,6 +73,9 @@ func Test_toFormatModel(t *testing.T) {
 Locator: "pkg:oci/alpine@sha256:d34db33f?arch=&tag=latest",
 },
 },
+ PackageSupplier: &spdx.Supplier{
+ Supplier: "NOASSERTION",
+ },
 },
 },
 Relationships: []*spdx.Relationship{
@@ -122,12 +127,18 @@ func Test_toFormatModel(t *testing.T) {
 PackageSPDXIdentifier: "Package-pkg-1-pkg-1",
 PackageName: "pkg-1",
 PackageVersion: "version-1",
+ PackageSupplier: &spdx.Supplier{
+ Supplier: "NOASSERTION",
+ },
 },
 {
 PackageSPDXIdentifier: "DocumentRoot-Directory-some-directory",
 PackageName: "some/directory",
 PackageVersion: "",
 PrimaryPackagePurpose: "FILE",
+ PackageSupplier: &spdx.Supplier{
+ Supplier: "NOASSERTION",
+ },
 },
 },
 Relationships: []*spdx.Relationship{
@@ -180,12 +191,14 @@ func Test_toFormatModel(t *testing.T) {
 SPDXVersion: spdx.Version,
 DataLicense: spdx.DataLicense,
 DocumentName: "path/to/some.file",
-
 Packages: []*spdx.Package{
 {
 PackageSPDXIdentifier: "Package-pkg-1-pkg-1",
 PackageName: "pkg-1",
 PackageVersion: "version-1",
+ PackageSupplier: &spdx.Supplier{
+ Supplier: "NOASSERTION",
+ },
 },
 {
 PackageSPDXIdentifier: "DocumentRoot-File-path-to-some.file",
@@ -193,6 +206,9 @@ func Test_toFormatModel(t *testing.T) {
 PackageVersion: "sha256:d34db33f",
 PrimaryPackagePurpose: "FILE",
 PackageChecksums: []spdx.Checksum{{Algorithm: "SHA256", Value: "d34db33f"}},
+ PackageSupplier: &spdx.Supplier{
+ Supplier: "NOASSERTION",
+ },
 },
 },
 Relationships: []*spdx.Relationship{
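Review bot: Every expectation added across the five hunks of Test_toFormatModel pins only the `NOASSERTION` fallback, so the branch of toPackageSupplier that fills `Supplier` and `SupplierType` from Originator(p) is not exercised anywhere in this change. A small table test calling toPackageSupplier directly, with one package for which Originator(p) yields a Person or Organization and one for which it yields nothing, would cover both returns and catch a regression that emits a supplier with an empty type; the existing tests for toPackageOriginator, if there are any, are the natural template. Test_toFormatModel begins and ends outside these hunks.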
diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
index d51b754ce11..7107f906ded 100644
--- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
+++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
@@ -17,6 +17,7 @@
 "name": "package-1",
 "SPDXID": "SPDXRef-Package-python-package-1-9265397e5e15168a",
 "versionInfo": "1.0.1",
+ "supplier": "NOASSERTION",
 "downloadLocation": "NOASSERTION",
 "filesAnalyzed": false,
 "sourceInfo": "acquired package info from installed python package manifest file: /some/path/pkg1",
@@ -40,6 +41,7 @@
 "name": "package-2",
 "SPDXID": "SPDXRef-Package-deb-package-2-db4abfe497c180d3",
 "versionInfo": "2.0.1",
+ "supplier": "NOASSERTION",
 "downloadLocation": "NOASSERTION",
 "filesAnalyzed": false,
 "sourceInfo": "acquired package info from DPKG DB: /some/path/pkg1",
@@ -62,6 +64,7 @@
 {
 "name": "some/path",
 "SPDXID": "SPDXRef-DocumentRoot-Directory-some-path",
+ "supplier": "NOASSERTION",
 "downloadLocation": "",
 "filesAnalyzed": false,
 "primaryPackagePurpose": "FILE"
diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
index 49466ae7d44..955d910a63b 100644
--- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
+++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
@@ -17,6 +17,7 @@
 "name": "package-1",
 "SPDXID": "SPDXRef-Package-python-package-1-125840abc1c66dd7",
 "versionInfo": "1.0.1",
+ "supplier": "NOASSERTION",
 "downloadLocation": "NOASSERTION",
 "filesAnalyzed": false,
 "sourceInfo": "acquired package info from installed python package manifest file: /somefile-1.txt",
@@ -40,6 +41,7 @@
 "name": "package-2",
 "SPDXID": "SPDXRef-Package-deb-package-2-958443e2d9304af4",
 "versionInfo": "2.0.1",
+ "supplier": "NOASSERTION",
 "downloadLocation": "NOASSERTION",
 "filesAnalyzed": false,
 "sourceInfo": "acquired package info from DPKG DB: /somefile-2.txt",
@@ -63,6 +65,7 @@
 "name": "user-image-input",
 "SPDXID": "SPDXRef-DocumentRoot-Image-user-image-input",
 "versionInfo": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368",
+ "supplier": "NOASSERTION",
 "downloadLocation": "",
 "filesAnalyzed": false,
 "checksums": [
diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
index 6ee33b0f41e..d6fff364e37 100644
--- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
+++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
@@ -17,6 +17,7 @@
 "name": "package-1",
 "SPDXID": "SPDXRef-Package-python-package-1-125840abc1c66dd7",
 "versionInfo": "1.0.1",
+ "supplier": "NOASSERTION",
 "downloadLocation": "NOASSERTION",
 "filesAnalyzed": false,
 "sourceInfo": "acquired package info from installed python package manifest file: /somefile-1.txt",
@@ -40,6 +41,7 @@
 "name": "package-2",
 "SPDXID": "SPDXRef-Package-deb-package-2-958443e2d9304af4",
 "versionInfo": "2.0.1",
+ "supplier": "NOASSERTION",
 "downloadLocation": "NOASSERTION",
 "filesAnalyzed": false,
 "sourceInfo": "acquired package info from DPKG DB: /somefile-2.txt",
@@ -63,6 +65,7 @@
 "name": "user-image-input",
 "SPDXID": "SPDXRef-DocumentRoot-Image-user-image-input",
 "versionInfo": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368",
+ "supplier": "NOASSERTION",
 "downloadLocation": "",
 "filesAnalyzed": false,
 "checksums": [
diff --git a/syft/formats/spdxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/formats/spdxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
index c799acd2481..d7e3532665c 100644
Binary files a/syft/formats/spdxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden and b/syft/formats/spdxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden differ
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
index 960fdc8ac49..2916b240f00 100644
--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
@@ -12,6 +12,7 @@ Created: redacted
 PackageName: foobar/baz
 SPDXID: SPDXRef-DocumentRoot-Directory-foobar-baz
+PackageSupplier: NOASSERTION
 PrimaryPackagePurpose: FILE
 FilesAnalyzed: false
@@ -19,6 +20,7 @@ FilesAnalyzed: false
 PackageName: @at-sign
 SPDXID: SPDXRef-Package--at-sign-3732f7a5679bdec4
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from the following paths:
@@ -30,6 +32,7 @@ PackageCopyrightText: NOASSERTION
 PackageName: some/slashes
 SPDXID: SPDXRef-Package-some-slashes-1345166d4801153b
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from the following paths:
@@ -41,6 +44,7 @@ PackageCopyrightText: NOASSERTION
 PackageName: under_scores
 SPDXID: SPDXRef-Package-under-scores-290d5c77210978c1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from the following paths:
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
index e7bf336a6a2..ceda8d5eaf7 100644
--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
@@ -51,6 +51,7 @@ LicenseConcluded: NOASSERTION
 PackageName: user-image-input
 SPDXID: SPDXRef-DocumentRoot-Image-user-image-input
 PackageVersion: sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
+PackageSupplier: NOASSERTION
 PrimaryPackagePurpose: CONTAINER
 FilesAnalyzed: false
 PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
@@ -61,6 +62,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951
 PackageName: package-2
 SPDXID: SPDXRef-Package-deb-package-2-958443e2d9304af4
 PackageVersion: 2.0.1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from DPKG DB: /somefile-2.txt
@@ -75,6 +77,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/package-2@2.0.1
 PackageName: package-1
 SPDXID: SPDXRef-Package-python-package-1-125840abc1c66dd7
 PackageVersion: 1.0.1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from installed python package manifest file: /somefile-1.txt
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
index 117f3c53b98..ff168e71fbb 100644
--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
@@ -12,6 +12,7 @@ Created: redacted
 PackageName: some/path
 SPDXID: SPDXRef-DocumentRoot-Directory-some-path
+PackageSupplier: NOASSERTION
 PrimaryPackagePurpose: FILE
 FilesAnalyzed: false
@@ -20,6 +21,7 @@ FilesAnalyzed: false
 PackageName: package-2
 SPDXID: SPDXRef-Package-deb-package-2-db4abfe497c180d3
 PackageVersion: 2.0.1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from DPKG DB: /some/path/pkg1
@@ -34,6 +36,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/package-2@2.0.1
 PackageName: package-1
 SPDXID: SPDXRef-Package-python-package-1-9265397e5e15168a
 PackageVersion: 1.0.1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from installed python package manifest file: /some/path/pkg1
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
index ae1be5286b9..34d428afcd9 100644
--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
@@ -13,6 +13,7 @@ Created: redacted
 PackageName: user-image-input
 SPDXID: SPDXRef-DocumentRoot-Image-user-image-input
 PackageVersion: sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
+PackageSupplier: NOASSERTION
 PrimaryPackagePurpose: CONTAINER
 FilesAnalyzed: false
 PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
@@ -23,6 +24,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951
 PackageName: package-2
 SPDXID: SPDXRef-Package-deb-package-2-958443e2d9304af4
 PackageVersion: 2.0.1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from DPKG DB: /somefile-2.txt
@@ -37,6 +39,7 @@ ExternalRef: PACKAGE-MANAGER purl pkg:deb/debian/package-2@2.0.1
 PackageName: package-1
 SPDXID: SPDXRef-Package-python-package-1-125840abc1c66dd7
 PackageVersion: 1.0.1
+PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageSourceInfo: acquired package info from installed python package manifest file: /somefile-1.txt
diff --git a/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
index f4aa1e7bb74..d7e3532665c 100644
Binary files a/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden and b/syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden differ