Update spdx_parser.py to handle spdx file parsing logic to generate correct key value pair of dictionary

[ravi-mishra-10]

Problem statement:

Showing same software b/w two SPDX file as diff and generating result with same product removed then later added back.

If spdx file [1] contains:

#### Package: cloud.google.com/go/networksecurity

PackageName: cloud.google.com/go/networksecurity
SPDXID: SPDXRef-Pkg-cloud.google.com-go-networksecurity-v0.6.0-5311591
PackageVersion: v0.6.0
PackageSupplier: Organization: go:cloud.google.com/go/networksecurity
PackageHomePage: https://pkg.go.dev/cloud.google.com/go/networksecurity
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: NOASSERTION
FilesAnalyzed: False
ExternalRef: PACKAGE-MANAGER purl pkg:golang/cloud.google.com/go/[email protected]

If spdx file [2] contains:

#### Package: networksecurity

PackageName: networksecurity
SPDXID: SPDXRef-Pkg-cloud.google.com-go-networksecurity-v0.5.0-5311454
PackageVersion: v0.5.0
PackageSupplier: Organization: go:cloud.google.com/go/networksecurity
PackageHomePage: https://pkg.go.dev/cloud.google.com/go/networksecurity
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: NOASSERTION
FilesAnalyzed: False
ExternalRef: PACKAGE-MANAGER purl pkg:golang/cloud.google.com/go/[email protected]

Command used to generate report:

#python ./cli.py --sbom spdx -o sbom_diff_reports.txt -f text file1.spdx file2.spdx
#echo $?
#1

cat sbom_diff_reports.txt

[REMOVED] networksecurity: (Version v0.5.0)
[ADDED  ] cloud.google.com/go/networksecurity: (Version v0.6.0) (License Apache-2.0)
Summary
-------
Version changes:  0
License changes:  0
Removed packages: 1
New packages:     1

Solution:

Addition regex logic will help to find right delta between two SPDX file. Without this fix sometime ProductName getting recorded incorrectly as "v2" or "without full path of software" this enhancement will help to detect same product name b/w two spdx file(s).

With fix report contains will be like:

cat sbom_diff_reports.txt

[REMOVED] networksecurity: (Version v0.5.0)
[ADDED  ] cloud.google.com/go/networksecurity: (Version v0.5.0) (License Apache-2.0)
Summary
-------
Version changes:  1
License changes:  0
Removed packages: 0
New packages:     0

Reviewers:

@anthonyharrison @briancaine

[ravi-mishra-10]

@anthonyharrison kindly start the review.

[anthonyharrison]

I am not convinced that this is a valid or complete change.

[anthonyharrison]

This is not appropriate as this only works for Go packages. sbomdiff needs to be generic for all SBOMs and languages

[ravi-mishra-10]

Agree I will add some check to do this only for GO libs.

[ravi-mishra-10]

Could you suggest how to find packages for other language like java, python etc.

[anthonyharrison]

Could you suggest how to find packages for other language like java, python etc.

I don't think this is a valid change,

The differences in package name is due to the differences in the SBOM generator. Comparing SBOMs from different generators is a valid use case and I can see how useful it is to detect that the generators are creating different names for the same package. Trying to make sbomdiff cater for different generators and establish that the different package names are actually the same package is beyond the scope of sbomdiff as it is not viable to accommodate the approaches adopted by all the different SBOM generators for generating package names.

[anthonyharrison]

If we add this check,we also need to do a corresponding check for all formats of SBOMs not just SPDX tag value SBOMs.

[ravi-mishra-10]

Yes I will add same check for json, xml, yaml and rdf.
Thanks @anthonyharrison