Correct SPDX ID, add package field
SPDX ID should not contain underscore characters.
Packages are required to have a declared-license field
and a license-info-from-files field.

Ref
* https://spdx.github.io/spdx-spec/v2.2.2/file-information/#821-description
* https://spdx.github.io/spdx-spec/v2.2.2/package-information/
kstribrnAmzn committed Dec 20, 2023
1 parent 4fe6122 commit 458613f
Showing 1 changed file with 5 additions and 3 deletions.
8 changes: 5 additions & 3 deletions sbom-generator/sbom_utils.py
Expand Up @@ -22,20 +22,22 @@ def package_hash(file_list: str) -> str:

def file_writer(output, filepath: str, sha1: str, license: str, copyright='NOASSERTION', comment='NOASSERTION'):
output.write('FileName: .'+ filepath + '\n')
output.write('SPDXID: SPDXRef-File'+ filepath.replace('/', '-') + '\n')
output.write('SPDXID: SPDXRef-File'+ filepath.replace('/', '-').replace('_', '') + '\n')
output.write('FileChecksum: SHA1: '+ sha1 + '\n')
output.write('LicenseConcluded: '+ license + '\n')
output.write('FileCopyrightText: '+ copyright + '\n')
output.write('FileComment: '+ comment + '\n')
output.write('\n')

def package_writer(output, packageName: str, version: str, url: str, license: str, ver_code: str, file_analyzed=True,
copyright='NOASSERTION', summary='NOASSERTION', description='NOASSERTION'):
copyright='NOASSERTION', summary='NOASSERTION', description='NOASSERTION', file_licenses='NOASSERTION'):
output.write('PackageName: '+ packageName + '\n')
output.write('SPDXID: SPDXRef-Package-'+ packageName + '\n')
output.write('PackageVersion: '+ version + '\n')
output.write('PackageDownloadLocation: '+ url + '\n')
output.write('PackageLicenseDeclared: ' + license + '\n')
output.write('PackageLicenseConcluded: '+ license + '\n')
output.write('PackageLicenseInfoFromFiles: '+ file_licenses + '\n')
output.write('FilesAnalyzed: '+ str(file_analyzed) + '\n')
output.write('PackageVerificationCode: '+ ver_code + '\n')
output.write('PackageCopyrightText: '+ copyright + '\n')
Expand All @@ -52,7 +54,7 @@ def doc_writer(output, version: str, name: str, creator_comment='NOASSERTION',
output.write('SPDXID: SPDXRef-DOCUMENT\n')
output.write('DocumentName: ' + name + '\n')
output.write('DocumentNamespace: ' + namespace + '\n')
output.write('Creator: ' + CREATOR + '\n')
output.write('Creator: Organization:' + CREATOR + '\n')
output.write('Created: ' + today.isoformat()[:-7] + 'Z\n')
output.write('CreatorComment: ' + creator_comment + '\n')
output.write('DocumentComment: ' + doc_comment + '\n')
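Review bot: The new file SPDXID in the first hunk only drops `_` and swaps `/` for `-`, so any other character outside the SPDX `SPDXRef-[A-Za-z0-9.-]+` set (spaces, `+`, `@`, non-ASCII) still yields an invalid identifier, and deleting underscores outright lets distinct paths such as `a_b.c` and `ab.c` (or `a/b` and `a-b`) collapse to the same SPDXID, which makes the document ambiguous for any consumer that keys on file identifiers. One normalisation that maps every disallowed character to `-` and appends the checksum the function already receives keeps IDs both valid and unique, e.g. `output.write('SPDXID: SPDXRef-File-' + re.sub(r'[^A-Za-z0-9.-]', '-', filepath) + '-' + sha1[:8] + '\n')` (needs `import re` at the top of the file if it is not already there; the imports are outside this view, and any Relationship lines elsewhere that reference these IDs must use the same normalisation). The package SPDXID written from `packageName` in the same hunk is not sanitised at all, so the underscore problem this commit fixes for files persists for package names; the same normalisation should apply there. Separately, as far as I recall of the SPDX 2.2 package section the description links, `PackageLicenseInfoFromFiles` and `PackageVerificationCode` are only permitted when `FilesAnalyzed` is true, so emitting them unconditionally when `file_analyzed=False` would likely need a guard.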
