From 458613f220837eb1ecb5c45de3ee6d642d398213 Mon Sep 17 00:00:00 2001
From: Kody Stribrny
Date: Wed, 20 Dec 2023 14:19:20 -0800
Subject: [PATCH] Correct SPDX ID, add package field

SPDX ID should not contain underscore characters. Packages are required to have a declared license and license info from files field.

Ref
* https://spdx.github.io/spdx-spec/v2.2.2/file-information/#821-description
* https://spdx.github.io/spdx-spec/v2.2.2/package-information/
---
 sbom-generator/sbom_utils.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/sbom-generator/sbom_utils.py b/sbom-generator/sbom_utils.py
index a19f1c1..bb35d72 100644
--- a/sbom-generator/sbom_utils.py
+++ b/sbom-generator/sbom_utils.py
@@ -22,7 +22,7 @@ def package_hash(file_list: str) -> str:
 
 def file_writer(output, filepath: str, sha1: str, license: str, copyright='NOASSERTION', comment='NOASSERTION'):
     output.write('FileName: .'+ filepath + '\n')
-    output.write('SPDXID: SPDXRef-File'+ filepath.replace('/', '-') + '\n')
+    output.write('SPDXID: SPDXRef-File'+ filepath.replace('/', '-').replace('_', '') + '\n')
     output.write('FileChecksum: SHA1: '+ sha1 + '\n')
     output.write('LicenseConcluded: '+ license + '\n')
     output.write('FileCopyrightText: '+ copyright + '\n')
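Review bot: The added `.replace('_', '')` deletes underscores instead of mapping them, so two distinct paths can collapse onto one SPDXID (`src/a_b.c` and `src/ab.c` produce the same value), and duplicate SPDXIDs make the document invalid and leave a consumer unable to tell which `FileChecksum` belongs to which file. Characters outside the SPDX idstring alphabet (letters, digits, `.`, `-`) other than `/` and `_` — spaces, `+`, `@`, `~` — still pass through unchanged on this line. Mapping the whole disallowed class in one step and appending a short digest of the original path keeps the ID both valid and unique: `output.write('SPDXID: SPDXRef-File' + re.sub(r'[^A-Za-z0-9.-]+', '-', filepath) + '-' + hashlib.sha1(filepath.encode()).hexdigest()[:8] + '\n')`, which assumes `re` and `hashlib` are imported (the file's import block is outside the hunk).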
@@ -30,12 +30,14 @@ def file_writer(output, filepath: str, sha1: str, license: str, copyright='NOASS
     output.write('\n')
 
 def package_writer(output, packageName: str, version: str, url: str, license: str, ver_code: str, file_analyzed=True,
-                   copyright='NOASSERTION', summary='NOASSERTION', description='NOASSERTION'):
+                   copyright='NOASSERTION', summary='NOASSERTION', description='NOASSERTION', file_licenses='NOASSERTION'):
     output.write('PackageName: '+ packageName + '\n')
     output.write('SPDXID: SPDXRef-Package-'+ packageName + '\n')
     output.write('PackageVersion: '+ version + '\n')
     output.write('PackageDownloadLocation: '+ url + '\n')
+    output.write('PackageLicenseDeclared: ' + license + '\n')
     output.write('PackageLicenseConcluded: '+ license + '\n')
+    output.write('PackageLicenseInfoFromFiles: '+ file_licenses + '\n')
     output.write('FilesAnalyzed: '+ str(file_analyzed) + '\n')
     output.write('PackageVerificationCode: '+ ver_code + '\n')
     output.write('PackageCopyrightText: '+ copyright + '\n')
@@ -52,7 +54,7 @@ def doc_writer(output, version: str, name: str, creator_comment='NOASSERTION',
     output.write('SPDXID: SPDXRef-DOCUMENT\n')
     output.write('DocumentName: ' + name + '\n')
     output.write('DocumentNamespace: ' + namespace + '\n')
-    output.write('Creator: ' + CREATOR + '\n')
+    output.write('Creator: Organization:' + CREATOR + '\n')
     output.write('Created: ' + today.isoformat()[:-7] + 'Z\n')
     output.write('CreatorComment: ' + creator_comment + '\n')
     output.write('DocumentComment: ' + doc_comment + '\n')
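Review bot: The new `PackageLicenseInfoFromFiles` line is written unconditionally, but in SPDX 2.2.2 §7.14 that field is one-or-many only when FilesAnalyzed is true and must be omitted when it is false, so a `file_analyzed=False` call now emits a field the document may not contain (the same condition already applies to the `PackageVerificationCode` context line below it). Because it is a one-or-many field, a caller holding several licenses also cannot express them through a single joined string; gating the write on `file_analyzed` and accepting either a string or an iterable keeps the output valid, as sketched below. Separately, writing the one `license` argument to both `PackageLicenseDeclared` and `PackageLicenseConcluded` presents the producer's conclusion as the upstream author's declaration; when only one of the two is known the other should presumably be `NOASSERTION`, so a separate `declared_license='NOASSERTION'` keyword looks like the intended shape. `package_writer`'s body continues past the end of the hunk.
```python
    output.write('PackageLicenseConcluded: '+ license + '\n')
    if file_analyzed:
        # SPDX 2.2.2 §7.14: one line per license; the field must be omitted when FilesAnalyzed is false
        licenses = [file_licenses] if isinstance(file_licenses, str) else file_licenses
        for lic in licenses:
            output.write('PackageLicenseInfoFromFiles: ' + lic + '\n')
    output.write('FilesAnalyzed: '+ str(file_analyzed) + '\n')
    # … unchanged: remaining package fields …
```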
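Review bot: `'Creator: Organization:' + CREATOR` runs the type tag straight into the name; the SPDX 2.2.2 Creator examples put a space after the tag (`Creator: Organization: ExampleCodeInspect ()`), so unless `CREATOR` is defined with a leading space — its definition is outside the hunk — the line should read `output.write('Creator: Organization: ' + CREATOR + '\n')`. Since the document is produced by a tool, §6.8 also asks for a `Creator: Tool: <name>-<version>` entry alongside the organization, which a second write with the generator's own name and version would satisfy. On the context line below, `today.isoformat()[:-7]` assumes a microsecond component is present; `datetime.isoformat()` omits it when the value is exactly zero, in which case the slice strips the seconds instead, so `today.strftime('%Y-%m-%dT%H:%M:%SZ')` is the stable form, assuming `today` holds a UTC datetime (it is defined outside the hunk).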