Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 2c33ef8c authored by Wei Li's avatar Wei Li Committed by Automerger Merge Worker
Browse files

Merge "Fix the calculation of package verification code which should not...

Merge "Fix the calculation of package verification code which should not include algorithm information." into main am: fb55377c am: a4fb2d0b am: f9726a74

Original change: https://android-review.googlesource.com/c/platform/build/+/2688227



Change-Id: I8cc8bfa0f6f875e89ed0ca48c9c47b7e6846364b
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents aea84178 f9726a74
Loading
Loading
Loading
Loading
+22 −0
Original line number Diff line number Diff line
@@ -53,5 +53,27 @@ python_test_host {
    libs: [
        "sbom_lib",
    ],
    version: {
        py3: {
            embedded_launcher: true,
        },
    },
    test_suites: ["general-tests"],
}

python_test_host {
    name: "sbom_data_test",
    main: "sbom_data_test.py",
    srcs: [
        "sbom_data_test.py",
    ],
    libs: [
        "sbom_lib",
    ],
    version: {
        py3: {
            embedded_launcher: true,
        },
    },
    test_suites: ["general-tests"],
}
+1 −1
Original line number Diff line number Diff line
@@ -133,7 +133,7 @@ class Document:
      checksums = []
      for file in self.files:
        if file.id in package.file_ids:
          checksums.append(file.checksum)
          checksums.append(file.checksum.split(': ')[1])
      checksums.sort()
      h = hashlib.sha1()
      h.update(''.join(checksums).encode(encoding='utf-8'))
+139 −0
Original line number Diff line number Diff line
#!/usr/bin/env python3
#
# Copyright (C) 2023 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import hashlib
import unittest
import sbom_data

BUILD_FINGER_PRINT = 'build_finger_print'
SUPPLIER_GOOGLE = 'Organization: Google'
SUPPLIER_UPSTREAM = 'Organization: upstream'

SPDXID_PREBUILT_PACKAGE1 = 'SPDXRef-PREBUILT-package1'
SPDXID_SOURCE_PACKAGE1 = 'SPDXRef-SOURCE-package1'
SPDXID_UPSTREAM_PACKAGE1 = 'SPDXRef-UPSTREAM-package1'

SPDXID_FILE1 = 'SPDXRef-file1'
SPDXID_FILE2 = 'SPDXRef-file2'
SPDXID_FILE3 = 'SPDXRef-file3'
SPDXID_FILE4 = 'SPDXRef-file4'


class SBOMDataTest(unittest.TestCase):

  def setUp(self):
    # SBOM of a product
    self.sbom_doc = sbom_data.Document(name='test doc',
                                       namespace='http://www.google.com/sbom/spdx/android',
                                       creators=[SUPPLIER_GOOGLE],
                                       created='2023-03-31T22:17:58Z',
                                       describes=sbom_data.SPDXID_PRODUCT)
    self.sbom_doc.add_external_ref(
        sbom_data.DocumentExternalReference(id='DocumentRef-external_doc_ref',
                                            uri='external_doc_uri',
                                            checksum='SHA1: 1234567890'))
    self.sbom_doc.add_package(
        sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
                          name=sbom_data.PACKAGE_NAME_PRODUCT,
                          download_location=sbom_data.VALUE_NONE,
                          supplier=SUPPLIER_GOOGLE,
                          version=BUILD_FINGER_PRINT,
                          files_analyzed=True,
                          verification_code='',
                          file_ids=[SPDXID_FILE1, SPDXID_FILE2, SPDXID_FILE3, SPDXID_FILE4]))

    self.sbom_doc.add_package(
        sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
                          name=sbom_data.PACKAGE_NAME_PLATFORM,
                          download_location=sbom_data.VALUE_NONE,
                          supplier=SUPPLIER_GOOGLE,
                          version=BUILD_FINGER_PRINT,
                          ))

    self.sbom_doc.add_package(
        sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
                          name='Prebuilt package1',
                          download_location=sbom_data.VALUE_NONE,
                          supplier=SUPPLIER_GOOGLE,
                          version=BUILD_FINGER_PRINT,
                          ))

    self.sbom_doc.add_package(
        sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
                          name='Source package1',
                          download_location=sbom_data.VALUE_NONE,
                          supplier=SUPPLIER_GOOGLE,
                          version=BUILD_FINGER_PRINT,
                          external_refs=[sbom_data.PackageExternalRef(
                              category=sbom_data.PackageExternalRefCategory.SECURITY,
                              type=sbom_data.PackageExternalRefType.cpe22Type,
                              locator='cpe:/a:jsoncpp_project:jsoncpp:1.9.4')]
                          ))

    self.sbom_doc.add_package(
        sbom_data.Package(id=SPDXID_UPSTREAM_PACKAGE1,
                          name='Upstream package1',
                          supplier=SUPPLIER_UPSTREAM,
                          version='1.1',
                          ))

    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_SOURCE_PACKAGE1,
                                                          relationship=sbom_data.RelationshipType.VARIANT_OF,
                                                          id2=SPDXID_UPSTREAM_PACKAGE1))

    self.sbom_doc.files.append(
        sbom_data.File(id=SPDXID_FILE1, name='/bin/file1',
                       checksum='SHA1: 356a192b7913b04c54574d18c28d46e6395428ab'))  # sha1 hash of 1
    self.sbom_doc.files.append(
        sbom_data.File(id=SPDXID_FILE2, name='/bin/file2',
                       checksum='SHA1: da4b9237bacccdf19c0760cab7aec4a8359010b0'))  # sha1 hash of 2
    self.sbom_doc.files.append(
        sbom_data.File(id=SPDXID_FILE3, name='/bin/file3',
                       checksum='SHA1: 77de68daecd823babbb58edb1c8e14d7106e83bb'))  # sha1 hash of 3
    self.sbom_doc.files.append(
        sbom_data.File(id=SPDXID_FILE4, name='file4.a',
                       checksum='SHA1: 1b6453892473a467d07372d45eb05abc2031647a'))  # sha1 of 4

    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
                                                          relationship=sbom_data.RelationshipType.GENERATED_FROM,
                                                          id2=sbom_data.SPDXID_PLATFORM))
    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE2,
                                                          relationship=sbom_data.RelationshipType.GENERATED_FROM,
                                                          id2=SPDXID_PREBUILT_PACKAGE1))
    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE3,
                                                          relationship=sbom_data.RelationshipType.GENERATED_FROM,
                                                          id2=SPDXID_SOURCE_PACKAGE1
                                                          ))
    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
                                                          relationship=sbom_data.RelationshipType.STATIC_LINK,
                                                          id2=SPDXID_FILE4
                                                          ))

  def test_package_verification_code(self):
    checksums = []
    for file in self.sbom_doc.files:
      checksums.append(file.checksum.split(': ')[1])
      checksums.sort()
    h = hashlib.sha1()
    h.update(''.join(checksums).encode(encoding='utf-8'))
    expected_package_verification_code = h.hexdigest()

    self.sbom_doc.generate_packages_verification_code()
    self.assertEqual(expected_package_verification_code, self.sbom_doc.packages[0].verification_code)


if __name__ == '__main__':
  unittest.main(verbosity=2)