
Commit d6ff8ca1 authored by Treehugger Robot's avatar Treehugger Robot Committed by Automerger Merge Worker

Merge "Fix the following issues mentioned in Pixel SBOM review." am:...

Merge "Fix the following issues mentioned in Pixel SBOM review." am: 3fb8d2ba am: 42cfbe4f am: d488ea8f

Original change: https://android-review.googlesource.com/c/platform/build/+/2538946



Change-Id: Ib1a3f63826d04e16d879c51789e7beca08f5fd1f
Signed-off-by: default avatarAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
parents e78f998e d488ea8f
+5 −1
@@ -279,12 +279,13 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
    name, external_refs = get_source_package_info(installed_file_metadata, metadata_file_path)
    source_package_id = new_package_id(name, PKG_SOURCE)
    source_package = sbom_data.Package(id=source_package_id, name=name, version=args.build_version,
                                       download_location=sbom_data.VALUE_NONE,
                                       supplier='Organization: ' + args.product_mfr,
                                       external_refs=external_refs)

    upstream_package_id = new_package_id(name, PKG_UPSTREAM)
    upstream_package = sbom_data.Package(id=upstream_package_id, name=name, version=version,
                                         supplier='Organization: ' + homepage if homepage else None,
                                         supplier=('Organization: ' + homepage) if homepage else sbom_data.VALUE_NOASSERTION,
                                         download_location=download_location)
    packages += [source_package, upstream_package]
    relationships.append(sbom_data.Relationship(id1=source_package_id,
@@ -296,6 +297,7 @@ def get_sbom_fragments(installed_file_metadata, metadata_file_path):
    prebuilt_package_id = new_package_id(name, PKG_PREBUILT)
    prebuilt_package = sbom_data.Package(id=prebuilt_package_id,
                                         name=name,
                                         download_location=sbom_data.VALUE_NONE,
                                         version=args.build_version,
                                         supplier='Organization: ' + args.product_mfr)
    packages.append(prebuilt_package)
@@ -438,6 +440,7 @@ def main():

  product_package = sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
                                      name=sbom_data.PACKAGE_NAME_PRODUCT,
                                      download_location=sbom_data.VALUE_NONE,
                                      version=args.build_version,
                                      supplier='Organization: ' + args.product_mfr,
                                      files_analyzed=True)
@@ -445,6 +448,7 @@ def main():

  doc.packages.append(sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
                                        name=sbom_data.PACKAGE_NAME_PLATFORM,
                                        download_location=sbom_data.VALUE_NONE,
                                        version=args.build_version,
                                        supplier='Organization: ' + args.product_mfr))

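Review bot: The supplier built at L34 is derived from `homepage`, a value that comes out of the package METADATA rather than anything the build controls, and it is written into a tag-value document where a line-oriented value containing a newline would be emitted as a spurious extra tag. I cannot see from this hunk whether sbom_writers escapes such values, so if it does not, consider rejecting control characters before the concatenation, e.g. `supplier = ('Organization: ' + homepage.strip()) if homepage and '\n' not in homepage else sbom_data.VALUE_NOASSERTION`. Separately, a homepage URL is not an organization name, so a consumer matching on supplier will see a URL; a one-line comment stating that the METADATA homepage is deliberately used as the supplier would make that intent explicit. `get_sbom_fragments` starts before the first hunk and `main` continues past the last one.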
+3 −0
@@ -33,6 +33,9 @@ SPDXID_PLATFORM = 'SPDXRef-PLATFORM'
PACKAGE_NAME_PRODUCT = 'PRODUCT'
PACKAGE_NAME_PLATFORM = 'PLATFORM'

VALUE_NOASSERTION = 'NOASSERTION'
VALUE_NONE = 'NONE'


class PackageExternalRefCategory:
  SECURITY = 'SECURITY'
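Review bot: The two constants added at L68-L69 carry different SPDX meanings that the names alone do not convey, and this change makes the distinction matter: the product, platform and prebuilt packages are given NONE while the writers fall back to NOASSERTION. A short comment above them would stop the next author from treating them as interchangeable, e.g. `# SPDX sentinel values: NONE asserts the field has no value (nothing to download); NOASSERTION means the SBOM author makes no claim either way.`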
+2 −2
@@ -86,7 +86,7 @@ class TagValueWriter:

  @staticmethod
  def marshal_package(package):
    download_location = 'NONE'
    download_location = sbom_data.VALUE_NOASSERTION
    if package.download_location:
      download_location = package.download_location
    tagvalues = [
@@ -296,7 +296,7 @@ class JSONWriter:
      package = {
        PropNames.NAME: p.name,
        PropNames.SPDXID: p.id,
        PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else 'NONE',
        PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else sbom_data.VALUE_NOASSERTION,
        PropNames.FILES_ANALYZED: p.files_analyzed
      }
      if p.version:
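Review bot: The fallback to `sbom_data.VALUE_NOASSERTION` is now duplicated in `marshal_package` at L81 and in the JSONWriter at L90, so the tag-value and JSON outputs can silently diverge the next time one of them is edited; it also means a Package whose download_location is an empty string is reported as "unknown" rather than surfaced as a data error. If `sbom_data.Package` is a dataclass (its definition is not in this hunk), giving `download_location` a default of `sbom_data.VALUE_NOASSERTION` there and dropping both writer-side conditionals would keep one source of truth. Both methods continue beyond the hunk.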
+5 −0
@@ -49,6 +49,7 @@ class SBOMWritersTest(unittest.TestCase):
    self.sbom_doc.add_package(
      sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
                        name=sbom_data.PACKAGE_NAME_PRODUCT,
                        download_location=sbom_data.VALUE_NONE,
                        supplier=SUPPLIER_GOOGLE,
                        version=BUILD_FINGER_PRINT,
                        files_analyzed=True,
@@ -58,6 +59,7 @@ class SBOMWritersTest(unittest.TestCase):
    self.sbom_doc.add_package(
      sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
                        name=sbom_data.PACKAGE_NAME_PLATFORM,
                        download_location=sbom_data.VALUE_NONE,
                        supplier=SUPPLIER_GOOGLE,
                        version=BUILD_FINGER_PRINT,
                        ))
@@ -65,6 +67,7 @@ class SBOMWritersTest(unittest.TestCase):
    self.sbom_doc.add_package(
      sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
                        name='Prebuilt package1',
                        download_location=sbom_data.VALUE_NONE,
                        supplier=SUPPLIER_GOOGLE,
                        version=BUILD_FINGER_PRINT,
                        ))
@@ -72,6 +75,7 @@ class SBOMWritersTest(unittest.TestCase):
    self.sbom_doc.add_package(
      sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
                        name='Source package1',
                        download_location=sbom_data.VALUE_NONE,
                        supplier=SUPPLIER_GOOGLE,
                        version=BUILD_FINGER_PRINT,
                        external_refs=[sbom_data.PackageExternalRef(
@@ -121,6 +125,7 @@ class SBOMWritersTest(unittest.TestCase):
    self.unbundled_sbom_doc.add_package(
      sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
                        name='Unbundled apk package',
                        download_location=sbom_data.VALUE_NONE,
                        supplier=SUPPLIER_GOOGLE,
                        version=BUILD_FINGER_PRINT))
    self.unbundled_sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
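Review bot: Every fixture touched here pins download_location to `VALUE_NONE` (L100, L108, L116, L124, L132), so nothing in this test exercises the writers' new NOASSERTION fallback directly; the only coverage appears to come from the upstream package fixture, which is outside the hunk. An explicit case that constructs a Package without download_location and asserts both writers emit `NOASSERTION` would lock in the behaviour this commit changes.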
+1 −1
@@ -74,7 +74,7 @@
        {
            "name": "Upstream package1",
            "SPDXID": "SPDXRef-UPSTREAM-package1",
            "downloadLocation": "NONE",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": false,
            "versionInfo": "1.1",
            "supplier": "Organization: upstream"