Fix the calculation of package verification code which should not include algorithm information. (f99db997) · Commits · e / os / android_build

tools/sbom/Android.bp

+22 −0

Original line number	Diff line number	Diff line
		@@ -53,5 +53,27 @@ python_test_host {
		libs: [
		"sbom_lib",
		],
		version: {
		py3: {
		embedded_launcher: true,
		},
		},
		test_suites: ["general-tests"],
		}

		python_test_host {
		name: "sbom_data_test",
		main: "sbom_data_test.py",
		srcs: [
		"sbom_data_test.py",
		],
		libs: [
		"sbom_lib",
		],
		version: {
		py3: {
		embedded_launcher: true,
		},
		},
		test_suites: ["general-tests"],
		}

tools/sbom/sbom_data.py

+1 −1

Original line number	Diff line number	Diff line
		@@ -133,7 +133,7 @@ class Document:
		checksums = []
		for file in self.files:
		if file.id in package.file_ids:
		checksums.append(file.checksum)
		checksums.append(file.checksum.split(': ')[1])
		checksums.sort()
		h = hashlib.sha1()
		h.update(''.join(checksums).encode(encoding='utf-8'))

tools/sbom/sbom_data_test.py

0 → 100644

+139 −0

Original line number	Diff line number	Diff line
		#!/usr/bin/env python3
		#
		# Copyright (C) 2023 The Android Open Source Project
		#
		# Licensed under the Apache License, Version 2.0 (the "License");
		# you may not use this file except in compliance with the License.
		# You may obtain a copy of the License at
		#
		# http://www.apache.org/licenses/LICENSE-2.0
		#
		# Unless required by applicable law or agreed to in writing, software
		# distributed under the License is distributed on an "AS IS" BASIS,
		# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		# See the License for the specific language governing permissions and
		# limitations under the License.

		import hashlib
		import unittest
		import sbom_data

		BUILD_FINGER_PRINT = 'build_finger_print'
		SUPPLIER_GOOGLE = 'Organization: Google'
		SUPPLIER_UPSTREAM = 'Organization: upstream'

		SPDXID_PREBUILT_PACKAGE1 = 'SPDXRef-PREBUILT-package1'
		SPDXID_SOURCE_PACKAGE1 = 'SPDXRef-SOURCE-package1'
		SPDXID_UPSTREAM_PACKAGE1 = 'SPDXRef-UPSTREAM-package1'

		SPDXID_FILE1 = 'SPDXRef-file1'
		SPDXID_FILE2 = 'SPDXRef-file2'
		SPDXID_FILE3 = 'SPDXRef-file3'
		SPDXID_FILE4 = 'SPDXRef-file4'


		class SBOMDataTest(unittest.TestCase):

		def setUp(self):
		# SBOM of a product
		self.sbom_doc = sbom_data.Document(name='test doc',
		namespace='http://www.google.com/sbom/spdx/android',
		creators=[SUPPLIER_GOOGLE],
		created='2023-03-31T22:17:58Z',
		describes=sbom_data.SPDXID_PRODUCT)
		self.sbom_doc.add_external_ref(
		sbom_data.DocumentExternalReference(id='DocumentRef-external_doc_ref',
		uri='external_doc_uri',
		checksum='SHA1: 1234567890'))
		self.sbom_doc.add_package(
		sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
		name=sbom_data.PACKAGE_NAME_PRODUCT,
		download_location=sbom_data.VALUE_NONE,
		supplier=SUPPLIER_GOOGLE,
		version=BUILD_FINGER_PRINT,
		files_analyzed=True,
		verification_code='',
		file_ids=[SPDXID_FILE1, SPDXID_FILE2, SPDXID_FILE3, SPDXID_FILE4]))

		self.sbom_doc.add_package(
		sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
		name=sbom_data.PACKAGE_NAME_PLATFORM,
		download_location=sbom_data.VALUE_NONE,
		supplier=SUPPLIER_GOOGLE,
		version=BUILD_FINGER_PRINT,
		))

		self.sbom_doc.add_package(
		sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
		name='Prebuilt package1',
		download_location=sbom_data.VALUE_NONE,
		supplier=SUPPLIER_GOOGLE,
		version=BUILD_FINGER_PRINT,
		))

		self.sbom_doc.add_package(
		sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
		name='Source package1',
		download_location=sbom_data.VALUE_NONE,
		supplier=SUPPLIER_GOOGLE,
		version=BUILD_FINGER_PRINT,
		external_refs=[sbom_data.PackageExternalRef(
		category=sbom_data.PackageExternalRefCategory.SECURITY,
		type=sbom_data.PackageExternalRefType.cpe22Type,
		locator='cpe:/a:jsoncpp_project:jsoncpp:1.9.4')]
		))

		self.sbom_doc.add_package(
		sbom_data.Package(id=SPDXID_UPSTREAM_PACKAGE1,
		name='Upstream package1',
		supplier=SUPPLIER_UPSTREAM,
		version='1.1',
		))

		self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_SOURCE_PACKAGE1,
		relationship=sbom_data.RelationshipType.VARIANT_OF,
		id2=SPDXID_UPSTREAM_PACKAGE1))

		self.sbom_doc.files.append(
		sbom_data.File(id=SPDXID_FILE1, name='/bin/file1',
		checksum='SHA1: 356a192b7913b04c54574d18c28d46e6395428ab')) # sha1 hash of 1
		self.sbom_doc.files.append(
		sbom_data.File(id=SPDXID_FILE2, name='/bin/file2',
		checksum='SHA1: da4b9237bacccdf19c0760cab7aec4a8359010b0')) # sha1 hash of 2
		self.sbom_doc.files.append(
		sbom_data.File(id=SPDXID_FILE3, name='/bin/file3',
		checksum='SHA1: 77de68daecd823babbb58edb1c8e14d7106e83bb')) # sha1 hash of 3
		self.sbom_doc.files.append(
		sbom_data.File(id=SPDXID_FILE4, name='file4.a',
		checksum='SHA1: 1b6453892473a467d07372d45eb05abc2031647a')) # sha1 of 4

		self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
		relationship=sbom_data.RelationshipType.GENERATED_FROM,
		id2=sbom_data.SPDXID_PLATFORM))
		self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE2,
		relationship=sbom_data.RelationshipType.GENERATED_FROM,
		id2=SPDXID_PREBUILT_PACKAGE1))
		self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE3,
		relationship=sbom_data.RelationshipType.GENERATED_FROM,
		id2=SPDXID_SOURCE_PACKAGE1
		))
		self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
		relationship=sbom_data.RelationshipType.STATIC_LINK,
		id2=SPDXID_FILE4
		))

		def test_package_verification_code(self):
		checksums = []
		for file in self.sbom_doc.files:
		checksums.append(file.checksum.split(': ')[1])
		checksums.sort()
		h = hashlib.sha1()
		h.update(''.join(checksums).encode(encoding='utf-8'))
		expected_package_verification_code = h.hexdigest()

		self.sbom_doc.generate_packages_verification_code()
		self.assertEqual(expected_package_verification_code, self.sbom_doc.packages[0].verification_code)


		if __name__ == '__main__':
		unittest.main(verbosity=2)