Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f99db997 authored by Wei Li's avatar Wei Li
Browse files

Fix the calculation of package verification code which should not include algorithm information.

Bug: 293304694
Test: atest --host sbom_data_test
Test: build/soong/tests/sbom_test.sh
Change-Id: I94ea42284a9a6b5cc787a3489bfa575aa7663282
parent 9997fdba
Loading
Loading
Loading
Loading
+22 −0
Original line number Diff line number Diff line
@@ -53,5 +53,27 @@ python_test_host {
    libs: [
        "sbom_lib",
    ],
    version: {
        py3: {
            embedded_launcher: true,
        },
    },
    test_suites: ["general-tests"],
}

python_test_host {
    name: "sbom_data_test",
    main: "sbom_data_test.py",
    srcs: [
        "sbom_data_test.py",
    ],
    libs: [
        "sbom_lib",
    ],
    version: {
        py3: {
            embedded_launcher: true,
        },
    },
    test_suites: ["general-tests"],
}
+1 −1
Original line number Diff line number Diff line
@@ -133,7 +133,7 @@ class Document:
      checksums = []
      for file in self.files:
        if file.id in package.file_ids:
          checksums.append(file.checksum)
          checksums.append(file.checksum.split(': ')[1])
      checksums.sort()
      h = hashlib.sha1()
      h.update(''.join(checksums).encode(encoding='utf-8'))
+139 −0
Original line number Diff line number Diff line
#!/usr/bin/env python3
#
# Copyright (C) 2023 The Android Open Source Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

import hashlib
import unittest
import sbom_data

BUILD_FINGER_PRINT = 'build_finger_print'
SUPPLIER_GOOGLE = 'Organization: Google'
SUPPLIER_UPSTREAM = 'Organization: upstream'

SPDXID_PREBUILT_PACKAGE1 = 'SPDXRef-PREBUILT-package1'
SPDXID_SOURCE_PACKAGE1 = 'SPDXRef-SOURCE-package1'
SPDXID_UPSTREAM_PACKAGE1 = 'SPDXRef-UPSTREAM-package1'

SPDXID_FILE1 = 'SPDXRef-file1'
SPDXID_FILE2 = 'SPDXRef-file2'
SPDXID_FILE3 = 'SPDXRef-file3'
SPDXID_FILE4 = 'SPDXRef-file4'


class SBOMDataTest(unittest.TestCase):

  def setUp(self):
    # SBOM of a product
    self.sbom_doc = sbom_data.Document(name='test doc',
                                       namespace='http://www.google.com/sbom/spdx/android',
                                       creators=[SUPPLIER_GOOGLE],
                                       created='2023-03-31T22:17:58Z',
                                       describes=sbom_data.SPDXID_PRODUCT)
    self.sbom_doc.add_external_ref(
        sbom_data.DocumentExternalReference(id='DocumentRef-external_doc_ref',
                                            uri='external_doc_uri',
                                            checksum='SHA1: 1234567890'))
    self.sbom_doc.add_package(
        sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
                          name=sbom_data.PACKAGE_NAME_PRODUCT,
                          download_location=sbom_data.VALUE_NONE,
                          supplier=SUPPLIER_GOOGLE,
                          version=BUILD_FINGER_PRINT,
                          files_analyzed=True,
                          verification_code='',
                          file_ids=[SPDXID_FILE1, SPDXID_FILE2, SPDXID_FILE3, SPDXID_FILE4]))

    self.sbom_doc.add_package(
        sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
                          name=sbom_data.PACKAGE_NAME_PLATFORM,
                          download_location=sbom_data.VALUE_NONE,
                          supplier=SUPPLIER_GOOGLE,
                          version=BUILD_FINGER_PRINT,
                          ))

    self.sbom_doc.add_package(
        sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
                          name='Prebuilt package1',
                          download_location=sbom_data.VALUE_NONE,
                          supplier=SUPPLIER_GOOGLE,
                          version=BUILD_FINGER_PRINT,
                          ))

    self.sbom_doc.add_package(
        sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
                          name='Source package1',
                          download_location=sbom_data.VALUE_NONE,
                          supplier=SUPPLIER_GOOGLE,
                          version=BUILD_FINGER_PRINT,
                          external_refs=[sbom_data.PackageExternalRef(
                              category=sbom_data.PackageExternalRefCategory.SECURITY,
                              type=sbom_data.PackageExternalRefType.cpe22Type,
                              locator='cpe:/a:jsoncpp_project:jsoncpp:1.9.4')]
                          ))

    self.sbom_doc.add_package(
        sbom_data.Package(id=SPDXID_UPSTREAM_PACKAGE1,
                          name='Upstream package1',
                          supplier=SUPPLIER_UPSTREAM,
                          version='1.1',
                          ))

    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_SOURCE_PACKAGE1,
                                                          relationship=sbom_data.RelationshipType.VARIANT_OF,
                                                          id2=SPDXID_UPSTREAM_PACKAGE1))

    self.sbom_doc.files.append(
        sbom_data.File(id=SPDXID_FILE1, name='/bin/file1',
                       checksum='SHA1: 356a192b7913b04c54574d18c28d46e6395428ab'))  # sha1 hash of 1
    self.sbom_doc.files.append(
        sbom_data.File(id=SPDXID_FILE2, name='/bin/file2',
                       checksum='SHA1: da4b9237bacccdf19c0760cab7aec4a8359010b0'))  # sha1 hash of 2
    self.sbom_doc.files.append(
        sbom_data.File(id=SPDXID_FILE3, name='/bin/file3',
                       checksum='SHA1: 77de68daecd823babbb58edb1c8e14d7106e83bb'))  # sha1 hash of 3
    self.sbom_doc.files.append(
        sbom_data.File(id=SPDXID_FILE4, name='file4.a',
                       checksum='SHA1: 1b6453892473a467d07372d45eb05abc2031647a'))  # sha1 of 4

    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
                                                          relationship=sbom_data.RelationshipType.GENERATED_FROM,
                                                          id2=sbom_data.SPDXID_PLATFORM))
    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE2,
                                                          relationship=sbom_data.RelationshipType.GENERATED_FROM,
                                                          id2=SPDXID_PREBUILT_PACKAGE1))
    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE3,
                                                          relationship=sbom_data.RelationshipType.GENERATED_FROM,
                                                          id2=SPDXID_SOURCE_PACKAGE1
                                                          ))
    self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
                                                          relationship=sbom_data.RelationshipType.STATIC_LINK,
                                                          id2=SPDXID_FILE4
                                                          ))

  def test_package_verification_code(self):
    checksums = []
    for file in self.sbom_doc.files:
      checksums.append(file.checksum.split(': ')[1])
      checksums.sort()
    h = hashlib.sha1()
    h.update(''.join(checksums).encode(encoding='utf-8'))
    expected_package_verification_code = h.hexdigest()

    self.sbom_doc.generate_packages_verification_code()
    self.assertEqual(expected_package_verification_code, self.sbom_doc.packages[0].verification_code)


if __name__ == '__main__':
  unittest.main(verbosity=2)