Merge pull request #14 from RedHatProductSecurity/container-sbom-fixes

Fixes for container image SBOMs
RedHatProductSecurity · Aug 15, 2024 · 1a38449 · 1a38449
2 parents c517dae + 77a6ad3
commit 1a38449
Show file tree

Hide file tree

Showing 10 changed files with 21 additions and 7 deletions.
diff --git a/sbom/examples/container_image/from_catalog.py b/sbom/examples/container_image/from_catalog.py
@@ -60,6 +60,7 @@ def create_sbom(doc_id, image_id, root_package, packages, rel_type):
             ],
         },
         "name": image_id,
+        "documentNamespace": f"https://www.redhat.com/{image_id}.spdx.json",
         "packages": [root_package] + packages,
         "relationships": relationships,
     }
@@ -113,9 +114,13 @@ def generate_sboms_for_image(image_nvr):
 
         # Get license information from labels if it is set
         image_license = "NOASSERTION"
+        spdx_license_ids = {
+            "Apache License 2.0": "Apache-2.0",
+        }
         for label in image["parsed_data"]["labels"]:
             if label["name"].lower() == "license":
                 image_license = label["value"]
+                image_license = spdx_license_ids.get(image_license, image_license)
 
         # Create an index image object, but since all arch-specific images are descendents of one
         # and the same index image, we only have to create it once. Its SBOM is created at the

diff --git a/sbom/examples/container_image/kernel-module-management-operator-container-1.1.2-25.spdx.json b/sbom/examples/container_image/kernel-module-management-operator-container-1.1.2-25.spdx.json
@@ -9,14 +9,15 @@
     ]
   },
   "name": "kernel-module-management-operator-container-1.1.2-25",
+  "documentNamespace": "https://www.redhat.com/kernel-module-management-operator-container-1.1.2-25.spdx.json",
   "packages": [
     {
       "SPDXID": "SPDXRef-image-index",
       "name": "kernel-module-management-operator-container",
       "versionInfo": "1.1.2-25",
       "supplier": "Organization: Red Hat",
       "downloadLocation": "NOASSERTION",
-      "licenseDeclared": "Apache License 2.0",
+      "licenseDeclared": "Apache-2.0",
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE-MANAGER",
@@ -37,7 +38,7 @@
       "versionInfo": "1.1.2-25",
       "supplier": "Organization: Red Hat",
       "downloadLocation": "NOASSERTION",
-      "licenseDeclared": "Apache License 2.0",
+      "licenseDeclared": "Apache-2.0",
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE-MANAGER",
@@ -58,7 +59,7 @@
       "versionInfo": "1.1.2-25",
       "supplier": "Organization: Red Hat",
       "downloadLocation": "NOASSERTION",
-      "licenseDeclared": "Apache License 2.0",
+      "licenseDeclared": "Apache-2.0",
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE-MANAGER",
@@ -79,7 +80,7 @@
       "versionInfo": "1.1.2-25",
       "supplier": "Organization: Red Hat",
       "downloadLocation": "NOASSERTION",
-      "licenseDeclared": "Apache License 2.0",
+      "licenseDeclared": "Apache-2.0",
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE-MANAGER",

diff --git a/...ples/container_image/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json b/...ples/container_image/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json
@@ -9,14 +9,15 @@
     ]
   },
   "name": "kernel-module-management-operator-container-1.1.2-25_amd64",
+  "documentNamespace": "https://www.redhat.com/kernel-module-management-operator-container-1.1.2-25_amd64.spdx.json",
   "packages": [
     {
       "SPDXID": "SPDXRef-kernel-module-management-operator-container-amd64",
       "name": "kernel-module-management-operator-container_amd64",
       "versionInfo": "1.1.2-25",
       "supplier": "Organization: Red Hat",
       "downloadLocation": "NOASSERTION",
-      "licenseDeclared": "Apache License 2.0",
+      "licenseDeclared": "Apache-2.0",
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE-MANAGER",

diff --git a/...ples/container_image/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json b/...ples/container_image/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json
@@ -9,14 +9,15 @@
     ]
   },
   "name": "kernel-module-management-operator-container-1.1.2-25_arm64",
+  "documentNamespace": "https://www.redhat.com/kernel-module-management-operator-container-1.1.2-25_arm64.spdx.json",
   "packages": [
     {
       "SPDXID": "SPDXRef-kernel-module-management-operator-container-arm64",
       "name": "kernel-module-management-operator-container_arm64",
       "versionInfo": "1.1.2-25",
       "supplier": "Organization: Red Hat",
       "downloadLocation": "NOASSERTION",
-      "licenseDeclared": "Apache License 2.0",
+      "licenseDeclared": "Apache-2.0",
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE-MANAGER",

diff --git a/...es/container_image/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json b/...es/container_image/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json
@@ -9,14 +9,15 @@
     ]
   },
   "name": "kernel-module-management-operator-container-1.1.2-25_ppc64le",
+  "documentNamespace": "https://www.redhat.com/kernel-module-management-operator-container-1.1.2-25_ppc64le.spdx.json",
   "packages": [
     {
       "SPDXID": "SPDXRef-kernel-module-management-operator-container-ppc64le",
       "name": "kernel-module-management-operator-container_ppc64le",
       "versionInfo": "1.1.2-25",
       "supplier": "Organization: Red Hat",
       "downloadLocation": "NOASSERTION",
-      "licenseDeclared": "Apache License 2.0",
+      "licenseDeclared": "Apache-2.0",
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE-MANAGER",

diff --git a/sbom/examples/container_image/ubi9-micro-container-9.4-6.1716471860.spdx.json b/sbom/examples/container_image/ubi9-micro-container-9.4-6.1716471860.spdx.json
@@ -9,6 +9,7 @@
     ]
   },
   "name": "ubi9-micro-container-9.4-6.1716471860",
+  "documentNamespace": "https://www.redhat.com/ubi9-micro-container-9.4-6.1716471860.spdx.json",
   "packages": [
     {
       "SPDXID": "SPDXRef-image-index",

diff --git a/sbom/examples/container_image/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json b/sbom/examples/container_image/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json
@@ -9,6 +9,7 @@
     ]
   },
   "name": "ubi9-micro-container-9.4-6.1716471860_amd64",
+  "documentNamespace": "https://www.redhat.com/ubi9-micro-container-9.4-6.1716471860_amd64.spdx.json",
   "packages": [
     {
       "SPDXID": "SPDXRef-ubi9-micro-container-amd64",

diff --git a/sbom/examples/container_image/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json b/sbom/examples/container_image/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json
@@ -9,6 +9,7 @@
     ]
   },
   "name": "ubi9-micro-container-9.4-6.1716471860_arm64",
+  "documentNamespace": "https://www.redhat.com/ubi9-micro-container-9.4-6.1716471860_arm64.spdx.json",
   "packages": [
     {
       "SPDXID": "SPDXRef-ubi9-micro-container-arm64",

diff --git a/sbom/examples/container_image/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json b/sbom/examples/container_image/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json
@@ -9,6 +9,7 @@
     ]
   },
   "name": "ubi9-micro-container-9.4-6.1716471860_ppc64le",
+  "documentNamespace": "https://www.redhat.com/ubi9-micro-container-9.4-6.1716471860_ppc64le.spdx.json",
   "packages": [
     {
       "SPDXID": "SPDXRef-ubi9-micro-container-ppc64le",

diff --git a/sbom/examples/container_image/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json b/sbom/examples/container_image/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json
@@ -9,6 +9,7 @@
     ]
   },
   "name": "ubi9-micro-container-9.4-6.1716471860_s390x",
+  "documentNamespace": "https://www.redhat.com/ubi9-micro-container-9.4-6.1716471860_s390x.spdx.json",
   "packages": [
     {
       "SPDXID": "SPDXRef-ubi9-micro-container-s390x",