add distgit url to sources if upstream not found

RedHatProductSecurity · Oct 11, 2024 · 78d88fc · 78d88fc
1 parent 153cb16
commit 78d88fc
Show file tree

Hide file tree

Showing 4 changed files with 119 additions and 25 deletions.
diff --git a/sbom/examples/rpm/build/from-koji.py b/sbom/examples/rpm/build/from-koji.py
@@ -177,7 +177,7 @@ def mock_openssl_midstream(sfn, source, sname, sver):
     return url
 
 
-def handle_srpm(filename, name):
+def handle_srpm(filename, name, build_source):
     with TemporaryDirectory(dir=os.getcwd()) as srcdir:
         subprocess.run(
             check=True,
@@ -262,7 +262,15 @@ def handle_srpm(filename, name):
                     sha256.update(data)
 
             if url is None or ":" not in url:
-                url = "NOASSERTION"
+                # Use the internal source repository url because we couldn't determine the upstream
+                build_source_parts = build_source.rsplit("#", 1)
+                # Hide the actual internal source repository url
+                build_source_name = re.sub(
+                    r"(git\+https://).*redhat.com(.*)",
+                    r"\g<1>internal.com\g<2>",
+                    build_source_parts[0]
+                )
+                url = f"{build_source_name}#{build_source_parts[-1]}"
 
             sref = f"SPDXRef-{source}"
             digest = sha256.hexdigest()
@@ -281,15 +289,15 @@ def handle_srpm(filename, name):
             }
             if not sver:
                 del spackage["versioninfo"]
-            if url != "NOASSERTION":
-                purl = f"pkg:generic/{name}@{version}?download_url={url}"
-                spackage["externalRefs"] = [
-                    {
-                        "referenceCategory": "PACKAGE-MANAGER",
-                        "referenceType": "purl",
-                        "referenceLocator": purl,
-                    }
-                ]
+
+            purl = f"pkg:generic/{name}@{version}?download_url={url}"
+            spackage["externalRefs"] = [
+                {
+                    "referenceCategory": "PACKAGE-MANAGER",
+                    "referenceType": "purl",
+                    "referenceLocator": purl,
+                }
+            ]
             pkgs_by_arch.setdefault(arch, []).append(spackage)
 
             relationships.append(
@@ -373,7 +381,7 @@ def handle_srpm(filename, name):
                 "relatedSpdxElement": spdxid,
             }
         )
-        handle_srpm(filename, name)
+        handle_srpm(filename, name, build["source"])
     else:
         relationships.append(
             {

diff --git a/sbom/examples/rpm/build/openshift-pipelines-client-1.14.3-11352.el8.spdx.json b/sbom/examples/rpm/build/openshift-pipelines-client-1.14.3-11352.el8.spdx.json
@@ -18714,39 +18714,60 @@
       "SPDXID": "SPDXRef-Source0",
       "name": "tektoncd-cli",
       "versionInfo": "4854f37a16f947b763bdd9dbdc5bca259a24141e",
-      "downloadLocation": "NOASSERTION",
+      "downloadLocation": "git+https://internal.com/git/rpms/tektoncd-cli#bbc151c8acc1fb97c053c976dcf69c7fd2e67442",
       "packageFileName": "tektoncd-cli-4854f37a16f947b763bdd9dbdc5bca259a24141e.tar.gz",
       "checksums": [
         {
           "algorithm": "SHA256",
           "checksumValue": "aabc96f5ad3ca2cd8a87f02cfd8a7faff79f98e3e3f065b56cce3e57374a1ad5"
         }
+      ],
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:generic/[email protected]?download_url=git+https://internal.com/git/rpms/tektoncd-cli#bbc151c8acc1fb97c053c976dcf69c7fd2e67442"
+        }
       ]
     },
     {
       "SPDXID": "SPDXRef-Source1",
       "name": "pipelines-as-code",
       "versionInfo": "f08a73c1bddd041b57577b47e72d98387e0b939b",
-      "downloadLocation": "NOASSERTION",
+      "downloadLocation": "git+https://internal.com/git/rpms/tektoncd-cli#bbc151c8acc1fb97c053c976dcf69c7fd2e67442",
       "packageFileName": "pipelines-as-code-f08a73c1bddd041b57577b47e72d98387e0b939b.tar.gz",
       "checksums": [
         {
           "algorithm": "SHA256",
           "checksumValue": "7ff2b20e48203607d160198a9e4820a48fd7ed18ac44973c078b48a4f5ab7888"
         }
+      ],
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:generic/[email protected]?download_url=git+https://internal.com/git/rpms/tektoncd-cli#bbc151c8acc1fb97c053c976dcf69c7fd2e67442"
+        }
       ]
     },
     {
       "SPDXID": "SPDXRef-Source2",
       "name": "openshift-pipelines-opc",
       "versionInfo": "5c8cced44956893695bac7666ffe6bb3642f8aef",
-      "downloadLocation": "NOASSERTION",
+      "downloadLocation": "git+https://internal.com/git/rpms/tektoncd-cli#bbc151c8acc1fb97c053c976dcf69c7fd2e67442",
       "packageFileName": "openshift-pipelines-opc-5c8cced44956893695bac7666ffe6bb3642f8aef.tar.gz",
       "checksums": [
         {
           "algorithm": "SHA256",
           "checksumValue": "0fb52748f4b2868782fab0f3a3c680d238c061c164b8854a89681c99b357cf33"
         }
+      ],
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:generic/[email protected]?download_url=git+https://internal.com/git/rpms/tektoncd-cli#bbc151c8acc1fb97c053c976dcf69c7fd2e67442"
+        }
       ]
     },
     {
@@ -18994,10 +19015,17 @@
     {
       "fileName": "/go.mod",
       "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "61e310ee28d636ae56f3bd5b58308385cb4be6e5"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "e8545aa76ef2e12ae5217094aec34a484a89e2a03b6fbd2a462cc8fd95912c07"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19009,10 +19037,17 @@
     {
       "fileName": "/tools/go.mod",
       "SPDXID": "SPDXRef-File-tools-go.mod-9a8d257e44c7907a",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "1f22db3942a1f6f65156bd3fe1d7bf977c7277a8"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "a1d0f7714175923c352600d162681cf6ed1d5a100a2f05d4953354f5d6bc51c8"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19024,10 +19059,17 @@
     {
       "fileName": "/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt",
       "SPDXID": "SPDXRef-File-...go-tuf-requirements-test.txt-8c7951abcf93b096",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "e165e5712c8c96df7c42b3abdcadf405a6934819"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "4c3e2e90d140cef32beb9c97a8ef711e7655da767648d2b2844f4a6979872ff3"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19039,10 +19081,17 @@
     {
       "fileName": "/vendor/go.opentelemetry.io/otel/requirements.txt",
       "SPDXID": "SPDXRef-File-...otel-requirements.txt-b69fd806af1e91ad",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "68bdb1034b31d05232669762f2be7f56fff5d849"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "1ed38028659fda92b4f34d11c83bc4f8669526f84ef6f4fbc6c24f03b2c42ead"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19054,10 +19103,17 @@
     {
       "fileName": "/go.mod",
       "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "61e119e3ec020c03afca7138b9a716c954726032"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "86eae4213ebf7a97720650b7753ac0db444c9669d5849741ad568e134e35c255"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19069,10 +19125,17 @@
     {
       "fileName": "/go.mod",
       "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "96208d53013a00d87da290fb15f29ff76621bb8f"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "2af9d1fe8ad92c27ab71c0a1195800e5fc9f990ea14cb5c6278963bb1856eab9"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19084,10 +19147,17 @@
     {
       "fileName": "/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt",
       "SPDXID": "SPDXRef-File-...go-tuf-requirements-test.txt-8c7951abcf93b096",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "e165e5712c8c96df7c42b3abdcadf405a6934819"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "4c3e2e90d140cef32beb9c97a8ef711e7655da767648d2b2844f4a6979872ff3"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19099,10 +19169,17 @@
     {
       "fileName": "/vendor/go.opentelemetry.io/otel/requirements.txt",
       "SPDXID": "SPDXRef-File-...otel-requirements.txt-b69fd806af1e91ad",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "68bdb1034b31d05232669762f2be7f56fff5d849"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "1ed38028659fda92b4f34d11c83bc4f8669526f84ef6f4fbc6c24f03b2c42ead"
         }
       ],
       "licenseConcluded": "NOASSERTION",

diff --git a/sbom/examples/rpm/build/openssl-3.0.7-18.el9_2.spdx.json b/sbom/examples/rpm/build/openssl-3.0.7-18.el9_2.spdx.json
@@ -57,7 +57,9 @@
         {
           "referenceCategory": "PACKAGE-MANAGER",
           "referenceType": "purl",
-          "referenceLocator": "pkg:generic/[email protected]?download_url=https://openssl.org/source/openssl-3.0.7.tar.gz&checksum=sha256:83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e"
+          "referenceLocator": [
+            "pkg:generic/[email protected]?download_url=https://openssl.org/source/openssl-3.0.7.tar.gz&checksum=sha256:83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e"
+          ]
         }
       ]
     },

diff --git a/sbom/examples/rpm/build/poppler-21.01.0-19.el9.spdx.json b/sbom/examples/rpm/build/poppler-21.01.0-19.el9.spdx.json
@@ -65,13 +65,20 @@
       "SPDXID": "SPDXRef-Source1",
       "name": "poppler-test",
       "versionInfo": "2021-06-14",
-      "downloadLocation": "NOASSERTION",
+      "downloadLocation": "git+https://internal.com/git/rpms/poppler#6ed06c877cd332127601017554e4c8c243ce3ba9",
       "packageFileName": "poppler-test-2021-06-14.tar.xz",
       "checksums": [
         {
           "algorithm": "SHA256",
           "checksumValue": "f811f0ae9bef8cd2430e024073134a68ddb05aa04e69635fb814f87f6acbd4a3"
         }
+      ],
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:generic/[email protected]?download_url=git+https://internal.com/git/rpms/poppler#6ed06c877cd332127601017554e4c8c243ce3ba9"
+        }
       ]
     },
     {