add cpe data to srpms

RedHatProductSecurity · Oct 17, 2024 · 8bb2243 · 8bb2243
1 parent 303e577
commit 8bb2243
Show file tree

Hide file tree

Showing 4 changed files with 268 additions and 0 deletions.
diff --git a/sbom/examples/rpm/release/add_release_data.py b/sbom/examples/rpm/release/add_release_data.py
@@ -3,6 +3,124 @@
 
 from packageurl import PackageURL
 
+# With help from https://security.access.redhat.com/data/meta/v1/repository-to-cpe.json
+product_map = {
+    "openshift-pipelines-client-1.14.3-11352.el8": [
+        {
+            "SPDXID": "SPDXRef-OpenShift-Pipelines-1.15-RHEL-8",
+            "name": "Red Hat OpenShift Pipelines",
+            "versionInfo": "1.15-RHEL-8",
+            "supplier": "Organization: Red Hat",
+            "downloadLocation": "NOASSERTION",
+            "licenseConcluded": "NOASSERTION",
+            "externalRefs": [
+              {
+                "referenceCategory": "SECURITY",
+                "referenceLocator": "cpe:/a:redhat:openshift_pipelines:1.15::el8",
+                "referenceType": "cpe22Type"
+              }
+            ]
+        }
+    ],
+    "openssl-3.0.7-18.el9_2": [
+        # product_versions/1884/variants/4138
+        {
+            "SPDXID": "SPDXRef-AppStream-9.2.0.Z.EUS",
+            "name": "Red Hat Enterprise Linux",
+            "versionInfo": "9.2.0.Z.EUS",
+            "supplier": "Organization: Red Hat",
+            "downloadLocation": "NOASSERTION",
+            "licenseConcluded": "NOASSERTION",
+            "externalRefs": [
+              {
+                "referenceCategory": "SECURITY",
+                "referenceLocator": "cpe:/a:redhat:rhel_eus:9.2::appstream",
+                "referenceType": "cpe22Type"
+              }
+            ]
+        },
+        {
+            "SPDXID": "SPDXRef-BaseOS-9.2.0.Z.EUS",
+            "name": "Red Hat Enterprise Linux",
+            "versionInfo": "9.2.0.Z.EUS",
+            "supplier": "Organization: Red Hat",
+            "downloadLocation": "NOASSERTION",
+            "licenseConcluded": "NOASSERTION",
+            "externalRefs": [
+              {
+                "referenceCategory": "SECURITY",
+                "referenceLocator": "cpe:/o:redhat:rhel_eus:9.2::baseos",
+                "referenceType": "cpe22Type"
+              }
+            ]
+        },
+        {
+            "SPDXID": "SPDXRef-BaseOS-9.2.0.Z.E4S",
+            "name": "Red Hat Enterprise Linux",
+            "versionInfo": "9.2.0.Z.E4S",
+            "supplier": "Organization: Red Hat",
+            "downloadLocation": "NOASSERTION",
+            "licenseConcluded": "NOASSERTION",
+            "externalRefs": [
+              {
+                "referenceCategory": "SECURITY",
+                "referenceLocator": "cpe:/o:redhat:rhel_e4s:9.2::baseos",
+                "referenceType": "cpe22Type"
+              }
+            ]
+        }
+    ],
+    "poppler-21.01.0-19.el9": [
+        # product_versions/2063/variants/4424
+        {
+            "SPDXID": "SPDXRef-AppStream-9.4.0.GA",
+            "name": "Red Hat Enterprise Linux",
+            "versionInfo": "9.4.0.GA",
+            "supplier": "Organization: Red Hat",
+            "downloadLocation": "NOASSERTION",
+            "licenseConcluded": "NOASSERTION",
+            "externalRefs": [
+                {
+                    "referenceCategory": "SECURITY",
+                    "referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream",
+                    "referenceType": "cpe22Type"
+                }
+            ]
+        },
+        {
+            "SPDXID": "SPDXRef-CRB-9.4.0.GA",
+            "name": "Red Hat Enterprise Linux",
+            "versionInfo": "9.4.0.GA",
+            "supplier": "Organization: Red Hat",
+            "downloadLocation": "NOASSERTION",
+            "licenseConcluded": "NOASSERTION",
+            "externalRefs": [
+                {
+                    "referenceCategory": "SECURITY",
+                    "referenceLocator": "cpe:/a:redhat:enterprise_linux:9::crb",
+                    "referenceType": "cpe22Type"
+                }
+            ]
+        },
+        {
+            "SPDXID": "SPDXRef-AppStream-9.4.0.Z.EUS",
+            "name": "Red Hat Enterprise Linux",
+            "versionInfo": "9.4.0.Z.EUS",
+            "supplier": "Organization: Red Hat",
+            "downloadLocation": "NOASSERTION",
+            "licenseConcluded": "NOASSERTION",
+            "externalRefs": [
+                {
+                    "referenceCategory": "SECURITY",
+                    "referenceLocator": "cpe:/a:redhat:rhel_eus:9.4::appstream",
+                    "referenceType": "cpe22Type"
+                }
+            ]
+        }
+    ],
+}
+
+
 repo_id_map = {
     # https://access.redhat.com/downloads/content/openshift-pipelines-client/1.15.0-11496.el8/x86_64/fd431d51/package
     "openshift-pipelines-client-1.14.3-11352.el8": ["pipelines-1.14-for-rhel-8-{arch}-rpms"],
@@ -82,6 +200,16 @@ def get_rpm_purl(ext_refs):
 
     pkg["externalRefs"] = sorted(new_refs, key=lambda ref: ref["referenceLocator"])
 
+if sbom_name in product_map:
+    sbom["packages"].extend(product_map[sbom_name])
+    product_spdxids = set()
+    for product_package in product_map[sbom_name]:
+        sbom["relationships"].append({
+            "spdxElementId": "SPDXRef-SRPM",
+            "relationshipType": "PACKAGE_OF",
+            "relatedSpdxElement": product_package["SPDXID"]
+        })
+
 with open(f"{sbom_name}.spdx.json", "w") as fp:
     # Add an extra newline at the end since a lot of editors add one when you save a file,
     # and these files get opened and read in editors a lot.

diff --git a/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json b/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json
@@ -19003,6 +19003,21 @@
           "comment": "sigmd5: 20369982b93b4710c630a5032a887938"
         }
       ]
+    },
+    {
+      "SPDXID": "SPDXRef-OpenShift-Pipelines-1.15-RHEL-8",
+      "name": "Red Hat OpenShift Pipelines",
+      "versionInfo": "1.15-RHEL-8",
+      "supplier": "Organization: Red Hat",
+      "downloadLocation": "NOASSERTION",
+      "licenseConcluded": "NOASSERTION",
+      "externalRefs": [
+        {
+          "referenceCategory": "SECURITY",
+          "referenceLocator": "cpe:/a:redhat:openshift_pipelines:1.15::el8",
+          "referenceType": "cpe22Type"
+        }
+      ]
     }
   ],
   "files": [
@@ -24107,6 +24122,11 @@
       "spdxElementId": "SPDXRef-aarch64-openshift-pipelines-client-redistributable",
       "relationshipType": "GENERATED_FROM",
       "relatedSpdxElement": "SPDXRef-SRPM"
+    },
+    {
+      "spdxElementId": "SPDXRef-SRPM",
+      "relationshipType": "PACKAGE_OF",
+      "relatedSpdxElement": "SPDXRef-OpenShift-Pipelines-1.15-RHEL-8"
     }
   ]
 }
diff --git a/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json b/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json
@@ -1550,6 +1550,51 @@
           "comment": "sigmd5: 879e4c4ba7c890c9fba001534ea552b5"
         }
       ]
+    },
+    {
+      "SPDXID": "SPDXRef-AppStream-9.2.0.Z.EUS",
+      "name": "Red Hat Enterprise Linux",
+      "versionInfo": "9.2.0.Z.EUS",
+      "supplier": "Organization: Red Hat",
+      "downloadLocation": "NOASSERTION",
+      "licenseConcluded": "NOASSERTION",
+      "externalRefs": [
+        {
+          "referenceCategory": "SECURITY",
+          "referenceLocator": "cpe:/a:redhat:rhel_eus:9.2::appstream",
+          "referenceType": "cpe22Type"
+        }
+      ]
+    },
+    {
+      "SPDXID": "SPDXRef-BaseOS-9.2.0.Z.EUS",
+      "name": "Red Hat Enterprise Linux",
+      "versionInfo": "9.2.0.Z.EUS",
+      "supplier": "Organization: Red Hat",
+      "downloadLocation": "NOASSERTION",
+      "licenseConcluded": "NOASSERTION",
+      "externalRefs": [
+        {
+          "referenceCategory": "SECURITY",
+          "referenceLocator": "cpe:/o:redhat:rhel_eus:9.2::baseos",
+          "referenceType": "cpe22Type"
+        }
+      ]
+    },
+    {
+      "SPDXID": "SPDXRef-BaseOS-9.2.0.Z.E4S",
+      "name": "Red Hat Enterprise Linux",
+      "versionInfo": "9.2.0.Z.E4S",
+      "supplier": "Organization: Red Hat",
+      "downloadLocation": "NOASSERTION",
+      "licenseConcluded": "NOASSERTION",
+      "externalRefs": [
+        {
+          "referenceCategory": "SECURITY",
+          "referenceLocator": "cpe:/o:redhat:rhel_e4s:9.2::baseos",
+          "referenceType": "cpe22Type"
+        }
+      ]
     }
   ],
   "files": [],
@@ -1743,6 +1788,21 @@
       "spdxElementId": "SPDXRef-s390x-openssl-perl",
       "relationshipType": "GENERATED_FROM",
       "relatedSpdxElement": "SPDXRef-SRPM"
+    },
+    {
+      "spdxElementId": "SPDXRef-SRPM",
+      "relationshipType": "PACKAGE_OF",
+      "relatedSpdxElement": "SPDXRef-AppStream-9.2.0.Z.EUS"
+    },
+    {
+      "spdxElementId": "SPDXRef-SRPM",
+      "relationshipType": "PACKAGE_OF",
+      "relatedSpdxElement": "SPDXRef-BaseOS-9.2.0.Z.EUS"
+    },
+    {
+      "spdxElementId": "SPDXRef-SRPM",
+      "relationshipType": "PACKAGE_OF",
+      "relatedSpdxElement": "SPDXRef-BaseOS-9.2.0.Z.E4S"
     }
   ]
 }
diff --git a/sbom/examples/rpm/release/poppler-21.01.0-19.el9.spdx.json b/sbom/examples/rpm/release/poppler-21.01.0-19.el9.spdx.json
@@ -3608,6 +3608,51 @@
           "comment": "sigmd5: bbd4e69a12e039eb005a3d85b6c88aae"
         }
       ]
+    },
+    {
+      "SPDXID": "SPDXRef-AppStream-9.4.0.GA",
+      "name": "Red Hat Enterprise Linux",
+      "versionInfo": "9.4.0.GA",
+      "supplier": "Organization: Red Hat",
+      "downloadLocation": "NOASSERTION",
+      "licenseConcluded": "NOASSERTION",
+      "externalRefs": [
+        {
+          "referenceCategory": "SECURITY",
+          "referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream",
+          "referenceType": "cpe22Type"
+        }
+      ]
+    },
+    {
+      "SPDXID": "SPDXRef-CRB-9.4.0.GA",
+      "name": "Red Hat Enterprise Linux",
+      "versionInfo": "9.4.0.GA",
+      "supplier": "Organization: Red Hat",
+      "downloadLocation": "NOASSERTION",
+      "licenseConcluded": "NOASSERTION",
+      "externalRefs": [
+        {
+          "referenceCategory": "SECURITY",
+          "referenceLocator": "cpe:/a:redhat:enterprise_linux:9::crb",
+          "referenceType": "cpe22Type"
+        }
+      ]
+    },
+    {
+      "SPDXID": "SPDXRef-AppStream-9.4.0.Z.EUS",
+      "name": "Red Hat Enterprise Linux",
+      "versionInfo": "9.4.0.Z.EUS",
+      "supplier": "Organization: Red Hat",
+      "downloadLocation": "NOASSERTION",
+      "licenseConcluded": "NOASSERTION",
+      "externalRefs": [
+        {
+          "referenceCategory": "SECURITY",
+          "referenceLocator": "cpe:/a:redhat:rhel_eus:9.4::appstream",
+          "referenceType": "cpe22Type"
+        }
+      ]
     }
   ],
   "files": [],
@@ -4006,6 +4051,21 @@
       "spdxElementId": "SPDXRef-s390x-poppler-glib",
       "relationshipType": "GENERATED_FROM",
       "relatedSpdxElement": "SPDXRef-SRPM"
+    },
+    {
+      "spdxElementId": "SPDXRef-SRPM",
+      "relationshipType": "PACKAGE_OF",
+      "relatedSpdxElement": "SPDXRef-AppStream-9.4.0.GA"
+    },
+    {
+      "spdxElementId": "SPDXRef-SRPM",
+      "relationshipType": "PACKAGE_OF",
+      "relatedSpdxElement": "SPDXRef-CRB-9.4.0.GA"
+    },
+    {
+      "spdxElementId": "SPDXRef-SRPM",
+      "relationshipType": "PACKAGE_OF",
+      "relatedSpdxElement": "SPDXRef-AppStream-9.4.0.Z.EUS"
     }
   ]
 }