diff --git a/sbom/examples/rpm/release/add_release_data.py b/sbom/examples/rpm/release/add_release_data.py
old mode 100644
new mode 100755
index a265e13..e90af6a
--- a/sbom/examples/rpm/release/add_release_data.py
+++ b/sbom/examples/rpm/release/add_release_data.py
@@ -3,6 +3,124 @@ from packageurl import PackageURL
+# With help from https://security.access.redhat.com/data/meta/v1/repository-to-cpe.json
+product_map = {
+ "openshift-pipelines-client-1.14.3-11352.el8": [
+ {
+ "SPDXID": "SPDXRef-OpenShift-Pipelines-1.15-RHEL-8",
+ "name": "Red Hat OpenShift Pipelines",
+ "versionInfo": "1.15-RHEL-8",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:openshift_pipelines:1.15::el8",
+ "referenceType": "cpe22Type"
+ }
+ ]
+ }
+ ],
+ "openssl-3.0.7-18.el9_2": [
+ # product_versions/1884/variants/4138
+ {
+ "SPDXID": "SPDXRef-AppStream-9.2.0.Z.EUS",
+ "name": "Red Hat Enterprise Linux",
+ "versionInfo": "9.2.0.Z.EUS",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:rhel_eus:9.2::appstream",
+ "referenceType": "cpe22Type"
+ }
+ ]
+ },
+ {
+ "SPDXID": "SPDXRef-BaseOS-9.2.0.Z.EUS",
+ "name": "Red Hat Enterprise Linux",
+ "versionInfo": "9.2.0.Z.EUS",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/o:redhat:rhel_eus:9.2::baseos",
+ "referenceType": "cpe22Type"
+ }
+ ]
+ },
+ {
+ "SPDXID": "SPDXRef-BaseOS-9.2.0.Z.E4S",
+ "name": "Red Hat Enterprise Linux",
+ "versionInfo": "9.2.0.Z.E4S",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/o:redhat:rhel_e4s:9.2::baseos",
+ "referenceType": "cpe22Type"
+ }
+ ]
+ }
+ ],
+ "poppler-21.01.0-19.el9": [
+ # product_versions/2063/variants/4424
+ {
+ "SPDXID": "SPDXRef-AppStream-9.4.0.GA",
+ "name": "Red Hat Enterprise Linux",
+ "versionInfo": "9.4.0.GA",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream",
+ "referenceType": "cpe22Type"
+ }
+ ]
+ },
+ {
+ "SPDXID": "SPDXRef-CRB-9.4.0.GA",
+ "name": "Red Hat Enterprise Linux",
+ "versionInfo": "9.4.0.GA",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:enterprise_linux:9::crb",
+ "referenceType": "cpe22Type"
+ }
+ ]
+ },
+ {
+ "SPDXID": "SPDXRef-AppStream-9.4.0.Z.EUS",
+ "name": "Red Hat Enterprise Linux",
+ "versionInfo": "9.4.0.Z.EUS",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:rhel_eus:9.4::appstream",
+ "referenceType": "cpe22Type"
+ }
+ ]
+ }
+ ],
+}
+
+
 repo_id_map = { # https://access.redhat.com/downloads/content/openshift-pipelines-client/1.15.0-11496.el8/x86_64/fd431d51/package
 "openshift-pipelines-client-1.14.3-11352.el8": ["pipelines-1.14-for-rhel-8-{arch}-rpms"],
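Review bot: Every entry in `product_map` hand-repeats the same six boilerplate fields and pairs a free-text `versionInfo` with an `SPDXID` that embeds the same version, so a copy-paste slip in one entry (an SPDXID or CPE that no longer matches its `versionInfo`) is invisible to a reader and nothing validates it; the `referenceLocator` CPE is what downstream scanners use to scope vulnerability matching, so a wrong one mis-scopes every advisory for that SRPM. Building entries through a small helper keeps each product to the four values that actually vary and makes the CPE column easy to check against the cited repository-to-cpe.json. Separately, the `openshift-pipelines-client-1.14.3-11352.el8` entry names product `1.15-RHEL-8` / `cpe:/a:redhat:openshift_pipelines:1.15::el8` while the unchanged `repo_id_map` line just below maps the same SRPM to `pipelines-1.14-for-rhel-8-{arch}-rpms`; if that 1.14/1.15 difference is intentional, a one-line comment such as `# shipped in the 1.14 repo but tracked under the 1.15 product CPE` would stop the next maintainer from "fixing" it.
```python
def _product(spdxid: str, name: str, version: str, cpe: str) -> dict:
    """Build one SPDX product package entry.

    `cpe` is the SECURITY reference scanners match on, so it is the one
    value worth double-checking against repository-to-cpe.json.
    """
    return {
        "SPDXID": f"SPDXRef-{spdxid}",
        "name": name,
        "versionInfo": version,
        "supplier": "Organization: Red Hat",
        "downloadLocation": "NOASSERTION",
        "licenseConcluded": "NOASSERTION",
        "externalRefs": [
            {
                "referenceCategory": "SECURITY",
                "referenceLocator": cpe,
                "referenceType": "cpe22Type",
            }
        ],
    }


# With help from https://security.access.redhat.com/data/meta/v1/repository-to-cpe.json
product_map = {
    "openshift-pipelines-client-1.14.3-11352.el8": [
        _product("OpenShift-Pipelines-1.15-RHEL-8", "Red Hat OpenShift Pipelines",
                 "1.15-RHEL-8", "cpe:/a:redhat:openshift_pipelines:1.15::el8"),
    ],
    "openssl-3.0.7-18.el9_2": [
        # product_versions/1884/variants/4138
        _product("AppStream-9.2.0.Z.EUS", "Red Hat Enterprise Linux",
                 "9.2.0.Z.EUS", "cpe:/a:redhat:rhel_eus:9.2::appstream"),
        # … unchanged data: remaining openssl entries, one _product() call each …
    ],
    # … unchanged data: poppler entries, one _product() call each …
}
```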
@@ -82,6 +200,16 @@ def get_rpm_purl(ext_refs):
 pkg["externalRefs"] = sorted(new_refs, key=lambda ref: ref["referenceLocator"])
+if sbom_name in product_map:
+ sbom["packages"].extend(product_map[sbom_name])
+ product_spdxids = set()
+ for product_package in product_map[sbom_name]:
+ sbom["relationships"].append({
+ "spdxElementId": "SPDXRef-SRPM",
+ "relationshipType": "PACKAGE_OF",
+ "relatedSpdxElement": product_package["SPDXID"]
+ })
+
 with open(f"{sbom_name}.spdx.json", "w") as fp:
 # Add an extra newline at the end since a lot of editors add one when you save a file,
 # and these files get opened and read in editors a lot.
diff --git a/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json b/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json
index 4999993..ff2c99c 100644
--- a/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json
+++ b/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json
@@ -19003,6 +19003,21 @@
 "comment": "sigmd5: 20369982b93b4710c630a5032a887938"
 }
 ]
+ },
+ {
+ "SPDXID": "SPDXRef-OpenShift-Pipelines-1.15-RHEL-8",
+ "name": "Red Hat OpenShift Pipelines",
+ "versionInfo": "1.15-RHEL-8",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:openshift_pipelines:1.15::el8",
+ "referenceType": "cpe22Type"
+ }
+ ]
 }
 ],
 "files": [
@@ -24107,6 +24122,11 @@
 "spdxElementId": "SPDXRef-aarch64-openshift-pipelines-client-redistributable",
 "relationshipType": "GENERATED_FROM",
 "relatedSpdxElement": "SPDXRef-SRPM"
+ },
+ {
+ "spdxElementId": "SPDXRef-SRPM",
+ "relationshipType": "PACKAGE_OF",
+ "relatedSpdxElement": "SPDXRef-OpenShift-Pipelines-1.15-RHEL-8"
 }
 ]
 }
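Review bot: `product_spdxids = set()` in the new block is assigned and never read, so it is either dead code or a half-finished duplicate guard; as written, the loop extends `sbom["packages"]` and appends a `PACKAGE_OF` relationship per product without checking that the product SPDXID is not already present, and if the script reads back the same `{sbom_name}.spdx.json` it writes (which the output path suggests but this hunk does not show), a second run would duplicate both the package and the relationship. Either drop the line or finish it: `existing = {p["SPDXID"] for p in sbom["packages"]}` before the `extend`, and `if product_package["SPDXID"] in existing: raise ValueError(f"duplicate SPDXID {product_package['SPDXID']}")` inside the loop. An `sbom_name` absent from `product_map` is also skipped silently, leaving the SBOM with no product/CPE context for vulnerability scoping; a `print(f"no product mapping for {sbom_name}", file=sys.stderr)` in an `else` branch would surface that, assuming `sys` is imported above. `sbom_name` and `sbom` are defined above this hunk, outside the visible diff.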
diff --git a/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json b/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json
index 9d1a908..8951bb7 100644
--- a/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json
+++ b/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json
@@ -1550,6 +1550,51 @@
 "comment": "sigmd5: 879e4c4ba7c890c9fba001534ea552b5"
 }
 ]
+ },
+ {
+ "SPDXID": "SPDXRef-AppStream-9.2.0.Z.EUS",
+ "name": "Red Hat Enterprise Linux",
+ "versionInfo": "9.2.0.Z.EUS",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:rhel_eus:9.2::appstream",
+ "referenceType": "cpe22Type"
+ }
+ ]
+ },
+ {
+ "SPDXID": "SPDXRef-BaseOS-9.2.0.Z.EUS",
+ "name": "Red Hat Enterprise Linux",
+ "versionInfo": "9.2.0.Z.EUS",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/o:redhat:rhel_eus:9.2::baseos",
+ "referenceType": "cpe22Type"
+ }
+ ]
+ },
+ {
+ "SPDXID": "SPDXRef-BaseOS-9.2.0.Z.E4S",
+ "name": "Red Hat Enterprise Linux",
+ "versionInfo": "9.2.0.Z.E4S",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/o:redhat:rhel_e4s:9.2::baseos",
+ "referenceType": "cpe22Type"
+ }
+ ]
 }
 ],
 "files": [],
@@ -1743,6 +1788,21 @@
 "spdxElementId": "SPDXRef-s390x-openssl-perl",
 "relationshipType": "GENERATED_FROM",
 "relatedSpdxElement": "SPDXRef-SRPM"
+ },
+ {
+ "spdxElementId": "SPDXRef-SRPM",
+ "relationshipType": "PACKAGE_OF",
+ "relatedSpdxElement": "SPDXRef-AppStream-9.2.0.Z.EUS"
+ },
+ {
+ "spdxElementId": "SPDXRef-SRPM",
+ "relationshipType": "PACKAGE_OF",
+ "relatedSpdxElement": "SPDXRef-BaseOS-9.2.0.Z.EUS"
+ },
+ {
+ "spdxElementId": "SPDXRef-SRPM",
+ "relationshipType": "PACKAGE_OF",
+ "relatedSpdxElement": "SPDXRef-BaseOS-9.2.0.Z.E4S"
 }
 ]
 }
diff --git a/sbom/examples/rpm/release/poppler-21.01.0-19.el9.spdx.json b/sbom/examples/rpm/release/poppler-21.01.0-19.el9.spdx.json
index e98b5bb..07acda8 100644
--- a/sbom/examples/rpm/release/poppler-21.01.0-19.el9.spdx.json
+++ b/sbom/examples/rpm/release/poppler-21.01.0-19.el9.spdx.json
@@ -3608,6 +3608,51 @@
 "comment": "sigmd5: bbd4e69a12e039eb005a3d85b6c88aae"
 }
 ]
+ },
+ {
+ "SPDXID": "SPDXRef-AppStream-9.4.0.GA",
+ "name": "Red Hat Enterprise Linux",
+ "versionInfo": "9.4.0.GA",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream",
+ "referenceType": "cpe22Type"
+ }
+ ]
+ },
+ {
+ "SPDXID": "SPDXRef-CRB-9.4.0.GA",
+ "name": "Red Hat Enterprise Linux",
+ "versionInfo": "9.4.0.GA",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:enterprise_linux:9::crb",
+ "referenceType": "cpe22Type"
+ }
+ ]
+ },
+ {
+ "SPDXID": "SPDXRef-AppStream-9.4.0.Z.EUS",
+ "name": "Red Hat Enterprise Linux",
+ "versionInfo": "9.4.0.Z.EUS",
+ "supplier": "Organization: Red Hat",
+ "downloadLocation": "NOASSERTION",
+ "licenseConcluded": "NOASSERTION",
+ "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:rhel_eus:9.4::appstream",
+ "referenceType": "cpe22Type"
+ }
+ ]
 }
 ],
 "files": [],
@@ -4006,6 +4051,21 @@
 "spdxElementId": "SPDXRef-s390x-poppler-glib",
 "relationshipType": "GENERATED_FROM",
 "relatedSpdxElement": "SPDXRef-SRPM"
+ },
+ {
+ "spdxElementId": "SPDXRef-SRPM",
+ "relationshipType": "PACKAGE_OF",
+ "relatedSpdxElement": "SPDXRef-AppStream-9.4.0.GA"
+ },
+ {
+ "spdxElementId": "SPDXRef-SRPM",
+ "relationshipType": "PACKAGE_OF",
+ "relatedSpdxElement": "SPDXRef-CRB-9.4.0.GA"
+ },
+ {
+ "spdxElementId": "SPDXRef-SRPM",
+ "relationshipType": "PACKAGE_OF",
+ "relatedSpdxElement": "SPDXRef-AppStream-9.4.0.Z.EUS"
 }
 ]
 }