diff --git a/sbom/examples/rpm/build/from-koji.py b/sbom/examples/rpm/build/from-koji.py
index 25b9958..686a6b9 100755
--- a/sbom/examples/rpm/build/from-koji.py
+++ b/sbom/examples/rpm/build/from-koji.py
@@ -156,9 +156,8 @@ def mock_openssl_midstream(sfn, source, sname, sver):
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": (
+ "referenceLocator":
 f"pkg:generic/{sname}@{sver}?download_url={url}&checksum=sha256:{digest}",
- ),
 }
 ],
 }
diff --git a/sbom/examples/rpm/build/openssl-3.0.7-18.el9_2.spdx.json b/sbom/examples/rpm/build/openssl-3.0.7-18.el9_2.spdx.json
index 31ff7c3..2e57478 100644
--- a/sbom/examples/rpm/build/openssl-3.0.7-18.el9_2.spdx.json
+++ b/sbom/examples/rpm/build/openssl-3.0.7-18.el9_2.spdx.json
@@ -57,9 +57,7 @@
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
- "referenceLocator": [
- "pkg:generic/openssl@3.0.7?download_url=https://openssl.org/source/openssl-3.0.7.tar.gz&checksum=sha256:83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e"
- ]
+ "referenceLocator": "pkg:generic/openssl@3.0.7?download_url=https://openssl.org/source/openssl-3.0.7.tar.gz&checksum=sha256:83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e"
 }
 ]
 },
diff --git a/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json b/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json
index ff2c99c..74f2879 100644
--- a/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json
+++ b/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json
@@ -18689,6 +18689,11 @@
 "packageFileName": "openshift-pipelines-client-1.14.3-11352.el8.src.rpm",
 "licenseConcluded": "Apache-2.0",
 "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:openshift_pipelines:1.15::el8",
+ "referenceType": "cpe22Type"
+ },
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
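Review bot: The `url` and `digest` values are interpolated into the purl on the new `"referenceLocator":` line without percent-encoding, so any reserved character in the download URL (`#`, `&`, `=`, `?`) changes how the purl is parsed — a purl parser splits on the rightmost `#` for the subpath before it reads qualifiers, and `&`/`=` delimit qualifiers. The purl spec requires qualifier values to be percent-encoded, so encode the URL first, e.g. `quoted_url = urllib.parse.quote(url, safe=":/")`, and build the locator as `f"pkg:generic/{sname}@{sver}?download_url={quoted_url}&checksum=sha256:{digest}",`. The release example files in this same commit embed git URLs with a raw `#commit` fragment in the same qualifier, so the encoding gap is visible in the data too. mock_openssl_midstream starts outside this hunk.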
@@ -18729,39 +18734,60 @@
 "SPDXID": "SPDXRef-Source0",
 "name": "tektoncd-cli",
 "versionInfo": "4854f37a16f947b763bdd9dbdc5bca259a24141e",
- "downloadLocation": "NOASSERTION",
+ "downloadLocation": "git+https://internal.com/git/rpms/tektoncd-cli#bbc151c8acc1fb97c053c976dcf69c7fd2e67442",
 "packageFileName": "tektoncd-cli-4854f37a16f947b763bdd9dbdc5bca259a24141e.tar.gz",
 "checksums": [
 {
 "algorithm": "SHA256",
 "checksumValue": "aabc96f5ad3ca2cd8a87f02cfd8a7faff79f98e3e3f065b56cce3e57374a1ad5"
 }
+ ],
+ "externalRefs": [
+ {
+ "referenceCategory": "PACKAGE-MANAGER",
+ "referenceType": "purl",
+ "referenceLocator": "pkg:generic/openshift-pipelines-client@1.14.3?download_url=git+https://internal.com/git/rpms/tektoncd-cli#bbc151c8acc1fb97c053c976dcf69c7fd2e67442"
+ }
 ]
 },
 {
 "SPDXID": "SPDXRef-Source1",
 "name": "pipelines-as-code",
 "versionInfo": "f08a73c1bddd041b57577b47e72d98387e0b939b",
- "downloadLocation": "NOASSERTION",
+ "downloadLocation": "git+https://internal.com/git/rpms/tektoncd-cli#bbc151c8acc1fb97c053c976dcf69c7fd2e67442",
 "packageFileName": "pipelines-as-code-f08a73c1bddd041b57577b47e72d98387e0b939b.tar.gz",
 "checksums": [
 {
 "algorithm": "SHA256",
 "checksumValue": "7ff2b20e48203607d160198a9e4820a48fd7ed18ac44973c078b48a4f5ab7888"
 }
+ ],
+ "externalRefs": [
+ {
+ "referenceCategory": "PACKAGE-MANAGER",
+ "referenceType": "purl",
+ "referenceLocator": "pkg:generic/openshift-pipelines-client@1.14.3?download_url=git+https://internal.com/git/rpms/tektoncd-cli#bbc151c8acc1fb97c053c976dcf69c7fd2e67442"
+ }
 ]
 },
 {
 "SPDXID": "SPDXRef-Source2",
 "name": "openshift-pipelines-opc",
 "versionInfo": "5c8cced44956893695bac7666ffe6bb3642f8aef",
- "downloadLocation": "NOASSERTION",
+ "downloadLocation": "git+https://internal.com/git/rpms/tektoncd-cli#bbc151c8acc1fb97c053c976dcf69c7fd2e67442",
 "packageFileName": "openshift-pipelines-opc-5c8cced44956893695bac7666ffe6bb3642f8aef.tar.gz",
 "checksums": [
 {
 "algorithm": "SHA256",
 "checksumValue": "0fb52748f4b2868782fab0f3a3c680d238c061c164b8854a89681c99b357cf33"
 }
+ ],
+ "externalRefs": [
+ {
+ "referenceCategory": "PACKAGE-MANAGER",
+ "referenceType": "purl",
+ "referenceLocator": "pkg:generic/openshift-pipelines-client@1.14.3?download_url=git+https://internal.com/git/rpms/tektoncd-cli#bbc151c8acc1fb97c053c976dcf69c7fd2e67442"
+ }
 ]
 },
 {
@@ -19024,10 +19050,17 @@
 {
 "fileName": "/go.mod",
 "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790",
+ "fileTypes": [
+ "TEXT"
+ ],
 "checksums": [
 {
 "algorithm": "SHA1",
- "checksumValue": "0000000000000000000000000000000000000000"
+ "checksumValue": "61e310ee28d636ae56f3bd5b58308385cb4be6e5"
+ },
+ {
+ "algorithm": "SHA256",
+ "checksumValue": "e8545aa76ef2e12ae5217094aec34a484a89e2a03b6fbd2a462cc8fd95912c07"
 }
 ],
 "licenseConcluded": "NOASSERTION",
@@ -19039,10 +19072,17 @@
 {
 "fileName": "/tools/go.mod",
 "SPDXID": "SPDXRef-File-tools-go.mod-9a8d257e44c7907a",
+ "fileTypes": [
+ "TEXT"
+ ],
 "checksums": [
 {
 "algorithm": "SHA1",
- "checksumValue": "0000000000000000000000000000000000000000"
+ "checksumValue": "1f22db3942a1f6f65156bd3fe1d7bf977c7277a8"
+ },
+ {
+ "algorithm": "SHA256",
+ "checksumValue": "a1d0f7714175923c352600d162681cf6ed1d5a100a2f05d4953354f5d6bc51c8"
 }
 ],
 "licenseConcluded": "NOASSERTION",
@@ -19054,10 +19094,17 @@
 {
 "fileName": "/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt",
 "SPDXID": "SPDXRef-File-...go-tuf-requirements-test.txt-8c7951abcf93b096",
+ "fileTypes": [
+ "TEXT"
+ ],
 "checksums": [
 {
 "algorithm": "SHA1",
- "checksumValue": "0000000000000000000000000000000000000000"
+ "checksumValue": "e165e5712c8c96df7c42b3abdcadf405a6934819"
+ },
+ {
+ "algorithm": "SHA256",
+ "checksumValue": "4c3e2e90d140cef32beb9c97a8ef711e7655da767648d2b2844f4a6979872ff3"
 }
 ],
 "licenseConcluded": "NOASSERTION",
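Review bot: The three new `referenceLocator` purls carry `download_url=git+https://internal.com/git/rpms/tektoncd-cli#bbc151c8acc1fb97c053c976dcf69c7fd2e67442` with a raw `#`, which a spec-conformant purl parser treats as the subpath separator, so the commit hash is split off as a subpath and the download_url qualifier loses it. Qualifier values are percent-encoded per the purl spec, so the fragment separator should be written as `%23`, e.g. `"referenceLocator": "pkg:generic/openshift-pipelines-client@1.14.3?download_url=git+https://internal.com/git/rpms/tektoncd-cli%23bbc151c8acc1fb97c053c976dcf69c7fd2e67442"`. The poppler release example later in this commit embeds its git URL the same way and needs the same fix. It is also worth confirming that three distinct source tarballs (tektoncd-cli, pipelines-as-code, openshift-pipelines-opc) are meant to share one downloadLocation and one purl that names the SRPM rather than each source, since the new references no longer distinguish them.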
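Review bot: The new SHA1 and SHA256 values written for `/go.mod` in this hunk differ from those written for the two other `/go.mod` entries later in this commit (the hunks at old lines 19084 and 19099), yet all three entries carry the same `"SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790"`, so the document now asserts three different checksum sets for one SPDX identifier. SPDX requires SPDXIDs to be unique within a document, and a consumer that indexes files by SPDXID will silently keep only one of these entries. If these are the go.mod files of three separate sources, as the differing digests suggest, each entry needs its own SPDXID, for example one that incorporates the owning source or the file's content digest rather than only its path.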
@@ -19069,10 +19116,17 @@
 {
 "fileName": "/vendor/go.opentelemetry.io/otel/requirements.txt",
 "SPDXID": "SPDXRef-File-...otel-requirements.txt-b69fd806af1e91ad",
+ "fileTypes": [
+ "TEXT"
+ ],
 "checksums": [
 {
 "algorithm": "SHA1",
- "checksumValue": "0000000000000000000000000000000000000000"
+ "checksumValue": "68bdb1034b31d05232669762f2be7f56fff5d849"
+ },
+ {
+ "algorithm": "SHA256",
+ "checksumValue": "1ed38028659fda92b4f34d11c83bc4f8669526f84ef6f4fbc6c24f03b2c42ead"
 }
 ],
 "licenseConcluded": "NOASSERTION",
@@ -19084,10 +19138,17 @@
 {
 "fileName": "/go.mod",
 "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790",
+ "fileTypes": [
+ "TEXT"
+ ],
 "checksums": [
 {
 "algorithm": "SHA1",
- "checksumValue": "0000000000000000000000000000000000000000"
+ "checksumValue": "61e119e3ec020c03afca7138b9a716c954726032"
+ },
+ {
+ "algorithm": "SHA256",
+ "checksumValue": "86eae4213ebf7a97720650b7753ac0db444c9669d5849741ad568e134e35c255"
 }
 ],
 "licenseConcluded": "NOASSERTION",
@@ -19099,10 +19160,17 @@
 {
 "fileName": "/go.mod",
 "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790",
+ "fileTypes": [
+ "TEXT"
+ ],
 "checksums": [
 {
 "algorithm": "SHA1",
- "checksumValue": "0000000000000000000000000000000000000000"
+ "checksumValue": "96208d53013a00d87da290fb15f29ff76621bb8f"
+ },
+ {
+ "algorithm": "SHA256",
+ "checksumValue": "2af9d1fe8ad92c27ab71c0a1195800e5fc9f990ea14cb5c6278963bb1856eab9"
 }
 ],
 "licenseConcluded": "NOASSERTION",
@@ -19114,10 +19182,17 @@
 {
 "fileName": "/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt",
 "SPDXID": "SPDXRef-File-...go-tuf-requirements-test.txt-8c7951abcf93b096",
+ "fileTypes": [
+ "TEXT"
+ ],
 "checksums": [
 {
 "algorithm": "SHA1",
- "checksumValue": "0000000000000000000000000000000000000000"
+ "checksumValue": "e165e5712c8c96df7c42b3abdcadf405a6934819"
+ },
+ {
+ "algorithm": "SHA256",
+ "checksumValue": "4c3e2e90d140cef32beb9c97a8ef711e7655da767648d2b2844f4a6979872ff3"
 }
 ],
 "licenseConcluded": "NOASSERTION",
@@ -19129,10 +19204,17 @@
 {
 "fileName": "/vendor/go.opentelemetry.io/otel/requirements.txt",
 "SPDXID": "SPDXRef-File-...otel-requirements.txt-b69fd806af1e91ad",
+ "fileTypes": [
+ "TEXT"
+ ],
 "checksums": [
 {
 "algorithm": "SHA1",
- "checksumValue": "0000000000000000000000000000000000000000"
+ "checksumValue": "68bdb1034b31d05232669762f2be7f56fff5d849"
+ },
+ {
+ "algorithm": "SHA256",
+ "checksumValue": "1ed38028659fda92b4f34d11c83bc4f8669526f84ef6f4fbc6c24f03b2c42ead"
 }
 ],
 "licenseConcluded": "NOASSERTION",
diff --git a/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json b/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json
index 8951bb7..8d234b9 100644
--- a/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json
+++ b/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json
@@ -20,6 +20,16 @@
 "packageFileName": "openssl-3.0.7-18.el9_2.src.rpm",
 "licenseConcluded": "Apache-2.0",
 "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:rhel_eus:9.2::appstream",
+ "referenceType": "cpe22Type"
+ },
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/o:redhat:rhel_eus:9.2::baseoscpe:/o:redhat:rhel_e4s:9.2::baseos",
+ "referenceType": "cpe22Type"
+ },
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
diff --git a/sbom/examples/rpm/release/poppler-21.01.0-19.el9.spdx.json b/sbom/examples/rpm/release/poppler-21.01.0-19.el9.spdx.json
index 07acda8..592341c 100644
--- a/sbom/examples/rpm/release/poppler-21.01.0-19.el9.spdx.json
+++ b/sbom/examples/rpm/release/poppler-21.01.0-19.el9.spdx.json
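Review bot: The second SECURITY reference added to the openssl release example holds two CPEs run together, `"cpe:/o:redhat:rhel_eus:9.2::baseoscpe:/o:redhat:rhel_e4s:9.2::baseos"`, which is not a valid CPE 2.2 name and will match neither product stream when a consumer correlates advisories against this SBOM. Split it into two externalRefs entries with locators `"cpe:/o:redhat:rhel_eus:9.2::baseos"` and `"cpe:/o:redhat:rhel_e4s:9.2::baseos"`, each with `"referenceType": "cpe22Type"`. The concatenation looks like a CPE list joined with an empty separator somewhere upstream of this example, which would be worth checking in the generator as well, since the other CPE entries in this commit are emitted one per reference.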
@@ -20,6 +20,21 @@
 "packageFileName": "poppler-21.01.0-19.el9.src.rpm",
 "licenseConcluded": "(GPLv2 OR GPLv3) AND GPLv2+ AND LGPLv2+ AND MIT",
 "externalRefs": [
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:enterprise_linux:9::appstream",
+ "referenceType": "cpe22Type"
+ },
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:enterprise_linux:9::crb",
+ "referenceType": "cpe22Type"
+ },
+ {
+ "referenceCategory": "SECURITY",
+ "referenceLocator": "cpe:/a:redhat:rhel_eus:9.4::appstream",
+ "referenceType": "cpe22Type"
+ },
 {
 "referenceCategory": "PACKAGE-MANAGER",
 "referenceType": "purl",
@@ -180,13 +195,20 @@
 "SPDXID": "SPDXRef-Source1",
 "name": "poppler-test",
 "versionInfo": "2021-06-14",
- "downloadLocation": "NOASSERTION",
+ "downloadLocation": "git+https://internal.com/git/rpms/poppler#6ed06c877cd332127601017554e4c8c243ce3ba9",
 "packageFileName": "poppler-test-2021-06-14.tar.xz",
 "checksums": [
 {
 "algorithm": "SHA256",
 "checksumValue": "f811f0ae9bef8cd2430e024073134a68ddb05aa04e69635fb814f87f6acbd4a3"
 }
+ ],
+ "externalRefs": [
+ {
+ "referenceCategory": "PACKAGE-MANAGER",
+ "referenceType": "purl",
+ "referenceLocator": "pkg:generic/poppler@21.01.0?download_url=git+https://internal.com/git/rpms/poppler#6ed06c877cd332127601017554e4c8c243ce3ba9"
+ }
 ]
 },
 {