add extra examples of midstream urls

RedHatProductSecurity · Oct 29, 2024 · f454aca · f454aca
1 parent c0fc972
commit f454aca
Show file tree

Hide file tree

Showing 5 changed files with 302 additions and 38 deletions.
diff --git a/sbom/examples/rpm/build/from-koji.py b/sbom/examples/rpm/build/from-koji.py
@@ -134,34 +134,31 @@ def run_syft(builddir):
     relationships.extend(filtered_rels)
 
 
-def mock_openssl_midstream(sfn, source, sname, sver):
+def mock_midstream(digest, alg, source, sname, sver, url, ext):
     # Model a midstream repository for this.
-    ext = re.sub(r".*-hobbled\.", "", sfn)
-    url = f"https://openssl.org/source/openssl-{sver}.{ext}"
     # Hard-code example value for 3.0.7
-    digest = "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e"
     upackage = {
         "SPDXID": f"SPDXRef-{source}-origin",
         "name": sname,
         "versionInfo": sver,
         "downloadLocation": url,
-        "packageFileName": f"{sname}-{sver}.{ext}",
         "checksums": [
             {
-                "algorithm": "SHA256",
+                "algorithm": alg,
                 "checksumValue": digest,
             },
         ],
         "externalRefs": [
             {
                 "referenceCategory": "PACKAGE-MANAGER",
                 "referenceType": "purl",
-                "referenceLocator": (
-                    f"pkg:generic/{sname}@{sver}?download_url={url}&checksum=sha256:{digest}",
-                ),
+                "referenceLocator":
+                    f"pkg:generic/{sname}@{sver}?download_url={url}&checksum={alg}:{digest}",
             }
         ],
     }
+    if ext:
+        upackage["packageFileName"] = f"{sname}-{sver}.{ext}"
 
     pkgs_by_arch.setdefault(arch, []).append(upackage)
     relationships.append(
@@ -173,7 +170,9 @@ def mock_openssl_midstream(sfn, source, sname, sver):
     )
 
     # Construct the URL for the sourceN package
-    url = f"https://github.com/(RH openssl midstream repo)/archive/refs/tags/{sver}.{ext}"
+    url = f"https://github.com/(RH {sname} midstream repo)/archive/refs/tags/{sver}"
+    if ext:
+        url = f"{url}.{ext}"
     return url
 
 
@@ -248,9 +247,36 @@ def handle_srpm(filename, name):
 
             (sname, sver) = tarball_re.match(sfn).groups()
 
-            # Special case to fix up example for openssl
+            # See Component Registry for a full worked example of unpacking sources
+            # https://github.com/RedHatProductSecurity/component-registry/blob/
+            #   c05d571ee37fde97a0bf109bcba23e3255df3964/corgi/tasks/sca.py#L296
             if sname == "openssl":
-                url = mock_openssl_midstream(sfn, source, sname, sver)
+                digest = "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e"
+                alg = "SHA256"
+                ext = re.sub(r".*-hobbled\.", "", sfn)
+                upstream_url = f"https://openssl.org/source/openssl-{sver}.{ext}"
+                url = mock_midstream(digest, alg, source, sname, sver, upstream_url, ext)
+
+            # From distgit rpms/tektoncd-cli/tree/source-repos
+            #   ?h=pipelines-1.15-rhel-8&id=c30abfafca5c2865129111a8b7b3e96499d6dbbf
+            elif sname == "tektoncd-cli":
+                digest = "f8b6dc07a0f51f93a138c287ccdc81fbef410554"
+                alg = "SHA1"
+                upstream_url = "https://github.com/tektoncd/cli"
+                url = mock_midstream(digest, alg, source, sname, sver, upstream_url, "")
+
+            elif sname == "pipeline-as-code":
+                digest = "cfdf86bdbf1cdfbeadad20747a77294da4bc8c90"
+                alg = "SHA1"
+                upstream_url = "github.com/openshift-pipelines/pipelines-as-code"
+                url = mock_midstream(digest, alg, source, sname, sver, upstream_url, "")
+
+            elif sname == "openshift-pipelines-opc":
+                digest = "c5d28fe15a4a8f6d483cdb984bc25d720d9c6631"
+                alg = "SHA1"
+                upstream_url = "github.com/openshift-pipelines/opc"
+                url = mock_midstream(digest, alg, source, sname, sver, upstream_url, "")
+
 
             # Calculate checksum
             sha256 = hashlib.sha256()
@@ -281,6 +307,7 @@ def handle_srpm(filename, name):
             }
             if not sver:
                 del spackage["versioninfo"]
+
             if url != "NOASSERTION":
                 purl = f"pkg:generic/{name}@{version}?download_url={url}"
                 spackage["externalRefs"] = [
@@ -290,6 +317,7 @@ def handle_srpm(filename, name):
                         "referenceLocator": purl,
                     }
                 ]
+
             pkgs_by_arch.setdefault(arch, []).append(spackage)
 
             relationships.append(

diff --git a/sbom/examples/rpm/build/openshift-pipelines-client-1.14.3-11352.el8.spdx.json b/sbom/examples/rpm/build/openshift-pipelines-client-1.14.3-11352.el8.spdx.json
@@ -18710,17 +18710,43 @@
         }
       ]
     },
+    {
+      "SPDXID": "SPDXRef-Source0-origin",
+      "name": "tektoncd-cli",
+      "versionInfo": "4854f37a16f947b763bdd9dbdc5bca259a24141e",
+      "downloadLocation": "https://github.com/tektoncd/cli",
+      "checksums": [
+        {
+          "algorithm": "SHA1",
+          "checksumValue": "f8b6dc07a0f51f93a138c287ccdc81fbef410554"
+        }
+      ],
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:generic/tektoncd-cli@4854f37a16f947b763bdd9dbdc5bca259a24141e?download_url=https://github.com/tektoncd/cli&checksum=SHA1:f8b6dc07a0f51f93a138c287ccdc81fbef410554"
+        }
+      ]
+    },
     {
       "SPDXID": "SPDXRef-Source0",
       "name": "tektoncd-cli",
       "versionInfo": "4854f37a16f947b763bdd9dbdc5bca259a24141e",
-      "downloadLocation": "NOASSERTION",
+      "downloadLocation": "https://github.com/(RH tektoncd-cli midstream repo)/archive/refs/tags/4854f37a16f947b763bdd9dbdc5bca259a24141e",
       "packageFileName": "tektoncd-cli-4854f37a16f947b763bdd9dbdc5bca259a24141e.tar.gz",
       "checksums": [
         {
           "algorithm": "SHA256",
           "checksumValue": "aabc96f5ad3ca2cd8a87f02cfd8a7faff79f98e3e3f065b56cce3e57374a1ad5"
         }
+      ],
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:generic/[email protected]?download_url=https://github.com/(RH tektoncd-cli midstream repo)/archive/refs/tags/4854f37a16f947b763bdd9dbdc5bca259a24141e"
+        }
       ]
     },
     {
@@ -18736,17 +18762,43 @@
         }
       ]
     },
+    {
+      "SPDXID": "SPDXRef-Source2-origin",
+      "name": "openshift-pipelines-opc",
+      "versionInfo": "5c8cced44956893695bac7666ffe6bb3642f8aef",
+      "downloadLocation": "github.com/openshift-pipelines/opc",
+      "checksums": [
+        {
+          "algorithm": "SHA1",
+          "checksumValue": "c5d28fe15a4a8f6d483cdb984bc25d720d9c6631"
+        }
+      ],
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:generic/openshift-pipelines-opc@5c8cced44956893695bac7666ffe6bb3642f8aef?download_url=github.com/openshift-pipelines/opc&checksum=SHA1:c5d28fe15a4a8f6d483cdb984bc25d720d9c6631"
+        }
+      ]
+    },
     {
       "SPDXID": "SPDXRef-Source2",
       "name": "openshift-pipelines-opc",
       "versionInfo": "5c8cced44956893695bac7666ffe6bb3642f8aef",
-      "downloadLocation": "NOASSERTION",
+      "downloadLocation": "https://github.com/(RH openshift-pipelines-opc midstream repo)/archive/refs/tags/5c8cced44956893695bac7666ffe6bb3642f8aef",
       "packageFileName": "openshift-pipelines-opc-5c8cced44956893695bac7666ffe6bb3642f8aef.tar.gz",
       "checksums": [
         {
           "algorithm": "SHA256",
           "checksumValue": "0fb52748f4b2868782fab0f3a3c680d238c061c164b8854a89681c99b357cf33"
         }
+      ],
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:generic/[email protected]?download_url=https://github.com/(RH openshift-pipelines-opc midstream repo)/archive/refs/tags/5c8cced44956893695bac7666ffe6bb3642f8aef"
+        }
       ]
     },
     {
@@ -18994,10 +19046,17 @@
     {
       "fileName": "/go.mod",
       "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "61e310ee28d636ae56f3bd5b58308385cb4be6e5"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "e8545aa76ef2e12ae5217094aec34a484a89e2a03b6fbd2a462cc8fd95912c07"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19009,10 +19068,17 @@
     {
       "fileName": "/tools/go.mod",
       "SPDXID": "SPDXRef-File-tools-go.mod-9a8d257e44c7907a",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "1f22db3942a1f6f65156bd3fe1d7bf977c7277a8"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "a1d0f7714175923c352600d162681cf6ed1d5a100a2f05d4953354f5d6bc51c8"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19024,10 +19090,17 @@
     {
       "fileName": "/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt",
       "SPDXID": "SPDXRef-File-...go-tuf-requirements-test.txt-8c7951abcf93b096",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "e165e5712c8c96df7c42b3abdcadf405a6934819"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "4c3e2e90d140cef32beb9c97a8ef711e7655da767648d2b2844f4a6979872ff3"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19039,10 +19112,17 @@
     {
       "fileName": "/vendor/go.opentelemetry.io/otel/requirements.txt",
       "SPDXID": "SPDXRef-File-...otel-requirements.txt-b69fd806af1e91ad",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "68bdb1034b31d05232669762f2be7f56fff5d849"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "1ed38028659fda92b4f34d11c83bc4f8669526f84ef6f4fbc6c24f03b2c42ead"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19054,10 +19134,17 @@
     {
       "fileName": "/go.mod",
       "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "61e119e3ec020c03afca7138b9a716c954726032"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "86eae4213ebf7a97720650b7753ac0db444c9669d5849741ad568e134e35c255"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19069,10 +19156,17 @@
     {
       "fileName": "/go.mod",
       "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "96208d53013a00d87da290fb15f29ff76621bb8f"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "2af9d1fe8ad92c27ab71c0a1195800e5fc9f990ea14cb5c6278963bb1856eab9"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19084,10 +19178,17 @@
     {
       "fileName": "/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt",
       "SPDXID": "SPDXRef-File-...go-tuf-requirements-test.txt-8c7951abcf93b096",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "e165e5712c8c96df7c42b3abdcadf405a6934819"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "4c3e2e90d140cef32beb9c97a8ef711e7655da767648d2b2844f4a6979872ff3"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -19099,10 +19200,17 @@
     {
       "fileName": "/vendor/go.opentelemetry.io/otel/requirements.txt",
       "SPDXID": "SPDXRef-File-...otel-requirements.txt-b69fd806af1e91ad",
+      "fileTypes": [
+        "TEXT"
+      ],
       "checksums": [
         {
           "algorithm": "SHA1",
-          "checksumValue": "0000000000000000000000000000000000000000"
+          "checksumValue": "68bdb1034b31d05232669762f2be7f56fff5d849"
+        },
+        {
+          "algorithm": "SHA256",
+          "checksumValue": "1ed38028659fda92b4f34d11c83bc4f8669526f84ef6f4fbc6c24f03b2c42ead"
         }
       ],
       "licenseConcluded": "NOASSERTION",
@@ -24038,6 +24146,11 @@
       "relatedSpdxElement": "SPDXRef-DocumentRoot-Directory-openshift-pipelines-opc-5c8cced44956893695bac7666ffe6bb3642f8aef",
       "relationshipType": "CONTAINS"
     },
+    {
+      "spdxElementId": "SPDXRef-Source0",
+      "relationshipType": "GENERATED_FROM",
+      "relatedSpdxElement": "SPDXRef-Source0-origin"
+    },
     {
       "spdxElementId": "SPDXRef-SRPM",
       "relationshipType": "CONTAINS",
@@ -24048,6 +24161,11 @@
       "relationshipType": "CONTAINS",
       "relatedSpdxElement": "SPDXRef-Source1"
     },
+    {
+      "spdxElementId": "SPDXRef-Source2",
+      "relationshipType": "GENERATED_FROM",
+      "relatedSpdxElement": "SPDXRef-Source2-origin"
+    },
     {
       "spdxElementId": "SPDXRef-SRPM",
       "relationshipType": "CONTAINS",

diff --git a/sbom/examples/rpm/build/openssl-3.0.7-18.el9_2.spdx.json b/sbom/examples/rpm/build/openssl-3.0.7-18.el9_2.spdx.json
@@ -46,7 +46,6 @@
       "name": "openssl",
       "versionInfo": "3.0.7",
       "downloadLocation": "https://openssl.org/source/openssl-3.0.7.tar.gz",
-      "packageFileName": "openssl-3.0.7.tar.gz",
       "checksums": [
         {
           "algorithm": "SHA256",
@@ -57,9 +56,10 @@
         {
           "referenceCategory": "PACKAGE-MANAGER",
           "referenceType": "purl",
-          "referenceLocator": "pkg:generic/[email protected]?download_url=https://openssl.org/source/openssl-3.0.7.tar.gz&checksum=sha256:83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e"
+          "referenceLocator": "pkg:generic/[email protected]?download_url=https://openssl.org/source/openssl-3.0.7.tar.gz&checksum=SHA256:83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e"
         }
-      ]
+      ],
+      "packageFileName": "openssl-3.0.7.tar.gz"
     },
     {
       "SPDXID": "SPDXRef-Source0",