diff --git a/sbom/examples/rpm/build/from-koji.py b/sbom/examples/rpm/build/from-koji.py index dc7ea41..638ef79 100755 --- a/sbom/examples/rpm/build/from-koji.py +++ b/sbom/examples/rpm/build/from-koji.py @@ -134,21 +134,17 @@ def run_syft(builddir): relationships.extend(filtered_rels) -def mock_openssl_midstream(sfn, source, sname, sver): +def mock_midstream(digest, alg, source, sname, sver, url, ext): # Model a midstream repository for this. - ext = re.sub(r".*-hobbled\.", "", sfn) - url = f"https://openssl.org/source/openssl-{sver}.{ext}" # Hard-code example value for 3.0.7 - digest = "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e" upackage = { "SPDXID": f"SPDXRef-{source}-origin", "name": sname, "versionInfo": sver, "downloadLocation": url, - "packageFileName": f"{sname}-{sver}.{ext}", "checksums": [ { - "algorithm": "SHA256", + "algorithm": alg, "checksumValue": digest, }, ], @@ -156,12 +152,13 @@ def mock_openssl_midstream(sfn, source, sname, sver): { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": ( - f"pkg:generic/{sname}@{sver}?download_url={url}&checksum=sha256:{digest}", - ), + "referenceLocator": + f"pkg:generic/{sname}@{sver}?download_url={url}&checksum={alg}:{digest}", } ], } + if ext: + upackage["packageFileName"] = f"{sname}-{sver}.{ext}" pkgs_by_arch.setdefault(arch, []).append(upackage) relationships.append( @@ -173,7 +170,9 @@ def mock_openssl_midstream(sfn, source, sname, sver): ) # Construct the URL for the sourceN package - url = f"https://github.com/(RH openssl midstream repo)/archive/refs/tags/{sver}.{ext}" + url = f"https://github.com/(RH {sname} midstream repo)/archive/refs/tags/{sver}" + if ext: + url = f"{url}.{ext}" return url 
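Review bot: `mock_midstream` has no docstring even though its contract widened in this hunk, and a caller cannot tell from the signature what `alg`, `url` and `ext` must look like. `alg` is written verbatim into `checksums[].algorithm`, `url` becomes the origin package's `downloadLocation`, and an empty `ext` suppresses `packageFileName`. The function also appends to `pkgs_by_arch` and `relationships`, which are not parameters. I would add `"""Record a mock upstream ("-origin") package for `source` and return the mock midstream URL; `alg` must be an SPDX checksum algorithm name such as "SHA256"."""` plus one line naming the shared state it mutates. The body continues past this hunk.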
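Review bot: The purl checksum qualifier now takes its algorithm from `alg`, which callers pass in SPDX upper case, so the regenerated openssl example changes from `checksum=sha256:` to `checksum=SHA256:`. The purl specification writes this qualifier as a lowercase algorithm name followed by the hex value, so consumers that match on it may stop recognising the checksum. Keep the SPDX field as is and lowercase only the purl: `f"pkg:generic/{sname}@{sver}?download_url={url}&checksum={alg.lower()}:{digest}"`. `url` is also interpolated without percent-encoding, so a space, `&` or `?` in it would change how the qualifiers parse. The midstream URL built later in this function contains spaces and parentheses and reaches a purl the same way in `handle_srpm`.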
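Review bot: The release examples committed with this change look stale relative to the `if ext:` guard added here. In `release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json`, Source0 and Source2 still have a `downloadLocation` and purl ending in `...refs/tags/<commit>.` with a trailing dot, while the build copy of the same file does not. Regenerating the release files from the final script would make the two sets agree. A short comment on the guard, e.g. `# ext is empty for sources identified by commit; avoid a trailing "."`, would explain why the suffix is conditional.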
@@ -248,9 +247,36 @@ def handle_srpm(filename, name): (sname, sver) = tarball_re.match(sfn).groups() - # Special case to fix up example for openssl + # See Component Registry for a full worked example of unpacking sources + # https://github.com/RedHatProductSecurity/component-registry/blob/ + # c05d571ee37fde97a0bf109bcba23e3255df3964/corgi/tasks/sca.py#L296 if sname == "openssl": - url = mock_openssl_midstream(sfn, source, sname, sver) + digest = "83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e" + alg = "SHA256" + ext = re.sub(r".*-hobbled\.", "", sfn) + upstream_url = f"https://openssl.org/source/openssl-{sver}.{ext}" + url = mock_midstream(digest, alg, source, sname, sver, upstream_url, ext) + + # From distgit rpms/tektoncd-cli/tree/source-repos + # ?h=pipelines-1.15-rhel-8&id=c30abfafca5c2865129111a8b7b3e96499d6dbbf + elif sname == "tektoncd-cli": + digest = "f8b6dc07a0f51f93a138c287ccdc81fbef410554" + alg = "SHA1" + upstream_url = "https://github.com/tektoncd/cli" + url = mock_midstream(digest, alg, source, sname, sver, upstream_url, "") + + elif sname == "pipeline-as-code": + digest = "cfdf86bdbf1cdfbeadad20747a77294da4bc8c90" + alg = "SHA1" + upstream_url = "github.com/openshift-pipelines/pipelines-as-code" + url = mock_midstream(digest, alg, source, sname, sver, upstream_url, "") + + elif sname == "openshift-pipelines-opc": + digest = "c5d28fe15a4a8f6d483cdb984bc25d720d9c6631" + alg = "SHA1" + upstream_url = "github.com/openshift-pipelines/opc" + url = mock_midstream(digest, alg, source, sname, sver, upstream_url, "") + # Calculate checksum sha256 = hashlib.sha256() @@ -281,6 +307,7 @@ def handle_srpm(filename, name): } if not sver: del spackage["versioninfo"] + if url != "NOASSERTION": purl = f"pkg:generic/{name}@{version}?download_url={url}" spackage["externalRefs"] = [ @@ -290,6 +317,7 @@ def handle_srpm(filename, name): "referenceLocator": purl, } ] + pkgs_by_arch.setdefault(arch, []).append(spackage) relationships.append( 
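Review bot: Two of the new `upstream_url` values have no scheme (`"github.com/openshift-pipelines/pipelines-as-code"` and `"github.com/openshift-pipelines/opc"`), so they are written unchanged into `downloadLocation` and the purl `download_url`, as the regenerated example shows with `"downloadLocation": "github.com/openshift-pipelines/opc"`. SPDX expects a URL or VCS locator in that field, so use `upstream_url = "https://github.com/openshift-pipelines/pipelines-as-code"` and `upstream_url = "https://github.com/openshift-pipelines/opc"` to match the tektoncd-cli branch. The branch key `"pipeline-as-code"` differs from the repository name `pipelines-as-code`, and the examples gain origin packages only for Source0 and Source2, so that branch may never match; it is worth checking against the actual tarball name. Each digest is keyed on `sname` alone, so any other version of these sources would be recorded with a checksum that does not belong to it; a guard on `sver`, or a comment stating the pinned version, would prevent a misleading SBOM entry. `handle_srpm` begins and ends outside this hunk.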
diff --git a/sbom/examples/rpm/build/openshift-pipelines-client-1.14.3-11352.el8.spdx.json b/sbom/examples/rpm/build/openshift-pipelines-client-1.14.3-11352.el8.spdx.json index c3e4c9c..6b9d7c0 100644 --- a/sbom/examples/rpm/build/openshift-pipelines-client-1.14.3-11352.el8.spdx.json +++ b/sbom/examples/rpm/build/openshift-pipelines-client-1.14.3-11352.el8.spdx.json @@ -18710,17 +18710,43 @@ } ] }, + { + "SPDXID": "SPDXRef-Source0-origin", + "name": "tektoncd-cli", + "versionInfo": "4854f37a16f947b763bdd9dbdc5bca259a24141e", + "downloadLocation": "https://github.com/tektoncd/cli", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "f8b6dc07a0f51f93a138c287ccdc81fbef410554" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:generic/tektoncd-cli@4854f37a16f947b763bdd9dbdc5bca259a24141e?download_url=https://github.com/tektoncd/cli&checksum=SHA1:f8b6dc07a0f51f93a138c287ccdc81fbef410554" + } + ] + }, { "SPDXID": "SPDXRef-Source0", "name": "tektoncd-cli", "versionInfo": "4854f37a16f947b763bdd9dbdc5bca259a24141e", - "downloadLocation": "NOASSERTION", + "downloadLocation": "https://github.com/(RH tektoncd-cli midstream repo)/archive/refs/tags/4854f37a16f947b763bdd9dbdc5bca259a24141e", "packageFileName": "tektoncd-cli-4854f37a16f947b763bdd9dbdc5bca259a24141e.tar.gz", "checksums": [ { "algorithm": "SHA256", "checksumValue": "aabc96f5ad3ca2cd8a87f02cfd8a7faff79f98e3e3f065b56cce3e57374a1ad5" } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:generic/openshift-pipelines-client@1.14.3?download_url=https://github.com/(RH tektoncd-cli midstream repo)/archive/refs/tags/4854f37a16f947b763bdd9dbdc5bca259a24141e" + } ] }, { 
@@ -18736,17 +18762,43 @@ } ] }, + { + "SPDXID": "SPDXRef-Source2-origin", + "name": "openshift-pipelines-opc", + "versionInfo": "5c8cced44956893695bac7666ffe6bb3642f8aef", + "downloadLocation": "github.com/openshift-pipelines/opc", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "c5d28fe15a4a8f6d483cdb984bc25d720d9c6631" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:generic/openshift-pipelines-opc@5c8cced44956893695bac7666ffe6bb3642f8aef?download_url=github.com/openshift-pipelines/opc&checksum=SHA1:c5d28fe15a4a8f6d483cdb984bc25d720d9c6631" + } + ] + }, { "SPDXID": "SPDXRef-Source2", "name": "openshift-pipelines-opc", "versionInfo": "5c8cced44956893695bac7666ffe6bb3642f8aef", - "downloadLocation": "NOASSERTION", + "downloadLocation": "https://github.com/(RH openshift-pipelines-opc midstream repo)/archive/refs/tags/5c8cced44956893695bac7666ffe6bb3642f8aef", "packageFileName": "openshift-pipelines-opc-5c8cced44956893695bac7666ffe6bb3642f8aef.tar.gz", "checksums": [ { "algorithm": "SHA256", "checksumValue": "0fb52748f4b2868782fab0f3a3c680d238c061c164b8854a89681c99b357cf33" } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:generic/openshift-pipelines-client@1.14.3?download_url=https://github.com/(RH openshift-pipelines-opc midstream repo)/archive/refs/tags/5c8cced44956893695bac7666ffe6bb3642f8aef" + } ] }, { @@ -18994,10 +19046,17 @@ { "fileName": "/go.mod", "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "61e310ee28d636ae56f3bd5b58308385cb4be6e5" + }, + { + "algorithm": "SHA256", + "checksumValue": "e8545aa76ef2e12ae5217094aec34a484a89e2a03b6fbd2a462cc8fd95912c07" } ], "licenseConcluded": "NOASSERTION", 
@@ -19009,10 +19068,17 @@ { "fileName": "/tools/go.mod", "SPDXID": "SPDXRef-File-tools-go.mod-9a8d257e44c7907a", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "1f22db3942a1f6f65156bd3fe1d7bf977c7277a8" + }, + { + "algorithm": "SHA256", + "checksumValue": "a1d0f7714175923c352600d162681cf6ed1d5a100a2f05d4953354f5d6bc51c8" } ], "licenseConcluded": "NOASSERTION", @@ -19024,10 +19090,17 @@ { "fileName": "/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt", "SPDXID": "SPDXRef-File-...go-tuf-requirements-test.txt-8c7951abcf93b096", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "e165e5712c8c96df7c42b3abdcadf405a6934819" + }, + { + "algorithm": "SHA256", + "checksumValue": "4c3e2e90d140cef32beb9c97a8ef711e7655da767648d2b2844f4a6979872ff3" } ], "licenseConcluded": "NOASSERTION", @@ -19039,10 +19112,17 @@ { "fileName": "/vendor/go.opentelemetry.io/otel/requirements.txt", "SPDXID": "SPDXRef-File-...otel-requirements.txt-b69fd806af1e91ad", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "68bdb1034b31d05232669762f2be7f56fff5d849" + }, + { + "algorithm": "SHA256", + "checksumValue": "1ed38028659fda92b4f34d11c83bc4f8669526f84ef6f4fbc6c24f03b2c42ead" } ], "licenseConcluded": "NOASSERTION", @@ -19054,10 +19134,17 @@ { "fileName": "/go.mod", "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "61e119e3ec020c03afca7138b9a716c954726032" + }, + { + "algorithm": "SHA256", + "checksumValue": "86eae4213ebf7a97720650b7753ac0db444c9669d5849741ad568e134e35c255" } ], "licenseConcluded": "NOASSERTION", 
@@ -19069,10 +19156,17 @@ { "fileName": "/go.mod", "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "96208d53013a00d87da290fb15f29ff76621bb8f" + }, + { + "algorithm": "SHA256", + "checksumValue": "2af9d1fe8ad92c27ab71c0a1195800e5fc9f990ea14cb5c6278963bb1856eab9" } ], "licenseConcluded": "NOASSERTION", @@ -19084,10 +19178,17 @@ { "fileName": "/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt", "SPDXID": "SPDXRef-File-...go-tuf-requirements-test.txt-8c7951abcf93b096", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "e165e5712c8c96df7c42b3abdcadf405a6934819" + }, + { + "algorithm": "SHA256", + "checksumValue": "4c3e2e90d140cef32beb9c97a8ef711e7655da767648d2b2844f4a6979872ff3" } ], "licenseConcluded": "NOASSERTION", @@ -19099,10 +19200,17 @@ { "fileName": "/vendor/go.opentelemetry.io/otel/requirements.txt", "SPDXID": "SPDXRef-File-...otel-requirements.txt-b69fd806af1e91ad", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "68bdb1034b31d05232669762f2be7f56fff5d849" + }, + { + "algorithm": "SHA256", + "checksumValue": "1ed38028659fda92b4f34d11c83bc4f8669526f84ef6f4fbc6c24f03b2c42ead" } ], "licenseConcluded": "NOASSERTION", @@ -24038,6 +24146,11 @@ "relatedSpdxElement": "SPDXRef-DocumentRoot-Directory-openshift-pipelines-opc-5c8cced44956893695bac7666ffe6bb3642f8aef", "relationshipType": "CONTAINS" }, + { + "spdxElementId": "SPDXRef-Source0", + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "SPDXRef-Source0-origin" + }, { "spdxElementId": "SPDXRef-SRPM", "relationshipType": "CONTAINS", 
@@ -24048,6 +24161,11 @@ "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Source1" }, + { + "spdxElementId": "SPDXRef-Source2", + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "SPDXRef-Source2-origin" + }, { "spdxElementId": "SPDXRef-SRPM", "relationshipType": "CONTAINS", diff --git a/sbom/examples/rpm/build/openssl-3.0.7-18.el9_2.spdx.json b/sbom/examples/rpm/build/openssl-3.0.7-18.el9_2.spdx.json index 2e57478..2531e7c 100644 --- a/sbom/examples/rpm/build/openssl-3.0.7-18.el9_2.spdx.json +++ b/sbom/examples/rpm/build/openssl-3.0.7-18.el9_2.spdx.json @@ -46,7 +46,6 @@ "name": "openssl", "versionInfo": "3.0.7", "downloadLocation": "https://openssl.org/source/openssl-3.0.7.tar.gz", - "packageFileName": "openssl-3.0.7.tar.gz", "checksums": [ { "algorithm": "SHA256", @@ -57,9 +56,10 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:generic/openssl@3.0.7?download_url=https://openssl.org/source/openssl-3.0.7.tar.gz&checksum=sha256:83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e" + "referenceLocator": "pkg:generic/openssl@3.0.7?download_url=https://openssl.org/source/openssl-3.0.7.tar.gz&checksum=SHA256:83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e" } - ] + ], + "packageFileName": "openssl-3.0.7.tar.gz" }, { "SPDXID": "SPDXRef-Source0", diff --git a/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json b/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json index 4999993..84412f3 100644 --- a/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json +++ b/sbom/examples/rpm/release/openshift-pipelines-client-1.14.3-11352.el8.spdx.json 
@@ -18725,17 +18725,43 @@ } ] }, + { + "SPDXID": "SPDXRef-Source0-origin", + "name": "tektoncd-cli", + "versionInfo": "4854f37a16f947b763bdd9dbdc5bca259a24141e", + "downloadLocation": "https://github.com/tektoncd/cli", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "f8b6dc07a0f51f93a138c287ccdc81fbef410554" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:generic/tektoncd-cli@4854f37a16f947b763bdd9dbdc5bca259a24141e?download_url=https://github.com/tektoncd/cli&checksum=SHA1:f8b6dc07a0f51f93a138c287ccdc81fbef410554" + } + ] + }, { "SPDXID": "SPDXRef-Source0", "name": "tektoncd-cli", "versionInfo": "4854f37a16f947b763bdd9dbdc5bca259a24141e", - "downloadLocation": "NOASSERTION", + "downloadLocation": "https://github.com/(RH tektoncd-cli midstream repo)/archive/refs/tags/4854f37a16f947b763bdd9dbdc5bca259a24141e.", "packageFileName": "tektoncd-cli-4854f37a16f947b763bdd9dbdc5bca259a24141e.tar.gz", "checksums": [ { "algorithm": "SHA256", "checksumValue": "aabc96f5ad3ca2cd8a87f02cfd8a7faff79f98e3e3f065b56cce3e57374a1ad5" } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:generic/openshift-pipelines-client@1.14.3?download_url=https://github.com/(RH tektoncd-cli midstream repo)/archive/refs/tags/4854f37a16f947b763bdd9dbdc5bca259a24141e." + } ] }, { 
@@ -18751,17 +18777,43 @@ } ] }, + { + "SPDXID": "SPDXRef-Source2-origin", + "name": "openshift-pipelines-opc", + "versionInfo": "5c8cced44956893695bac7666ffe6bb3642f8aef", + "downloadLocation": "github.com/openshift-pipelines/opc", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "c5d28fe15a4a8f6d483cdb984bc25d720d9c6631" + } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:generic/openshift-pipelines-opc@5c8cced44956893695bac7666ffe6bb3642f8aef?download_url=github.com/openshift-pipelines/opc&checksum=SHA1:c5d28fe15a4a8f6d483cdb984bc25d720d9c6631" + } + ] + }, { "SPDXID": "SPDXRef-Source2", "name": "openshift-pipelines-opc", "versionInfo": "5c8cced44956893695bac7666ffe6bb3642f8aef", - "downloadLocation": "NOASSERTION", + "downloadLocation": "https://github.com/(RH openshift-pipelines-opc midstream repo)/archive/refs/tags/5c8cced44956893695bac7666ffe6bb3642f8aef.", "packageFileName": "openshift-pipelines-opc-5c8cced44956893695bac7666ffe6bb3642f8aef.tar.gz", "checksums": [ { "algorithm": "SHA256", "checksumValue": "0fb52748f4b2868782fab0f3a3c680d238c061c164b8854a89681c99b357cf33" } + ], + "externalRefs": [ + { + "referenceCategory": "PACKAGE-MANAGER", + "referenceType": "purl", + "referenceLocator": "pkg:generic/openshift-pipelines-client@1.14.3?download_url=https://github.com/(RH openshift-pipelines-opc midstream repo)/archive/refs/tags/5c8cced44956893695bac7666ffe6bb3642f8aef." + } ] }, { @@ -19009,10 +19061,17 @@ { "fileName": "/go.mod", "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "61e310ee28d636ae56f3bd5b58308385cb4be6e5" + }, + { + "algorithm": "SHA256", + "checksumValue": "e8545aa76ef2e12ae5217094aec34a484a89e2a03b6fbd2a462cc8fd95912c07" } ], "licenseConcluded": "NOASSERTION", 
@@ -19024,10 +19083,17 @@ { "fileName": "/tools/go.mod", "SPDXID": "SPDXRef-File-tools-go.mod-9a8d257e44c7907a", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "1f22db3942a1f6f65156bd3fe1d7bf977c7277a8" + }, + { + "algorithm": "SHA256", + "checksumValue": "a1d0f7714175923c352600d162681cf6ed1d5a100a2f05d4953354f5d6bc51c8" } ], "licenseConcluded": "NOASSERTION", @@ -19039,10 +19105,17 @@ { "fileName": "/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt", "SPDXID": "SPDXRef-File-...go-tuf-requirements-test.txt-8c7951abcf93b096", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "e165e5712c8c96df7c42b3abdcadf405a6934819" + }, + { + "algorithm": "SHA256", + "checksumValue": "4c3e2e90d140cef32beb9c97a8ef711e7655da767648d2b2844f4a6979872ff3" } ], "licenseConcluded": "NOASSERTION", @@ -19054,10 +19127,17 @@ { "fileName": "/vendor/go.opentelemetry.io/otel/requirements.txt", "SPDXID": "SPDXRef-File-...otel-requirements.txt-b69fd806af1e91ad", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "68bdb1034b31d05232669762f2be7f56fff5d849" + }, + { + "algorithm": "SHA256", + "checksumValue": "1ed38028659fda92b4f34d11c83bc4f8669526f84ef6f4fbc6c24f03b2c42ead" } ], "licenseConcluded": "NOASSERTION", @@ -19069,10 +19149,17 @@ { "fileName": "/go.mod", "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "61e119e3ec020c03afca7138b9a716c954726032" + }, + { + "algorithm": "SHA256", + "checksumValue": "86eae4213ebf7a97720650b7753ac0db444c9669d5849741ad568e134e35c255" } ], "licenseConcluded": "NOASSERTION", 
@@ -19084,10 +19171,17 @@ { "fileName": "/go.mod", "SPDXID": "SPDXRef-File-go.mod-3fc5a8d3d86e9790", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "96208d53013a00d87da290fb15f29ff76621bb8f" + }, + { + "algorithm": "SHA256", + "checksumValue": "2af9d1fe8ad92c27ab71c0a1195800e5fc9f990ea14cb5c6278963bb1856eab9" } ], "licenseConcluded": "NOASSERTION", @@ -19099,10 +19193,17 @@ { "fileName": "/vendor/github.com/theupdateframework/go-tuf/requirements-test.txt", "SPDXID": "SPDXRef-File-...go-tuf-requirements-test.txt-8c7951abcf93b096", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "e165e5712c8c96df7c42b3abdcadf405a6934819" + }, + { + "algorithm": "SHA256", + "checksumValue": "4c3e2e90d140cef32beb9c97a8ef711e7655da767648d2b2844f4a6979872ff3" } ], "licenseConcluded": "NOASSERTION", @@ -19114,10 +19215,17 @@ { "fileName": "/vendor/go.opentelemetry.io/otel/requirements.txt", "SPDXID": "SPDXRef-File-...otel-requirements.txt-b69fd806af1e91ad", + "fileTypes": [ + "TEXT" + ], "checksums": [ { "algorithm": "SHA1", - "checksumValue": "0000000000000000000000000000000000000000" + "checksumValue": "68bdb1034b31d05232669762f2be7f56fff5d849" + }, + { + "algorithm": "SHA256", + "checksumValue": "1ed38028659fda92b4f34d11c83bc4f8669526f84ef6f4fbc6c24f03b2c42ead" } ], "licenseConcluded": "NOASSERTION", @@ -24053,6 +24161,11 @@ "relatedSpdxElement": "SPDXRef-DocumentRoot-Directory-openshift-pipelines-opc-5c8cced44956893695bac7666ffe6bb3642f8aef", "relationshipType": "CONTAINS" }, + { + "spdxElementId": "SPDXRef-Source0", + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "SPDXRef-Source0-origin" + }, { "spdxElementId": "SPDXRef-SRPM", "relationshipType": "CONTAINS", 
@@ -24063,6 +24176,11 @@ "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Source1" }, + { + "spdxElementId": "SPDXRef-Source2", + "relationshipType": "GENERATED_FROM", + "relatedSpdxElement": "SPDXRef-Source2-origin" + }, { "spdxElementId": "SPDXRef-SRPM", "relationshipType": "CONTAINS", diff --git a/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json b/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json index 9d1a908..8e1b076 100644 --- a/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json +++ b/sbom/examples/rpm/release/openssl-3.0.7-18.el9_2.spdx.json @@ -116,7 +116,6 @@ "name": "openssl", "versionInfo": "3.0.7", "downloadLocation": "https://openssl.org/source/openssl-3.0.7.tar.gz", - "packageFileName": "openssl-3.0.7.tar.gz", "checksums": [ { "algorithm": "SHA256", @@ -127,9 +126,10 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:generic/openssl@3.0.7?download_url=https://openssl.org/source/openssl-3.0.7.tar.gz&checksum=sha256:83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e" + "referenceLocator": "pkg:generic/openssl@3.0.7?download_url=https://openssl.org/source/openssl-3.0.7.tar.gz&checksum=SHA256:83049d042a260e696f62406ac5c08bf706fd84383f945cf21bd61e9ed95c396e" } - ] + ], + "packageFileName": "openssl-3.0.7.tar.gz" }, { "SPDXID": "SPDXRef-Source0",