Fix RPM missing checksum reporting

This patch fixes the property that is added to the SBOM component indicating that an RPM file had its checksum missing in a processed lockfile to point to the actual lockfile path, instead of the RPM filename. Signed-off-by: Bruno Pimentel <[email protected]>
containerbuildsystem · Apr 23, 2024 · 3c6b69b · 3c6b69b
1 parent 239ef25
commit 3c6b69b
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 9 deletions.
diff --git a/cachi2/core/package_managers/rpm/main.py b/cachi2/core/package_managers/rpm/main.py
@@ -88,7 +88,9 @@ def _resolve_rpm_project(source_dir: RootedPath, output_dir: RootedPath) -> list
         package_dir = output_dir.join_within_root(DEFAULT_PACKAGE_DIR)
         metadata = _download(redhat_rpms_lock, package_dir.path)
         _verify_downloaded(metadata)
-        return _generate_sbom_components(metadata)
+
+        lockfile_relative_path = (source_dir.subpath_from_root / DEFAULT_LOCKFILE_NAME).name
+        return _generate_sbom_components(metadata, lockfile_relative_path)
 
 
 def _download(lockfile: RedhatRpmsLock, output_dir: Path) -> dict[Path, Any]:
@@ -167,7 +169,9 @@ def raise_exception(message: str) -> None:
                 raise_exception(f"Unmatched checksum of '{file_path}' != '{digest}'")
 
 
-def _generate_sbom_components(files_metadata: dict[Path, Any]) -> list[Component]:
+def _generate_sbom_components(
+    files_metadata: dict[Path, Any], lockfile_path: str
+) -> list[Component]:
     """Fill the component list with the package records."""
     components: list[Component] = []
     for file_path, file_metadata in files_metadata.items():
@@ -208,8 +212,7 @@ def _generate_sbom_components(files_metadata: dict[Path, Any]) -> list[Component
         )
 
         if file_metadata["checksum"] is None:
-            missing_hash_in_file = file_path.name
-            properties = [Property(name="cachi2:missing_hash:in_file", value=missing_hash_in_file)]
+            properties = [Property(name="cachi2:missing_hash:in_file", value=lockfile_path)]
         else:
             properties = []
 

diff --git a/tests/unit/package_managers/test_rpm.py b/tests/unit/package_managers/test_rpm.py
@@ -283,10 +283,13 @@ def test_resolve_rpm_project(
     output_dir.join_within_root.return_value.path = mock_package_dir_path
     mock_download.return_value = {}
 
-    _resolve_rpm_project(mock.Mock(), output_dir)
+    source_dir = mock.Mock()
+    source_dir.subpath_from_root = Path()
+
+    _resolve_rpm_project(source_dir, output_dir)
     mock_download.assert_called_once_with(mock_model_validate.return_value, mock_package_dir_path)
     mock_verify_downloaded.assert_called_once_with({})
-    mock_generate_sbom_components.assert_called_once_with({})
+    mock_generate_sbom_components.assert_called_once_with({}, "rpms.lock.yaml")
 
 
 @mock.patch("cachi2.core.package_managers.rpm.main.run_cmd")
@@ -345,7 +348,7 @@ def test_generate_sbom_components(mock_run_cmd: mock.Mock) -> None:
             "checksum": "sha256:21bb2a09852e75a693d277435c162e1a910835c53c3cee7636dd552d450ed0f1",
         }
     }
-    components = _generate_sbom_components(files_metadata)
+    components = _generate_sbom_components(files_metadata, "rpms.lock.yaml")
     assert components == [
         Component(
             name=name,
@@ -374,14 +377,14 @@ def test_generate_sbom_components_missing_checksum(mock_run_cmd: mock.Mock) -> N
             "checksum": None,
         }
     }
-    components = _generate_sbom_components(files_metadata)
+    components = _generate_sbom_components(files_metadata, "rpms.lock.yaml")
     assert components == [
         Component(
             name=name,
             version=version,
             purl=f"pkg:rpm/{vendor}/{name}@{version}-{release}?arch={arch}&download_url={quote(url)}",
             properties=[
-                Property(name="cachi2:missing_hash:in_file", value="foo-1.0-2.fc39.x86_64.rpm"),
+                Property(name="cachi2:missing_hash:in_file", value="rpms.lock.yaml"),
             ],
         )
     ]