

SPDX Parser: ingest CPE from externalRefs (guacsec#1347)
* SPDX Parser: ingest CPE from externalRefs

Signed-off-by: mrizzi <[email protected]>

* SPDX Parser: HasMetadata to ingest CPE from externalRefs

Signed-off-by: mrizzi <[email protected]>

---------

Signed-off-by: mrizzi <[email protected]>
mrizzi authored Oct 9, 2023
1 parent 9254f32 commit 542f03f
Showing 3 changed files with 125 additions and 0 deletions.
96 changes: 96 additions & 0 deletions internal/testing/testdata/testdata.go
Expand Up @@ -799,10 +799,102 @@ var (
},
}

SpdxHasMetadata = []assembler.HasMetadataIngest{
{
Pkg: baselayoutPack,
PkgMatchFlag: model.MatchFlags{Pkg: model.PkgMatchTypeSpecificVersion},
HasMetadata: &model.HasMetadataInputSpec{
Key: "cpe",
Value: "cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.2.0-r22:*:*:*:*:*:*:*",
Justification: "spdx cpe external reference",
Origin: "GUAC SPDX",
Collector: "GUAC",
},
},
{
Pkg: baselayoutPack,
PkgMatchFlag: model.MatchFlags{Pkg: model.PkgMatchTypeSpecificVersion},
HasMetadata: &model.HasMetadataInputSpec{
Key: "cpe",
Value: "cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.2.0-r22:*:*:*:*:*:*:*",
Justification: "spdx cpe external reference",
Origin: "GUAC SPDX",
Collector: "GUAC",
},
},
{
Pkg: baselayoutdataPack,
PkgMatchFlag: model.MatchFlags{Pkg: model.PkgMatchTypeSpecificVersion},
HasMetadata: &model.HasMetadataInputSpec{
Key: "cpe",
Value: "cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.2.0-r22:*:*:*:*:*:*:*",
Justification: "spdx cpe external reference",
Origin: "GUAC SPDX",
Collector: "GUAC",
},
},
{
Pkg: baselayoutdataPack,
PkgMatchFlag: model.MatchFlags{Pkg: model.PkgMatchTypeSpecificVersion},
HasMetadata: &model.HasMetadataInputSpec{
Key: "cpe",
Value: "cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.2.0-r22:*:*:*:*:*:*:*",
Justification: "spdx cpe external reference",
Origin: "GUAC SPDX",
Collector: "GUAC",
},
},
{
Pkg: keysPack,
PkgMatchFlag: model.MatchFlags{Pkg: model.PkgMatchTypeSpecificVersion},
HasMetadata: &model.HasMetadataInputSpec{
Key: "cpe",
Value: "cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*",
Justification: "spdx cpe external reference",
Origin: "GUAC SPDX",
Collector: "GUAC",
},
},
{
Pkg: keysPack,
PkgMatchFlag: model.MatchFlags{Pkg: model.PkgMatchTypeSpecificVersion},
HasMetadata: &model.HasMetadataInputSpec{
Key: "cpe",
Value: "cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*",
Justification: "spdx cpe external reference",
Origin: "GUAC SPDX",
Collector: "GUAC",
},
},
{
Pkg: keysPack,
PkgMatchFlag: model.MatchFlags{Pkg: model.PkgMatchTypeSpecificVersion},
HasMetadata: &model.HasMetadataInputSpec{
Key: "cpe",
Value: "cpe:2.3:a:alpine:alpine-keys:2.4-r1:*:*:*:*:*:*:*",
Justification: "spdx cpe external reference",
Origin: "GUAC SPDX",
Collector: "GUAC",
},
},
{
Pkg: keysPack,
PkgMatchFlag: model.MatchFlags{Pkg: model.PkgMatchTypeSpecificVersion},
HasMetadata: &model.HasMetadataInputSpec{
Key: "cpe",
Value: "cpe:2.3:a:alpine:alpine_keys:2.4-r1:*:*:*:*:*:*:*",
Justification: "spdx cpe external reference",
Origin: "GUAC SPDX",
Collector: "GUAC",
},
},
}

SpdxIngestionPredicates = assembler.IngestPredicates{
IsDependency: SpdxDeps,
IsOccurrence: SpdxOccurences,
HasSBOM: SpdxHasSBOM,
HasMetadata: SpdxHasMetadata,
CertifyLegal: SpdxCertifyLegal,
}

Expand Down Expand Up @@ -2807,6 +2899,7 @@ var IngestPredicatesCmpOpts = []cmp.Option{
cmpopts.SortSlices(slsaPredicateInputSpecLess),
cmpopts.SortSlices(certifyLegalInputSpecLess),
cmpopts.SortSlices(licenseInputSpecLess),
cmpopts.SortSlices(hasMetadataLess),
}

func certifyScorecardLess(e1, e2 assembler.CertifyScorecardIngest) bool {
Expand Down Expand Up @@ -2840,6 +2933,9 @@ func certifyLegalInputSpecLess(e1, e2 assembler.CertifyLegalIngest) bool {
func licenseInputSpecLess(e1, e2 generated.LicenseInputSpec) bool {
return gLess(e1, e2)
}
func hasMetadataLess(e1, e2 assembler.HasMetadataIngest) bool {
return gLess(e1, e2)
}

func gLess(e1, e2 any) bool {
s1, _ := json.Marshal(e1)
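Review bot: `hasMetadataLess` sorts through `gLess`, which JSON-marshals the whole `HasMetadataIngest`, so `HasMetadata.Timestamp` becomes part of the sort key even though the parser test ignores that field when comparing; the expected fixtures carry a zero timestamp while the parser fills in `time.Now()`, so entries that differ only in timestamp could presumably sort differently on the two sides (the exact effect depends on the marshalled field order). With the fixtures as written no two entries share the same package and CPE value, so the order is unaffected today, but a future fixture with duplicate CPEs for one package would make the comparison flaky. A dedicated comparator ordering on `Pkg` and `HasMetadata.Key`/`Value` and skipping `Timestamp` would remove that dependency. `gLess` continues below the visible hunk.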
25 changes: 25 additions & 0 deletions pkg/ingestor/parser/spdx/parse_spdx.go
Expand Up @@ -360,6 +360,31 @@ func (s *spdxParser) GetPredicates(ctx context.Context) *assembler.IngestPredica
}
}

for _, pkg := range s.spdxDoc.Packages {
pkgInputSpecs := s.getPackageElement(string(pkg.PackageSPDXIdentifier))
for _, extRef := range pkg.PackageExternalReferences {
if extRef.Category == spdx_common.CategorySecurity {
locator := extRef.Locator
metadataInputSpec := &model.HasMetadataInputSpec{
Key: "cpe",
Value: locator,
Timestamp: time.Now().UTC(),
Justification: "spdx cpe external reference",
Origin: "GUAC SPDX",
Collector: "GUAC",
}
for i := range pkgInputSpecs {
hasMetadata := assembler.HasMetadataIngest{
Pkg: pkgInputSpecs[i],
PkgMatchFlag: model.MatchFlags{Pkg: generated.PkgMatchTypeSpecificVersion},
HasMetadata: metadataInputSpec,
}
preds.HasMetadata = append(preds.HasMetadata, hasMetadata)
}
}
}
}

return preds
}

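Review bot: The guard `if extRef.Category == spdx_common.CategorySecurity {` admits every SECURITY-category external reference, yet the record is hard-coded as `Key: "cpe"` / `Justification: "spdx cpe external reference"` without consulting `extRef.RefType`; SPDX's SECURITY category also carries non-CPE reference types (advisory, fix, url, swid in SPDX 2.3), so an SBOM with one of those would ingest an arbitrary URL as a CPE for the package. Tighten the check to the CPE types, e.g. `if extRef.Category == spdx_common.CategorySecurity && (extRef.RefType == spdx_common.TypeSecurityCPE23Type || extRef.RefType == spdx_common.TypeSecurityCPE22Type) {` (constant names as in tools-golang's common package; confirm against the vendored version). Since the locator comes straight from an untrusted document, a cheap sanity check such as `strings.HasPrefix(locator, "cpe:")` before building the record would also keep malformed values out of the graph. The enclosing `GetPredicates` begins before this hunk.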
4 changes: 4 additions & 0 deletions pkg/ingestor/parser/spdx/parse_spdx_test.go
Expand Up @@ -47,6 +47,10 @@ func Test_spdxParser(t *testing.T) {
}{
{
name: "valid big SPDX document",
additionalOpts: []cmp.Option{
cmpopts.IgnoreFields(generated.HasMetadataInputSpec{},
"Timestamp"),
},
doc: &processor.Document{
Blob: testdata.SpdxExampleAlpine,
Format: processor.FormatJSON,
