Add package supplier info to SPDX reports

This commit adds `pkg_supplier` attribute values as `PackageSupplier` field values in Tag Value and JSON SPDX documents . Resolves #1205 Signed-off-by: Rose Judge <[email protected]>
tern-tools · Feb 8, 2023 · ede4645 · ede4645
1 parent bb2a724
commit ede4645
Show file tree

Hide file tree

Showing 7 changed files with 15 additions and 1 deletion.
diff --git a/tern/formats/spdx/spdx.py b/tern/formats/spdx/spdx.py
@@ -21,7 +21,8 @@ def package(self):
                 'copyright': 'PackageCopyrightText',
                 'download_url': 'PackageDownloadLocation',
                 'src_name': 'SourcePackageName',
-                'src_version': 'SourcePackageVersion'}
+                'src_version': 'SourcePackageVersion',
+                'pkg_supplier': 'PackageSupplier'}
 
     def image_layer(self):
         return {'tar_file': 'PackageFileName'}

diff --git a/tern/formats/spdx/spdxjson/image_helpers.py b/tern/formats/spdx/spdxjson/image_helpers.py
@@ -84,6 +84,7 @@ def get_image_dict(image_obj, template):
         'name': mapping['PackageName'],
         'SPDXID': spdx_common.get_image_spdxref(image_obj),
         'versionInfo': mapping['PackageVersion'],
+        'supplier': 'NOASSERTION',  # always NOASSERTION
         'downloadLocation': 'NOASSERTION',  # always NOASSERTION
         'filesAnalyzed': False,  # always false
         'licenseConcluded': 'NOASSERTION',  # always NOASSERTION

diff --git a/tern/formats/spdx/spdxjson/layer_helpers.py b/tern/formats/spdx/spdxjson/layer_helpers.py
@@ -150,6 +150,7 @@ def get_layer_dict(layer_obj):
         'name': os.path.basename(layer_obj.tar_file),
         'SPDXID': spdx_common.get_layer_spdxref(layer_obj),
         'versionInfo': layer_obj.layer_index,
+        'supplier': 'NOASSERTION', # always NOASSERTION
         'packageFileName': layer_obj.tar_file,
         'downloadLocation': 'NONE',
         'filesAnalyzed': bool(layer_obj.files_analyzed),

diff --git a/tern/formats/spdx/spdxjson/package_helpers.py b/tern/formats/spdx/spdxjson/package_helpers.py
@@ -58,12 +58,14 @@ def get_package_dict(package, template):
     JSON dictionary representation of the package. The analyzed files will
     go in a separate dictionary for the JSON document.'''
     mapping = package.to_dict(template)
+    supplier_str = 'Organization: ' + mapping['PackageSupplier']
     pkg_ref, _ = spdx_common.get_package_spdxref(package)
     package_dict = {
         'name': mapping['PackageName'],
         'SPDXID': pkg_ref,
         'versionInfo': mapping['PackageVersion'] if mapping['PackageVersion']
         else 'NOASSERTION',
+        'supplier': supplier_str if mapping['PackageSupplier'] else 'NOASSERTION', 
         'downloadLocation': mapping['PackageDownloadLocation'] if
         mapping['PackageDownloadLocation'] else 'NOASSERTION',
         'filesAnalyzed': False,  # always false for packages

diff --git a/tern/formats/spdx/spdxtagvalue/image_helpers.py b/tern/formats/spdx/spdxtagvalue/image_helpers.py
@@ -101,6 +101,8 @@ def get_image_block(image_obj, template):
     block += 'SPDXID: {}\n'.format(spdx_common.get_image_spdxref(image_obj))
     # Package Version
     block += 'PackageVersion: {}\n'.format(mapping['PackageVersion'])
+    # Package Supplier (always NOASSERTION)
+    block += 'PackageSupplier: NOASSERTION\n'
     # Package Download Location (always NOASSERTION)
     block += 'PackageDownloadLocation: NOASSERTION\n'
     # Files Analyzed (always false)

diff --git a/tern/formats/spdx/spdxtagvalue/layer_helpers.py b/tern/formats/spdx/spdxtagvalue/layer_helpers.py
@@ -117,6 +117,8 @@ def get_layer_block(layer_obj, template):
     block += 'SPDXID: {}\n'.format(spdx_common.get_layer_spdxref(layer_obj))
     # Package Version. For Layer objects, this is just the layer_index
     block += 'PackageVersion: {}\n'.format(layer_obj.layer_index)
+    # Package Supplier (always NOASSERTION)
+    block += 'PackageSupplier: NOASSERTION\n'
     # Package File Name
     block += 'PackageFileName: {}\n'.format(layer_obj.tar_file)
     # Package Download Location (always NONE for layers)

diff --git a/tern/formats/spdx/spdxtagvalue/package_helpers.py b/tern/formats/spdx/spdxtagvalue/package_helpers.py
@@ -86,6 +86,11 @@ def get_package_block(package_obj, template):
     # Package Version
     if mapping['PackageVersion']:
         block += 'PackageVersion: {}\n'.format(mapping['PackageVersion'])
+    # Package Supplier
+    if mapping['PackageSupplier']:
+        block += 'PackageSupplier: Organization: {}\n'.format(mapping['PackageSupplier'])
+    else:
+        block += 'PackageSupplier: NOASSERTION\n'
     # Package Download Location
     if mapping['PackageDownloadLocation']:
         block += 'PackageDownloadLoaction: {}\n'.format(