add Version field in PacakgeNode (guacsec#164)

* add Version field in PacakgeNode Signed-off-by: Brandon Lum <[email protected]> * add cdx root level version Signed-off-by: Brandon Lum <[email protected]> Signed-off-by: Brandon Lum <[email protected]>
trantdai · Oct 18, 2022 · b51f492 · b51f492
1 parent 9decb01
commit b51f492
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 24 deletions.
diff --git a/internal/testing/ingestor/testdata/testdata.go b/internal/testing/ingestor/testdata/testdata.go
@@ -191,7 +191,7 @@ var (
 		},
 	}
 
-	// SDPX Testdata
+	// SPDX Testdata
 
 	topLevelPack = assembler.PackageNode{
 		Name:   "gcr.io/google-containers/alpine-latest",
@@ -208,9 +208,10 @@ var (
 	}
 
 	baselayoutPack = assembler.PackageNode{
-		Name:   "alpine-baselayout",
-		Digest: nil,
-		Purl:   "pkg:alpine/[email protected]?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.16.2",
+		Name:    "alpine-baselayout",
+		Digest:  nil,
+		Purl:    "pkg:alpine/[email protected]?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.16.2",
+		Version: "3.2.0-r22",
 		CPEs: []string{
 			"cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.2.0-r22:*:*:*:*:*:*:*",
 			"cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.2.0-r22:*:*:*:*:*:*:*",
@@ -224,9 +225,10 @@ var (
 	}
 
 	keysPack = assembler.PackageNode{
-		Name:   "alpine-keys",
-		Digest: nil,
-		Purl:   "pkg:alpine/[email protected]?arch=x86_64&upstream=alpine-keys&distro=alpine-3.16.2",
+		Name:    "alpine-keys",
+		Digest:  nil,
+		Purl:    "pkg:alpine/[email protected]?arch=x86_64&upstream=alpine-keys&distro=alpine-3.16.2",
+		Version: "2.4-r1",
 		CPEs: []string{
 			"cpe:2.3:a:alpine-keys:alpine-keys:2.4-r1:*:*:*:*:*:*:*",
 			"cpe:2.3:a:alpine-keys:alpine_keys:2.4-r1:*:*:*:*:*:*:*",
@@ -242,9 +244,10 @@ var (
 	}
 
 	baselayoutdataPack = assembler.PackageNode{
-		Name:   "alpine-baselayout-data",
-		Digest: nil,
-		Purl:   "pkg:alpine/[email protected]?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.16.2",
+		Name:    "alpine-baselayout-data",
+		Digest:  nil,
+		Purl:    "pkg:alpine/[email protected]?arch=x86_64&upstream=alpine-baselayout&distro=alpine-3.16.2",
+		Version: "3.2.0-r22",
 		CPEs: []string{
 			"cpe:2.3:a:alpine-baselayout-data:alpine-baselayout-data:3.2.0-r22:*:*:*:*:*:*:*",
 			"cpe:2.3:a:alpine-baselayout-data:alpine_baselayout_data:3.2.0-r22:*:*:*:*:*:*:*",
@@ -353,10 +356,11 @@ var (
 	// CycloneDX Testdata
 
 	cdxTopLevelPack = assembler.PackageNode{
-		Name:   "gcr.io/distroless/static:nonroot",
-		Digest: []string{"sha256:6ad5b696af3ca05a048bd29bf0f623040462638cb0b29c8d702cbb2805687388"},
-		Purl:   "pkg:oci/static:nonroot?repository_url=gcr.io/distroless",
-		CPEs:   nil,
+		Name:    "gcr.io/distroless/static:nonroot",
+		Digest:  []string{"sha256:6ad5b696af3ca05a048bd29bf0f623040462638cb0b29c8d702cbb2805687388"},
+		Version: "sha256:6ad5b696af3ca05a048bd29bf0f623040462638cb0b29c8d702cbb2805687388",
+		Purl:    "pkg:oci/static:nonroot?repository_url=gcr.io/distroless",
+		CPEs:    nil,
 		NodeData: *assembler.NewObjectMetadata(
 			processor.SourceInformation{
 				Collector: "TestCollector",
@@ -366,9 +370,10 @@ var (
 	}
 
 	cdxTzdataPack = assembler.PackageNode{
-		Name:   "tzdata",
-		Digest: nil,
-		Purl:   "pkg:deb/debian/tzdata@2021a-1+deb11u6?arch=all&distro=debian-11",
+		Name:    "tzdata",
+		Digest:  nil,
+		Version: "2021a-1+deb11u6",
+		Purl:    "pkg:deb/debian/tzdata@2021a-1+deb11u6?arch=all&distro=debian-11",
 		CPEs: []string{
 			"cpe:2.3:a:tzdata:tzdata:2021a-1\\+deb11u6:*:*:*:*:*:*:*"},
 		NodeData: *assembler.NewObjectMetadata(
@@ -380,9 +385,10 @@ var (
 	}
 
 	cdxNetbasePack = assembler.PackageNode{
-		Name:   "netbase",
-		Digest: nil,
-		Purl:   "pkg:deb/debian/[email protected]?arch=all&distro=debian-11",
+		Name:    "netbase",
+		Digest:  nil,
+		Version: "6.3",
+		Purl:    "pkg:deb/debian/[email protected]?arch=all&distro=debian-11",
 		CPEs: []string{
 			"cpe:2.3:a:netbase:netbase:6.3:*:*:*:*:*:*:*"},
 		NodeData: *assembler.NewObjectMetadata(
@@ -394,9 +400,10 @@ var (
 	}
 
 	cdxBasefilesPack = assembler.PackageNode{
-		Name:   "base-files",
-		Digest: nil,
-		Purl:   "pkg:deb/debian/[email protected]+deb11u5?arch=amd64&distro=debian-11",
+		Name:    "base-files",
+		Digest:  nil,
+		Version: "11.1+deb11u5",
+		Purl:    "pkg:deb/debian/[email protected]+deb11u5?arch=amd64&distro=debian-11",
 		CPEs: []string{
 			"cpe:2.3:a:base-files:base-files:11.1\\+deb11u5:*:*:*:*:*:*:*"},
 		NodeData: *assembler.NewObjectMetadata(

diff --git a/pkg/assembler/nodes.go b/pkg/assembler/nodes.go
@@ -53,6 +53,7 @@ func (an ArtifactNode) IdentifiablePropertyNames() []string {
 type PackageNode struct {
 	Name     string
 	Digest   []string
+	Version  string
 	Purl     string
 	CPEs     []string
 	Tags     []string
@@ -67,6 +68,7 @@ func (pn PackageNode) Properties() map[string]interface{} {
 	properties := make(map[string]interface{})
 	properties["name"] = pn.Name
 	properties["purl"] = pn.Purl
+	properties["version"] = pn.Version
 	properties["cpes"] = pn.CPEs
 	properties["digest"] = toLower(pn.Digest...)
 	properties["tags"] = pn.Tags
@@ -75,7 +77,7 @@ func (pn PackageNode) Properties() map[string]interface{} {
 }
 
 func (pn PackageNode) PropertyNames() []string {
-	fields := []string{"name", "digest", "purl", "cpes", "tags"}
+	fields := []string{"name", "digest", "purl", "cpes", "tags", "version"}
 	fields = append(fields, pn.NodeData.getProperties()...)
 	return fields
 }

diff --git a/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go b/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go
@@ -99,6 +99,7 @@ func (c *cyclonedxParser) addRootPackage(cdxBom *cdx.BOM) {
 		rootPackage := assembler.PackageNode{}
 		rootPackage.Purl = "pkg:oci/" + splitImage[2] + "?repository_url=" + splitImage[0] + "/" + splitImage[1]
 		rootPackage.Name = cdxBom.Metadata.Component.Name
+		rootPackage.Version = cdxBom.Metadata.Component.Version
 		rootPackage.Digest = append(rootPackage.Digest, cdxBom.Metadata.Component.Version)
 		rootPackage.NodeData = *assembler.NewObjectMetadata(c.doc.SourceInformation)
 		c.rootPackage = parentPackages{
@@ -114,6 +115,7 @@ func (c *cyclonedxParser) addPackages(cdxBom *cdx.BOM) {
 			Name: comp.Name,
 			// Digest: []string{comp.Version},
 			Purl:     comp.PackageURL,
+			Version:  comp.Version,
 			CPEs:     []string{comp.CPE},
 			NodeData: *assembler.NewObjectMetadata(c.doc.SourceInformation),
 		}

diff --git a/pkg/ingestor/parser/spdx/parse_spdx.go b/pkg/ingestor/parser/spdx/parse_spdx.go
@@ -84,6 +84,7 @@ func (s *spdxParser) getPackages() {
 		currentPackage := assembler.PackageNode{}
 		currentPackage.Name = pac.PackageName
 		currentPackage.NodeData = *assembler.NewObjectMetadata(s.doc.SourceInformation)
+		currentPackage.Version = pac.PackageVersion
 		for _, ext := range pac.PackageExternalReferences {
 			if strings.HasPrefix(ext.RefType, "cpe") {
 				currentPackage.CPEs = append(currentPackage.CPEs, ext.Locator)