| skipped 7 lines |
8 | 8 | | "strings" |
9 | 9 | | "time" |
10 | 10 | | |
11 | | - | "github.com/spdx/tools-golang/spdx/common" |
12 | | - | spdx "github.com/spdx/tools-golang/spdx/v2_3" |
| 11 | + | "github.com/spdx/tools-golang/spdx" |
13 | 12 | | |
14 | 13 | | "github.com/anchore/syft/internal" |
15 | 14 | | "github.com/anchore/syft/internal/log" |
| skipped 7 lines |
23 | 22 | | ) |
24 | 23 | | |
25 | 24 | | const ( |
26 | | - | spdxVersion = "SPDX-2.3" |
27 | 25 | | noAssertion = "NOASSERTION" |
28 | 26 | | ) |
29 | 27 | | |
| skipped 10 lines |
40 | 38 | | // for the primary package purpose field: |
41 | 39 | | // https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field |
42 | 40 | | documentDescribesRelationship := &spdx.Relationship{ |
43 | | - | RefA: common.DocElementID{ |
| 41 | + | RefA: spdx.DocElementID{ |
44 | 42 | | ElementRefID: "DOCUMENT", |
45 | 43 | | }, |
46 | 44 | | Relationship: string(DescribesRelationship), |
47 | | - | RefB: common.DocElementID{ |
| 45 | + | RefB: spdx.DocElementID{ |
48 | 46 | | ElementRefID: "DOCUMENT", |
49 | 47 | | }, |
50 | 48 | | RelationshipComment: "", |
| skipped 4 lines |
55 | 53 | | return &spdx.Document{ |
56 | 54 | | // 6.1: SPDX Version; should be in the format "SPDX-x.x" |
57 | 55 | | // Cardinality: mandatory, one |
58 | | - | SPDXVersion: spdxVersion, |
| 56 | + | SPDXVersion: spdx.Version, |
59 | 57 | | |
60 | 58 | | // 6.2: Data License; should be "CC0-1.0" |
61 | 59 | | // Cardinality: mandatory, one |
62 | | - | DataLicense: "CC0-1.0", |
| 60 | + | DataLicense: spdx.DataLicense, |
63 | 61 | | |
64 | 62 | | // 6.3: SPDX Identifier; should be "DOCUMENT" to represent mandatory identifier of SPDXRef-DOCUMENT |
65 | 63 | | // Cardinality: mandatory, one |
| skipped 38 lines |
104 | 102 | | // 6.8: Creators: may have multiple keys for Person, Organization |
105 | 103 | | // and/or Tool |
106 | 104 | | // Cardinality: mandatory, one or many |
107 | | - | Creators: []common.Creator{ |
| 105 | + | Creators: []spdx.Creator{ |
108 | 106 | | { |
109 | 107 | | Creator: "Anchore, Inc", |
110 | 108 | | CreatorType: "Organization", |
| skipped 18 lines |
129 | 127 | | } |
130 | 128 | | } |
131 | 129 | | |
132 | | - | func toSPDXID(identifiable artifact.Identifiable) common.ElementID { |
| 130 | + | func toSPDXID(identifiable artifact.Identifiable) spdx.ElementID { |
133 | 131 | | id := "" |
134 | 132 | | if p, ok := identifiable.(pkg.Package); ok { |
135 | 133 | | id = SanitizeElementID(fmt.Sprintf("Package-%+v-%s-%s", p.Type, p.Name, p.ID())) |
| skipped 1 lines |
137 | 135 | | id = string(identifiable.ID()) |
138 | 136 | | } |
139 | 137 | | // NOTE: the spdx libraries prepend SPDXRef-, so we don't do it here |
140 | | - | return common.ElementID(id) |
| 138 | + | return spdx.ElementID(id) |
141 | 139 | | } |
142 | 140 | | |
143 | 141 | | // packages populates all Package Information from the package Catalog (see https://spdx.github.io/spdx-spec/3-package-information/) |
| skipped 169 lines |
313 | 311 | | return results |
314 | 312 | | } |
315 | 313 | | |
316 | | - | func toPackageChecksums(p pkg.Package) ([]common.Checksum, bool) { |
| 314 | + | func toPackageChecksums(p pkg.Package) ([]spdx.Checksum, bool) { |
317 | 315 | | filesAnalyzed := false |
318 | | - | var checksums []common.Checksum |
| 316 | + | var checksums []spdx.Checksum |
319 | 317 | | switch meta := p.Metadata.(type) { |
320 | 318 | | // we generate digest for some Java packages |
321 | 319 | | // spdx.github.io/spdx-spec/package-information/#710-package-checksum-field |
| skipped 3 lines |
325 | 323 | | filesAnalyzed = true |
326 | 324 | | for _, digest := range meta.ArchiveDigests { |
327 | 325 | | algo := strings.ToUpper(digest.Algorithm) |
328 | | - | checksums = append(checksums, common.Checksum{ |
329 | | - | Algorithm: common.ChecksumAlgorithm(algo), |
| 326 | + | checksums = append(checksums, spdx.Checksum{ |
| 327 | + | Algorithm: spdx.ChecksumAlgorithm(algo), |
330 | 328 | | Value: digest.Value, |
331 | 329 | | }) |
332 | 330 | | } |
| skipped 6 lines |
339 | 337 | | break |
340 | 338 | | } |
341 | 339 | | algo = strings.ToUpper(algo) |
342 | | - | checksums = append(checksums, common.Checksum{ |
343 | | - | Algorithm: common.ChecksumAlgorithm(algo), |
| 340 | + | checksums = append(checksums, spdx.Checksum{ |
| 341 | + | Algorithm: spdx.ChecksumAlgorithm(algo), |
344 | 342 | | Value: hexStr, |
345 | 343 | | }) |
346 | 344 | | } |
347 | 345 | | return checksums, filesAnalyzed |
348 | 346 | | } |
349 | 347 | | |
350 | | - | func toPackageOriginator(p pkg.Package) *common.Originator { |
| 348 | + | func toPackageOriginator(p pkg.Package) *spdx.Originator { |
351 | 349 | | kind, originator := Originator(p) |
352 | 350 | | if kind == "" || originator == "" { |
353 | 351 | | return nil |
354 | 352 | | } |
355 | | - | return &common.Originator{ |
| 353 | + | return &spdx.Originator{ |
356 | 354 | | Originator: originator, |
357 | 355 | | OriginatorType: kind, |
358 | 356 | | } |
| skipped 27 lines |
386 | 384 | | } |
387 | 385 | | |
388 | 386 | | result = append(result, &spdx.Relationship{ |
389 | | - | RefA: common.DocElementID{ |
| 387 | + | RefA: spdx.DocElementID{ |
390 | 388 | | ElementRefID: toSPDXID(r.From), |
391 | 389 | | }, |
392 | 390 | | Relationship: string(relationshipType), |
393 | | - | RefB: common.DocElementID{ |
| 391 | + | RefB: spdx.DocElementID{ |
394 | 392 | | ElementRefID: toSPDXID(r.To), |
395 | 393 | | }, |
396 | 394 | | RelationshipComment: comment, |
| skipped 65 lines |
462 | 460 | | return results |
463 | 461 | | } |
464 | 462 | | |
465 | | - | func toFileChecksums(digests []file.Digest) (checksums []common.Checksum) { |
466 | | - | checksums = make([]common.Checksum, 0, len(digests)) |
| 463 | + | func toFileChecksums(digests []file.Digest) (checksums []spdx.Checksum) { |
| 464 | + | checksums = make([]spdx.Checksum, 0, len(digests)) |
467 | 465 | | for _, digest := range digests { |
468 | | - | checksums = append(checksums, common.Checksum{ |
| 466 | + | checksums = append(checksums, spdx.Checksum{ |
469 | 467 | | Algorithm: toChecksumAlgorithm(digest.Algorithm), |
470 | 468 | | Value: digest.Value, |
471 | 469 | | }) |
| skipped 1 lines |
473 | 471 | | return checksums |
474 | 472 | | } |
475 | 473 | | |
476 | | - | func toChecksumAlgorithm(algorithm string) common.ChecksumAlgorithm { |
| 474 | + | func toChecksumAlgorithm(algorithm string) spdx.ChecksumAlgorithm { |
477 | 475 | | // this needs to be an uppercase version of our algorithm |
478 | | - | return common.ChecksumAlgorithm(strings.ToUpper(algorithm)) |
| 476 | + | return spdx.ChecksumAlgorithm(strings.ToUpper(algorithm)) |
479 | 477 | | } |
480 | 478 | | |
481 | 479 | | func toFileTypes(metadata *source.FileMetadata) (ty []string) { |
| skipped 35 lines |
517 | 515 | | // f file is an "excludes" file, skip it /* exclude SPDX analysis file(s) */ |
518 | 516 | | // see: https://spdx.github.io/spdx-spec/v2.3/package-information/#79-package-verification-code-field |
519 | 517 | | // the above link contains the SPDX algorithm for a package verification code |
520 | | - | func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *common.PackageVerificationCode { |
| 518 | + | func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *spdx.PackageVerificationCode { |
521 | 519 | | // key off of the contains relationship; |
522 | 520 | | // spdx validator will fail if a package claims to contain a file but no sha1 provided |
523 | 521 | | // if a sha1 for a file is provided then the validator will fail if the package does not have |
| skipped 34 lines |
558 | 556 | | //nolint:gosec |
559 | 557 | | hasher := sha1.New() |
560 | 558 | | _, _ = hasher.Write([]byte(b.String())) |
561 | | - | return &common.PackageVerificationCode{ |
| 559 | + | return &spdx.PackageVerificationCode{ |
562 | 560 | | // 7.9.1: Package Verification Code Value |
563 | 561 | | // Cardinality: mandatory, one |
564 | 562 | | Value: fmt.Sprintf("%+x", hasher.Sum(nil)), |
| skipped 3 lines |