Projects STRLCPY syft Commits 64520673
  • ■ ■ ■ ■ ■
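--- a/syft/formats/common/spdxhelpers/to_format_model.go
+++ b/syft/formats/common/spdxhelpers/to_format_model.go
@@ -4,6 +4,7 @@
 import (
  "crypto/sha1"
  "fmt"
+ "path"
  "sort"
  "strings"
  "time"
@@ -131,13 +132,30 @@
 }
 
 func toSPDXID(identifiable artifact.Identifiable) spdx.ElementID {
+ maxLen := 40
  id := ""
- if p, ok := identifiable.(pkg.Package); ok {
- id = SanitizeElementID(fmt.Sprintf("Package-%+v-%s-%s", p.Type, p.Name, p.ID()))
- } else {
+ switch it := identifiable.(type) {
+ case pkg.Package:
+ id = SanitizeElementID(fmt.Sprintf("Package-%s-%s-%s", it.Type, it.Name, it.ID()))
+ case source.Coordinates:
+ p := ""
+ parts := strings.Split(it.RealPath, "/")
+ for i := len(parts); i > 0; i-- {
+ part := parts[i-1]
+ if len(part) == 0 {
+ continue
+ }
+ if i < len(parts) && len(p)+len(part)+3 > maxLen {
+ p = "..." + p
+ break
+ }
+ p = path.Join(part, p)
+ }
+ id = SanitizeElementID(fmt.Sprintf("File-%s-%s", p, it.ID()))
+ default:
  id = string(identifiable.ID())
  }
- // NOTE: the spdx libraries prepend SPDXRef-, so we don't do it here
+ // NOTE: the spdx library prepend SPDXRef-, so we don't do it here
  return spdx.ElementID(id)
 }
 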
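Review bot: `maxLen` in the new `source.Coordinates` case is not a hard bound on the generated ID, because the `i < len(parts)` guard always keeps the last path element whole and the length is measured before `SanitizeElementID` runs and before the `File-` prefix and `it.ID()` suffix are added. `RealPath` presumably comes from the scanned target, so a long file name there still yields a correspondingly long SPDXID; either truncate the base name too or name the constant for what it limits, e.g. `const maxPathPrefixLen = 40 // soft cap on the directory part; the file name is kept whole`. An empty or all-slash `RealPath` leaves `p` empty, so the format string produces `File--<id>` unless `SanitizeElementID` (not visible here) collapses it; falling back to `string(it.ID())` when `p == ""` would match the `default` branch. The reworded comment should read `// NOTE: the spdx library prepends SPDXRef-, so we don't do it here`.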
  • ■ ■ ■ ■ ■ ■
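--- a/syft/formats/common/spdxhelpers/to_format_model_test.go
+++ b/syft/formats/common/spdxhelpers/to_format_model_test.go
@@ -2,6 +2,7 @@
 
 import (
  "fmt"
+ "regexp"
  "testing"
 
  "github.com/spdx/tools-golang/spdx"
@@ -502,3 +503,43 @@
  }
 }
 
+func Test_toSPDXID(t *testing.T) {
+ tests := []struct {
+ name string
+ it artifact.Identifiable
+ expected string
+ }{
+ {
+ name: "short filename",
+ it: source.Coordinates{
+ RealPath: "/short/path/file.txt",
+ },
+ expected: "File-short-path-file.txt",
+ },
+ {
+ name: "long filename",
+ it: source.Coordinates{
+ RealPath: "/some/long/path/with/a/lot/of-text/that-contains-a/file.txt",
+ },
+ expected: "File-...a-lot-of-text-that-contains-a-file.txt",
+ },
+ {
+ name: "package",
+ it: pkg.Package{
+ Type: pkg.NpmPkg,
+ Name: "some-package",
+ },
+ expected: "Package-npm-some-package",
+ },
+ }
+
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ got := string(toSPDXID(test.it))
+ // trim the hash
+ got = regexp.MustCompile(`-[a-z0-9]*$`).ReplaceAllString(got, "")
+ require.Equal(t, test.expected, got)
+ })
+ }
+}
+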
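Review bot: `Test_toSPDXID` strips the trailing ID with `-[a-z0-9]*$` but never asserts that a suffix was actually present, so the part of the SPDXID that makes it unique is not covered by any case. The boundary behaviour of the truncation is also untested: there is no case for a base name that alone exceeds the 40-character cap, for an empty `RealPath`, or for the `default` branch. The pattern is recompiled inside every subtest; hoisting the `regexp.MustCompile` call into a package-level `var` is the usual form and keeps the subtest body to the call and the assertion.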
  • ■ ■ ■ ■ ■ ■
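--- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
+++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
@@ -3,14 +3,14 @@
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "/some/path",
- "documentNamespace": "https://anchore.com/syft/dir/some/path-1fe34646-a616-48c7-974b-3d1e27d406e3",
+ "documentNamespace": "https://anchore.com/syft/dir/some/path-4029b5ec-6d70-4c0c-aedf-b61c8f5ea93c",
  "creationInfo": {
- "licenseListVersion": "3.19",
+ "licenseListVersion": "3.20",
  "creators": [
  "Organization: Anchore, Inc",
  "Tool: syft-v0.42.0-bogus"
  ],
- "created": "2023-01-20T21:41:03Z"
+ "created": "2023-05-02T18:24:17Z"
  },
  "packages": [
  {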
  • ■ ■ ■ ■ ■ ■
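--- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
+++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
@@ -3,14 +3,14 @@
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "user-image-input",
- "documentNamespace": "https://anchore.com/syft/image/user-image-input-33759ac3-6006-4f2c-bdc4-f40b9287a7f0",
+ "documentNamespace": "https://anchore.com/syft/image/user-image-input-6b0c6ff8-0f5f-4d95-8c1b-eb966d400804",
  "creationInfo": {
- "licenseListVersion": "3.19",
+ "licenseListVersion": "3.20",
  "creators": [
  "Organization: Anchore, Inc",
  "Tool: syft-v0.42.0-bogus"
  ],
- "created": "2023-01-20T21:41:03Z"
+ "created": "2023-05-02T18:24:18Z"
  },
  "packages": [
  {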
  • ■ ■ ■ ■ ■ ■
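--- a/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
+++ b/syft/formats/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
@@ -3,14 +3,14 @@
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "user-image-input",
- "documentNamespace": "https://anchore.com/syft/image/user-image-input-ce98f51f-b483-4e93-9a15-5a8a16d35de6",
+ "documentNamespace": "https://anchore.com/syft/image/user-image-input-ec2f9b25-22ca-46b8-b7f4-484994fe126c",
  "creationInfo": {
- "licenseListVersion": "3.19",
+ "licenseListVersion": "3.20",
  "creators": [
  "Organization: Anchore, Inc",
  "Tool: syft-v0.42.0-bogus"
  ],
- "created": "2023-01-20T21:41:03Z"
+ "created": "2023-05-02T18:24:18Z"
  },
  "packages": [
  {
@@ -61,7 +61,7 @@
  "files": [
  {
  "fileName": "/a1/f6",
- "SPDXID": "SPDXRef-9c2f7510199b17f6",
+ "SPDXID": "SPDXRef-File-a1-f6-9c2f7510199b17f6",
  "fileTypes": [
  "OTHER"
  ],
@@ -76,7 +76,7 @@
  },
  {
  "fileName": "/d1/f3",
- "SPDXID": "SPDXRef-c6f5b29dca12661f",
+ "SPDXID": "SPDXRef-File-d1-f3-c6f5b29dca12661f",
  "fileTypes": [
  "OTHER"
  ],
@@ -91,7 +91,7 @@
  },
  {
  "fileName": "/d2/f4",
- "SPDXID": "SPDXRef-c641caa71518099f",
+ "SPDXID": "SPDXRef-File-d2-f4-c641caa71518099f",
  "fileTypes": [
  "OTHER"
  ],
@@ -106,7 +106,7 @@
  },
  {
  "fileName": "/f1",
- "SPDXID": "SPDXRef-5265a4dde3edbf7c",
+ "SPDXID": "SPDXRef-File-f1-5265a4dde3edbf7c",
  "fileTypes": [
  "OTHER"
  ],
@@ -121,7 +121,7 @@
  },
  {
  "fileName": "/f2",
- "SPDXID": "SPDXRef-f9e49132a4b96ccd",
+ "SPDXID": "SPDXRef-File-f2-f9e49132a4b96ccd",
  "fileTypes": [
  "OTHER"
  ],
@@ -136,7 +136,7 @@
  },
  {
  "fileName": "/z1/f5",
- "SPDXID": "SPDXRef-839d99ee67d9d174",
+ "SPDXID": "SPDXRef-File-z1-f5-839d99ee67d9d174",
  "fileTypes": [
  "OTHER"
  ],
@@ -153,32 +153,32 @@
  "relationships": [
  {
  "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6",
- "relatedSpdxElement": "SPDXRef-5265a4dde3edbf7c",
+ "relatedSpdxElement": "SPDXRef-File-f1-5265a4dde3edbf7c",
  "relationshipType": "CONTAINS"
  },
  {
  "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6",
- "relatedSpdxElement": "SPDXRef-839d99ee67d9d174",
+ "relatedSpdxElement": "SPDXRef-File-z1-f5-839d99ee67d9d174",
  "relationshipType": "CONTAINS"
  },
  {
  "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6",
- "relatedSpdxElement": "SPDXRef-9c2f7510199b17f6",
+ "relatedSpdxElement": "SPDXRef-File-a1-f6-9c2f7510199b17f6",
  "relationshipType": "CONTAINS"
  },
  {
  "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6",
- "relatedSpdxElement": "SPDXRef-c641caa71518099f",
+ "relatedSpdxElement": "SPDXRef-File-d2-f4-c641caa71518099f",
  "relationshipType": "CONTAINS"
  },
  {
  "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6",
- "relatedSpdxElement": "SPDXRef-c6f5b29dca12661f",
+ "relatedSpdxElement": "SPDXRef-File-d1-f3-c6f5b29dca12661f",
  "relationshipType": "CONTAINS"
  },
  {
  "spdxElementId": "SPDXRef-Package-python-package-1-66ba429119b8bec6",
- "relatedSpdxElement": "SPDXRef-f9e49132a4b96ccd",
+ "relatedSpdxElement": "SPDXRef-File-f2-f9e49132a4b96ccd",
  "relationshipType": "CONTAINS"
  },
  {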
  • ■ ■ ■ ■ ■ ■
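--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
@@ -2,11 +2,11 @@
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: foobar/baz
-DocumentNamespace: https://anchore.com/syft/dir/foobar/baz-478e410d-7fad-472c-b4e9-a4068ef28160
-LicenseListVersion: 3.19
+DocumentNamespace: https://anchore.com/syft/dir/foobar/baz-9c1f31fb-7c72-40a6-8c81-3a08590000a2
+LicenseListVersion: 3.20
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-12-21T03:39:05Z
+Created: 2023-05-02T18:24:33Z
 
 ##### Package: @at-sign
 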
  • ■ ■ ■ ■ ■ ■
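--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden
@@ -2,46 +2,46 @@
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: user-image-input
-DocumentNamespace: https://anchore.com/syft/image/user-image-input-73433e8c-364f-42b6-b5b7-9a4da8799868
-LicenseListVersion: 3.19
+DocumentNamespace: https://anchore.com/syft/image/user-image-input-5be37b11-b99a-47ff-8725-3984e323d129
+LicenseListVersion: 3.20
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-12-21T03:39:05Z
+Created: 2023-05-02T18:24:33Z
 
 ##### Unpackaged files
 
-FileName: /f1
-SPDXID: SPDXRef-5265a4dde3edbf7c
+FileName: /a1/f6
+SPDXID: SPDXRef-File-a1-f6-9c2f7510199b17f6
 FileType: OTHER
 FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
 
-FileName: /z1/f5
-SPDXID: SPDXRef-839d99ee67d9d174
+FileName: /d1/f3
+SPDXID: SPDXRef-File-d1-f3-c6f5b29dca12661f
 FileType: OTHER
 FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
 
-FileName: /a1/f6
-SPDXID: SPDXRef-9c2f7510199b17f6
+FileName: /d2/f4
+SPDXID: SPDXRef-File-d2-f4-c641caa71518099f
 FileType: OTHER
 FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
 
-FileName: /d2/f4
-SPDXID: SPDXRef-c641caa71518099f
+FileName: /f1
+SPDXID: SPDXRef-File-f1-5265a4dde3edbf7c
 FileType: OTHER
 FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
 
-FileName: /d1/f3
-SPDXID: SPDXRef-c6f5b29dca12661f
+FileName: /f2
+SPDXID: SPDXRef-File-f2-f9e49132a4b96ccd
 FileType: OTHER
 FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
 
-FileName: /f2
-SPDXID: SPDXRef-f9e49132a4b96ccd
+FileName: /z1/f5
+SPDXID: SPDXRef-File-z1-f5-839d99ee67d9d174
 FileType: OTHER
 FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
@@ -76,12 +76,12 @@
 
 ##### Relationships
 
-Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-5265a4dde3edbf7c
-Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-839d99ee67d9d174
-Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-9c2f7510199b17f6
-Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-c641caa71518099f
-Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-c6f5b29dca12661f
-Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-f9e49132a4b96ccd
+Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-File-f1-5265a4dde3edbf7c
+Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-File-z1-f5-839d99ee67d9d174
+Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-File-a1-f6-9c2f7510199b17f6
+Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-File-d2-f4-c641caa71518099f
+Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-File-d1-f3-c6f5b29dca12661f
+Relationship: SPDXRef-Package-python-package-1-66ba429119b8bec6 CONTAINS SPDXRef-File-f2-f9e49132a4b96ccd
 Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-DOCUMENT
 
 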
  • ■ ■ ■ ■ ■ ■
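--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
@@ -2,11 +2,11 @@
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: /some/path
-DocumentNamespace: https://anchore.com/syft/dir/some/path-1d303762-46d2-47b5-9c81-defa91387275
-LicenseListVersion: 3.19
+DocumentNamespace: https://anchore.com/syft/dir/some/path-0f346656-6d10-4dec-b549-a256468cbd35
+LicenseListVersion: 3.20
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-12-21T03:39:05Z
+Created: 2023-05-02T18:24:33Z
 
 ##### Package: package-2
 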
  • ■ ■ ■ ■ ■ ■
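--- a/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
+++ b/syft/formats/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
@@ -2,11 +2,11 @@
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: user-image-input
-DocumentNamespace: https://anchore.com/syft/image/user-image-input-559af225-63af-4bc0-94fb-bce94913bcfa
-LicenseListVersion: 3.19
+DocumentNamespace: https://anchore.com/syft/image/user-image-input-4ce1e7c7-642f-4428-bb44-1b48b8edf74d
+LicenseListVersion: 3.20
 Creator: Organization: Anchore, Inc
 Creator: Tool: syft-v0.42.0-bogus
-Created: 2022-12-21T03:39:05Z
+Created: 2023-05-02T18:24:33Z
 
 ##### Package: package-2
 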