Merge pull request #41 from RedHatProductSecurity/sanitize-spdx-ids
Ensure all SPDXRef IDs are valid
mprpic authored Nov 19, 2024
2 parents 4913b75 + 58d9d4b commit 9aa907b
Showing 15 changed files with 33,080 additions and 8,000 deletions.


Expand Up @@ -1353,7 +1353,7 @@
]
},
{
"SPDXID": "SPDXRef-aarch64-libcom_err",
"SPDXID": "SPDXRef-aarch64-libcom-err",
"name": "libcom_err",
"versionInfo": "1.46.5",
"supplier": "Organization: Red Hat",
Expand Down Expand Up @@ -2035,7 +2035,7 @@
]
},
{
"SPDXID": "SPDXRef-aarch64-libstdc++",
"SPDXID": "SPDXRef-aarch64-libstdc",
"name": "libstdc++",
"versionInfo": "11.3.1",
"supplier": "Organization: Red Hat",
Expand Down Expand Up @@ -4354,7 +4354,7 @@
{
"spdxElementId": "SPDXRef-kernel-module-management-operator-container-arm64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-aarch64-libcom_err"
"relatedSpdxElement": "SPDXRef-aarch64-libcom-err"
},
{
"spdxElementId": "SPDXRef-kernel-module-management-operator-container-arm64",
Expand Down Expand Up @@ -4509,7 +4509,7 @@
{
"spdxElementId": "SPDXRef-kernel-module-management-operator-container-arm64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-aarch64-libstdc++"
"relatedSpdxElement": "SPDXRef-aarch64-libstdc"
},
{
"spdxElementId": "SPDXRef-kernel-module-management-operator-container-arm64",
Expand Up @@ -1331,7 +1331,7 @@
]
},
{
"SPDXID": "SPDXRef-ppc64le-libcom_err",
"SPDXID": "SPDXRef-ppc64le-libcom-err",
"name": "libcom_err",
"versionInfo": "1.46.5",
"supplier": "Organization: Red Hat",
Expand Down Expand Up @@ -2035,7 +2035,7 @@
]
},
{
"SPDXID": "SPDXRef-ppc64le-libstdc++",
"SPDXID": "SPDXRef-ppc64le-libstdc",
"name": "libstdc++",
"versionInfo": "11.3.1",
"supplier": "Organization: Red Hat",
Expand Down Expand Up @@ -4349,7 +4349,7 @@
{
"spdxElementId": "SPDXRef-kernel-module-management-operator-container-ppc64le",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-ppc64le-libcom_err"
"relatedSpdxElement": "SPDXRef-ppc64le-libcom-err"
},
{
"spdxElementId": "SPDXRef-kernel-module-management-operator-container-ppc64le",
Expand Down Expand Up @@ -4509,7 +4509,7 @@
{
"spdxElementId": "SPDXRef-kernel-module-management-operator-container-ppc64le",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-ppc64le-libstdc++"
"relatedSpdxElement": "SPDXRef-ppc64le-libstdc"
},
{
"spdxElementId": "SPDXRef-kernel-module-management-operator-container-ppc64le",
Expand Up @@ -60,7 +60,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-bash",
"SPDXID": "SPDXRef-x86-64-bash",
"name": "bash",
"versionInfo": "5.1.8",
"supplier": "Organization: Red Hat",
Expand All @@ -82,7 +82,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-coreutils-single",
"SPDXID": "SPDXRef-x86-64-coreutils-single",
"name": "coreutils-single",
"versionInfo": "8.32",
"supplier": "Organization: Red Hat",
Expand All @@ -104,7 +104,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-filesystem",
"SPDXID": "SPDXRef-x86-64-filesystem",
"name": "filesystem",
"versionInfo": "3.16",
"supplier": "Organization: Red Hat",
Expand All @@ -126,7 +126,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-glibc",
"SPDXID": "SPDXRef-x86-64-glibc",
"name": "glibc",
"versionInfo": "2.34",
"supplier": "Organization: Red Hat",
Expand All @@ -148,7 +148,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-glibc-common",
"SPDXID": "SPDXRef-x86-64-glibc-common",
"name": "glibc-common",
"versionInfo": "2.34",
"supplier": "Organization: Red Hat",
Expand All @@ -170,7 +170,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-glibc-minimal-langpack",
"SPDXID": "SPDXRef-x86-64-glibc-minimal-langpack",
"name": "glibc-minimal-langpack",
"versionInfo": "2.34",
"supplier": "Organization: Red Hat",
Expand All @@ -192,7 +192,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-libacl",
"SPDXID": "SPDXRef-x86-64-libacl",
"name": "libacl",
"versionInfo": "2.3.1",
"supplier": "Organization: Red Hat",
Expand All @@ -214,7 +214,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-libattr",
"SPDXID": "SPDXRef-x86-64-libattr",
"name": "libattr",
"versionInfo": "2.5.1",
"supplier": "Organization: Red Hat",
Expand All @@ -236,7 +236,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-libcap",
"SPDXID": "SPDXRef-x86-64-libcap",
"name": "libcap",
"versionInfo": "2.48",
"supplier": "Organization: Red Hat",
Expand All @@ -258,7 +258,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-libgcc",
"SPDXID": "SPDXRef-x86-64-libgcc",
"name": "libgcc",
"versionInfo": "11.4.1",
"supplier": "Organization: Red Hat",
Expand All @@ -280,7 +280,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-libselinux",
"SPDXID": "SPDXRef-x86-64-libselinux",
"name": "libselinux",
"versionInfo": "3.6",
"supplier": "Organization: Red Hat",
Expand All @@ -302,7 +302,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-libsepol",
"SPDXID": "SPDXRef-x86-64-libsepol",
"name": "libsepol",
"versionInfo": "3.6",
"supplier": "Organization: Red Hat",
Expand Down Expand Up @@ -346,7 +346,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-ncurses-libs",
"SPDXID": "SPDXRef-x86-64-ncurses-libs",
"name": "ncurses-libs",
"versionInfo": "6.2",
"supplier": "Organization: Red Hat",
Expand All @@ -368,7 +368,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-pcre2",
"SPDXID": "SPDXRef-x86-64-pcre2",
"name": "pcre2",
"versionInfo": "10.40",
"supplier": "Organization: Red Hat",
Expand Down Expand Up @@ -412,7 +412,7 @@
]
},
{
"SPDXID": "SPDXRef-x86_64-redhat-release",
"SPDXID": "SPDXRef-x86-64-redhat-release",
"name": "redhat-release",
"versionInfo": "9.4",
"supplier": "Organization: Red Hat",
Expand Down Expand Up @@ -518,62 +518,62 @@
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-bash"
"relatedSpdxElement": "SPDXRef-x86-64-bash"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-coreutils-single"
"relatedSpdxElement": "SPDXRef-x86-64-coreutils-single"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-filesystem"
"relatedSpdxElement": "SPDXRef-x86-64-filesystem"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-glibc"
"relatedSpdxElement": "SPDXRef-x86-64-glibc"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-glibc-common"
"relatedSpdxElement": "SPDXRef-x86-64-glibc-common"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-glibc-minimal-langpack"
"relatedSpdxElement": "SPDXRef-x86-64-glibc-minimal-langpack"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-libacl"
"relatedSpdxElement": "SPDXRef-x86-64-libacl"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-libattr"
"relatedSpdxElement": "SPDXRef-x86-64-libattr"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-libcap"
"relatedSpdxElement": "SPDXRef-x86-64-libcap"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-libgcc"
"relatedSpdxElement": "SPDXRef-x86-64-libgcc"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-libselinux"
"relatedSpdxElement": "SPDXRef-x86-64-libselinux"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-libsepol"
"relatedSpdxElement": "SPDXRef-x86-64-libsepol"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
Expand All @@ -583,12 +583,12 @@
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-ncurses-libs"
"relatedSpdxElement": "SPDXRef-x86-64-ncurses-libs"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-pcre2"
"relatedSpdxElement": "SPDXRef-x86-64-pcre2"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
Expand All @@ -598,7 +598,7 @@
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
"relationshipType": "CONTAINS",
"relatedSpdxElement": "SPDXRef-x86_64-redhat-release"
"relatedSpdxElement": "SPDXRef-x86-64-redhat-release"
},
{
"spdxElementId": "SPDXRef-ubi9-micro-container-amd64",
18 changes: 15 additions & 3 deletions sbom/examples/container_image/release/from_catalog.py
@@ -1,4 +1,5 @@
import json
import re
import sys

import koji
Expand All @@ -19,6 +20,17 @@
koji_session = koji.ClientSession(profile.config.server)


def sanitize_spdxid(value):
""" "Emit a valid SPDXRef-"[idstring]"
where [idstring] is a unique string containing letters, numbers, ., and/or -.
"""
value = value.replace("_", "-") # Replace underscores with dashes to retain readability
# Remove everything else (yes, there is a minor chance for conflicting IDs, but this is an
# example script with minimal examples; do not use this in production).
return re.sub(r"[^a-zA-Z0-9.-]", "", value)


def get_image_data(image_nvr):
response = requests.get(nvr_api + image_nvr)
response.raise_for_status()
Expand Down Expand Up @@ -165,7 +177,7 @@ def generate_sboms_for_image(image_nvr):
image_index_pkg["externalRefs"].append(ref)

arch = image["architecture"]
spdx_image_id = f"SPDXRef-{image_nvr_name}-{arch}"
spdx_image_id = sanitize_spdxid(f"SPDXRef-{image_nvr_name}-{arch}")
image_pkg = {
"SPDXID": spdx_image_id,
"name": f"{image_nvr_name}_{arch}",
Expand Down Expand Up @@ -229,7 +241,7 @@ def generate_sboms_for_image(image_nvr):
registry += "/" + namespace

registry_q = f"&repository_url={registry}" if use_registry else ""
parent_spdx_id = f"SPDXRef-parent-image-{index}-{arch}"
parent_spdx_id = sanitize_spdxid(f"SPDXRef-parent-image-{index}-{arch}")
purl = f"pkg:oci/{name}{version}?tag={tag}{registry_q}"

parent_pkg = {
Expand Down Expand Up @@ -281,7 +293,7 @@ def generate_sboms_for_image(image_nvr):
# lockfiles or other means eventually).
f"arch={rpm['architecture']}&repository_id={content_sets[0]}"
)
spdx_rpm_id = f"SPDXRef-{rpm['architecture']}-{rpm['name']}"
spdx_rpm_id = sanitize_spdxid(f"SPDXRef-{rpm['architecture']}-{rpm['name']}")
rpm_pkg = {
"SPDXID": spdx_rpm_id,
"name": rpm["name"],
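Review bot: `sanitize_spdxid` is lossy — `value.replace("_", "-")` and the `re.sub` that strips every other character both map distinct inputs to one string, so two packages in the same document can end up with the same SPDXID (the diff shows `libstdc++` becoming `SPDXRef-aarch64-libstdc`, which would collide with a package actually named `libstdc`), and nothing checks for that. SPDX requires SPDXIDs to be unique within a document, and a duplicate makes the CONTAINS relationships ambiguous, so a consumer matching vulnerabilities against the SBOM may attribute findings to the wrong component; the inline comment accepts this for an example script, but the same IDs are emitted into the shipped example documents updated in this commit. A stateless way to keep readability and uniqueness is to append a short digest of the pre-sanitized value only when characters were actually dropped, as sketched below (needs `import hashlib` next to `import re`); the `_`→`-` rewrite would still conflate `foo_bar` with `foo-bar`, which deserves a comment if left as is. The docstring also opens with a stray quote, `""" "Emit a valid ...`, which should read `"""Emit a valid ...`.
```python
def sanitize_spdxid(value):
    # … unchanged: docstring …
    value = value.replace("_", "-")  # Replace underscores with dashes to retain readability
    sanitized = re.sub(r"[^a-zA-Z0-9.-]", "", value)
    if sanitized != value:
        # Characters were dropped, so unrelated inputs could now share an ID
        # (e.g. "libstdc++" vs "libstdc"); bind the ID to the original value.
        sanitized += "-" + hashlib.sha256(value.encode("utf-8")).hexdigest()[:8]
    return sanitized
```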