RedHatProductSecurity · mprpic · Aug 19, 2024 · Aug 16, 2024
diff --git a/requirements/dev-requirements.in b/requirements/dev-requirements.in
@@ -1,3 +1,4 @@
 black
 check-jsonschema
+packageurl-python
 ruff
diff --git a/requirements/dev-requirements.txt b/requirements/dev-requirements.txt
@@ -156,6 +156,10 @@ mypy-extensions==1.0.0 \
     --hash=sha256:4392f6c0eb8a5668a69e23d168ffa70f0be9ccfd32b5cc2d26a34ae5b844552d \
     --hash=sha256:75dbf8955dc00442a438fc4d0666508a9a97b6bd41aa2f0ffe9d2f2725af0782
     # via black
+packageurl-python==0.15.6 \
+    --hash=sha256:a40210652c89022772a6c8340d6066f7d5dc67132141e5284a4db7a27d0a8ab0 \
+    --hash=sha256:cbc89afd15d5f4d05db4f1b61297e5b97a43f61f28799f6d282aff467ed2ee96
+    # via -r requirements/dev-requirements.in
 packaging==24.1 \
     --hash=sha256:026ed72c8ed3fcce5bf8950572258698927fd1dbda10a5e981cdf0ac37f4f002 \
     --hash=sha256:5b8f2217dbdbd2f7f384c41c628544e6d52f2d0f53c6d0c3ea61aa5d1d7ff124

diff --git a/sbom/examples/product/rhel-9.2-eus.spdx.json b/sbom/examples/product/rhel-9.2-eus.spdx.json
@@ -38,17 +38,77 @@
         {
           "referenceCategory": "PACKAGE-MANAGER",
           "referenceType": "purl",
-          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-eus-rpms"
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-aarch64-baseos-eus-source-rpms"
         },
         {
           "referenceCategory": "PACKAGE-MANAGER",
           "referenceType": "purl",
-          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-aus-rpms"
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-s390x-baseos-eus-source-rpms"
         },
         {
           "referenceCategory": "PACKAGE-MANAGER",
           "referenceType": "purl",
-          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-e4s-rpms"
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-ppc64le-baseos-eus-source-rpms"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-i686-baseos-eus-source-rpms"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-eus-source-rpms"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-aarch64-baseos-aus-source-rpms"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-s390x-baseos-aus-source-rpms"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-ppc64le-baseos-aus-source-rpms"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-i686-baseos-aus-source-rpms"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-aus-source-rpms"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-aarch64-baseos-e4s-source-rpms"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-s390x-baseos-e4s-source-rpms"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-ppc64le-baseos-e4s-source-rpms"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-i686-baseos-e4s-source-rpms"
+        },
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceType": "purl",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-x86_64-baseos-e4s-source-rpms"
         }
       ],
       "checksums": [

diff --git a/sbom/examples/rpm/README.md → sbom/examples/rpm/build/README.md b/sbom/examples/rpm/README.md → sbom/examples/rpm/build/README.md
diff --git a/sbom/examples/rpm/from-koji.py → sbom/examples/rpm/build/from-koji.py b/sbom/examples/rpm/from-koji.py → sbom/examples/rpm/build/from-koji.py
diff --git a/...pelines-client-1.14.3-11352.el8.spdx.json → ...pelines-client-1.14.3-11352.el8.spdx.json b/...pelines-client-1.14.3-11352.el8.spdx.json → ...pelines-client-1.14.3-11352.el8.spdx.json
diff --git a/...ples/rpm/openssl-3.0.7-18.el9_2.spdx.json → ...pm/build/openssl-3.0.7-18.el9_2.spdx.json b/...ples/rpm/openssl-3.0.7-18.el9_2.spdx.json → ...pm/build/openssl-3.0.7-18.el9_2.spdx.json
diff --git a/...ples/rpm/poppler-21.01.0-19.el9.spdx.json → ...pm/build/poppler-21.01.0-19.el9.spdx.json b/...ples/rpm/poppler-21.01.0-19.el9.spdx.json → ...pm/build/poppler-21.01.0-19.el9.spdx.json
diff --git a/sbom/examples/rpm/build/regenerate.sh b/sbom/examples/rpm/build/regenerate.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+for example in *.json; do
+    python3 from-koji.py "$@" "${example%.spdx.json}"
+done
diff --git a/sbom/examples/rpm/regenerate.sh b/sbom/examples/rpm/regenerate.sh
diff --git a/sbom/examples/rpm/release/add_release_data.py b/sbom/examples/rpm/release/add_release_data.py
@@ -0,0 +1,85 @@
+import json
+import sys
+
+from packageurl import PackageURL
+
+repo_id_map = {
+    # https://access.redhat.com/downloads/content/openshift-pipelines-client/1.15.0-11496.el8/x86_64/fd431d51/package
+    "openshift-pipelines-client-1.14.3-11352.el8": ["pipelines-1.14-for-rhel-8-{arch}-rpms"],
+    # https://access.redhat.com/downloads/content/openssl/3.0.7-18.el9_2/x86_64/fd431d51/package
+    "openssl-3.0.7-18.el9_2": [
+        "rhel-9-for-{arch}-baseos-eus-rpms",
+        "rhel-9-for-{arch}-baseos-aus-rpms",
+        "rhel-9-for-{arch}-baseos-e4s-rpms",
+    ],
+    # https://access.redhat.com/downloads/content/poppler/21.01.0-19.el9/x86_64/fd431d51/package
+    "poppler-21.01.0-19.el9": [
+        "rhel-9-for-{arch}-appstream-rpms",
+        "rhel-9-for-{arch}-baseos-eus-rpms",
+        "rhel-9-for-{arch}-baseos-aus-rpms",
+        "rhel-9-for-{arch}-baseos-e4s-rpms",
+    ],
+}
+
+
+def get_rpm_purl(ext_refs):
+    purl_str = next(
+        (ref["referenceLocator"] for ref in ext_refs if ref["referenceType"] == "purl"),
+        None,
+    )
+    if purl_str is None or (not purl_str.startswith("pkg:rpm/redhat")):
+        return None
+    return PackageURL.from_string(purl_str)
+
+
+sbom_file = sys.argv[1]
+sbom_name = sbom_file.rsplit("/", 1)[-1].removesuffix(".spdx.json")
+
+if sbom_name not in repo_id_map:
+    print(f"ERROR: Repo ID mapping for {sbom_name} not defined!")
+    sys.exit(1)
+
+with open(sbom_file) as fp:
+    sbom = json.load(fp)
+
+all_arches = set()
+for pkg in sbom["packages"]:
+    purl = get_rpm_purl(pkg.get("externalRefs", []))
+    if purl is not None and purl.qualifiers["arch"] != "src":
+        all_arches.add(purl.qualifiers["arch"])
+
+for pkg in sbom["packages"]:
+    purl = get_rpm_purl(pkg.get("externalRefs", []))
+    if purl is None:
+        continue
+
+    new_refs = []
+    for repo_id in repo_id_map[sbom_name]:
+        if purl.qualifiers["arch"] == "src":
+            for arch in all_arches:
+                purl.qualifiers["repository_id"] = (
+                    repo_id.format(arch=arch).removesuffix("-rpms") + "-source-rpms"
+                )
+                release_ref = {
+                    "referenceCategory": "PACKAGE-MANAGER",
+                    "referenceType": "purl",
+                    "referenceLocator": purl.to_string(),
+                }
+                new_refs.append(release_ref)
+        else:
+            if purl.name.endswith("-debugsource"):
+                repo_id = repo_id.removesuffix("-rpms") + "-source-rpms"
+            elif purl.name.endswith("-debuginfo"):
+                repo_id = repo_id.replace("-rpms", "-debug-rpms")
+            purl.qualifiers["repository_id"] = repo_id.format(arch=purl.qualifiers["arch"])
+            release_ref = {
+                "referenceCategory": "PACKAGE-MANAGER",
+                "referenceType": "purl",
+                "referenceLocator": purl.to_string(),
+            }
+            new_refs.append(release_ref)
+
+    pkg["externalRefs"] = new_refs
+
+with open(f"{sbom_name}.spdx.json", "w") as fp:
+    json.dump(sbom, fp, indent=2)