diff --git a/integration/testdata/conda-spdx.json.golden b/integration/testdata/conda-spdx.json.golden index c11f52eeca1b..6feb18b5d65c 100644 --- a/integration/testdata/conda-spdx.json.golden +++ b/integration/testdata/conda-spdx.json.golden @@ -14,7 +14,7 @@ "packages": [ { "name": "openssl", - "SPDXID": "SPDXRef-Package-22a178da112ac20a", + "SPDXID": "SPDXRef-Package-d8a5e692df746bd2", "versionInfo": "1.1.1q", "supplier": "NOASSERTION", "downloadLocation": "NONE", @@ -43,7 +43,7 @@ }, { "name": "pip", - "SPDXID": "SPDXRef-Package-c22b9ee9a601ba6", + "SPDXID": "SPDXRef-Package-d8a5e692df746bd3", "versionInfo": "22.2.2", "supplier": "NOASSERTION", "downloadLocation": "NONE", @@ -72,7 +72,7 @@ }, { "name": "testdata/fixtures/repo/conda", - "SPDXID": "SPDXRef-Filesystem-2e2426fd0f2580ef", + "SPDXID": "SPDXRef-Filesystem-d8a5e692df746bd1", "downloadLocation": "NONE", "filesAnalyzed": false, "primaryPackagePurpose": "SOURCE", 
@@ -113,26 +113,26 @@ "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Filesystem-2e2426fd0f2580ef", + "relatedSpdxElement": "SPDXRef-Filesystem-d8a5e692df746bd1", "relationshipType": "DESCRIBES" }, { - "spdxElementId": "SPDXRef-Filesystem-2e2426fd0f2580ef", - "relatedSpdxElement": "SPDXRef-Package-22a178da112ac20a", + "spdxElementId": "SPDXRef-Filesystem-d8a5e692df746bd1", + "relatedSpdxElement": "SPDXRef-Package-d8a5e692df746bd2", "relationshipType": "CONTAINS" }, { - "spdxElementId": "SPDXRef-Filesystem-2e2426fd0f2580ef", - "relatedSpdxElement": "SPDXRef-Package-c22b9ee9a601ba6", + "spdxElementId": "SPDXRef-Filesystem-d8a5e692df746bd1", + "relatedSpdxElement": "SPDXRef-Package-d8a5e692df746bd3", "relationshipType": "CONTAINS" }, { - "spdxElementId": "SPDXRef-Package-22a178da112ac20a", + "spdxElementId": "SPDXRef-Package-d8a5e692df746bd2", "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891", "relationshipType": "CONTAINS" }, { - "spdxElementId": "SPDXRef-Package-c22b9ee9a601ba6", + "spdxElementId": "SPDXRef-Package-d8a5e692df746bd3", "relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a", "relationshipType": "CONTAINS" } diff --git a/integration/testdata/julia-spdx.json.golden b/integration/testdata/julia-spdx.json.golden index a770765dd849..ab4189b76a20 100644 --- a/integration/testdata/julia-spdx.json.golden +++ b/integration/testdata/julia-spdx.json.golden @@ -14,7 +14,7 @@ "packages": [ { "name": "Manifest.toml", - "SPDXID": "SPDXRef-Application-18fc3597717a3e56", + "SPDXID": "SPDXRef-Application-d8a5e692df746bd2", "downloadLocation": "NONE", "filesAnalyzed": false, "primaryPackagePurpose": "APPLICATION", @@ -35,7 +35,7 @@ }, { "name": "A", - "SPDXID": "SPDXRef-Package-7784b00da0cb0cb0", + "SPDXID": "SPDXRef-Package-d8a5e692df746bd3", "versionInfo": "1.9.0", "supplier": "NOASSERTION", "downloadLocation": "NONE", 
@@ -68,7 +68,7 @@ }, { "name": "B", - "SPDXID": "SPDXRef-Package-960543ac5c5f7e10", + "SPDXID": "SPDXRef-Package-d8a5e692df746bd4", "versionInfo": "1.9.0", "supplier": "NOASSERTION", "downloadLocation": "NONE", @@ -80,7 +80,7 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:julia/B@1.9.0?uuid=f41f7b98-334e-11e9-1257-49272045fb24" + "referenceLocator": "pkg:julia/B@1.9.0?uuid=edca9bc6-334e-11e9-3554-9595dbb4349c" } ], "primaryPackagePurpose": "LIBRARY", @@ -89,7 +89,7 @@ "annotator": "Tool: trivy-dev", "annotationDate": "2021-08-25T12:20:30Z", "annotationType": "OTHER", - "comment": "PkgID: f41f7b98-334e-11e9-1257-49272045fb24" + "comment": "PkgID: edca9bc6-334e-11e9-3554-9595dbb4349c" }, { "annotator": "Tool: trivy-dev", @@ -101,7 +101,7 @@ }, { "name": "B", - "SPDXID": "SPDXRef-Package-a4705eb108e4f15c", + "SPDXID": "SPDXRef-Package-d8a5e692df746bd5", "versionInfo": "1.9.0", "supplier": "NOASSERTION", "downloadLocation": "NONE", @@ -113,7 +113,7 @@ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", - "referenceLocator": "pkg:julia/B@1.9.0?uuid=edca9bc6-334e-11e9-3554-9595dbb4349c" + "referenceLocator": "pkg:julia/B@1.9.0?uuid=f41f7b98-334e-11e9-1257-49272045fb24" } ], "primaryPackagePurpose": "LIBRARY", @@ -122,7 +122,7 @@ "annotator": "Tool: trivy-dev", "annotationDate": "2021-08-25T12:20:30Z", "annotationType": "OTHER", - "comment": "PkgID: edca9bc6-334e-11e9-3554-9595dbb4349c" + "comment": "PkgID: f41f7b98-334e-11e9-1257-49272045fb24" }, { "annotator": "Tool: trivy-dev", @@ -134,7 +134,7 @@ }, { "name": "testdata/fixtures/repo/julia", - "SPDXID": "SPDXRef-Filesystem-1be792dd0077c431", + "SPDXID": "SPDXRef-Filesystem-d8a5e692df746bd1", "downloadLocation": "NONE", "filesAnalyzed": false, "primaryPackagePurpose": "SOURCE", 
@@ -150,33 +150,33 @@ ], "relationships": [ { - "spdxElementId": "SPDXRef-Application-18fc3597717a3e56", - "relatedSpdxElement": "SPDXRef-Package-7784b00da0cb0cb0", + "spdxElementId": "SPDXRef-Application-d8a5e692df746bd2", + "relatedSpdxElement": "SPDXRef-Package-d8a5e692df746bd3", "relationshipType": "CONTAINS" }, { - "spdxElementId": "SPDXRef-Application-18fc3597717a3e56", - "relatedSpdxElement": "SPDXRef-Package-960543ac5c5f7e10", + "spdxElementId": "SPDXRef-Application-d8a5e692df746bd2", + "relatedSpdxElement": "SPDXRef-Package-d8a5e692df746bd4", "relationshipType": "CONTAINS" }, { - "spdxElementId": "SPDXRef-Application-18fc3597717a3e56", - "relatedSpdxElement": "SPDXRef-Package-a4705eb108e4f15c", + "spdxElementId": "SPDXRef-Application-d8a5e692df746bd2", + "relatedSpdxElement": "SPDXRef-Package-d8a5e692df746bd5", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-DOCUMENT", - "relatedSpdxElement": "SPDXRef-Filesystem-1be792dd0077c431", + "relatedSpdxElement": "SPDXRef-Filesystem-d8a5e692df746bd1", "relationshipType": "DESCRIBES" }, { - "spdxElementId": "SPDXRef-Filesystem-1be792dd0077c431", - "relatedSpdxElement": "SPDXRef-Application-18fc3597717a3e56", + "spdxElementId": "SPDXRef-Filesystem-d8a5e692df746bd1", + "relatedSpdxElement": "SPDXRef-Application-d8a5e692df746bd2", "relationshipType": "CONTAINS" }, { - "spdxElementId": "SPDXRef-Package-7784b00da0cb0cb0", - "relatedSpdxElement": "SPDXRef-Package-960543ac5c5f7e10", + "spdxElementId": "SPDXRef-Package-d8a5e692df746bd3", + "relatedSpdxElement": "SPDXRef-Package-d8a5e692df746bd5", "relationshipType": "DEPENDS_ON" } ] diff --git a/pkg/sbom/spdx/marshal.go b/pkg/sbom/spdx/marshal.go index 51f9144f682d..51deae6e30e7 100644 --- a/pkg/sbom/spdx/marshal.go +++ b/pkg/sbom/spdx/marshal.go 
@@ -3,12 +3,12 @@ package spdx import ( "context" "fmt" + "hash/fnv" "slices" "sort" "strings" "time" - "github.com/mitchellh/hashstructure/v2" "github.com/package-url/packageurl-go" "github.com/samber/lo" "github.com/spdx/tools-golang/spdx" @@ -80,31 +80,15 @@ var duplicateProperties = []string{ type Marshaler struct { format spdx.Document - hasher Hash appVersion string // Trivy version. It needed for `creator` field } -type Hash func(v any, format hashstructure.Format, opts *hashstructure.HashOptions) (uint64, error) - -type marshalOption func(*Marshaler) - -func WithHasher(hasher Hash) marshalOption { - return func(opts *Marshaler) { - opts.hasher = hasher - } -} - -func NewMarshaler(version string, opts ...marshalOption) *Marshaler { +func NewMarshaler(version string) *Marshaler { m := &Marshaler{ format: spdx.Document{}, - hasher: hashstructure.Hash, appVersion: version, } - for _, opt := range opts { - opt(m) - } - return m } @@ -249,7 +233,7 @@ func (m *Marshaler) rootSPDXPackage(root *core.Component, timeNow, pkgDownloadLo externalReferences = append(externalReferences, m.purlExternalReference(root.PkgIdentifier.PURL.String())) } - pkgID, err := calcPkgID(m.hasher, fmt.Sprintf("%s-%s", root.Name, root.Type)) + pkgID, err := calcPkgID(root.ID().String()) if err != nil { return nil, xerrors.Errorf("failed to get %s package ID: %w", pkgID, err) } @@ -301,7 +285,7 @@ func (m *Marshaler) advisoryExternalReference(primaryURL string) *spdx.PackageEx } func (m *Marshaler) spdxPackage(c *core.Component, timeNow, pkgDownloadLocation string) (spdx.Package, error) { - pkgID, err := calcPkgID(m.hasher, c) + pkgID, err := calcPkgID(c.ID().String()) if err != nil { return spdx.Package{}, xerrors.Errorf("failed to get os metadata package ID: %w", err) } 
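Review bot: `NewMarshaler` is exported but has no doc comment, and after the `@@ -80,31 +80,15 @@` hunk it no longer accepts options, so the exported `Hash` type and `WithHasher` are gone for any caller outside this package that injected a hasher. A comment such as `// NewMarshaler returns a Marshaler that records version as the Trivy version in the SPDX creator field.` would document the one remaining input. Whether the package is consumed as a library cannot be seen from this diff; if it is, the removal deserves a line in the release notes.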
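Review bot: The SPDXID in `rootSPDXPackage` (hunk `@@ -249,7 +233,7 @@`) is now hashed from `root.ID().String()` instead of the component's name and type, and the next hunk makes the same switch in `spdxPackage`. The test's `uuid.SetFakeUUID` call and the sequential expected values (`…746bd1`, `…746bd2`) suggest `ID()` is a UUID assigned per run; if so, scanning the same artifact twice yields different SPDXIDs, which defeats byte-for-byte comparison of SBOMs and changes the digest of any signed or attested SBOM. That trade-off should be stated at the call, e.g. `// SPDXID is derived from the component's UUID: unique within the document, not stable across runs.` Separately, the unchanged error line formats `pkgID`, which is empty whenever `err` is non-nil; `xerrors.Errorf("failed to get %s package ID: %w", root.Name, err)` would name the component. Both function bodies continue outside their hunks.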
@@ -435,7 +419,7 @@ func (m *Marshaler) spdxFiles(c *core.Component) ([]*spdx.File, error) { } func (m *Marshaler) spdxFile(filePath string, digests []digest.Digest) (*spdx.File, error) { - pkgID, err := calcPkgID(m.hasher, filePath) + pkgID, err := calcPkgID(filePath) if err != nil { return nil, xerrors.Errorf("failed to get %s package ID: %w", filePath, err) } @@ -518,16 +502,14 @@ func getDocumentNamespace(root *core.Component) string { ) } -func calcPkgID(h Hash, v any) (string, error) { - f, err := h(v, hashstructure.FormatV2, &hashstructure.HashOptions{ - ZeroNil: true, - SlicesAsSets: true, - }) +func calcPkgID(s string) (string, error) { + h := fnv.New64() + _, err := h.Write([]byte(s)) if err != nil { - return "", xerrors.Errorf("could not build package ID for %+v: %w", v, err) + return "", xerrors.Errorf("could not build package ID for %q: %w", s, err) } - return fmt.Sprintf("%x", f), nil + return fmt.Sprintf("%x", h.Sum64()), nil } func camelCase(inputUnderScoreStr string) (camelCase string) { diff --git a/pkg/sbom/spdx/marshal_test.go b/pkg/sbom/spdx/marshal_test.go index 4d9d33c013a7..4bc81a8223d1 100644 --- a/pkg/sbom/spdx/marshal_test.go +++ b/pkg/sbom/spdx/marshal_test.go @@ -2,12 +2,10 @@ package spdx_test import ( "context" - "hash/fnv" "testing" "time" v1 "github.com/google/go-containerregistry/pkg/v1" - "github.com/mitchellh/hashstructure/v2" "github.com/package-url/packageurl-go" "github.com/spdx/tools-golang/spdx" "github.com/spdx/tools-golang/spdx/v2/common" @@ -19,7 +17,6 @@ import ( "github.com/aquasecurity/trivy/pkg/fanal/artifact" ftypes "github.com/aquasecurity/trivy/pkg/fanal/types" "github.com/aquasecurity/trivy/pkg/report" - "github.com/aquasecurity/trivy/pkg/sbom/core" tspdx "github.com/aquasecurity/trivy/pkg/sbom/spdx" "github.com/aquasecurity/trivy/pkg/types" "github.com/aquasecurity/trivy/pkg/uuid" 
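Review bot: `calcPkgID` (hunk `@@ -518,16 +502,14 @@`) uses `fnv.New64()`, which is FNV-1: each byte is XORed in after the multiply, so inputs that differ only in their final character produce hashes that differ only in the low byte, which matches the `…746bd1` through `…746bd8` pattern in the updated expectations. `h := fnv.New64a()` carries the last byte through the multiply, and `return fmt.Sprintf("%016x", h.Sum64()), nil` keeps the ID a fixed width, since `%x` drops leading zeros as in the old golden value `c22b9ee9a601ba6`; both changes mean regenerating the expected values. The `err` branch is dead code because `Write` on a `hash.Hash` never returns an error. FNV is also not collision-resistant, and `spdxFile` in the preceding hunk feeds it paths taken from the scanned artifact, so a check for an already-used ID where elements are added to the document would keep two elements from silently sharing one SPDXID.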
@@ -186,7 +183,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, Packages: []*spdx.Package{ { - PackageSPDXIdentifier: spdx.ElementID("Application-9f48cdd13858abaf"), + PackageSPDXIdentifier: spdx.ElementID("Application-d8a5e692df746bd7"), PackageDownloadLocation: "NONE", PackageName: "app/Gemfile.lock", PrimaryPackagePurpose: tspdx.PackagePurposeApplication, @@ -196,7 +193,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, { - PackageSPDXIdentifier: spdx.ElementID("Application-692290f4b2235359"), + PackageSPDXIdentifier: spdx.ElementID("Application-d8a5e692df746bd4"), PackageDownloadLocation: "NONE", PackageName: "app/subproject/Gemfile.lock", PrimaryPackagePurpose: tspdx.PackagePurposeApplication, @@ -206,7 +203,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, { - PackageSPDXIdentifier: spdx.ElementID("ContainerImage-9396d894cd0cb6cb"), + PackageSPDXIdentifier: spdx.ElementID("ContainerImage-d8a5e692df746bd1"), PackageDownloadLocation: "NONE", PackageName: "rails:latest", PackageExternalReferences: []*spdx.PackageExternalReference{ @@ -228,7 +225,7 @@ func TestMarshaler_Marshal(t *testing.T) { PrimaryPackagePurpose: tspdx.PackagePurposeContainer, }, { - PackageSPDXIdentifier: spdx.ElementID("Package-b8d4663e6d412e7"), + PackageSPDXIdentifier: spdx.ElementID("Package-d8a5e692df746bd6"), PackageDownloadLocation: "NONE", PackageName: "actioncontroller", PackageVersion: "7.0.1", @@ -249,7 +246,7 @@ func TestMarshaler_Marshal(t *testing.T) { PackageSourceInfo: "package found in: app/subproject/Gemfile.lock", }, { - PackageSPDXIdentifier: spdx.ElementID("Package-3b51e821f6796568"), + PackageSPDXIdentifier: spdx.ElementID("Package-d8a5e692df746bd5"), PackageDownloadLocation: "NONE", PackageName: "actionpack", PackageVersion: "7.0.1", 
@@ -270,7 +267,7 @@ func TestMarshaler_Marshal(t *testing.T) { PackageSourceInfo: "package found in: app/subproject/Gemfile.lock", }, { - PackageSPDXIdentifier: spdx.ElementID("Package-fb5630bc7d55a21c"), + PackageSPDXIdentifier: spdx.ElementID("Package-d8a5e692df746bd8"), PackageDownloadLocation: "NONE", PackageName: "actionpack", PackageVersion: "7.0.1", @@ -291,7 +288,7 @@ func TestMarshaler_Marshal(t *testing.T) { PackageSourceInfo: "package found in: app/Gemfile.lock", }, { - PackageSPDXIdentifier: spdx.ElementID("Package-5d43902b18ed2e2c"), + PackageSPDXIdentifier: spdx.ElementID("Package-d8a5e692df746bd3"), PackageDownloadLocation: "NONE", PackageName: "binutils", PackageVersion: "2.30-93.el8", @@ -321,7 +318,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, { - PackageSPDXIdentifier: spdx.ElementID("OperatingSystem-20f7fa3049cc748c"), + PackageSPDXIdentifier: spdx.ElementID("OperatingSystem-d8a5e692df746bd2"), PackageDownloadLocation: "NONE", PackageName: "centos", PackageVersion: "8.3.2011", 
@@ -334,43 +331,43 @@ func TestMarshaler_Marshal(t *testing.T) { }, Relationships: []*spdx.Relationship{ { - RefA: spdx.DocElementID{ElementRefID: "Application-692290f4b2235359"}, - RefB: spdx.DocElementID{ElementRefID: "Package-3b51e821f6796568"}, + RefA: spdx.DocElementID{ElementRefID: "Application-d8a5e692df746bd4"}, + RefB: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd5"}, Relationship: "CONTAINS", }, { - RefA: spdx.DocElementID{ElementRefID: "Application-692290f4b2235359"}, - RefB: spdx.DocElementID{ElementRefID: "Package-b8d4663e6d412e7"}, + RefA: spdx.DocElementID{ElementRefID: "Application-d8a5e692df746bd4"}, + RefB: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd6"}, Relationship: "CONTAINS", }, { - RefA: spdx.DocElementID{ElementRefID: "Application-9f48cdd13858abaf"}, - RefB: spdx.DocElementID{ElementRefID: "Package-fb5630bc7d55a21c"}, + RefA: spdx.DocElementID{ElementRefID: "Application-d8a5e692df746bd7"}, + RefB: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd8"}, Relationship: "CONTAINS", }, { - RefA: spdx.DocElementID{ElementRefID: "ContainerImage-9396d894cd0cb6cb"}, - RefB: spdx.DocElementID{ElementRefID: "Application-692290f4b2235359"}, + RefA: spdx.DocElementID{ElementRefID: "ContainerImage-d8a5e692df746bd1"}, + RefB: spdx.DocElementID{ElementRefID: "Application-d8a5e692df746bd4"}, Relationship: "CONTAINS", }, { - RefA: spdx.DocElementID{ElementRefID: "ContainerImage-9396d894cd0cb6cb"}, - RefB: spdx.DocElementID{ElementRefID: "Application-9f48cdd13858abaf"}, + RefA: spdx.DocElementID{ElementRefID: "ContainerImage-d8a5e692df746bd1"}, + RefB: spdx.DocElementID{ElementRefID: "Application-d8a5e692df746bd7"}, Relationship: "CONTAINS", }, { - RefA: spdx.DocElementID{ElementRefID: "ContainerImage-9396d894cd0cb6cb"}, - RefB: spdx.DocElementID{ElementRefID: "OperatingSystem-20f7fa3049cc748c"}, + RefA: spdx.DocElementID{ElementRefID: "ContainerImage-d8a5e692df746bd1"}, + RefB: spdx.DocElementID{ElementRefID: 
"OperatingSystem-d8a5e692df746bd2"}, Relationship: "CONTAINS", }, { RefA: spdx.DocElementID{ElementRefID: "DOCUMENT"}, - RefB: spdx.DocElementID{ElementRefID: "ContainerImage-9396d894cd0cb6cb"}, + RefB: spdx.DocElementID{ElementRefID: "ContainerImage-d8a5e692df746bd1"}, Relationship: "DESCRIBES", }, { - RefA: spdx.DocElementID{ElementRefID: "OperatingSystem-20f7fa3049cc748c"}, - RefB: spdx.DocElementID{ElementRefID: "Package-5d43902b18ed2e2c"}, + RefA: spdx.DocElementID{ElementRefID: "OperatingSystem-d8a5e692df746bd2"}, + RefB: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd3"}, Relationship: "CONTAINS", }, }, @@ -509,7 +506,7 @@ func TestMarshaler_Marshal(t *testing.T) { Packages: []*spdx.Package{ { PackageName: "centos:latest", - PackageSPDXIdentifier: "ContainerImage-413bfede37ad01fc", + PackageSPDXIdentifier: "ContainerImage-d8a5e692df746bd1", PackageDownloadLocation: "NONE", Annotations: []spdx.Annotation{ annotation(t, "ImageID: sha256:5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6"), @@ -520,7 +517,7 @@ func TestMarshaler_Marshal(t *testing.T) { PrimaryPackagePurpose: tspdx.PackagePurposeContainer, }, { - PackageSPDXIdentifier: spdx.ElementID("Package-40c4059fe08523bf"), + PackageSPDXIdentifier: spdx.ElementID("Package-d8a5e692df746bd3"), PackageDownloadLocation: "NONE", PackageName: "acl", PackageVersion: "1:2.2.53-1.el8", @@ -547,7 +544,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, { - PackageSPDXIdentifier: spdx.ElementID("Package-69f68dd639314edd"), + PackageSPDXIdentifier: spdx.ElementID("Package-d8a5e692df746bd4"), PackageDownloadLocation: "NONE", PackageName: "actionpack", PackageVersion: "7.0.1", 
@@ -568,11 +565,11 @@ func TestMarshaler_Marshal(t *testing.T) { PackageSupplier: &spdx.Supplier{Supplier: tspdx.PackageSupplierNoAssertion}, FilesAnalyzed: true, PackageVerificationCode: &spdx.PackageVerificationCode{ - Value: "688d98e7e5660b879fd1fc548af8c0df3b7d785a", + Value: "c7526b18eaaeb410e82cb0da9288dd02b38ea171", }, }, { - PackageSPDXIdentifier: spdx.ElementID("Package-da2cda24d2ecbfe6"), + PackageSPDXIdentifier: spdx.ElementID("Package-d8a5e692df746bd5"), PackageDownloadLocation: "NONE", PackageName: "actionpack", PackageVersion: "7.0.1", @@ -593,11 +590,11 @@ func TestMarshaler_Marshal(t *testing.T) { PackageSupplier: &spdx.Supplier{Supplier: tspdx.PackageSupplierNoAssertion}, FilesAnalyzed: true, PackageVerificationCode: &spdx.PackageVerificationCode{ - Value: "c7526b18eaaeb410e82cb0da9288dd02b38ea171", + Value: "688d98e7e5660b879fd1fc548af8c0df3b7d785a", }, }, { - PackageSPDXIdentifier: spdx.ElementID("OperatingSystem-20f7fa3049cc748c"), + PackageSPDXIdentifier: spdx.ElementID("OperatingSystem-d8a5e692df746bd2"), PackageDownloadLocation: "NONE", PackageName: "centos", PackageVersion: "8.3.2011", 
@@ -632,38 +629,38 @@ func TestMarshaler_Marshal(t *testing.T) { }, Relationships: []*spdx.Relationship{ { - RefA: spdx.DocElementID{ElementRefID: "ContainerImage-413bfede37ad01fc"}, - RefB: spdx.DocElementID{ElementRefID: "OperatingSystem-20f7fa3049cc748c"}, + RefA: spdx.DocElementID{ElementRefID: "ContainerImage-d8a5e692df746bd1"}, + RefB: spdx.DocElementID{ElementRefID: "OperatingSystem-d8a5e692df746bd2"}, Relationship: "CONTAINS", }, { - RefA: spdx.DocElementID{ElementRefID: "ContainerImage-413bfede37ad01fc"}, - RefB: spdx.DocElementID{ElementRefID: "Package-69f68dd639314edd"}, + RefA: spdx.DocElementID{ElementRefID: "ContainerImage-d8a5e692df746bd1"}, + RefB: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd4"}, Relationship: "CONTAINS", }, { - RefA: spdx.DocElementID{ElementRefID: "ContainerImage-413bfede37ad01fc"}, - RefB: spdx.DocElementID{ElementRefID: "Package-da2cda24d2ecbfe6"}, + RefA: spdx.DocElementID{ElementRefID: "ContainerImage-d8a5e692df746bd1"}, + RefB: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd5"}, Relationship: "CONTAINS", }, { RefA: spdx.DocElementID{ElementRefID: "DOCUMENT"}, - RefB: spdx.DocElementID{ElementRefID: "ContainerImage-413bfede37ad01fc"}, + RefB: spdx.DocElementID{ElementRefID: "ContainerImage-d8a5e692df746bd1"}, Relationship: "DESCRIBES", }, { - RefA: spdx.DocElementID{ElementRefID: "OperatingSystem-20f7fa3049cc748c"}, - RefB: spdx.DocElementID{ElementRefID: "Package-40c4059fe08523bf"}, + RefA: spdx.DocElementID{ElementRefID: "OperatingSystem-d8a5e692df746bd2"}, + RefB: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd3"}, Relationship: "CONTAINS", }, { - RefA: spdx.DocElementID{ElementRefID: "Package-69f68dd639314edd"}, - RefB: spdx.DocElementID{ElementRefID: "File-fa42187221d0d0a8"}, + RefA: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd4"}, + RefB: spdx.DocElementID{ElementRefID: "File-6a540784b0dc6d55"}, Relationship: "CONTAINS", }, { - RefA: spdx.DocElementID{ElementRefID: 
"Package-da2cda24d2ecbfe6"}, - RefB: spdx.DocElementID{ElementRefID: "File-6a540784b0dc6d55"}, + RefA: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd5"}, + RefB: spdx.DocElementID{ElementRefID: "File-fa42187221d0d0a8"}, Relationship: "CONTAINS", }, }, @@ -741,7 +738,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, Packages: []*spdx.Package{ { - PackageSPDXIdentifier: spdx.ElementID("Application-ed046c4a6b4da30f"), + PackageSPDXIdentifier: spdx.ElementID("Application-d8a5e692df746bd2"), PackageDownloadLocation: "NONE", PackageName: "Gemfile.lock", PrimaryPackagePurpose: tspdx.PackagePurposeApplication, @@ -751,7 +748,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, { - PackageSPDXIdentifier: spdx.ElementID("Application-800d9e6e0f88ab3a"), + PackageSPDXIdentifier: spdx.ElementID("Application-d8a5e692df746bd4"), PackageDownloadLocation: "NONE", PackageName: "pom.xml", PrimaryPackagePurpose: tspdx.PackagePurposeApplication, @@ -761,7 +758,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, { - PackageSPDXIdentifier: spdx.ElementID("Package-e78eaf94802a53dc"), + PackageSPDXIdentifier: spdx.ElementID("Package-d8a5e692df746bd3"), PackageDownloadLocation: "NONE", PackageName: "actioncable", PackageVersion: "6.1.4.1", @@ -782,7 +779,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, { - PackageSPDXIdentifier: spdx.ElementID("Package-69cd7625c68537c7"), + PackageSPDXIdentifier: spdx.ElementID("Package-d8a5e692df746bd5"), PackageDownloadLocation: "NONE", PackageName: "com.example:example", PackageVersion: "1.0.0", @@ -804,7 +801,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, { - PackageSPDXIdentifier: spdx.ElementID("Filesystem-5af0f1f08c20909a"), + PackageSPDXIdentifier: spdx.ElementID("Filesystem-d8a5e692df746bd1"), PackageDownloadLocation: "NONE", PackageName: "masahiro331/CVE-2021-41098", Annotations: []spdx.Annotation{ 
@@ -815,28 +812,28 @@ func TestMarshaler_Marshal(t *testing.T) { }, Relationships: []*spdx.Relationship{ { - RefA: spdx.DocElementID{ElementRefID: "Application-800d9e6e0f88ab3a"}, - RefB: spdx.DocElementID{ElementRefID: "Package-69cd7625c68537c7"}, + RefA: spdx.DocElementID{ElementRefID: "Application-d8a5e692df746bd2"}, + RefB: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd3"}, Relationship: "CONTAINS", }, { - RefA: spdx.DocElementID{ElementRefID: "Application-ed046c4a6b4da30f"}, - RefB: spdx.DocElementID{ElementRefID: "Package-e78eaf94802a53dc"}, + RefA: spdx.DocElementID{ElementRefID: "Application-d8a5e692df746bd4"}, + RefB: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd5"}, Relationship: "CONTAINS", }, { RefA: spdx.DocElementID{ElementRefID: "DOCUMENT"}, - RefB: spdx.DocElementID{ElementRefID: "Filesystem-5af0f1f08c20909a"}, + RefB: spdx.DocElementID{ElementRefID: "Filesystem-d8a5e692df746bd1"}, Relationship: "DESCRIBES", }, { - RefA: spdx.DocElementID{ElementRefID: "Filesystem-5af0f1f08c20909a"}, - RefB: spdx.DocElementID{ElementRefID: "Application-800d9e6e0f88ab3a"}, + RefA: spdx.DocElementID{ElementRefID: "Filesystem-d8a5e692df746bd1"}, + RefB: spdx.DocElementID{ElementRefID: "Application-d8a5e692df746bd2"}, Relationship: "CONTAINS", }, { - RefA: spdx.DocElementID{ElementRefID: "Filesystem-5af0f1f08c20909a"}, - RefB: spdx.DocElementID{ElementRefID: "Application-ed046c4a6b4da30f"}, + RefA: spdx.DocElementID{ElementRefID: "Filesystem-d8a5e692df746bd1"}, + RefB: spdx.DocElementID{ElementRefID: "Application-d8a5e692df746bd4"}, Relationship: "CONTAINS", }, }, @@ -900,7 +897,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, Packages: []*spdx.Package{ { - PackageSPDXIdentifier: spdx.ElementID("Package-4ee6f197f4811213"), + PackageSPDXIdentifier: spdx.ElementID("Package-d8a5e692df746bd2"), PackageDownloadLocation: "NONE", PackageName: "org.apache.logging.log4j:log4j-core", PackageVersion: "2.17.0", 
@@ -925,7 +922,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, { - PackageSPDXIdentifier: spdx.ElementID("Filesystem-121e7e7a43f02ab"), + PackageSPDXIdentifier: spdx.ElementID("Filesystem-d8a5e692df746bd1"), PackageDownloadLocation: "NONE", PackageName: "log4j-core-2.17.0.jar", Annotations: []spdx.Annotation{ @@ -937,12 +934,12 @@ func TestMarshaler_Marshal(t *testing.T) { Relationships: []*spdx.Relationship{ { RefA: spdx.DocElementID{ElementRefID: "DOCUMENT"}, - RefB: spdx.DocElementID{ElementRefID: "Filesystem-121e7e7a43f02ab"}, + RefB: spdx.DocElementID{ElementRefID: "Filesystem-d8a5e692df746bd1"}, Relationship: "DESCRIBES", }, { - RefA: spdx.DocElementID{ElementRefID: "Filesystem-121e7e7a43f02ab"}, - RefB: spdx.DocElementID{ElementRefID: "Package-4ee6f197f4811213"}, + RefA: spdx.DocElementID{ElementRefID: "Filesystem-d8a5e692df746bd1"}, + RefB: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd2"}, Relationship: "CONTAINS", }, }, @@ -1002,7 +999,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, Packages: []*spdx.Package{ { - PackageSPDXIdentifier: spdx.ElementID("Package-52b8e939bac2d133"), + PackageSPDXIdentifier: spdx.ElementID("Package-d8a5e692df746bd2"), PackageDownloadLocation: "git+http://test-aggregate", PackageName: "ruby-typeprof", PackageVersion: "0.20.1", @@ -1027,7 +1024,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, { - PackageSPDXIdentifier: "Repository-1a78857c1a6a759e", + PackageSPDXIdentifier: "Repository-d8a5e692df746bd1", PackageName: "http://test-aggregate", PackageDownloadLocation: "git+http://test-aggregate", Annotations: []spdx.Annotation{ 
@@ -1051,17 +1048,17 @@ func TestMarshaler_Marshal(t *testing.T) { Relationships: []*spdx.Relationship{ { RefA: spdx.DocElementID{ElementRefID: "DOCUMENT"}, - RefB: spdx.DocElementID{ElementRefID: "Repository-1a78857c1a6a759e"}, + RefB: spdx.DocElementID{ElementRefID: "Repository-d8a5e692df746bd1"}, Relationship: "DESCRIBES", }, { - RefA: spdx.DocElementID{ElementRefID: "Package-52b8e939bac2d133"}, + RefA: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd2"}, RefB: spdx.DocElementID{ElementRefID: "File-a52825a3e5bc6dfe"}, Relationship: "CONTAINS", }, { - RefA: spdx.DocElementID{ElementRefID: "Repository-1a78857c1a6a759e"}, - RefB: spdx.DocElementID{ElementRefID: "Package-52b8e939bac2d133"}, + RefA: spdx.DocElementID{ElementRefID: "Repository-d8a5e692df746bd1"}, + RefB: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd2"}, Relationship: "CONTAINS", }, }, @@ -1098,7 +1095,7 @@ func TestMarshaler_Marshal(t *testing.T) { Packages: []*spdx.Package{ { PackageName: "empty/path", - PackageSPDXIdentifier: "Filesystem-70f34983067dba86", + PackageSPDXIdentifier: "Filesystem-d8a5e692df746bd1", PackageDownloadLocation: "NONE", Annotations: []spdx.Annotation{ annotation(t, "SchemaVersion: 2"), @@ -1109,7 +1106,7 @@ func TestMarshaler_Marshal(t *testing.T) { Relationships: []*spdx.Relationship{ { RefA: spdx.DocElementID{ElementRefID: "DOCUMENT"}, - RefB: spdx.DocElementID{ElementRefID: "Filesystem-70f34983067dba86"}, + RefB: spdx.DocElementID{ElementRefID: "Filesystem-d8a5e692df746bd1"}, Relationship: "DESCRIBES", }, }, @@ -1160,7 +1157,7 @@ func TestMarshaler_Marshal(t *testing.T) { Packages: []*spdx.Package{ { PackageName: "secret", - PackageSPDXIdentifier: "Filesystem-5c08d34162a2c5d3", + PackageSPDXIdentifier: "Filesystem-d8a5e692df746bd1", PackageDownloadLocation: "NONE", Annotations: []spdx.Annotation{ annotation(t, "SchemaVersion: 2"), 
@@ -1171,7 +1168,7 @@ func TestMarshaler_Marshal(t *testing.T) { Relationships: []*spdx.Relationship{ { RefA: spdx.DocElementID{ElementRefID: "DOCUMENT"}, - RefB: spdx.DocElementID{ElementRefID: "Filesystem-5c08d34162a2c5d3"}, + RefB: spdx.DocElementID{ElementRefID: "Filesystem-d8a5e692df746bd1"}, Relationship: "DESCRIBES", }, }, @@ -1231,7 +1228,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, Packages: []*spdx.Package{ { - PackageSPDXIdentifier: spdx.ElementID("Application-aab0f4e8cf174c67"), + PackageSPDXIdentifier: spdx.ElementID("Application-d8a5e692df746bd2"), PackageDownloadLocation: "NONE", PackageName: "/usr/local/bin/test", PrimaryPackagePurpose: tspdx.PackagePurposeApplication, @@ -1241,7 +1238,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, { - PackageSPDXIdentifier: spdx.ElementID("Package-b1c3b9e2363f5ff7"), + PackageSPDXIdentifier: spdx.ElementID("Package-d8a5e692df746bd3"), PackageDownloadLocation: "NONE", PackageName: "./private_repos/cnrm.googlesource.com/cnrm/", PackageLicenseConcluded: "NOASSERTION", @@ -1254,7 +1251,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, }, { - PackageSPDXIdentifier: spdx.ElementID("Package-b9b7ae633941e083"), + PackageSPDXIdentifier: spdx.ElementID("Package-d8a5e692df746bd4"), PackageDownloadLocation: "NONE", PackageName: "golang.org/x/crypto", PackageVersion: "v0.0.1", @@ -1276,7 +1273,7 @@ func TestMarshaler_Marshal(t *testing.T) { }, { PackageName: "go-artifact", - PackageSPDXIdentifier: "Filesystem-e340f27468b382be", + PackageSPDXIdentifier: "Filesystem-d8a5e692df746bd1", PackageDownloadLocation: "NONE", Annotations: []spdx.Annotation{ annotation(t, "SchemaVersion: 2"), 
@@ -1286,23 +1283,23 @@ func TestMarshaler_Marshal(t *testing.T) { }, Relationships: []*spdx.Relationship{ { - RefA: spdx.DocElementID{ElementRefID: "Application-aab0f4e8cf174c67"}, - RefB: spdx.DocElementID{ElementRefID: "Package-b1c3b9e2363f5ff7"}, + RefA: spdx.DocElementID{ElementRefID: "Application-d8a5e692df746bd2"}, + RefB: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd3"}, Relationship: "CONTAINS", }, { - RefA: spdx.DocElementID{ElementRefID: "Application-aab0f4e8cf174c67"}, - RefB: spdx.DocElementID{ElementRefID: "Package-b9b7ae633941e083"}, + RefA: spdx.DocElementID{ElementRefID: "Application-d8a5e692df746bd2"}, + RefB: spdx.DocElementID{ElementRefID: "Package-d8a5e692df746bd4"}, Relationship: "CONTAINS", }, { RefA: spdx.DocElementID{ElementRefID: "DOCUMENT"}, - RefB: spdx.DocElementID{ElementRefID: "Filesystem-e340f27468b382be"}, + RefB: spdx.DocElementID{ElementRefID: "Filesystem-d8a5e692df746bd1"}, Relationship: "DESCRIBES", }, { - RefA: spdx.DocElementID{ElementRefID: "Filesystem-e340f27468b382be"}, - RefB: spdx.DocElementID{ElementRefID: "Application-aab0f4e8cf174c67"}, + RefA: spdx.DocElementID{ElementRefID: "Filesystem-d8a5e692df746bd1"}, + RefB: spdx.DocElementID{ElementRefID: "Application-d8a5e692df746bd2"}, Relationship: "CONTAINS", }, }, 
@@ -1312,35 +1309,10 @@ func TestMarshaler_Marshal(t *testing.T) { for _, tc := range testCases { t.Run(tc.name, func(t *testing.T) { - // Fake function calculating the hash value - h := fnv.New64() - hasher := func(v any, format hashstructure.Format, opts *hashstructure.HashOptions) (uint64, error) { - h.Reset() - - var str string - switch vv := v.(type) { - case *core.Component: - str = vv.Name + vv.Version + vv.SrcFile - for _, f := range vv.Files { - str += f.Path - } - case string: - str = vv - default: - require.Failf(t, "unknown type", "%T", v) - } - - if _, err := h.Write([]byte(str)); err != nil { - return 0, err - } - - return h.Sum64(), nil - } - ctx := clock.With(context.Background(), time.Date(2021, 8, 25, 12, 20, 30, 5, time.UTC)) uuid.SetFakeUUID(t, "3ff14136-e09f-4df9-80ea-%012d") - marshaler := tspdx.NewMarshaler("0.56.2", tspdx.WithHasher(hasher)) + marshaler := tspdx.NewMarshaler("0.56.2") spdxDoc, err := marshaler.MarshalReport(ctx, tc.inputReport) require.NoError(t, err)
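Review bot: With the fake hasher removed, every expected SPDXID in this table is fixed only by the order in which `uuid.SetFakeUUID` hands out values, and nothing at the call says so. A comment above it, e.g. `// SPDXIDs are hashed from component IDs, so this fake UUID sequence determines every expected "…-d8a5e692df746bdN" value below.`, would explain why adding a component to a case renumbers unrelated expectations. The earlier hunks at `@@ -568,11 +565,11 @@` and `@@ -632,38 +629,38 @@` swap the verification codes and file relationships of the two `actionpack` entries, which suggests the order of same-name packages now follows ID allocation rather than content. A case that asserts that order on purpose would show the change is intended rather than incidental.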