def generate_layer(self, layer):
    """Emit the SPDX JSON document for one layer at container build time.

    Args:
        layer: the layer object to describe; handed straight to
            get_document_dict_snapshot together with a fresh SPDX template.

    Returns:
        str: the JSON-serialised SPDX document for that layer.
    """
    logger.debug("Generating SPDX JSON document...")
    snapshot = get_document_dict_snapshot(layer, SPDX())
    return json.dumps(snapshot)
def generate(self, image_obj_list, print_inclusive=False):
    '''Render the analysed image as an SPDX JSON document.

    WARNING: only ``image_obj_list[0]`` is rendered. The caller is expected
    to pass either a single image, or the base image followed by a stub
    image; the stub is an empty image object with no metadata (nothing got
    built), so it has nothing to contribute to the SPDX document. How
    several real images would be represented in one SPDX document is still
    an open question, which is why the list is treated as having length 1.

    The document is assembled as a dictionary by get_document_dict and then
    serialised here; write_report in report.py can dump the string to a
    file. In SPDX terms the image is a 'Package' that 'CONTAINS' each
    layer, itself a 'Package' that 'CONTAINS' the real packages.

    Args:
        image_obj_list: list of image objects; only index 0 is used.
        print_inclusive: not used by this generator.

    Returns:
        str: the JSON document.

    Raises:
        IndexError: if ``image_obj_list`` is empty.
    '''
    logger.debug("Generating SPDX JSON document...")
    document = get_document_dict(image_obj_list[0], SPDX())
    return json.dumps(document)
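def generate(self, image_obj_list):
    '''Render the analysed image as an SPDX tag-value document.

    WARNING: only ``image_obj_list[0]`` is rendered. The caller is expected
    to pass either a single image, or the base image followed by a stub
    image; the stub is an empty image object with no metadata (nothing got
    built), so it has nothing to contribute to the SPDX document.

    The returned string can be written to a file with write_report in
    report.py. Its layout, top to bottom, is:

        Document tag-values (get_document_block)
        ## image: Package tag-values, Origins as PackageComment <text>
        ## relationships: image CONTAINS layer1, image CONTAINS layer2, ...
        ## layer1: Package tag-values and PackageComment
        ##   relationships: layer1 CONTAINS package1, package2, ...
        ## layer2: Package tag-values and PackageComment
        ##   relationships: layer2 HAS_PREREQUISITE layer1,
        ##                  layer2 CONTAINS package3, package4, ...
        ## one Package block per package (no relationships listed here)
        ## license block for every distinct package license encountered

    Each block is separated from the next by a single newline; the license
    block is emitted last, exactly as get_license_block returns it. In SPDX
    terms the image is a 'Package' that 'CONTAINS' each layer, itself a
    'Package' that 'CONTAINS' the real packages.

    Args:
        image_obj_list: list of image objects; only index 0 is used.

    Returns:
        str: the complete tag-value document.

    Raises:
        IndexError: if ``image_obj_list`` is empty.
    '''
    image_obj = image_obj_list[0]
    template = SPDX()
    # Blocks are collected and joined once at the end rather than appended
    # to one ever-growing string.
    blocks = []

    # Document-level tag-values; these are fixed for a given image.
    blocks.append(get_document_block(image_obj))

    # The image is the top-level Package. No file-level analysis is done at
    # this level, so license and copyright are NOASSERTION and
    # FilesAnalyzed is false.
    blocks.append(get_main_block(
        image_obj.to_dict(template),
        image_obj.origins.origins,
        SPDXID=get_image_spdxref(image_obj),
        PackageLicenseDeclared='NOASSERTION',
        PackageLicenseConcluded='NOASSERTION',
        PackageCopyrightText='NOASSERTION',
        FilesAnalyzed='false'))
    blocks.append(get_image_relationships(image_obj))

    # One Package block per layer, each followed by its relationships. From
    # the second layer on, the relationships block also records the
    # previous layer as a prerequisite, so its SPDXID is passed along.
    previous_layer = None
    for layer_obj in image_obj.layers:
        blocks.append(get_main_block(
            layer_obj.to_dict(template),
            layer_obj.origins.origins,
            SPDXID=get_layer_spdxref(layer_obj),
            PackageDownloadLocation='NOASSERTION',
            PackageLicenseDeclared='NOASSERTION',
            PackageLicenseConcluded='NOASSERTION',
            PackageCopyrightText='NOASSERTION',
            FilesAnalyzed='false'))
        if previous_layer is None:
            blocks.append(get_layer_relationships(layer_obj))
        else:
            blocks.append(get_layer_relationships(
                layer_obj, get_layer_spdxref(previous_layer)))
        previous_layer = layer_obj

    # One Package block per package, in layer order. No relationships are
    # listed here: the CONTAINS edges were emitted with each layer above.
    licenses_found = []  # distinct license strings, in first-seen order
    for layer_obj in image_obj.layers:
        for package_obj in layer_obj.packages:
            package_dict = package_obj.to_dict(template)
            pkg_license = package_obj.pkg_license
            # The declared license is only replaced by a LicenseRef when the
            # package actually carries license data.
            # NOTE(review): SPDX LicenseRef identifiers must match
            # LicenseRef-[A-Za-z0-9.-]+; pkg_license is an arbitrary string
            # read from the scanned image, so confirm get_license_ref
            # normalises it rather than embedding it verbatim.
            if pkg_license and 'PackageLicenseDeclared' in package_dict:
                package_dict['PackageLicenseDeclared'] = \
                    get_license_ref(pkg_license)
            # NOTE(review): copyright text also originates from the scanned
            # image's package metadata, i.e. untrusted input. Whether
            # block_text neutralises a literal '</text>' inside message
            # (which would end the SPDX text block early and let the rest be
            # parsed as tag-values) is not visible here - confirm in
            # spdx_formats.
            if package_obj.copyright and 'PackageCopyrightText' in package_dict:
                package_dict['PackageCopyrightText'] = \
                    spdx_formats.block_text.format(
                        message=package_obj.copyright)
            # Collect each distinct license once for the trailing block.
            if pkg_license and pkg_license not in licenses_found:
                licenses_found.append(pkg_license)
            blocks.append(get_main_block(
                package_dict,
                package_obj.origins.origins,
                SPDXID=get_package_spdxref(package_obj),
                PackageLicenseConcluded='NOASSERTION',
                FilesAnalyzed='false'))

    # The license block is last and, unlike the others, is not followed by a
    # newline.
    blocks.append(get_license_block(licenses_found))
    return '\n'.join(blocks)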
def generate(self, image_obj_list, print_inclusive=False):
    '''Render the analysed image as an SPDX tag-value document.

    WARNING: only ``image_obj_list[0]`` is rendered. The caller is expected
    to pass either a single image, or the base image followed by a stub
    image; the stub is an empty image object with no metadata (nothing got
    built), so it has nothing to contribute to the SPDX document. How
    several real images would be represented in one SPDX document is still
    an open question, which is why the list is treated as having length 1.

    The returned string can be written to a file with write_report in
    report.py. It starts with the document tag-values (get_document_block)
    and continues with the image block from mhelpers.get_image_block, which
    carries the layer, package and file information: in SPDX terms the
    image is a 'Package' that 'CONTAINS' each layer, itself a 'Package'
    that 'CONTAINS' the real packages. The intended flat layout is, top to
    bottom: the image tag-values with Origins as PackageComment <text>,
    the image CONTAINS layer relationships, then per layer its tag-values
    and PackageComment followed either by extra package info and file-level
    information (when the layer had its files analysed) or by its CONTAINS
    package relationships (with HAS_PREREQUISITE on the previous layer from
    the second layer on), and finally one block per package.

    Args:
        image_obj_list: list of image objects; only index 0 is used.
        print_inclusive: not used by this generator.

    Returns:
        str: the tag-value document, each block terminated by a newline.

    Raises:
        IndexError: if ``image_obj_list`` is empty.
    '''
    logger.debug("Generating SPDX document...")
    image_obj = image_obj_list[0]
    template = SPDX()
    # The document header never changes; the image block brings in the
    # layer and package information.
    sections = [
        get_document_block(image_obj),
        mhelpers.get_image_block(image_obj, template),
    ]
    return '\n'.join(sections) + '\n'