def get_layer_prereq(curr_layer, prev_layer): '''Given the current layer and the previous layer, return the relationship between the current and previous layer. This should look like this: curr_layer HAS_PREREQUISITE prev_layer''' return spdx_formats.prereq.format( after=spdx_common.get_layer_spdxref(curr_layer), before=spdx_common.get_layer_spdxref(prev_layer))
def get_image_layer_relationships(image_obj): '''Given an image object, return a list of dictionaries describing the relationship between each layer "package" and the image "package". For SPDX JSON format this will typically look like: { "spdxElementId" : "SPDXRef-image", "relatedSpdxElement" : "SPDXRef-layer", "relationshipType" : "CONTAINS" }''' layer_relationships = [] image_ref = spdx_common.get_image_spdxref(image_obj) for index, layer in enumerate(image_obj.layers): layer_ref = spdx_common.get_layer_spdxref(layer) # Create a list of dictionaries. # First, add dictionaries for the layer relationship to the image layer_relationships.append( json_formats.get_relationship_dict(image_ref, layer_ref, 'CONTAINS')) # Next, add dictionary of the layer relationship to other layers if index != 0: prev_layer_ref = spdx_common.get_layer_spdxref( image_obj.layers[index - 1]) layer_relationships.append( json_formats.get_relationship_dict(prev_layer_ref, layer_ref, 'HAS_PREREQUISITE')) return layer_relationships
def get_layer_dict(layer_obj): '''Given an layer object, return a SPDX JSON/dictionary representation of the layer. An image layer in SPDX behaves like a Package. The analyzed files will go in a separate dictionary for the JSON document.''' layer_dict = { 'name': os.path.basename(layer_obj.tar_file), 'SPDXID': spdx_common.get_layer_spdxref(layer_obj), 'packageFileName': layer_obj.tar_file, 'downloadLocation': 'NONE', 'filesAnalyzed': bool(layer_obj.files_analyzed), 'checksums': [{ 'algorithm': spdx_common.get_layer_checksum(layer_obj).split(': ', maxsplit=1)[0], 'checksumValue': spdx_common.get_layer_checksum(layer_obj).split(': ')[1] }], 'licenseConcluded': 'NOASSERTION', # always NOASSERTION 'licenseDeclared': 'NOASSERTION', # always NOASSERTION 'copyrightText': 'NOASSERTION', # always NOASSERTION } # Only include layer file information if file data is available if layer_obj.files_analyzed: layer_dict['hasFiles'] = get_layer_file_data_list(layer_obj) # packageVerificationCode must be omitted if filesAnalyzed is false if layer_obj.files_analyzed: layer_dict['packageVerificationCode'] = { 'packageVerificationCodeValue': spdx_common.get_layer_verification_code(layer_obj) } # Include layer package comment only if it exists layer_pkg_comment = get_layer_package_comment(layer_obj) if layer_pkg_comment: layer_dict['comment'] = layer_pkg_comment # Include layer licenses from files only if they exist # List will be blank if no filedata information exists layer_licenses = spdx_common.get_layer_licenses(layer_obj) layer_license_refs = [] if layer_licenses: # Use the layer LicenseRef in the list instead of license expression for lic in layer_licenses: layer_license_refs.append(spdx_common.get_license_ref(lic)) layer_dict['licenseInfoFromFiles'] = layer_license_refs return layer_dict
def get_image_layer_relationships(image_obj): '''Given an image object, return a list of dictionaries describing the relationship between each layer "package" and the image and packages related to it. For SPDX JSON format this will typically look like: { "spdxElementId" : "SPDXRef-image", "relatedSpdxElement" : "SPDXRef-layer", "relationshipType" : "CONTAINS" }''' layer_relationships = [] image_ref = spdx_common.get_image_spdxref(image_obj) # Required - DOCUMENT_DESCRIBES relationship layer_relationships.append( json_formats.get_relationship_dict(json_formats.spdx_id, image_ref, 'DESCRIBES')) for index, layer in enumerate(image_obj.layers): layer_ref = spdx_common.get_layer_spdxref(layer) # Create a list of dictionaries. # First, add dictionaries for the layer relationship to the image layer_relationships.append( json_formats.get_relationship_dict(image_ref, layer_ref, 'CONTAINS')) # Next, add dictionary of the layer relationship to other layers if index != 0: prev_layer_ref = spdx_common.get_layer_spdxref( image_obj.layers[index - 1]) layer_relationships.append( json_formats.get_relationship_dict(prev_layer_ref, layer_ref, 'HAS_PREREQUISITE')) # Finally, add package releationships for the layer if layer.packages: for package in layer.packages: pkg_ref, src_ref = spdx_common.get_package_spdxref(package) layer_relationships.append( json_formats.get_relationship_dict(layer_ref, pkg_ref, 'CONTAINS')) if src_ref: layer_relationships.append( json_formats.get_relationship_dict( pkg_ref, src_ref, 'GENERATED_FROM')) return layer_relationships
def get_layer_package_relationships(layer_obj): '''Given a layer object, return the relationships of the layer objects to packages. This is usually of the form: layer SPDXIP CONTAINS package SPDXID''' block = '' layer_reference = spdx_common.get_layer_spdxref(layer_obj) for package in layer_obj.packages: block = block + spdx_formats.contains.format( outer=layer_reference, inner=spdx_common.get_package_spdxref(package)) + '\n' return block
def get_layer_package_relationships(layer_obj): '''Given a layer object, return the relationships of the layer objects to packages. This is usually of the form: layer SPDXID CONTAINS package SPDXID-binary_pkg. Additionally, this includes: SPDXID-binary_pkg GENERATED_FROM SPDXID-src_pkg''' block = '' layer_reference = spdx_common.get_layer_spdxref(layer_obj) for package in layer_obj.packages: binary_ref, src_ref = spdx_common.get_package_spdxref(package) block = block + spdx_formats.contains.format(outer=layer_reference, inner=binary_ref) + '\n' if src_ref: block = block + spdx_formats.generates.format( pkg_ref=binary_ref, src_ref=src_ref) + '\n' return block
def get_layer_block(layer_obj, template): '''Given a layer object and its SPDX template mapping, return a SPDX document block for the layer. An image layer in SPDX behaves like a Package with relationships to the Packages within it. If the files are analyzed though, we just list the files in the block. The mapping should have keys: PackageFileName''' block = '' # Package Name block += 'PackageName: {}\n'.format(os.path.basename(layer_obj.tar_file)) # Package SPDXID block += 'SPDXID: {}\n'.format(spdx_common.get_layer_spdxref(layer_obj)) # Package File Name block += 'PackageFileName: {}\n'.format(layer_obj.tar_file) # Package Download Location (always NONE for layers) block += 'PackageDownloadLocation: NOASSERTION\n' # Files Analyzed if layer_obj.files_analyzed: # we need a package verification code block += 'FilesAnalyzed: true\n' block += 'PackageVerificationCode: {}\n'.format( spdx_common.get_layer_verification_code(layer_obj)) else: block += 'FilesAnalyzed: false\n' # Package Checksum block += 'PackageChecksum: {}\n'.format( spdx_common.get_layer_checksum(layer_obj)) # Package License Concluded (always NOASSERTION) block += 'PackageLicenseConcluded: NOASSERTION\n' # All licenses info from files if files_analyzed is true block += get_package_license_info_block(layer_obj) # Package License Declared (always NOASSERTION) block += 'PackageLicenseDeclared: NOASSERTION\n' # Package Copyright (always NOASSERTION) block += 'PackageCopyrightText: NOASSERTION\n' # Package comments if any block += get_layer_comment(layer_obj) + '\n' # put the file data here if files_analyzed is true block += get_layer_file_data_block(layer_obj, template) return block