def get_layer_prereq(curr_layer, prev_layer):
'''Given the current layer and the previous layer, return the relationship
between the current and previous layer. This should look like this:
curr_layer HAS_PREREQUISITE prev_layer'''
return spdx_formats.prereq.format(
after=spdx_common.get_layer_spdxref(curr_layer),
before=spdx_common.get_layer_spdxref(prev_layer))
def get_image_layer_relationships(image_obj):
'''Given an image object, return a list of dictionaries describing the
relationship between each layer "package" and the image "package".
For SPDX JSON format this will typically look like:
{
"spdxElementId" : "SPDXRef-image",
"relatedSpdxElement" : "SPDXRef-layer",
"relationshipType" : "CONTAINS"
}'''
layer_relationships = []
image_ref = spdx_common.get_image_spdxref(image_obj)
for index, layer in enumerate(image_obj.layers):
layer_ref = spdx_common.get_layer_spdxref(layer)
# Create a list of dictionaries.
# First, add dictionaries for the layer relationship to the image
layer_relationships.append(
json_formats.get_relationship_dict(image_ref, layer_ref,
'CONTAINS'))
# Next, add dictionary of the layer relationship to other layers
if index != 0:
prev_layer_ref = spdx_common.get_layer_spdxref(
image_obj.layers[index - 1])
layer_relationships.append(
json_formats.get_relationship_dict(prev_layer_ref, layer_ref,
'HAS_PREREQUISITE'))
return layer_relationships
def get_layer_dict(layer_obj):
'''Given an layer object, return a SPDX JSON/dictionary representation
of the layer. An image layer in SPDX behaves like a Package. The analyzed
files will go in a separate dictionary for the JSON document.'''
layer_dict = {
'name':
os.path.basename(layer_obj.tar_file),
'SPDXID':
spdx_common.get_layer_spdxref(layer_obj),
'packageFileName':
layer_obj.tar_file,
'downloadLocation':
'NONE',
'filesAnalyzed':
bool(layer_obj.files_analyzed),
'checksums': [{
'algorithm':
spdx_common.get_layer_checksum(layer_obj).split(': ',
maxsplit=1)[0],
'checksumValue':
spdx_common.get_layer_checksum(layer_obj).split(': ')[1]
}],
'licenseConcluded':
'NOASSERTION', # always NOASSERTION
'licenseDeclared':
'NOASSERTION', # always NOASSERTION
'copyrightText':
'NOASSERTION', # always NOASSERTION
}
# Only include layer file information if file data is available
if layer_obj.files_analyzed:
layer_dict['hasFiles'] = get_layer_file_data_list(layer_obj)
# packageVerificationCode must be omitted if filesAnalyzed is false
if layer_obj.files_analyzed:
layer_dict['packageVerificationCode'] = {
'packageVerificationCodeValue':
spdx_common.get_layer_verification_code(layer_obj)
}
# Include layer package comment only if it exists
layer_pkg_comment = get_layer_package_comment(layer_obj)
if layer_pkg_comment:
layer_dict['comment'] = layer_pkg_comment
# Include layer licenses from files only if they exist
# List will be blank if no filedata information exists
layer_licenses = spdx_common.get_layer_licenses(layer_obj)
layer_license_refs = []
if layer_licenses:
# Use the layer LicenseRef in the list instead of license expression
for lic in layer_licenses:
layer_license_refs.append(spdx_common.get_license_ref(lic))
layer_dict['licenseInfoFromFiles'] = layer_license_refs
return layer_dict
def get_image_layer_relationships(image_obj):
'''Given an image object, return a list of dictionaries describing the
relationship between each layer "package" and the image and packages
related to it.
For SPDX JSON format this will typically look like:
{
"spdxElementId" : "SPDXRef-image",
"relatedSpdxElement" : "SPDXRef-layer",
"relationshipType" : "CONTAINS"
}'''
layer_relationships = []
image_ref = spdx_common.get_image_spdxref(image_obj)
# Required - DOCUMENT_DESCRIBES relationship
layer_relationships.append(
json_formats.get_relationship_dict(json_formats.spdx_id, image_ref,
'DESCRIBES'))
for index, layer in enumerate(image_obj.layers):
layer_ref = spdx_common.get_layer_spdxref(layer)
# Create a list of dictionaries.
# First, add dictionaries for the layer relationship to the image
layer_relationships.append(
json_formats.get_relationship_dict(image_ref, layer_ref,
'CONTAINS'))
# Next, add dictionary of the layer relationship to other layers
if index != 0:
prev_layer_ref = spdx_common.get_layer_spdxref(
image_obj.layers[index - 1])
layer_relationships.append(
json_formats.get_relationship_dict(prev_layer_ref, layer_ref,
'HAS_PREREQUISITE'))
# Finally, add package releationships for the layer
if layer.packages:
for package in layer.packages:
pkg_ref, src_ref = spdx_common.get_package_spdxref(package)
layer_relationships.append(
json_formats.get_relationship_dict(layer_ref, pkg_ref,
'CONTAINS'))
if src_ref:
layer_relationships.append(
json_formats.get_relationship_dict(
pkg_ref, src_ref, 'GENERATED_FROM'))
return layer_relationships
def get_layer_package_relationships(layer_obj):
'''Given a layer object, return the relationships of the layer
objects to packages. This is usually of the form:
layer SPDXIP CONTAINS package SPDXID'''
block = ''
layer_reference = spdx_common.get_layer_spdxref(layer_obj)
for package in layer_obj.packages:
block = block + spdx_formats.contains.format(
outer=layer_reference,
inner=spdx_common.get_package_spdxref(package)) + '\n'
return block
def get_layer_package_relationships(layer_obj):
'''Given a layer object, return the relationships of the layer
objects to packages. This is usually of the form:
layer SPDXID CONTAINS package SPDXID-binary_pkg.
Additionally, this includes:
SPDXID-binary_pkg GENERATED_FROM SPDXID-src_pkg'''
block = ''
layer_reference = spdx_common.get_layer_spdxref(layer_obj)
for package in layer_obj.packages:
binary_ref, src_ref = spdx_common.get_package_spdxref(package)
block = block + spdx_formats.contains.format(outer=layer_reference,
inner=binary_ref) + '\n'
if src_ref:
block = block + spdx_formats.generates.format(
pkg_ref=binary_ref, src_ref=src_ref) + '\n'
return block
def get_layer_block(layer_obj, template):
'''Given a layer object and its SPDX template mapping, return a SPDX
document block for the layer. An image layer in SPDX behaves like a
Package with relationships to the Packages within it. If the files
are analyzed though, we just list the files in the block. The mapping
should have keys:
PackageFileName'''
block = ''
# Package Name
block += 'PackageName: {}\n'.format(os.path.basename(layer_obj.tar_file))
# Package SPDXID
block += 'SPDXID: {}\n'.format(spdx_common.get_layer_spdxref(layer_obj))
# Package File Name
block += 'PackageFileName: {}\n'.format(layer_obj.tar_file)
# Package Download Location (always NONE for layers)
block += 'PackageDownloadLocation: NOASSERTION\n'
# Files Analyzed
if layer_obj.files_analyzed:
# we need a package verification code
block += 'FilesAnalyzed: true\n'
block += 'PackageVerificationCode: {}\n'.format(
spdx_common.get_layer_verification_code(layer_obj))
else:
block += 'FilesAnalyzed: false\n'
# Package Checksum
block += 'PackageChecksum: {}\n'.format(
spdx_common.get_layer_checksum(layer_obj))
# Package License Concluded (always NOASSERTION)
block += 'PackageLicenseConcluded: NOASSERTION\n'
# All licenses info from files if files_analyzed is true
block += get_package_license_info_block(layer_obj)
# Package License Declared (always NOASSERTION)
block += 'PackageLicenseDeclared: NOASSERTION\n'
# Package Copyright (always NOASSERTION)
block += 'PackageCopyrightText: NOASSERTION\n'
# Package comments if any
block += get_layer_comment(layer_obj) + '\n'
# put the file data here if files_analyzed is true
block += get_layer_file_data_block(layer_obj, template)
return block
