def get_package_dict(package, template):
'''''Given a package object and its SPDX template mapping, return a SPDX
JSON dictionary representation of the package. The analyzed files will
go in a separate dictionary for the JSON document.'''
mapping = package.to_dict(template)
package_dict = {
'name':
mapping['PackageName'],
'SPDXID':
spdx_common.get_package_spdxref(package),
'versionInfo':
mapping['PackageVersion']
if mapping['PackageVersion'] else 'NOASSERTION',
'downloadLocation':
mapping['PackageDownloadLocation']
if mapping['PackageDownloadLocation'] else 'NONE',
'filesAnalyzed':
'false', # always false for packages
'licenseConcluded':
'NOASSERTION', # always NOASSERTION
'licenseDeclared':
spdx_common.get_license_ref(mapping['PackageLicenseDeclared'])
if mapping['PackageLicenseDeclared'] else 'NONE',
'copyrightText':
mapping['PackageCopyrightText']
if mapping['PackageCopyrightText'] else 'NONE',
'comment':
get_package_comment(package)
}
return package_dict
def get_layer_package_relationships(layer_obj):
'''Given a layer object, return the relationships of the layer
objects to packages. This is usually of the form:
layer SPDXIP CONTAINS package SPDXID'''
block = ''
layer_reference = spdx_common.get_layer_spdxref(layer_obj)
for package in layer_obj.packages:
block = block + spdx_formats.contains.format(
outer=layer_reference,
inner=spdx_common.get_package_spdxref(package)) + '\n'
return block
def get_image_packages_block(image_obj, template):
'''Given the image object and its template, return the list of packages
in the image in SPDX format. The spec requires unique package references
to identify each package found in the image.'''
block = ''
package_refs = set()
for layer in image_obj.layers:
for package in layer.packages:
pkg_ref = spdx_common.get_package_spdxref(package)
if pkg_ref not in package_refs:
block += phelpers.get_package_block(package, template) + '\n'
package_refs.add(pkg_ref)
return block
def get_layer_packages_list(layer, template):
"""Given a layer object and a SPDX template object, return a list
of SPDX dictionary representations for each of the packages in the layer
and their package references"""
package_dicts = []
package_refs = set()
for package in layer.packages:
# Create a list of dictionaries. Each dictionary represents
# one package object in the image
pkg_ref = spdx_common.get_package_spdxref(package)
if pkg_ref not in package_refs:
package_dicts.append(get_package_dict(package, template))
package_refs.add(pkg_ref)
return package_dicts, list(package_refs)
def get_layer_snapshot_relationships(layer_obj, docref):
"""Given a layer object, and the SPDX ref of the document, return a list
of dictionaries describing the relationship between the snapshot document
and the packages listed therein"""
relationships = []
# document level DESCRIBES
relationships.append(
json_formats.get_relationship_dict(json_formats.spdx_id, docref,
'DESCRIBES'))
# package relationships
for package in layer_obj.packages:
pkg_ref, _ = spdx_common.get_package_spdxref(package)
relationships.append(
json_formats.get_relationship_dict(docref, pkg_ref, 'CONTAINS'))
return relationships
def get_layer_package_relationships(layer_obj):
'''Given a layer object, return the relationships of the layer
objects to packages. This is usually of the form:
layer SPDXID CONTAINS package SPDXID-binary_pkg.
Additionally, this includes:
SPDXID-binary_pkg GENERATED_FROM SPDXID-src_pkg'''
block = ''
layer_reference = spdx_common.get_layer_spdxref(layer_obj)
for package in layer_obj.packages:
binary_ref, src_ref = spdx_common.get_package_spdxref(package)
block = block + spdx_formats.contains.format(outer=layer_reference,
inner=binary_ref) + '\n'
if src_ref:
block = block + spdx_formats.generates.format(
pkg_ref=binary_ref, src_ref=src_ref) + '\n'
return block
def get_image_layer_relationships(image_obj):
'''Given an image object, return a list of dictionaries describing the
relationship between each layer "package" and the image and packages
related to it.
For SPDX JSON format this will typically look like:
{
"spdxElementId" : "SPDXRef-image",
"relatedSpdxElement" : "SPDXRef-layer",
"relationshipType" : "CONTAINS"
}'''
layer_relationships = []
image_ref = spdx_common.get_image_spdxref(image_obj)
# Required - DOCUMENT_DESCRIBES relationship
layer_relationships.append(
json_formats.get_relationship_dict(json_formats.spdx_id, image_ref,
'DESCRIBES'))
for index, layer in enumerate(image_obj.layers):
layer_ref = spdx_common.get_layer_spdxref(layer)
# Create a list of dictionaries.
# First, add dictionaries for the layer relationship to the image
layer_relationships.append(
json_formats.get_relationship_dict(image_ref, layer_ref,
'CONTAINS'))
# Next, add dictionary of the layer relationship to other layers
if index != 0:
prev_layer_ref = spdx_common.get_layer_spdxref(
image_obj.layers[index - 1])
layer_relationships.append(
json_formats.get_relationship_dict(prev_layer_ref, layer_ref,
'HAS_PREREQUISITE'))
# Finally, add package releationships for the layer
if layer.packages:
for package in layer.packages:
pkg_ref, src_ref = spdx_common.get_package_spdxref(package)
layer_relationships.append(
json_formats.get_relationship_dict(layer_ref, pkg_ref,
'CONTAINS'))
if src_ref:
layer_relationships.append(
json_formats.get_relationship_dict(
pkg_ref, src_ref, 'GENERATED_FROM'))
return layer_relationships
def get_source_package_block(package_obj, template):
'''Given a package object and its SPDX template mapping, return a SPDX
document block for the corresponding source package.
The mapping should have keys:
SourcePackageName
SourcePackageVersion
PackageLicenseDeclared
PackageCopyrightText
PackageDownloadLocation'''
block = ''
mapping = package_obj.to_dict(template)
# Source Package Name
block += 'PackageName: {}\n'.format(mapping['SourcePackageName'])
# Source SPDXID
_, spdx_ref_src = spdx_common.get_package_spdxref(package_obj)
block += 'SPDXID: {}\n'.format(spdx_ref_src)
# Source Package Version
if mapping['SourcePackageVersion']:
block += 'PackageVersion: {}\n'.format(mapping['SourcePackageVersion'])
# Package Download Location (Same as binary)
if mapping['PackageDownloadLocation']:
block += 'PackageDownloadLoaction: {}\n'.format(
mapping['PackageDownloadLocation'])
else:
block += 'PackageDownloadLocation: NOASSERTION\n'
# Files Analyzed (always false for packages)
block += 'FilesAnalyzed: false\n'
# Package License Concluded (always NOASSERTION)
block += 'PackageLicenseConcluded: NOASSERTION\n'
# Package License Declared (use the license ref for this)
if mapping['PackageLicenseDeclared']:
block += 'PackageLicenseDeclared: {}\n'.format(
spdx_common.get_license_ref(mapping['PackageLicenseDeclared']))
else:
block += 'PackageLicenseDeclared: NONE\n'
# Package Copyright Text
if mapping['PackageCopyrightText']:
block += 'PackageCopyrightText:' + spdx_formats.block_text.format(
message=mapping['PackageCopyrightText']) + '\n'
else:
block += 'PackageCopyrightText: NONE\n'
# Package Comments
block += spdx_formats.source_comment
return block
def get_packages_list(image_obj, template):
'''Given an image object and the template object for SPDX, return a list
of SPDX dictionary representations for each of the packages in the image.
The SPDX JSON spec for packages requires:
name
versionInfo
downloadLocation'''
package_dicts = []
package_refs = set()
for layer in image_obj.layers:
for package in layer.packages:
# Create a list of dictionaries. Each dictionary represents
# one package object in the image
pkg_ref = spdx_common.get_package_spdxref(package)
if pkg_ref not in package_refs:
package_dicts.append(get_package_dict(package, template))
package_refs.add(pkg_ref)
return package_dicts
def get_image_packages_block(image_obj, template):
'''Given the image object and its template, return the list of packages
in the image in SPDX format. The spec requires unique package references
to identify each package found in the image.'''
block = ''
package_refs = set()
for layer in image_obj.layers:
for package in layer.packages:
pkg_ref, src_ref = spdx_common.get_package_spdxref(package)
if pkg_ref not in package_refs:
block += phelpers.get_package_block(package, template) + '\n'
package_refs.add(pkg_ref)
# Only include src package info if it exists and hasn't already
# been reported by another binary package
if src_ref and src_ref not in package_refs:
block += phelpers.get_source_package_block(package,
template) + '\n'
package_refs.add(src_ref)
return block
