def get_package_dict(package, template): '''''Given a package object and its SPDX template mapping, return a SPDX JSON dictionary representation of the package. The analyzed files will go in a separate dictionary for the JSON document.''' mapping = package.to_dict(template) package_dict = { 'name': mapping['PackageName'], 'SPDXID': spdx_common.get_package_spdxref(package), 'versionInfo': mapping['PackageVersion'] if mapping['PackageVersion'] else 'NOASSERTION', 'downloadLocation': mapping['PackageDownloadLocation'] if mapping['PackageDownloadLocation'] else 'NONE', 'filesAnalyzed': 'false', # always false for packages 'licenseConcluded': 'NOASSERTION', # always NOASSERTION 'licenseDeclared': spdx_common.get_license_ref(mapping['PackageLicenseDeclared']) if mapping['PackageLicenseDeclared'] else 'NONE', 'copyrightText': mapping['PackageCopyrightText'] if mapping['PackageCopyrightText'] else 'NONE', 'comment': get_package_comment(package) } return package_dict
def get_layer_package_relationships(layer_obj): '''Given a layer object, return the relationships of the layer objects to packages. This is usually of the form: layer SPDXIP CONTAINS package SPDXID''' block = '' layer_reference = spdx_common.get_layer_spdxref(layer_obj) for package in layer_obj.packages: block = block + spdx_formats.contains.format( outer=layer_reference, inner=spdx_common.get_package_spdxref(package)) + '\n' return block
def get_image_packages_block(image_obj, template): '''Given the image object and its template, return the list of packages in the image in SPDX format. The spec requires unique package references to identify each package found in the image.''' block = '' package_refs = set() for layer in image_obj.layers: for package in layer.packages: pkg_ref = spdx_common.get_package_spdxref(package) if pkg_ref not in package_refs: block += phelpers.get_package_block(package, template) + '\n' package_refs.add(pkg_ref) return block
def get_layer_packages_list(layer, template): """Given a layer object and a SPDX template object, return a list of SPDX dictionary representations for each of the packages in the layer and their package references""" package_dicts = [] package_refs = set() for package in layer.packages: # Create a list of dictionaries. Each dictionary represents # one package object in the image pkg_ref = spdx_common.get_package_spdxref(package) if pkg_ref not in package_refs: package_dicts.append(get_package_dict(package, template)) package_refs.add(pkg_ref) return package_dicts, list(package_refs)
def get_layer_snapshot_relationships(layer_obj, docref): """Given a layer object, and the SPDX ref of the document, return a list of dictionaries describing the relationship between the snapshot document and the packages listed therein""" relationships = [] # document level DESCRIBES relationships.append( json_formats.get_relationship_dict(json_formats.spdx_id, docref, 'DESCRIBES')) # package relationships for package in layer_obj.packages: pkg_ref, _ = spdx_common.get_package_spdxref(package) relationships.append( json_formats.get_relationship_dict(docref, pkg_ref, 'CONTAINS')) return relationships
def get_layer_package_relationships(layer_obj): '''Given a layer object, return the relationships of the layer objects to packages. This is usually of the form: layer SPDXID CONTAINS package SPDXID-binary_pkg. Additionally, this includes: SPDXID-binary_pkg GENERATED_FROM SPDXID-src_pkg''' block = '' layer_reference = spdx_common.get_layer_spdxref(layer_obj) for package in layer_obj.packages: binary_ref, src_ref = spdx_common.get_package_spdxref(package) block = block + spdx_formats.contains.format(outer=layer_reference, inner=binary_ref) + '\n' if src_ref: block = block + spdx_formats.generates.format( pkg_ref=binary_ref, src_ref=src_ref) + '\n' return block
def get_image_layer_relationships(image_obj): '''Given an image object, return a list of dictionaries describing the relationship between each layer "package" and the image and packages related to it. For SPDX JSON format this will typically look like: { "spdxElementId" : "SPDXRef-image", "relatedSpdxElement" : "SPDXRef-layer", "relationshipType" : "CONTAINS" }''' layer_relationships = [] image_ref = spdx_common.get_image_spdxref(image_obj) # Required - DOCUMENT_DESCRIBES relationship layer_relationships.append( json_formats.get_relationship_dict(json_formats.spdx_id, image_ref, 'DESCRIBES')) for index, layer in enumerate(image_obj.layers): layer_ref = spdx_common.get_layer_spdxref(layer) # Create a list of dictionaries. # First, add dictionaries for the layer relationship to the image layer_relationships.append( json_formats.get_relationship_dict(image_ref, layer_ref, 'CONTAINS')) # Next, add dictionary of the layer relationship to other layers if index != 0: prev_layer_ref = spdx_common.get_layer_spdxref( image_obj.layers[index - 1]) layer_relationships.append( json_formats.get_relationship_dict(prev_layer_ref, layer_ref, 'HAS_PREREQUISITE')) # Finally, add package releationships for the layer if layer.packages: for package in layer.packages: pkg_ref, src_ref = spdx_common.get_package_spdxref(package) layer_relationships.append( json_formats.get_relationship_dict(layer_ref, pkg_ref, 'CONTAINS')) if src_ref: layer_relationships.append( json_formats.get_relationship_dict( pkg_ref, src_ref, 'GENERATED_FROM')) return layer_relationships
def get_source_package_block(package_obj, template): '''Given a package object and its SPDX template mapping, return a SPDX document block for the corresponding source package. The mapping should have keys: SourcePackageName SourcePackageVersion PackageLicenseDeclared PackageCopyrightText PackageDownloadLocation''' block = '' mapping = package_obj.to_dict(template) # Source Package Name block += 'PackageName: {}\n'.format(mapping['SourcePackageName']) # Source SPDXID _, spdx_ref_src = spdx_common.get_package_spdxref(package_obj) block += 'SPDXID: {}\n'.format(spdx_ref_src) # Source Package Version if mapping['SourcePackageVersion']: block += 'PackageVersion: {}\n'.format(mapping['SourcePackageVersion']) # Package Download Location (Same as binary) if mapping['PackageDownloadLocation']: block += 'PackageDownloadLoaction: {}\n'.format( mapping['PackageDownloadLocation']) else: block += 'PackageDownloadLocation: NOASSERTION\n' # Files Analyzed (always false for packages) block += 'FilesAnalyzed: false\n' # Package License Concluded (always NOASSERTION) block += 'PackageLicenseConcluded: NOASSERTION\n' # Package License Declared (use the license ref for this) if mapping['PackageLicenseDeclared']: block += 'PackageLicenseDeclared: {}\n'.format( spdx_common.get_license_ref(mapping['PackageLicenseDeclared'])) else: block += 'PackageLicenseDeclared: NONE\n' # Package Copyright Text if mapping['PackageCopyrightText']: block += 'PackageCopyrightText:' + spdx_formats.block_text.format( message=mapping['PackageCopyrightText']) + '\n' else: block += 'PackageCopyrightText: NONE\n' # Package Comments block += spdx_formats.source_comment return block
def get_packages_list(image_obj, template): '''Given an image object and the template object for SPDX, return a list of SPDX dictionary representations for each of the packages in the image. The SPDX JSON spec for packages requires: name versionInfo downloadLocation''' package_dicts = [] package_refs = set() for layer in image_obj.layers: for package in layer.packages: # Create a list of dictionaries. Each dictionary represents # one package object in the image pkg_ref = spdx_common.get_package_spdxref(package) if pkg_ref not in package_refs: package_dicts.append(get_package_dict(package, template)) package_refs.add(pkg_ref) return package_dicts
def get_image_packages_block(image_obj, template): '''Given the image object and its template, return the list of packages in the image in SPDX format. The spec requires unique package references to identify each package found in the image.''' block = '' package_refs = set() for layer in image_obj.layers: for package in layer.packages: pkg_ref, src_ref = spdx_common.get_package_spdxref(package) if pkg_ref not in package_refs: block += phelpers.get_package_block(package, template) + '\n' package_refs.add(pkg_ref) # Only include src package info if it exists and hasn't already # been reported by another binary package if src_ref and src_ref not in package_refs: block += phelpers.get_source_package_block(package, template) + '\n' package_refs.add(src_ref) return block