 def generate_layer(self, layer):
     """Serialize one layer's package and file data as an SPDX JSON string.

     Meant for container build time, when only a single layer is at hand.
     The document dictionary comes from get_document_dict_snapshot run
     against a fresh SPDX template; the caller is responsible for writing
     the returned JSON text anywhere.
     """
     logger.debug("Generating SPDX JSON document...")
     # Build the snapshot and encode it in one step; no intermediate state
     # is kept on the instance.
     return json.dumps(get_document_dict_snapshot(layer, SPDX()))
    def generate(self, image_obj_list, print_inclusive=False):
        '''Generate an SPDX document as a JSON string.

        Only the first element of image_obj_list is used: there is no agreed
        way for one SPDX document to describe several images, so the caller
        is expected to pass exactly one analyzed image. A trailing stub image
        (an empty image object with no metadata, as produced when nothing got
        built) carries nothing useful for SPDX and is ignored.

        print_inclusive is accepted for interface compatibility and is not
        consulted here. The dictionary produced by get_document_dict is
        dumped to JSON; writing it to a file is left to write_report in
        report.py.
        '''
        logger.debug("Generating SPDX JSON document...")
        # An empty list raises IndexError here; the interface assumes the
        # list holds the single image that was analyzed.
        document = get_document_dict(image_obj_list[0], SPDX())
        return json.dumps(document)
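    def generate(self, image_obj_list):
        '''Generate an SPDX tag-value document for the first image in the list.

        WARNING: This assumes that the list consists of one image or the base
        image and a stub image, in which case, the information in the stub
        image is not applicable in the SPDX case as it is an empty image
        object with no metadata as nothing got built.

        The document is returned as one string which can be written to a
        file using the write_report function in report.py. It is laid out
        flat, top to bottom:

            document block (fixed tag-values)
            image package block + relationships (image CONTAINS each layer)
            per layer: package block + relationships (layer CONTAINS each
                package; from the second layer on, layer HAS_PREREQUISITE
                the previous layer)
            per package: package block, no relationships
            LicenseRef block for every distinct package license string seen

        Everything in Origins is carried in each block's PackageComment as
        <text> </text>.

        For the sake of SPDX, an image is a 'Package' which 'CONTAINS' each
        layer which is also a 'Package' which 'CONTAINS' the real Package.

        Args:
            image_obj_list: list of image objects; only index 0 is used.

        Returns:
            The SPDX tag-value document as a single string (no trailing
            newline after the license block).

        Raises:
            IndexError: if image_obj_list is empty (see WARNING).
        '''
        image_obj = image_obj_list[0]
        template = SPDX()
        # Needed for license strings SPDX does not recognize: every distinct
        # pkg_license seen is turned into a LicenseRef at the end. Kept as an
        # ordered list because get_license_block receives it as-is.
        licenses_found = []

        # Collect the sections in a list and join once at the end instead of
        # growing a string by repeated concatenation.
        sections = [get_document_block(image_obj)]

        # Image block; needs the image object and its origins.
        sections.append(get_main_block(image_obj.to_dict(template),
                                       image_obj.origins.origins,
                                       SPDXID=get_image_spdxref(image_obj),
                                       PackageLicenseDeclared='NOASSERTION',
                                       PackageLicenseConcluded='NOASSERTION',
                                       PackageCopyrightText='NOASSERTION',
                                       FilesAnalyzed='false'))
        sections.append(get_image_relationships(image_obj))

        # One block per layer, each followed by its relationships.
        previous_layer_ref = None
        for index, layer_obj in enumerate(image_obj.layers):
            layer_ref = get_layer_spdxref(layer_obj)
            sections.append(get_main_block(
                layer_obj.to_dict(template),
                layer_obj.origins.origins,
                SPDXID=layer_ref,
                PackageDownloadLocation='NOASSERTION',
                PackageLicenseDeclared='NOASSERTION',
                PackageLicenseConcluded='NOASSERTION',
                PackageCopyrightText='NOASSERTION',
                FilesAnalyzed='false'))
            if index == 0:
                sections.append(get_layer_relationships(layer_obj))
            else:
                # Every layer after the first depends on the one before it;
                # previous_layer_ref was computed on the previous iteration.
                sections.append(
                    get_layer_relationships(layer_obj, previous_layer_ref))
            previous_layer_ref = layer_ref

        # One block per package; no relationships are listed here.
        for layer_obj in image_obj.layers:
            for package_obj in layer_obj.packages:
                package_dict = package_obj.to_dict(template)
                pkg_license = package_obj.pkg_license
                # Swap the declared license for a LicenseRef only when the
                # template emitted the field and license data exists.
                if 'PackageLicenseDeclared' in package_dict and pkg_license:
                    package_dict['PackageLicenseDeclared'] = \
                        get_license_ref(pkg_license)
                if ('PackageCopyrightText' in package_dict
                        and package_obj.copyright):
                    # NOTE(review): the copyright string comes from package
                    # metadata and is inserted verbatim. If block_text wraps
                    # it in <text>...</text>, a value containing '</text>'
                    # would break the tag-value structure — confirm whether
                    # spdx_formats.block_text escapes it.
                    package_dict['PackageCopyrightText'] = \
                        spdx_formats.block_text.format(
                            message=package_obj.copyright)
                # Remember each license string once, in first-seen order.
                if pkg_license and pkg_license not in licenses_found:
                    licenses_found.append(pkg_license)
                sections.append(get_main_block(
                    package_dict,
                    package_obj.origins.origins,
                    SPDXID=get_package_spdxref(package_obj),
                    PackageLicenseConcluded='NOASSERTION',
                    FilesAnalyzed='false'))

        # Each earlier section is followed by a newline; the license block
        # closes the document without one.
        sections.append(get_license_block(licenses_found))
        return '\n'.join(sections)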
    def generate(self, image_obj_list, print_inclusive=False):
        '''Generate an SPDX tag-value document for the first image in the list.

        WARNING: This assumes that the list consists of one image or the base
        image and a stub image, in which case, the information in the stub
        image is not applicable in the SPDX case as it is an empty image
        object with no metadata as nothing got built. There is no agreed way
        for one SPDX document to describe several images, so only index 0 of
        image_obj_list is used.

        The image object is expected to convert to a dictionary of the form
        image -> origins, layers -> (origins, packages -> (name, .., origins),
        files -> (name, .., origins)). That structure is flattened top to
        bottom: the fixed document block first, then the image block, which
        in turn brings in each layer (with file-level information when the
        layer has files analyzed, otherwise its package relationships) and
        each package. Everything in Origins is carried in a PackageComment as
        <text> </text>.

        For the sake of SPDX, an image is a 'Package' which 'CONTAINS' each
        layer which is also a 'Package' which 'CONTAINS' the real Package.

        print_inclusive is accepted for interface compatibility and is not
        consulted here. The returned string can be written to a file using
        the write_report function in report.py.
        '''
        logger.debug("Generating SPDX document...")
        # An empty list raises IndexError here; the interface assumes the
        # list holds the single image that was analyzed.
        image_obj = image_obj_list[0]
        template = SPDX()

        # The document block never changes; the image block pulls in the
        # layer and package information. Each section ends with a newline.
        sections = (
            get_document_block(image_obj),
            mhelpers.get_image_block(image_obj, template),
        )
        return ''.join(section + '\n' for section in sections)