Merge "Fix the following issues mentioned in Pixel SBOM review."
diff --git a/tools/sbom/generate-sbom.py b/tools/sbom/generate-sbom.py
index 0c5deb2..192061e 100755
--- a/tools/sbom/generate-sbom.py
+++ b/tools/sbom/generate-sbom.py
@@ -279,12 +279,13 @@
     name, external_refs = get_source_package_info(installed_file_metadata, metadata_file_path)
     source_package_id = new_package_id(name, PKG_SOURCE)
     source_package = sbom_data.Package(id=source_package_id, name=name, version=args.build_version,
+                                       download_location=sbom_data.VALUE_NONE,
                                        supplier='Organization: ' + args.product_mfr,
                                        external_refs=external_refs)
 
     upstream_package_id = new_package_id(name, PKG_UPSTREAM)
     upstream_package = sbom_data.Package(id=upstream_package_id, name=name, version=version,
-                                         supplier='Organization: ' + homepage if homepage else None,
+                                         supplier=('Organization: ' + homepage) if homepage else sbom_data.VALUE_NOASSERTION,
                                          download_location=download_location)
     packages += [source_package, upstream_package]
     relationships.append(sbom_data.Relationship(id1=source_package_id,
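Review bot: The upstream package built on L15–L18 is the one package in this hunk whose download_location is left implicit: `download_location=download_location` passes through a local whose origin is outside the hunk, and a falsy value only becomes NOASSERTION inside each writer, whereas the source package on L10 now states NONE explicitly. Deciding the fallback at construction, `download_location=download_location if download_location else sbom_data.VALUE_NOASSERTION,`, keeps the assertion-versus-no-assertion choice in the generator, where the provenance is actually known, instead of relying on both writers agreeing on a default. Separately, the supplier on L17 is `'Organization: ' + homepage`; if homepage is a URL, as its name suggests, that puts a location where the SPDX PackageSupplier field expects an organization name — pre-existing, but worth a comment on why it is acceptable here. The enclosing function starts and ends outside the hunk.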
@@ -296,6 +297,7 @@
     prebuilt_package_id = new_package_id(name, PKG_PREBUILT)
     prebuilt_package = sbom_data.Package(id=prebuilt_package_id,
                                          name=name,
+                                         download_location=sbom_data.VALUE_NONE,
                                          version=args.build_version,
                                          supplier='Organization: ' + args.product_mfr)
     packages.append(prebuilt_package)
@@ -438,6 +440,7 @@
 
   product_package = sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
                                       name=sbom_data.PACKAGE_NAME_PRODUCT,
+                                      download_location=sbom_data.VALUE_NONE,
                                       version=args.build_version,
                                       supplier='Organization: ' + args.product_mfr,
                                       files_analyzed=True)
@@ -445,6 +448,7 @@
 
   doc.packages.append(sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
                                         name=sbom_data.PACKAGE_NAME_PLATFORM,
+                                        download_location=sbom_data.VALUE_NONE,
                                         version=args.build_version,
                                         supplier='Organization: ' + args.product_mfr))
 
diff --git a/tools/sbom/sbom_data.py b/tools/sbom/sbom_data.py
index 0c380f6..d2ef48d 100644
--- a/tools/sbom/sbom_data.py
+++ b/tools/sbom/sbom_data.py
@@ -33,6 +33,9 @@
 PACKAGE_NAME_PRODUCT = 'PRODUCT'
 PACKAGE_NAME_PLATFORM = 'PLATFORM'
 
+VALUE_NOASSERTION = 'NOASSERTION'
+VALUE_NONE = 'NONE'
+
 
 class PackageExternalRefCategory:
   SECURITY = 'SECURITY'
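Review bot: VALUE_NOASSERTION and VALUE_NONE at L53–L54 are introduced without saying when each applies, and the two SPDX values mean different things: NONE is a positive claim that the package has no download location, NOASSERTION is a refusal to claim anything, and the writers in this same change were previously emitting NONE where NOASSERTION was meant. Suggest `# SPDX: no value exists for this field (a positive assertion by the SBOM author).` above VALUE_NONE and `# SPDX: the SBOM author makes no claim about this field's value.` above VALUE_NOASSERTION. Since generate-sbom.py uses VALUE_NOASSERTION for a supplier as well as for download locations, the comments should say the constants are field-generic rather than download-location-specific.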
diff --git a/tools/sbom/sbom_writers.py b/tools/sbom/sbom_writers.py
index 66aa6b4..b1c66c5 100644
--- a/tools/sbom/sbom_writers.py
+++ b/tools/sbom/sbom_writers.py
@@ -86,7 +86,7 @@
 
   @staticmethod
   def marshal_package(package):
-    download_location = 'NONE'
+    download_location = sbom_data.VALUE_NOASSERTION
     if package.download_location:
       download_location = package.download_location
     tagvalues = [
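Review bot: The NOASSERTION fallback is now implemented twice, here at L68 and again in the JSON writer at L77, and the two copies had already encoded the wrong value once (both carried a literal 'NONE' before this change), so a future edit to one is likely to miss the other. Putting the fallback in a single place — a default on sbom_data.Package if it is a dataclass, or a small helper next to the new constants (e.g. `download_location_or_noassertion(package)`, name constructed) — would leave each writer with a plain pass-through, `download_location = package.download_location`. The truthiness test on L69 also maps an empty string to NOASSERTION; if that is intended, a one-line comment saying so would spare the next reader the check. marshal_package's body continues outside the hunk.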
@@ -296,7 +296,7 @@
       package = {
         PropNames.NAME: p.name,
         PropNames.SPDXID: p.id,
-        PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else 'NONE',
+        PropNames.PACKAGE_DOWNLOAD_LOCATION: p.download_location if p.download_location else sbom_data.VALUE_NOASSERTION,
         PropNames.FILES_ANALYZED: p.files_analyzed
       }
       if p.version:
diff --git a/tools/sbom/sbom_writers_test.py b/tools/sbom/sbom_writers_test.py
index 4db2bb7..361dae6 100644
--- a/tools/sbom/sbom_writers_test.py
+++ b/tools/sbom/sbom_writers_test.py
@@ -49,6 +49,7 @@
     self.sbom_doc.add_package(
       sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
                         name=sbom_data.PACKAGE_NAME_PRODUCT,
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         files_analyzed=True,
@@ -58,6 +59,7 @@
     self.sbom_doc.add_package(
       sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
                         name=sbom_data.PACKAGE_NAME_PLATFORM,
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         ))
@@ -65,6 +67,7 @@
     self.sbom_doc.add_package(
       sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
                         name='Prebuilt package1',
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         ))
@@ -72,6 +75,7 @@
     self.sbom_doc.add_package(
       sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
                         name='Source package1',
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT,
                         external_refs=[sbom_data.PackageExternalRef(
@@ -121,6 +125,7 @@
     self.unbundled_sbom_doc.add_package(
       sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
                         name='Unbundled apk package',
+                        download_location=sbom_data.VALUE_NONE,
                         supplier=SUPPLIER_GOOGLE,
                         version=BUILD_FINGER_PRINT))
     self.unbundled_sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,
diff --git a/tools/sbom/testdata/expected_json_sbom.spdx.json b/tools/sbom/testdata/expected_json_sbom.spdx.json
index 628615f..32715a5 100644
--- a/tools/sbom/testdata/expected_json_sbom.spdx.json
+++ b/tools/sbom/testdata/expected_json_sbom.spdx.json
@@ -74,7 +74,7 @@
         {
             "name": "Upstream package1",
             "SPDXID": "SPDXRef-UPSTREAM-package1",
-            "downloadLocation": "NONE",
+            "downloadLocation": "NOASSERTION",
             "filesAnalyzed": false,
             "versionInfo": "1.1",
             "supplier": "Organization: upstream"
diff --git a/tools/sbom/testdata/expected_tagvalue_sbom.spdx b/tools/sbom/testdata/expected_tagvalue_sbom.spdx
index 0f1c6f8..ee39e82 100644
--- a/tools/sbom/testdata/expected_tagvalue_sbom.spdx
+++ b/tools/sbom/testdata/expected_tagvalue_sbom.spdx
@@ -53,7 +53,7 @@
 
 PackageName: Upstream package1
 SPDXID: SPDXRef-UPSTREAM-package1
-PackageDownloadLocation: NONE
+PackageDownloadLocation: NOASSERTION
 FilesAnalyzed: false
 PackageVersion: 1.1
 PackageSupplier: Organization: upstream