Support third_party.identifier in METADATA files of external packages.
Bug: 303688820
Test: CIs
Test: "m sbom" after lunch
Change-Id: Ic329d87cdcfbe4152b0fe6a8fd71c4867593b674
diff --git a/tools/sbom/generate-sbom.py b/tools/sbom/generate-sbom.py
index b19be87..0a8f10a 100755
--- a/tools/sbom/generate-sbom.py
+++ b/tools/sbom/generate-sbom.py
@@ -82,6 +82,46 @@
'vndk_prebuilt_shared',
]
+THIRD_PARTY_IDENTIFIER_TYPES = [
+ # Types defined in metadata_file.proto
+ 'Git',
+ 'SVN',
+ 'Hg',
+ 'Darcs',
+ 'VCS',
+ 'Archive',
+ 'PrebuiltByAlphabet',
+ 'LocalSource',
+ 'Other',
+ # OSV ecosystems defined at https://ossf.github.io/osv-schema/#affectedpackage-field.
+ 'Go',
+ 'npm',
+ 'OSS-Fuzz',
+ 'PyPI',
+ 'RubyGems',
+ 'crates.io',
+ 'Hackage',
+ 'GHC',
+ 'Packagist',
+ 'Maven',
+ 'NuGet',
+ 'Linux',
+ 'Debian',
+ 'Alpine',
+ 'Hex',
+ 'Android',
+ 'GitHub Actions',
+ 'Pub',
+ 'ConanCenter',
+ 'Rocky Linux',
+ 'AlmaLinux',
+ 'Bitnami',
+ 'Photon OS',
+ 'CRAN',
+ 'Bioconductor',
+ 'SwiftURL'
+]
+
def get_args():
parser = argparse.ArgumentParser()
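Review bot: THIRD_PARTY_IDENTIFIER_TYPES is only ever used for a membership test (`identifier.type not in THIRD_PARTY_IDENTIFIER_TYPES` in validate_package_metadata later in this patch), so a set expresses the intent better than a list and also rejects accidental duplicates at a glance; change the first and last lines to `THIRD_PARTY_IDENTIFIER_TYPES = {` and `}` (or wrap in `frozenset(...)` to make it immutable). The last entry `'SwiftURL'` lacks a trailing comma, which turns future additions into two-line diffs. Since this constant is a hand-maintained copy of two external enumerations, a header comment such as `# Hand-maintained: keep in sync with the identifier types in metadata_file.proto and the OSV ecosystem list; an unknown type makes validation fail the build.` would tell the next maintainer where drift will surface.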
@@ -360,6 +400,20 @@
return True
+# Validate identifiers in a package's METADATA.
+# 1) Only known identifier type is allowed
+# 2) Only one identifier's primary_source can be true
+def validate_package_metadata(metadata_file_path, package_metadata):
+ primary_source_found = False
+ for identifier in package_metadata.third_party.identifier:
+ if identifier.type not in THIRD_PARTY_IDENTIFIER_TYPES:
+ sys.exit(f'Unknown value of third_party.identifier.type in {metadata_file_path}/METADATA: {identifier.type}.')
+ if primary_source_found and identifier.primary_source:
+ sys.exit(
+ f'Field "primary_source" is set to true in multiple third_party.identifier in {metadata_file_path}/METADATA.')
+ primary_source_found = identifier.primary_source
+
+
def report_metadata_file(metadata_file_path, installed_file_metadata, report):
if metadata_file_path:
report[INFO_METADATA_FOUND_FOR_PACKAGE].append(
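Review bot: The duplicate-primary_source check in validate_package_metadata is defeated by the assignment on the last line of the loop, `primary_source_found = identifier.primary_source`, because an identifier with primary_source False resets the flag — for identifiers ordered (True, False, True) the second True is never reported. The flag must be sticky once set: `primary_source_found = primary_source_found or identifier.primary_source`, or equivalently only assign inside an `if identifier.primary_source:` branch. Since this validator is what keeps an ambiguous or unknown identifier out of the generated SBOM, the function deserves a short docstring stating that it exits the process on the first violation rather than returning a result; `sys.exit(str)` exits with status 1, which the comment above the function does not mention.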
@@ -372,6 +426,8 @@
with open(metadata_file_path + '/METADATA', 'rt') as f:
text_format.Parse(f.read(), package_metadata)
+ validate_package_metadata(metadata_file_path, package_metadata)
+
if not metadata_file_path in metadata_file_protos:
metadata_file_protos[metadata_file_path] = package_metadata
if not package_metadata.name: