Fix the following issues raised in the Pixel SBOM review.
1) PackageSupplier should be NOASSERTION if the METADATA file of a source
package has no homepage information
2) PackageDownloadLocation of upstream packages should be NOASSERTION if
the METADATA file of a source package has no code repository URL
Test: CIs
Test: atest --host sbom_writers_test
Change-Id: I8a0298b7bacc2f96555f9d7dde0d21ada8c6b564
diff --git a/tools/sbom/sbom_writers_test.py b/tools/sbom/sbom_writers_test.py
index 4db2bb7..361dae6 100644
--- a/tools/sbom/sbom_writers_test.py
+++ b/tools/sbom/sbom_writers_test.py
@@ -49,6 +49,7 @@
self.sbom_doc.add_package(
sbom_data.Package(id=sbom_data.SPDXID_PRODUCT,
name=sbom_data.PACKAGE_NAME_PRODUCT,
+ download_location=sbom_data.VALUE_NONE,
supplier=SUPPLIER_GOOGLE,
version=BUILD_FINGER_PRINT,
files_analyzed=True,
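Review bot: Every fixture touched in this file passes `download_location=sbom_data.VALUE_NONE` (this hunk and the ones at new lines 59, 67, 75 and 125), so the NOASSERTION cases the commit description names for PackageSupplier and PackageDownloadLocation are not exercised by anything visible here. In SPDX, NONE states that no download location exists while NOASSERTION states that it was not determined, and SBOM consumers that match components against upstream sources or advisories read the two differently, so the writer output for both values is worth pinning. I would add one source-package fixture built with the module's NOASSERTION value for both `download_location` and `supplier`, plus the matching expected lines in the writer tests, assuming those expectations live further down this file. The enclosing setup method starts and ends outside the hunk.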
@@ -58,6 +59,7 @@
self.sbom_doc.add_package(
sbom_data.Package(id=sbom_data.SPDXID_PLATFORM,
name=sbom_data.PACKAGE_NAME_PLATFORM,
+ download_location=sbom_data.VALUE_NONE,
supplier=SUPPLIER_GOOGLE,
version=BUILD_FINGER_PRINT,
))
@@ -65,6 +67,7 @@
self.sbom_doc.add_package(
sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1,
name='Prebuilt package1',
+ download_location=sbom_data.VALUE_NONE,
supplier=SUPPLIER_GOOGLE,
version=BUILD_FINGER_PRINT,
))
@@ -72,6 +75,7 @@
self.sbom_doc.add_package(
sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
name='Source package1',
+ download_location=sbom_data.VALUE_NONE,
supplier=SUPPLIER_GOOGLE,
version=BUILD_FINGER_PRINT,
external_refs=[sbom_data.PackageExternalRef(
@@ -121,6 +125,7 @@
self.unbundled_sbom_doc.add_package(
sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1,
name='Unbundled apk package',
+ download_location=sbom_data.VALUE_NONE,
supplier=SUPPLIER_GOOGLE,
version=BUILD_FINGER_PRINT))
self.unbundled_sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1,