Skip to content

feat: use originator logic to fill supplier#1980

Merged
spiffcs merged 4 commits into
mainfrom
update-supplier-field
Aug 1, 2023
Merged

feat: use originator logic to fill supplier#1980
spiffcs merged 4 commits into
mainfrom
update-supplier-field

Conversation

@spiffcs
Copy link
Copy Markdown
Contributor

@spiffcs spiffcs commented Jul 31, 2023
edited
Loading

Summary

Syft should be filling in the supplier information to meet NTIA minimum standards for SPDX sbom generated by the tool.

Partially Addressing #1961

There are additional refinements we can make where supplier can get it's own function when we determine a good fence for when one field should specify one value vs another:

A good example:

The SPDX document identifies the package as [glibc](https://www.gnu.org/software/libc/) 
and the Package Supplier as [Red Hat](https://www.redhat.com/), 
but the [Free Software Foundation](http://www.fsf.org/) is the Package Originator.

Supplier

Identify the actual distribution source for the package/directory identified in the SPDX document. 
This might or might not be different from the originating distribution source for the package. 
The name of the Package Supplier shall be an organization or recognized author and not a web site.

Originator

If the package identified in the SPDX document originated from a different person or organization than identified as Package Supplier (see [7.5](https://spdx.github.io/spdx-spec/v2-draft/package-information/#7.5) above)

This field identifies from where or whom the package originally came. 
In some cases, a package may be created and originally distributed by a different third party than the Package Supplier of the package.

In this case NOASSERTION is returned when:

the SPDX document creator has attempted to but cannot reach a reasonable objective determination

@spiffcs
feat: use Originator to fill supplier for NTIA minimum
c4fc637 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jul 31, 2023
edited
Loading

Benchmark Test Results

Benchmark results from the latest changes vs base branch 
goos: linux%0Agoarch: amd64%0Apkg: github.com/anchore/syft/test/integration%0Acpu: Intel(R) Xeon(R) Platinum 8171M CPU @ 2.60GHz%0A                                                              │ ./.tmp/benchmark-367f914.txt │%0A                                                              │            sec/op            │%0AImagePackageCatalogers/alpmdb-cataloger-2                                       14.08m ±  2%25%0AImagePackageCatalogers/apkdb-cataloger-2                                        827.1µ ±  1%25%0AImagePackageCatalogers/binary-cataloger-2                                       232.6µ ±  2%25%0AImagePackageCatalogers/dpkgdb-cataloger-2                                       693.1µ ±  3%25%0AImagePackageCatalogers/dotnet-portable-executable-cataloger-2                   25.92µ ±  4%25%0AImagePackageCatalogers/go-module-binary-cataloger-2                             106.2µ ±  6%25%0AImagePackageCatalogers/java-cataloger-2                                         16.26m ±  4%25%0AImagePackageCatalogers/graalvm-native-image-cataloger-2                         103.8µ ±  3%25%0AImagePackageCatalogers/javascript-package-cataloger-2                           442.0µ ±  2%25%0AImagePackageCatalogers/nix-store-cataloger-2                                    322.1µ ±  3%25%0AImagePackageCatalogers/php-composer-installed-cataloger-2                       941.5µ ±  3%25%0AImagePackageCatalogers/portage-cataloger-2                                      589.3µ ± 14%25%0AImagePackageCatalogers/python-package-cataloger-2                               3.899m ±  4%25%0AImagePackageCatalogers/r-package-cataloger-2                                    238.8µ ±  2%25%0AImagePackageCatalogers/rpm-db-cataloger-2                                       632.4µ ±  2%25%0AImagePackageCatalogers/ruby-gemspec-cataloger-2                                 1.073m ±  1%25%0AImagePackageCatalogers/sbom-cataloger-2                                         136.4µ ±  1%25%0Ageomean                                                                         564.1µ%0A%0A                                                              │ ./.tmp/benchmark-367f914.txt │%0A                                                              │             B/op             │%0AImagePackageCatalogers/alpmdb-cataloger-2                                       5.119Mi ± 0%25%0AImagePackageCatalogers/apkdb-cataloger-2                                        204.8Ki ± 0%25%0AImagePackageCatalogers/binary-cataloger-2                                       30.23Ki ± 0%25%0AImagePackageCatalogers/dpkgdb-cataloger-2                                       168.9Ki ± 0%25%0AImagePackageCatalogers/dotnet-portable-executable-cataloger-2                   3.696Ki ± 0%25%0AImagePackageCatalogers/go-module-binary-cataloger-2                             9.906Ki ± 0%25%0AImagePackageCatalogers/java-cataloger-2                                         2.840Mi ± 0%25%0AImagePackageCatalogers/graalvm-native-image-cataloger-2                         8.594Ki ± 0%25%0AImagePackageCatalogers/javascript-package-cataloger-2                           94.26Ki ± 0%25%0AImagePackageCatalogers/nix-store-cataloger-2                                    49.14Ki ± 0%25%0AImagePackageCatalogers/php-composer-installed-cataloger-2                       186.8Ki ± 0%25%0AImagePackageCatalogers/portage-cataloger-2                                      119.9Ki ± 0%25%0AImagePackageCatalogers/python-package-cataloger-2                               1.003Mi ± 0%25%0AImagePackageCatalogers/r-package-cataloger-2                                    53.30Ki ± 0%25%0AImagePackageCatalogers/rpm-db-cataloger-2                                       180.9Ki ± 0%25%0AImagePackageCatalogers/ruby-gemspec-cataloger-2                                 144.0Ki ± 0%25%0AImagePackageCatalogers/sbom-cataloger-2                                         14.20Ki ± 0%25%0Ageomean                                                                         100.3Ki%0A%0A                                                              │ ./.tmp/benchmark-367f914.txt │%0A                                                              │          allocs/op           │%0AImagePackageCatalogers/alpmdb-cataloger-2                                        87.74k ± 0%25%0AImagePackageCatalogers/apkdb-cataloger-2                                         4.181k ± 0%25%0AImagePackageCatalogers/binary-cataloger-2                                         830.0 ± 0%25%0AImagePackageCatalogers/dpkgdb-cataloger-2                                        3.002k ± 0%25%0AImagePackageCatalogers/dotnet-portable-executable-cataloger-2                     132.0 ± 0%25%0AImagePackageCatalogers/go-module-binary-cataloger-2                               281.0 ± 0%25%0AImagePackageCatalogers/java-cataloger-2                                          40.19k ± 0%25%0AImagePackageCatalogers/graalvm-native-image-cataloger-2                           228.0 ± 0%25%0AImagePackageCatalogers/javascript-package-cataloger-2                            1.342k ± 0%25%0AImagePackageCatalogers/nix-store-cataloger-2                                      895.0 ± 0%25%0AImagePackageCatalogers/php-composer-installed-cataloger-2                        4.079k ± 0%25%0AImagePackageCatalogers/portage-cataloger-2                                       2.268k ± 0%25%0AImagePackageCatalogers/python-package-cataloger-2                                16.44k ± 0%25%0AImagePackageCatalogers/r-package-cataloger-2                                      929.0 ± 0%25%0AImagePackageCatalogers/rpm-db-cataloger-2                                        3.989k ± 0%25%0AImagePackageCatalogers/ruby-gemspec-cataloger-2                                  2.447k ± 0%25%0AImagePackageCatalogers/sbom-cataloger-2                                           394.0 ± 0%25%0Ageomean                                                                          2.052k

spiffcs added 2 commits July 31, 2023 14:36
@spiffcs
chore: use correct method
5aed0f5 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs
test: update unit testing
3adf4a9 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs marked this pull request as ready for review July 31, 2023 19:01
@spiffcs spiffcs requested a review from a team July 31, 2023 19:14
kzantow
kzantow reviewed Jul 31, 2023
View reviewed changes
Comment thread syft/formats/common/spdxhelpers/to_format_model.go
@spiffcs spiffcs mentioned this pull request Aug 1, 2023
Open
@spiffcs spiffcs added the enhancement New feature or request label Aug 1, 2023
@spiffcs
Copy link
Copy Markdown
Contributor Author

spiffcs commented Aug 1, 2023

Update the root package to have supplier as noassertion since this is a manually synthesized package as part of the source object

wagoodman
wagoodman reviewed Aug 1, 2023
View reviewed changes
Comment thread syft/formats/spdxtagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
Copy link
Copy Markdown
Contributor

@wagoodman wagoodman Aug 1, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

was this updated intentionally?

kzantow
kzantow approved these changes Aug 1, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@kzantow kzantow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 -- per discussion, just add a NOASSERTION supplier to the root package

@spiffcs
fix: add supplier to top level package
57084c1 
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
@spiffcs spiffcs merged commit 8e893df into main Aug 1, 2023
@spiffcs spiffcs deleted the update-supplier-field branch August 1, 2023 21:19
This was referenced Aug 15, 2023
Closed
Merged
Closed
Closed
Closed
Open
Closed
Closed
Closed
This was referenced Aug 28, 2023
Closed
Closed
Closed
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024
@spiffcs
feat: use originator logic to fill supplier (anchore#1980)
f0c5c2e 
* feat: use Originator to fill supplier for NTIA minimum
---------
Signed-off-by: Christopher Phillips <christopher.phillips@anchore.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wagoodman wagoodman wagoodman left review comments

@kzantow kzantow kzantow approved these changes

Assignees

No one assigned

Labels

enhancement New feature or request

Projects

None yet

Milestone

Meet NTIA Minimum SBOM Requirements

Development

Successfully merging this pull request may close these issues.

3 participants

@spiffcs @wagoodman @kzantow