From 2836e1804fd435c512df3109bf3cc6406fb14b09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maximilian=20Comb=C3=BCchen?= Date: Thu, 24 Oct 2024 14:32:06 +0200 Subject: [PATCH] feat: add supplier to SPDX documents When enriching with ecosyste.ms, add the supplier of a package to an SPDX document. Closes #76. Co-authored-by: Gary O'Neall --- lib/ecosystems/enrich_spdx.go | 16 ++++++++++++++++ lib/ecosystems/enrich_spdx_test.go | 7 +++++++ 2 files changed, 23 insertions(+) diff --git a/lib/ecosystems/enrich_spdx.go b/lib/ecosystems/enrich_spdx.go index d5e0426..d2106e6 100644 --- a/lib/ecosystems/enrich_spdx.go +++ b/lib/ecosystems/enrich_spdx.go @@ -24,6 +24,7 @@ import ( "github.com/package-url/packageurl-go" "github.com/rs/zerolog" "github.com/spdx/tools-golang/spdx" + "github.com/spdx/tools-golang/spdx/v2/common" "github.com/spdx/tools-golang/spdx/v2/v2_3" "github.com/snyk/parlay/ecosystems/packages" @@ -53,6 +54,7 @@ func enrichSPDX(bom *spdx.Document, logger *zerolog.Logger) { enrichSPDXDescription(pkg, pkgData) enrichSPDXLicense(pkg, pkgData) enrichSPDXHomepage(pkg, pkgData) + enrichSPDXSupplier(pkg, pkgData) } } @@ -70,6 +72,20 @@ func extractPurl(pkg *v2_3.Package) (*packageurl.PackageURL, error) { return nil, errors.New("no purl found on SPDX package") } +func enrichSPDXSupplier(pkg *v2_3.Package, data *packages.Package) { + if data.RepoMetadata != nil { + meta := *data.RepoMetadata + if ownerRecord, ok := meta["owner_record"].(map[string]interface{}); ok { + if name, ok := ownerRecord["name"].(string); ok { + pkg.PackageSupplier = &common.Supplier{ + SupplierType: "Organization", + Supplier: name, + } + } + } + } +} + func enrichSPDXLicense(pkg *v2_3.Package, data *packages.Package) { if len(data.NormalizedLicenses) == 1 { pkg.PackageLicenseConcluded = data.NormalizedLicenses[0] diff --git a/lib/ecosystems/enrich_spdx_test.go b/lib/ecosystems/enrich_spdx_test.go index 76f7497..523895d 100644 --- a/lib/ecosystems/enrich_spdx_test.go +++ b/lib/ecosystems/enrich_spdx_test.go @@ -41,6 +41,11 @@ func TestEnrichSBOM_SPDX(t *testing.T) { "BSD-3-Clause", }, "homepage": "https://github.com/spdx/tools-golang", + "repo_metadata": map[string]interface{}{ + "owner_record": map[string]interface{}{ + "name": "Acme Corp", + }, + }, }) }) @@ -70,6 +75,8 @@ func TestEnrichSBOM_SPDX(t *testing.T) { assert.Equal(t, "description", pkgs[0].PackageDescription) assert.Equal(t, "BSD-3-Clause", pkgs[0].PackageLicenseConcluded) assert.Equal(t, "https://github.com/spdx/tools-golang", pkgs[0].PackageHomePage) + assert.Equal(t, "Organization", pkgs[0].PackageSupplier.SupplierType) + assert.Equal(t, "Acme Corp", pkgs[0].PackageSupplier.Supplier) httpmock.GetTotalCallCount() calls := httpmock.GetCallCountInfo()