Migrate SPDX-JSON relationships to SBOM model (#634)

* remove power-user document shape Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add power-user specific fields to syft-json format Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * port remaining spdx-json relationships to sbom model Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add coordinate set Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add SBOM file path helper Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * use internal mimetype helper in go binary cataloger Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add new package-of relationship Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update json schema to v2 Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * replace power-user presenter with syft-json format Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix tests and linting Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * remove "package-of" relationship (in favor of "contains") Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add tests for spdx22json format encoding enhancements Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update TODO and log entries Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * introduce sbom.Descriptor Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
anchore · Nov 23, 2021 · bd9007f · bd9007f
1 parent e3b3481
commit bd9007f
Show file tree

Hide file tree

Showing 41 changed files with 2,238 additions and 718 deletions.
diff --git a/cmd/packages.go b/cmd/packages.go
@@ -13,6 +13,7 @@ import (
 	"github.com/anchore/syft/internal/formats"
 	"github.com/anchore/syft/internal/log"
 	"github.com/anchore/syft/internal/ui"
+	"github.com/anchore/syft/internal/version"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/event"
 	"github.com/anchore/syft/syft/format"
@@ -263,6 +264,11 @@ func packagesExecWorker(userInput string) <-chan error {
 
 		s := sbom.SBOM{
 			Source: src.Metadata,
+			Descriptor: sbom.Descriptor{
+				Name:          internal.ApplicationName,
+				Version:       version.FromBuild().Version,
+				Configuration: appConfig,
+			},
 		}
 
 		var relationships []<-chan artifact.Relationship

diff --git a/cmd/power_user.go b/cmd/power_user.go
@@ -4,19 +4,18 @@ import (
 	"fmt"
 	"os"
 
-	"github.com/anchore/syft/syft/artifact"
-	"github.com/gookit/color"
-
-	"github.com/anchore/syft/syft/sbom"
-
 	"github.com/anchore/stereoscope"
 	"github.com/anchore/syft/internal"
 	"github.com/anchore/syft/internal/bus"
+	"github.com/anchore/syft/internal/formats/syftjson"
 	"github.com/anchore/syft/internal/log"
-	"github.com/anchore/syft/internal/presenter/poweruser"
 	"github.com/anchore/syft/internal/ui"
+	"github.com/anchore/syft/internal/version"
+	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/event"
+	"github.com/anchore/syft/syft/sbom"
 	"github.com/anchore/syft/syft/source"
+	"github.com/gookit/color"
 	"github.com/pkg/profile"
 	"github.com/spf13/cobra"
 	"github.com/wagoodman/go-partybus"
@@ -125,6 +124,11 @@ func powerUserExecWorker(userInput string) <-chan error {
 
 		s := sbom.SBOM{
 			Source: src.Metadata,
+			Descriptor: sbom.Descriptor{
+				Name:          internal.ApplicationName,
+				Version:       version.FromBuild().Version,
+				Configuration: appConfig,
+			},
 		}
 
 		var relationships []<-chan artifact.Relationship
@@ -139,7 +143,7 @@ func powerUserExecWorker(userInput string) <-chan error {
 
 		bus.Publish(partybus.Event{
 			Type:  event.PresenterReady,
-			Value: poweruser.NewJSONPresenter(s, *appConfig),
+			Value: syftjson.Format().Presenter(s),
 		})
 	}()
 

diff --git a/internal/config/application.go b/internal/config/application.go
@@ -163,6 +163,10 @@ func (cfg *Application) parseLogLevelOption() error {
 		}
 	}
 
+	if cfg.Log.Level == "" {
+		cfg.Log.Level = cfg.Log.LevelOpt.String()
+	}
+
 	return nil
 }
 

diff --git a/internal/constants.go b/internal/constants.go
@@ -6,5 +6,5 @@ const (
 
 	// JSONSchemaVersion is the current schema version output by the JSON presenter
 	// This is roughly following the "SchemaVer" guidelines for versioning the JSON schema. Please see schema/json/README.md for details on how to increment.
-	JSONSchemaVersion = "1.1.0"
+	JSONSchemaVersion = "2.0.0"
 )
diff --git a/internal/formats/common/spdxhelpers/files.go b/internal/formats/common/spdxhelpers/files.go
diff --git a/internal/formats/common/testutils/utils.go b/internal/formats/common/testutils/utils.go
@@ -124,6 +124,15 @@ func ImageInput(t testing.TB, testImage string, options ...ImageOption) sbom.SBO
 			Distro:         &dist,
 		},
 		Source: src.Metadata,
+		Descriptor: sbom.Descriptor{
+			Name:    "syft",
+			Version: "v0.42.0-bogus",
+			// the application configuration should be persisted here, however, we do not want to import
+			// the application configuration in this package (it's reserved only for ingestion by the cmd package)
+			Configuration: map[string]string{
+				"config-key": "config-value",
+			},
+		},
 	}
 }
 
@@ -187,6 +196,15 @@ func DirectoryInput(t testing.TB) sbom.SBOM {
 			Distro:         &dist,
 		},
 		Source: src.Metadata,
+		Descriptor: sbom.Descriptor{
+			Name:    "syft",
+			Version: "v0.42.0-bogus",
+			// the application configuration should be persisted here, however, we do not want to import
+			// the application configuration in this package (it's reserved only for ingestion by the cmd package)
+			Configuration: map[string]string{
+				"config-key": "config-value",
+			},
+		},
 	}
 }
 

diff --git a/internal/formats/spdx22json/model/file.go b/internal/formats/spdx22json/model/file.go
@@ -3,17 +3,17 @@ package model
 type FileType string
 
 const (
-	DocumentationFileType FileType = "DOCUMENTATION"
-	ImageFileType         FileType = "IMAGE"
-	VideoFileType         FileType = "VIDEO"
-	ArchiveFileType       FileType = "ARCHIVE"
-	SpdxFileType          FileType = "SPDX"
-	ApplicationFileType   FileType = "APPLICATION"
-	SourceFileType        FileType = "SOURCE"
-	BinaryFileType        FileType = "BINARY"
-	TextFileType          FileType = "TEXT"
-	AudioFileType         FileType = "AUDIO"
-	OtherFileType         FileType = "OTHER"
+	DocumentationFileType FileType = "DOCUMENTATION" // if the file serves as documentation
+	ImageFileType         FileType = "IMAGE"         // if the file is associated with a picture image file (MIME type of image/*, e.g., .jpg, .gif)
+	VideoFileType         FileType = "VIDEO"         // if the file is associated with a video file type (MIME type of video/*)
+	ArchiveFileType       FileType = "ARCHIVE"       // if the file represents an archive (.tar, .jar, etc.)
+	SpdxFileType          FileType = "SPDX"          // if the file is an SPDX document
+	ApplicationFileType   FileType = "APPLICATION"   // if the file is associated with a specific application type (MIME type of application/*)
+	SourceFileType        FileType = "SOURCE"        // if the file is human readable source code (.c, .html, etc.)
+	BinaryFileType        FileType = "BINARY"        // if the file is a compiled object, target image or binary executable (.o, .a, etc.)
+	TextFileType          FileType = "TEXT"          // if the file is human readable text file (MIME type of text/*)
+	AudioFileType         FileType = "AUDIO"         // if the file is associated with an audio file (MIME type of audio/* , e.g. .mp3)
+	OtherFileType         FileType = "OTHER"         // if the file doesn't fit into the above categories (generated artifacts, data files, etc.)
 )
 
 type File struct {
@@ -36,6 +36,6 @@ type File struct {
 	// Indicates the project in which the SpdxElement originated. Tools must preserve doap:homepage and doap:name
 	// properties and the URI (if one is known) of doap:Project resources that are values of this property. All other
 	// properties of doap:Projects are not directly supported by SPDX and may be dropped when translating to or
-	// from some SPDX formats(deprecated).
+	// from some SPDX formats (deprecated).
 	ArtifactOf []string `json:"artifactOf,omitempty"`
 }
diff --git a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryPresenter.golden b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryPresenter.golden
@@ -3,18 +3,18 @@
  "name": "/some/path",
  "spdxVersion": "SPDX-2.2",
  "creationInfo": {
-  "created": "2021-10-29T16:26:08.995826Z",
+  "created": "2021-11-17T19:35:54.834877Z",
   "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-[not provided]"
   ],
-  "licenseListVersion": "3.14"
+  "licenseListVersion": "3.15"
  },
  "dataLicense": "CC0-1.0",
- "documentNamespace": "https:/anchore.com/syft/dir/some/path-5362d380-914a-458f-b059-d8d27899574c",
+ "documentNamespace": "https:/anchore.com/syft/dir/some/path-65e2226e-a61e-4ed1-81bb-56022e1ff1eb",
  "packages": [
   {
-   "SPDXID": "SPDXRef-Package-python-package-1-1.0.1",
+   "SPDXID": "SPDXRef-2a115ac97d018a0e",
    "name": "package-1",
    "licenseConcluded": "MIT",
    "downloadLocation": "NOASSERTION",
@@ -31,15 +31,12 @@
     }
    ],
    "filesAnalyzed": false,
-   "hasFiles": [
-    "SPDXRef-File-package-1-efae7fecc76ca25da40f79d7ef5b8933510434914835832c7976f3e866aa756a"
-   ],
    "licenseDeclared": "MIT",
    "sourceInfo": "acquired package info from installed python package manifest file: /some/path/pkg1",
    "versionInfo": "1.0.1"
   },
   {
-   "SPDXID": "SPDXRef-Package-deb-package-2-2.0.1",
+   "SPDXID": "SPDXRef-5e920b2bece2c3ae",
    "name": "package-2",
    "licenseConcluded": "NONE",
    "downloadLocation": "NOASSERTION",
@@ -60,20 +57,5 @@
    "sourceInfo": "acquired package info from DPKG DB: /some/path/pkg1",
    "versionInfo": "2.0.1"
   }
- ],
- "files": [
-  {
-   "SPDXID": "SPDXRef-File-package-1-efae7fecc76ca25da40f79d7ef5b8933510434914835832c7976f3e866aa756a",
-   "name": "foo",
-   "licenseConcluded": "",
-   "fileName": "/some/path/pkg1/dependencies/foo"
-  }
- ],
- "relationships": [
-  {
-   "spdxElementId": "SPDXRef-Package-python-package-1-1.0.1",
-   "relationshipType": "CONTAINS",
-   "relatedSpdxElement": "SPDXRef-File-package-1-efae7fecc76ca25da40f79d7ef5b8933510434914835832c7976f3e866aa756a"
-  }
  ]
 }
diff --git a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImagePresenter.golden b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImagePresenter.golden
@@ -3,18 +3,18 @@
  "name": "user-image-input",
  "spdxVersion": "SPDX-2.2",
  "creationInfo": {
-  "created": "2021-10-29T16:26:09.001799Z",
+  "created": "2021-11-17T19:35:57.761372Z",
   "creators": [
    "Organization: Anchore, Inc",
    "Tool: syft-[not provided]"
   ],
-  "licenseListVersion": "3.14"
+  "licenseListVersion": "3.15"
  },
  "dataLicense": "CC0-1.0",
- "documentNamespace": "https:/anchore.com/syft/image/user-image-input-3ad8571c-513f-4fce-944e-5125353c3186",
+ "documentNamespace": "https:/anchore.com/syft/image/user-image-input-5383918f-ec96-4aa9-b756-ad16e1ada31e",
  "packages": [
   {
-   "SPDXID": "SPDXRef-Package-python-package-1-1.0.1",
+   "SPDXID": "SPDXRef-888661d4f0362f02",
    "name": "package-1",
    "licenseConcluded": "MIT",
    "downloadLocation": "NOASSERTION",
@@ -36,7 +36,7 @@
    "versionInfo": "1.0.1"
   },
   {
-   "SPDXID": "SPDXRef-Package-deb-package-2-2.0.1",
+   "SPDXID": "SPDXRef-4068ff5e8926b305",
    "name": "package-2",
    "licenseConcluded": "NONE",
    "downloadLocation": "NOASSERTION",