fix(spdx): add PkgDownloadLocation field (#3879)

DmitriyLewen · web-flow · commit 6e9c2c36dadc · 2023-03-21T16:11:38.000+02:00
diff --git a/integration/testdata/conda-spdx.json.golden b/integration/testdata/conda-spdx.json.golden
@@ -26,12 +26,14 @@
 	"packages": [
 		{
 			"SPDXID": "SPDXRef-Application-ee5ef1aa4ac89125",
+			"downloadLocation": "NONE",
 			"filesAnalyzed": false,
 			"name": "conda-pkg",
 			"sourceInfo": "Conda"
 		},
 		{
 			"SPDXID": "SPDXRef-Filesystem-6e0ac6a0fab50ab4",
+			"downloadLocation": "NONE",
 			"attributionTexts": [
 				"SchemaVersion: 2"
 			],
@@ -40,6 +42,7 @@
 		},
 		{
 			"SPDXID": "SPDXRef-Package-2984084f02572600",
+			"downloadLocation": "NONE",
 			"externalRefs": [
 				{
 					"referenceCategory": "PACKAGE-MANAGER",
@@ -58,6 +61,7 @@
 		},
 		{
 			"SPDXID": "SPDXRef-Package-ac33eb699b3aa81d",
+			"downloadLocation": "NONE",
 			"externalRefs": [
 				{
 					"referenceCategory": "PACKAGE-MANAGER",
diff --git a/pkg/sbom/spdx/marshal.go b/pkg/sbom/spdx/marshal.go
@@ -29,6 +29,7 @@ const (
 	DocumentNamespace   = "http://aquasecurity.github.io/trivy"
 	CreatorOrganization = "aquasecurity"
 	CreatorTool         = "trivy"
+	noneField           = "NONE"
 )
 
 const (
@@ -114,9 +115,10 @@ func NewMarshaler(version string, opts ...marshalOption) *Marshaler {
 func (m *Marshaler) Marshal(r types.Report) (*spdx.Document2_2, error) {
 	var relationShips []*spdx.Relationship2_2
 	packages := make(map[spdx.ElementID]*spdx.Package2_2)
+	pkgDownloadLocation := getPackageDownloadLocation(r.ArtifactType, r.ArtifactName)
 
 	// Root package contains OS, OS packages, language-specific packages and so on.
-	rootPkg, err := m.rootPackage(r)
+	rootPkg, err := m.rootPackage(r, pkgDownloadLocation)
 	if err != nil {
 		return nil, xerrors.Errorf("failed to generate a root package: %w", err)
 	}
@@ -126,7 +128,7 @@ func (m *Marshaler) Marshal(r types.Report) (*spdx.Document2_2, error) {
 	)
 
 	for _, result := range r.Results {
-		parentPackage, err := m.resultToSpdxPackage(result, r.Metadata.OS)
+		parentPackage, err := m.resultToSpdxPackage(result, r.Metadata.OS, pkgDownloadLocation)
 		if err != nil {
 			return nil, xerrors.Errorf("failed to parse result: %w", err)
 		}
@@ -136,7 +138,7 @@ func (m *Marshaler) Marshal(r types.Report) (*spdx.Document2_2, error) {
 		)
 
 		for _, pkg := range result.Packages {
-			spdxPackage, err := m.pkgToSpdxPackage(result.Type, result.Class, r.Metadata, pkg)
+			spdxPackage, err := m.pkgToSpdxPackage(result.Type, pkgDownloadLocation, result.Class, r.Metadata, pkg)
 			if err != nil {
 				return nil, xerrors.Errorf("failed to parse package: %w", err)
 			}
@@ -163,16 +165,16 @@ func (m *Marshaler) Marshal(r types.Report) (*spdx.Document2_2, error) {
 	}, nil
 }
 
-func (m *Marshaler) resultToSpdxPackage(result types.Result, os *ftypes.OS) (spdx.Package2_2, error) {
+func (m *Marshaler) resultToSpdxPackage(result types.Result, os *ftypes.OS, pkgDownloadLocation string) (spdx.Package2_2, error) {
 	switch result.Class {
 	case types.ClassOSPkg:
-		osPkg, err := m.osPackage(os)
+		osPkg, err := m.osPackage(os, pkgDownloadLocation)
 		if err != nil {
 			return spdx.Package2_2{}, xerrors.Errorf("failed to parse operating system package: %w", err)
 		}
 		return osPkg, nil
 	case types.ClassLangPkg:
-		langPkg, err := m.langPackage(result.Target, result.Type)
+		langPkg, err := m.langPackage(result.Target, result.Type, pkgDownloadLocation)
 		if err != nil {
 			return spdx.Package2_2{}, xerrors.Errorf("failed to parse application package: %w", err)
 		}
@@ -195,7 +197,7 @@ func (m *Marshaler) parseFile(filePath string) (spdx.File2_2, error) {
 	return file, nil
 }
 
-func (m *Marshaler) rootPackage(r types.Report) (*spdx.Package2_2, error) {
+func (m *Marshaler) rootPackage(r types.Report, pkgDownloadLocation string) (*spdx.Package2_2, error) {
 	var externalReferences []*spdx.PackageExternalReference2_2
 	attributionTexts := []string{attributionText(PropertySchemaVersion, strconv.Itoa(r.SchemaVersion))}
 
@@ -231,12 +233,13 @@ func (m *Marshaler) rootPackage(r types.Report) (*spdx.Package2_2, error) {
 	return &spdx.Package2_2{
 		PackageName:               r.ArtifactName,
 		PackageSPDXIdentifier:     elementID(camelCase(string(r.ArtifactType)), pkgID),
+		PackageDownloadLocation:   pkgDownloadLocation,
 		PackageAttributionTexts:   attributionTexts,
 		PackageExternalReferences: externalReferences,
 	}, nil
 }
 
-func (m *Marshaler) osPackage(osFound *ftypes.OS) (spdx.Package2_2, error) {
+func (m *Marshaler) osPackage(osFound *ftypes.OS, pkgDownloadLocation string) (spdx.Package2_2, error) {
 	if osFound == nil {
 		return spdx.Package2_2{}, nil
 	}
@@ -247,26 +250,28 @@ func (m *Marshaler) osPackage(osFound *ftypes.OS) (spdx.Package2_2, error) {
 	}
 
 	return spdx.Package2_2{
-		PackageName:           osFound.Family,
-		PackageVersion:        osFound.Name,
-		PackageSPDXIdentifier: elementID(ElementOperatingSystem, pkgID),
+		PackageName:             osFound.Family,
+		PackageVersion:          osFound.Name,
+		PackageSPDXIdentifier:   elementID(ElementOperatingSystem, pkgID),
+		PackageDownloadLocation: pkgDownloadLocation,
 	}, nil
 }
 
-func (m *Marshaler) langPackage(target, appType string) (spdx.Package2_2, error) {
+func (m *Marshaler) langPackage(target, appType, pkgDownloadLocation string) (spdx.Package2_2, error) {
 	pkgID, err := calcPkgID(m.hasher, fmt.Sprintf("%s-%s", target, appType))
 	if err != nil {
 		return spdx.Package2_2{}, xerrors.Errorf("failed to get %s package ID: %w", target, err)
 	}
 
 	return spdx.Package2_2{
-		PackageName:           appType,
-		PackageSourceInfo:     target, // TODO: Files seems better
-		PackageSPDXIdentifier: elementID(ElementApplication, pkgID),
+		PackageName:             appType,
+		PackageSourceInfo:       target, // TODO: Files seems better
+		PackageSPDXIdentifier:   elementID(ElementApplication, pkgID),
+		PackageDownloadLocation: pkgDownloadLocation,
 	}, nil
 }
 
-func (m *Marshaler) pkgToSpdxPackage(t string, class types.ResultClass, metadata types.Metadata, pkg ftypes.Package) (spdx.Package2_2, error) {
+func (m *Marshaler) pkgToSpdxPackage(t, pkgDownloadLocation string, class types.ResultClass, metadata types.Metadata, pkg ftypes.Package) (spdx.Package2_2, error) {
 	license := GetLicense(pkg)
 
 	pkgID, err := calcPkgID(m.hasher, pkg)
@@ -296,10 +301,11 @@ func (m *Marshaler) pkgToSpdxPackage(t string, class types.ResultClass, metadata
 	}
 
 	return spdx.Package2_2{
-		PackageName:           pkg.Name,
-		PackageVersion:        pkg.Version,
-		PackageSPDXIdentifier: elementID(ElementPackage, pkgID),
-		PackageSourceInfo:     pkgSrcInfo,
+		PackageName:             pkg.Name,
+		PackageVersion:          pkg.Version,
+		PackageSPDXIdentifier:   elementID(ElementPackage, pkgID),
+		PackageDownloadLocation: pkgDownloadLocation,
+		PackageSourceInfo:       pkgSrcInfo,
 
 		// The Declared License is what the authors of a project believe govern the package
 		PackageLicenseConcluded: license,
@@ -361,7 +367,7 @@ func purlExternalReference(packageURL string) *spdx.PackageExternalReference2_2
 
 func GetLicense(p ftypes.Package) string {
 	if len(p.Licenses) == 0 {
-		return "NONE"
+		return noneField
 	}
 
 	license := strings.Join(lo.Map(p.Licenses, func(license string, index int) string {
@@ -384,7 +390,7 @@ func getDocumentNamespace(r types.Report, m *Marshaler) string {
 	return fmt.Sprintf("%s/%s/%s-%s",
 		DocumentNamespace,
 		string(r.ArtifactType),
-		r.ArtifactName,
+		strings.ReplaceAll(strings.ReplaceAll(r.ArtifactName, "https://", ""), "http://", ""), // remove http(s):// prefix when scanning repos
 		m.newUUID().String(),
 	)
 }
@@ -421,3 +427,16 @@ func camelCase(inputUnderScoreStr string) (camelCase string) {
 	}
 	return
 }
+
+func getPackageDownloadLocation(t ftypes.ArtifactType, artifactName string) string {
+	location := noneField
+	// this field is used for git/mercurial/subversion/bazaar:
+	// https://spdx.github.io/spdx-spec/v2.2.2/package-information/#77-package-download-location-field
+	if t == ftypes.ArtifactRemoteRepository {
+		// Trivy currently only supports git repositories. Format examples:
+		// git+https://git.myproject.org/MyProject.git
+		// git+http://git.myproject.org/MyProject
+		location = fmt.Sprintf("git+%s", artifactName)
+	}
+	return location
+}
diff --git a/pkg/sbom/spdx/marshal_test.go b/pkg/sbom/spdx/marshal_test.go

Original file line number	Diff line number	Diff line change
`@@ -26,12 +26,14 @@`
`26`	`26`	`"packages": [`
`27`	`27`	`{`
`28`	`28`	`"SPDXID": "SPDXRef-Application-ee5ef1aa4ac89125",`
	`29`	`+ "downloadLocation": "NONE",`
`29`	`30`	`"filesAnalyzed": false,`
`30`	`31`	`"name": "conda-pkg",`
`31`	`32`	`"sourceInfo": "Conda"`
`32`	`33`	`},`
`33`	`34`	`{`
`34`	`35`	`"SPDXID": "SPDXRef-Filesystem-6e0ac6a0fab50ab4",`
	`36`	`+ "downloadLocation": "NONE",`
`35`	`37`	`"attributionTexts": [`
`36`	`38`	`"SchemaVersion: 2"`
`37`	`39`	`],`
`@@ -40,6 +42,7 @@`
`40`	`42`	`},`
`41`	`43`	`{`
`42`	`44`	`"SPDXID": "SPDXRef-Package-2984084f02572600",`
	`45`	`+ "downloadLocation": "NONE",`
`43`	`46`	`"externalRefs": [`
`44`	`47`	`{`
`45`	`48`	`"referenceCategory": "PACKAGE-MANAGER",`
`@@ -58,6 +61,7 @@`
`58`	`61`	`},`
`59`	`62`	`{`
`60`	`63`	`"SPDXID": "SPDXRef-Package-ac33eb699b3aa81d",`
	`64`	`+ "downloadLocation": "NONE",`
`61`	`65`	`"externalRefs": [`
`62`	`66`	`{`
`63`	`67`	`"referenceCategory": "PACKAGE-MANAGER",`