sbomdiff
Update spdx_parser.py to handle the SPDX file parsing logic and generate the correct key/value dictionary
Problem statement:
The same software in two SPDX files is shown as a diff, and the result is generated with the same product listed as removed and then added back.
If SPDX file [1] contains:

```
#### Package: cloud.google.com/go/networksecurity
PackageName: cloud.google.com/go/networksecurity
SPDXID: SPDXRef-Pkg-cloud.google.com-go-networksecurity-v0.6.0-5311591
PackageVersion: v0.6.0
PackageSupplier: Organization: go:cloud.google.com/go/networksecurity
PackageHomePage: https://pkg.go.dev/cloud.google.com/go/networksecurity
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: NOASSERTION
FilesAnalyzed: False
ExternalRef: PACKAGE-MANAGER purl pkg:golang/cloud.google.com/go/networksecurity@v0.6.0
```
If SPDX file [2] contains:

```
#### Package: networksecurity
PackageName: networksecurity
SPDXID: SPDXRef-Pkg-cloud.google.com-go-networksecurity-v0.5.0-5311454
PackageVersion: v0.5.0
PackageSupplier: Organization: go:cloud.google.com/go/networksecurity
PackageHomePage: https://pkg.go.dev/cloud.google.com/go/networksecurity
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: Apache-2.0
PackageLicenseDeclared: Apache-2.0
PackageCopyrightText: NOASSERTION
FilesAnalyzed: False
ExternalRef: PACKAGE-MANAGER purl pkg:golang/cloud.google.com/go/networksecurity@v0.5.0
```
Command used to generate the report, and the resulting report:

```
# python ./cli.py --sbom spdx -o sbom_diff_reports.txt -f text file1.spdx file2.spdx
# echo $?
1
# cat sbom_diff_reports.txt
[REMOVED] networksecurity: (Version v0.5.0)
[ADDED ] cloud.google.com/go/networksecurity: (Version v0.6.0) (License Apache-2.0)

Summary
-------
Version changes: 0
License changes: 0
Removed packages: 1
New packages: 1
```
Solution:
Additional regex logic will help to find the right delta between two SPDX files. Without this fix, the product name sometimes gets recorded incorrectly as "v2" or without the full path of the software; this enhancement will help to detect the same product name between two SPDX files.

With the fix, the report will look like this:
```
# cat sbom_diff_reports.txt
[REMOVED] networksecurity: (Version v0.5.0)
[ADDED ] cloud.google.com/go/networksecurity: (Version v0.5.0) (License Apache-2.0)

Summary
-------
Version changes: 1
License changes: 0
Removed packages: 0
New packages: 0
```
Reviewers:
@anthonyharrison @briancaine
@anthonyharrison kindly start the review.
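The problem described in this PR is one of package identity: the two SPDX files name the same Go module differently (`cloud.google.com/go/networksecurity` versus `networksecurity`), so a diff keyed on `PackageName` alone reports one removal and one addition instead of a version change. The following is an added illustration, not the project's own `spdx_parser.py` or the code under review; it uses a small tag-value parser of its own and matches packages on the version-stripped purl from `ExternalRef` (falling back to `PackageName`), which is one way to make the identity robust to such renames. The SPDX fragments are constructed for the example and are modelled on the two files quoted above.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed SPDX 2.x tag-value samples (not real project output).  The same
# Go module appears under its full import path in one file and under only the
# last path element in the other; a second, unchanged module is included to
# show that matched packages produce no noise.
SPDX_OLD = """\
SPDXID: SPDXRef-DOCUMENT
DocumentName: constructed-old

#### Package: networksecurity
PackageName: networksecurity
SPDXID: SPDXRef-Pkg-cloud.google.com-go-networksecurity-v0.5.0-5311454
PackageVersion: v0.5.0
PackageLicenseConcluded: Apache-2.0
ExternalRef: PACKAGE-MANAGER purl pkg:golang/cloud.google.com/go/networksecurity@v0.5.0

#### Package: golang.org/x/crypto
PackageName: golang.org/x/crypto
SPDXID: SPDXRef-Pkg-golang.org-x-crypto-v0.14.0
PackageVersion: v0.14.0
PackageLicenseConcluded: BSD-3-Clause
ExternalRef: PACKAGE-MANAGER purl pkg:golang/golang.org/x/crypto@v0.14.0
"""

SPDX_NEW = """\
SPDXID: SPDXRef-DOCUMENT
DocumentName: constructed-new

#### Package: cloud.google.com/go/networksecurity
PackageName: cloud.google.com/go/networksecurity
SPDXID: SPDXRef-Pkg-cloud.google.com-go-networksecurity-v0.6.0-5311591
PackageVersion: v0.6.0
PackageLicenseConcluded: Apache-2.0
ExternalRef: PACKAGE-MANAGER purl pkg:golang/cloud.google.com/go/networksecurity@v0.6.0

#### Package: golang.org/x/crypto
PackageName: golang.org/x/crypto
SPDXID: SPDXRef-Pkg-golang.org-x-crypto-v0.14.0
PackageVersion: v0.14.0
PackageLicenseConcluded: BSD-3-Clause
ExternalRef: PACKAGE-MANAGER purl pkg:golang/golang.org/x/crypto@v0.14.0
"""

TAG_RE = re.compile(r"^(?P<tag>[A-Za-z]+):\s*(?P<value>.*)$")
PURL_REF_RE = re.compile(r"^PACKAGE-MANAGER\s+purl\s+(?P<purl>\S+)$")
PURL_VERSION_RE = re.compile(r"@[^?#]*")  # '@version', stopping at qualifiers/subpath

Package = Dict[str, str]
KeyFunc = Callable[[Package], str]


def parse_spdx_packages(text: str) -> List[Package]:
    """Collect per-package tag/value pairs from an SPDX tag-value document.
    A new package starts at each PackageName tag; '#### Package:' banners are
    comments, and document-level tags before the first package are skipped."""
    packages: List[Package] = []
    current: Optional[Package] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.group("tag"), m.group("value").strip()
        if tag == "PackageName":
            current = {"name": value}
            packages.append(current)
        elif current is None:
            continue
        elif tag == "PackageVersion":
            current["version"] = value
        elif tag == "PackageLicenseConcluded":
            current["license"] = value
        elif tag == "ExternalRef":
            ref = PURL_REF_RE.match(value)
            if ref:
                current["purl"] = ref.group("purl")
    return packages


def name_key(pkg: Package) -> str:
    """Naive identity: PackageName as written (the behaviour that mis-reports a rename)."""
    return pkg["name"].lower()


def purl_key(pkg: Package) -> str:
    """Identity that survives naming differences: the purl with its version removed,
    falling back to PackageName when the package carries no purl ExternalRef."""
    purl = pkg.get("purl")
    if purl:
        return PURL_VERSION_RE.sub("", purl, count=1).lower()
    return name_key(pkg)


def diff_spdx(old_text: str, new_text: str, key: KeyFunc = purl_key) -> Dict[str, list]:
    """Compare two SPDX documents package by package, matching on `key`."""
    old = {key(p): p for p in parse_spdx_packages(old_text)}
    new = {key(p): p for p in parse_spdx_packages(new_text)}
    report: Dict[str, list] = {"version_changes": [], "license_changes": [],
                               "removed": [], "added": []}
    for k, p in old.items():
        q = new.get(k)
        if q is None:
            report["removed"].append((p["name"], p.get("version")))
            continue
        if p.get("version") != q.get("version"):
            report["version_changes"].append((q["name"], p.get("version"), q.get("version")))
        if p.get("license") != q.get("license"):
            report["license_changes"].append((q["name"], p.get("license"), q.get("license")))
    for k, q in new.items():
        if k not in old:
            report["added"].append((q["name"], q.get("version")))
    return report


if __name__ == "__main__":
    print("keyed on PackageName:", diff_spdx(SPDX_OLD, SPDX_NEW, key=name_key))
    print("keyed on purl:       ", diff_spdx(SPDX_OLD, SPDX_NEW))
```

Run stand-alone, the first line reproduces the symptom from the PR (one removed, one added, zero version changes) and the second reports a single version change for `cloud.google.com/go/networksecurity` with nothing removed or added. The purl is a better identity than the bare name because it carries the ecosystem and the full namespace regardless of how the generating tool abbreviated `PackageName`; packages without an `ExternalRef` still fall back to the name, so the regex-based normalisation proposed in this PR remains useful for those.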