fix: Add missing relationship and pkg external info for SBOMs (#3582)

viveksahu26 · web-flow · commit b52ed30f5720 · 2025-05-31T14:52:54.000-04:00
diff --git a/github/dependency_graph.go b/github/dependency_graph.go
@@ -28,12 +28,52 @@ type CreationInfo struct {
 type RepoDependencies struct {
 	SPDXID *string `json:"SPDXID,omitempty"`
 	// Package name
-	Name             *string `json:"name,omitempty"`
-	VersionInfo      *string `json:"versionInfo,omitempty"`
-	DownloadLocation *string `json:"downloadLocation,omitempty"`
-	FilesAnalyzed    *bool   `json:"filesAnalyzed,omitempty"`
-	LicenseConcluded *string `json:"licenseConcluded,omitempty"`
-	LicenseDeclared  *string `json:"licenseDeclared,omitempty"`
+	Name             *string               `json:"name,omitempty"`
+	VersionInfo      *string               `json:"versionInfo,omitempty"`
+	DownloadLocation *string               `json:"downloadLocation,omitempty"`
+	FilesAnalyzed    *bool                 `json:"filesAnalyzed,omitempty"`
+	LicenseConcluded *string               `json:"licenseConcluded,omitempty"`
+	LicenseDeclared  *string               `json:"licenseDeclared,omitempty"`
+	ExternalRefs     []*PackageExternalRef `json:"externalRefs,omitempty"`
+}
+
+// PackageExternalRef allows an Package to reference an external sources of additional information,
+// like asset identifiers, or downloadable content that are relevant to the package,
+// Example for identifiers (e.g., PURL/SWID/CPE) for a package in the SBOM.
+// https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field
+type PackageExternalRef struct {
+	// ReferenceCategory specifies the external reference categories such
+	// SECURITY", "PACKAGE-MANAGER", "PERSISTENT-ID", or "OTHER"
+	// Example: "PACKAGE-MANAGER"
+	ReferenceCategory string `json:"referenceCategory"`
+
+	// ReferenceType specifies the type of external reference.
+	// For PACKAGE-MANAGER, it could be "purl"; other types include "cpe22Type", "swid", etc.
+	ReferenceType string `json:"referenceType"`
+
+	// ReferenceLocator is the actual unique identifier or URI for the external reference.
+	// Example: "pkg:golang/github.com/spf13/cobra@1.8.1"
+	ReferenceLocator string `json:"referenceLocator"`
+}
+
+// SBOMRelationship provides information about the relationship between two SPDX elements.
+// Element could be packages or files in the SBOM.
+// For example, to represent a relationship between two different Files, between a Package and a File,
+// between two Packages, or between one SPDXDocument and another SPDXDocument.
+// https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/
+type SBOMRelationship struct {
+	// SPDXElementID is the identifier of the SPDX element that has a relationship.
+	// Example: "SPDXRef-github-interlynk-io-sbomqs-main-f43c98"
+	SPDXElementID string `json:"spdxElementId"`
+
+	// RelatedSpdxElement is the identifier of the related SPDX element.
+	// Example: "SPDXRef-golang-github.comspf13-cobra-1.8.1-75c946"
+	RelatedSPDXElement string `json:"relatedSpdxElement"`
+
+	// RelationshipType describes the type of relationship between the two elements.
+	// Such as "DEPENDS_ON", "DESCRIBES", "CONTAINS", etc., as defined by SPDX 2.3.
+	// Example: "DEPENDS_ON", "CONTAINS", "DESCRIBES", etc.
+	RelationshipType string `json:"relationshipType"`
 }
 
 // SBOMInfo represents a software bill of materials (SBOM) using SPDX.
@@ -53,6 +93,9 @@ type SBOMInfo struct {
 
 	// List of packages dependencies
 	Packages []*RepoDependencies `json:"packages,omitempty"`
+
+	// List of relationships between packages
+	Relationships []*SBOMRelationship `json:"relationships,omitempty"`
 }
 
 func (s SBOM) String() string {
