feat: implement ingestion of SPDX and CDX external references

trustification · Feb 12, 2025 · c3120e2 · c3120e2
1 parent ba0af8f
commit c3120e2
Show file tree

Hide file tree

Showing 13 changed files with 813 additions and 19 deletions.
diff --git a/entity/src/sbom_external_node.rs b/entity/src/sbom_external_node.rs
@@ -12,8 +12,11 @@ pub struct Model {
     pub external_node_ref: String,
     pub external_type: ExternalType,
     pub target_sbom_id: Option<Uuid>,
+    pub discriminator_type: Option<DiscriminatorType>,
+    pub discriminator_value: Option<String>,
 }
 
+/// Type of the SBOM document discriminator, when using external references.
 #[derive(
     Debug,
     Clone,
@@ -28,7 +31,35 @@ pub struct Model {
 )]
 #[sea_orm(rs_type = "i32", db_type = "Integer")]
 #[serde(rename_all = "snake_case")]
+pub enum DiscriminatorType {
+    /// By using an SHA-256 digest
+    #[sea_orm(num_value = 0)]
+    Sha256,
+    /// By using an SHA-384 digest
+    #[sea_orm(num_value = 1)]
+    Sha384,
+    /// By using an SHA-512 digest
+    #[sea_orm(num_value = 2)]
+    Sha512,
+    /// By using an CycloneDX version
+    #[sea_orm(num_value = 3)]
+    CycloneDxVersion,
+}
 
+#[derive(
+    Debug,
+    Clone,
+    Copy,
+    PartialEq,
+    Eq,
+    EnumIter,
+    DeriveActiveEnum,
+    serde::Serialize,
+    serde::Deserialize,
+    DeepSizeOf,
+)]
+#[sea_orm(rs_type = "i32", db_type = "Integer")]
+#[serde(rename_all = "snake_case")]
 pub enum ExternalType {
     #[sea_orm(num_value = 0)]
     SPDX,

diff --git a/etc/test-data/spdx/simple-ext-a.json b/etc/test-data/spdx/simple-ext-a.json
@@ -0,0 +1,243 @@
+{
+  "SPDXID": "SPDXRef-DOCUMENT",
+  "creationInfo": {
+    "created": "1970-01-01T13:30:00Z",
+    "creators": [
+      "Trustify"
+    ],
+    "comment": "This is a simple example for an spdx SBOM with an external reference.",
+    "licenseListVersion": "3.8"
+  },
+  "externalDocumentRefs": [
+    {
+      "externalDocumentId": "DocumentRef-ext-b",
+      "spdxDocument": "uri:simple-ext-b",
+      "checksum": {
+        "algorithm": "SHA256",
+        "checksumValue": "60bf029859f5927eafba8dd02c73b9075e40a2089c92da9c1062b01dcd2b300c"
+      }
+    }
+  ],
+  "dataLicense": "CC0-1.0",
+  "documentNamespace": "uri:simple-ext-a",
+  "name": "simple-a",
+  "packages": [
+    {
+      "SPDXID": "SPDXRef-A",
+      "copyrightText": "NOASSERTION",
+      "downloadLocation": "foo",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]?arch=src",
+          "referenceType": "purl"
+        },
+        {
+          "referenceCategory": "SECURITY",
+          "referenceLocator": "cpe:/a:redhat:simple:1::el9",
+          "referenceType": "cpe22Type"
+        }
+      ],
+      "filesAnalyzed": false,
+      "licenseComments": "Licensing information is automatically generated and may be incomplete or incorrect.",
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "name": "A",
+      "originator": "NOASSERTION",
+      "packageFileName": "NOASSERTION",
+      "supplier": "Organization: Red Hat",
+      "versionInfo": "1"
+    },
+    {
+      "SPDXID": "SPDXRef-B",
+      "copyrightText": "NOASSERTION",
+      "downloadLocation": "foo",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]",
+          "referenceType": "purl"
+        }
+      ],
+      "filesAnalyzed": false,
+      "licenseComments": "Licensing information is automatically generated and may be incomplete or incorrect.",
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "name": "B",
+      "originator": "NOASSERTION",
+      "packageFileName": "NOASSERTION",
+      "supplier": "Organization: Red Hat",
+      "versionInfo": "1"
+    },
+    {
+      "SPDXID": "SPDXRef-AA",
+      "copyrightText": "NOASSERTION",
+      "downloadLocation": "foo",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]?arch=src",
+          "referenceType": "purl"
+        },
+        {
+          "referenceCategory": "SECURITY",
+          "referenceLocator": "cpe:/a:redhat:simple:1::el9",
+          "referenceType": "cpe22Type"
+        }
+      ],
+      "filesAnalyzed": false,
+      "licenseComments": "Licensing information is automatically generated and may be incomplete or incorrect.",
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "name": "AA",
+      "originator": "NOASSERTION",
+      "packageFileName": "NOASSERTION",
+      "supplier": "Organization: Red Hat",
+      "versionInfo": "1"
+    },
+    {
+      "SPDXID": "SPDXRef-BB",
+      "copyrightText": "NOASSERTION",
+      "downloadLocation": "foo",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]",
+          "referenceType": "purl"
+        }
+      ],
+      "filesAnalyzed": false,
+      "licenseComments": "Licensing information is automatically generated and may be incomplete or incorrect.",
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "name": "BB",
+      "originator": "NOASSERTION",
+      "packageFileName": "NOASSERTION",
+      "supplier": "Organization: Red Hat",
+      "versionInfo": "1"
+    },
+    {
+      "SPDXID": "SPDXRef-CC",
+      "copyrightText": "NOASSERTION",
+      "downloadLocation": "foo",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]",
+          "referenceType": "purl"
+        }
+      ],
+      "filesAnalyzed": false,
+      "licenseComments": "Licensing information is automatically generated and may be incomplete or incorrect.",
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "name": "CC",
+      "originator": "NOASSERTION",
+      "packageFileName": "NOASSERTION",
+      "supplier": "Organization: Red Hat",
+      "versionInfo": "1"
+    },
+    {
+      "SPDXID": "SPDXRef-DD",
+      "copyrightText": "NOASSERTION",
+      "downloadLocation": "foo",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]",
+          "referenceType": "purl"
+        }
+      ],
+      "filesAnalyzed": false,
+      "licenseComments": "Licensing information is automatically generated and may be incomplete or incorrect.",
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "name": "DD",
+      "originator": "NOASSERTION",
+      "packageFileName": "NOASSERTION",
+      "supplier": "Organization: Red Hat",
+      "versionInfo": "1"
+    },
+    {
+      "SPDXID": "SPDXRef-EE",
+      "copyrightText": "NOASSERTION",
+      "downloadLocation": "foo",
+      "externalRefs": [
+        {
+          "referenceCategory": "PACKAGE-MANAGER",
+          "referenceLocator": "pkg:rpm/redhat/[email protected]?arch=src",
+          "referenceType": "purl"
+        }
+      ],
+      "filesAnalyzed": false,
+      "licenseComments": "Licensing information is automatically generated and may be incomplete or incorrect.",
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "name": "EE",
+      "originator": "NOASSERTION",
+      "packageFileName": "NOASSERTION",
+      "supplier": "Organization: Red Hat",
+      "versionInfo": "1"
+    },
+    {
+      "SPDXID": "SPDXRef-FF",
+      "copyrightText": "NOASSERTION",
+      "downloadLocation": "foo",
+      "externalRefs": [
+        {
+          "referenceCategory": "SECURITY",
+          "referenceLocator": "cpe:/a:redhat:a-FF:1:*:*:*:*:*",
+          "referenceType": "cpe22Type"
+        }
+      ],
+      "filesAnalyzed": false,
+      "licenseComments": "Licensing information is automatically generated and may be incomplete or incorrect.",
+      "licenseConcluded": "NOASSERTION",
+      "licenseDeclared": "NOASSERTION",
+      "name": "FF",
+      "originator": "NOASSERTION",
+      "packageFileName": "NOASSERTION",
+      "supplier": "Organization: Red Hat",
+      "versionInfo": "1"
+    }
+
+  ],
+  "relationships" : [
+    {
+      "spdxElementId" : "SPDXRef-B",
+      "relatedSpdxElement" : "SPDXRef-A",
+      "relationshipType" : "CONTAINED_BY"
+    },
+    {
+      "spdxElementId" : "SPDXRef-BB",
+      "relatedSpdxElement" : "SPDXRef-AA",
+      "relationshipType" : "CONTAINED_BY"
+    },
+    {
+      "spdxElementId" : "SPDXRef-CC",
+      "relatedSpdxElement" : "SPDXRef-BB",
+      "relationshipType" : "CONTAINED_BY"
+    },
+    {
+      "spdxElementId" : "SPDXRef-DD",
+      "relatedSpdxElement" : "SPDXRef-BB",
+      "relationshipType" : "CONTAINED_BY"
+    },
+    {
+      "spdxElementId" : "SPDXRef-FF",
+      "relatedSpdxElement" : "SPDXRef-DD",
+      "relationshipType" : "CONTAINED_BY"
+    },
+    {
+      "spdxElementId": "SPDXRef-DOCUMENT",
+      "relatedSpdxElement": "SPDXRef-A",
+      "relationshipType": "DESCRIBES"
+    },
+    {
+      "spdxElementId": "SPDXRef-A",
+      "relatedSpdxElement": "DocumentRef-ext-b:SPDXRef-A",
+      "relationshipType": "PACKAGE_OF"
+    }
+  ],
+  "spdxVersion": "SPDX-2.2"
+}