
Denote relationship between Product SBOM and other SBOM from SPDX #1140

Open
chirino opened this issue Jan 14, 2025 · 4 comments

Comments

@chirino
Contributor

chirino commented Jan 14, 2025

This is linked to https://issues.redhat.com/browse/TC-2049

Story

As a developer, I want to be able to ingest an SPDX SBOM that relates back to its Product SBOM (when defined in a separate SPDX SBOM).

This relationship should be traversable via the REST-API/UX.

When an SPDX v2.3 component SBOM is encoded with a relationship, ingesting it into trustify should establish a PACKAGE_OF trustify relationship.

{
  "spdxElementId": "SPDXRef-openssl-3.0.7-18.el9-2",
  "relationshipType": "PACKAGE_OF",
  "relatedSpdxElement": "SPDXRef-RHEL-9.2-EUS"
}

Alternatively, when an SPDX v2.3 product SBOM is encoded with externalDocumentRefs, ingesting it into trustify should establish a PACKAGE_OF trustify relationship.

{
  "SPDXID" : "example-product-sbom",
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "created": "2023-10-01T12:00:00Z",
  "externalDocumentRefs": [
    {
      "referenceDocumentIdentifier": "SPDXRef-other-sbom",
      "referenceCategory": "PACKAGE",
      "referenceType": "SPDX",
      "referenceLocator": "https://example.com/path/to/other-spdx-document.spdx"
    }
  ],
  ...
}

Acceptance Criteria:

  • View this information on api/v1/sbom, api/v1/analysis/root-component and api/v1/analysis/dep endpoints
  • List components for specific product (by CPE)
  • Existing support for sorting and querying extended
  • Expected Trustify internal relationship: pkg:oci/ose-cluster PACKAGE_OF cpe:/a:redhat:openshift

Search/Query

HTTP GET /api/v1/sbom
HTTP GET /api/v1/sbom?q={...}

{
  "id": "urn:uuid:01939af7-697e-7242-99d5-cbf11729fa79",
  "document_id": "https://www.redhat.com/comp.json",
  "published": "2006-08-14T02:34:56Z",
  "name": "kernel-module-management-operator-container-1.1.2-25",
  ...,

  "package_of": [
    {
      "id": "SPDXRef-image-index",
      "name": "kernel-module-management-product",
      "version": "1.1.2-25",
      "purl": [
        {
          "uuid": "2771e255-2ba5-5577-ab2c-3c43073f8841",
          "purl": "pkg:oci/kernel-module-management-product"
        }
      ],
      "cpe": []
    },
    ...
  ]
}

Expose PACKAGE_OF relationship information via other analysis graph endpoints.

HTTP GET /api/v1/analysis/root-component?q={...}
HTTP GET /api/v1/analysis/root-component/{purl|name}
HTTP GET /api/v1/analysis/dep?q={...}
HTTP GET /api/v1/analysis/dep/{purl|name}

{
  "sbom_id": "0193d5a4-a15c-76a0-8263-dc7334891dc8",
  "node_id": "SPDXRef-e32409d9-5f5f-416c-96e5-e8d7b53957f3",
  "purl": "...",
  "package_of": [
    {
      "purl": "..."
    },
    ...
  ],
  ...
}

Future/Other considerations

What happens when a product SBOM refers to a component SBOM that has yet to be ingested (or vice versa)?

It is out of scope to relate between different SBOM formats.
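An ingestion-side sketch of the component-SBOM path described in this issue, added here as an example and not code from trustify: it turns SPDX 2.3 PACKAGE_OF relationships into edges, resolves cross-document targets through externalDocumentRefs (SPDX 2.3 writes those targets as "DocumentRef-<id>:SPDXRef-<element>"), and sets aside edges whose product document has not been ingested yet, which is the open question under Future/Other considerations. The SBOM, namespaces and function name are constructed for illustration.

```python
"""Added example (not trustify code): derive PACKAGE_OF edges from an SPDX 2.3 JSON SBOM."""
import json

# Constructed component SBOM. The openssl package declares PACKAGE_OF a product element that
# lives in a separate product SBOM, reached through externalDocumentRefs; SPDX 2.3 spells such
# cross-document targets as "DocumentRef-<id>:SPDXRef-<element>".
COMPONENT_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "documentNamespace": "https://example.com/spdx/openssl-component",
    "packages": [{"SPDXID": "SPDXRef-openssl-3.0.7-18.el9-2", "name": "openssl"}],
    "externalDocumentRefs": [{
        "externalDocumentId": "DocumentRef-product",
        "spdxDocument": "https://example.com/spdx/rhel-9.2-eus",
        "checksum": {"algorithm": "SHA256", "checksumValue": "00" * 32},
    }],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-openssl-3.0.7-18.el9-2"},
        {"spdxElementId": "SPDXRef-openssl-3.0.7-18.el9-2", "relationshipType": "PACKAGE_OF",
         "relatedSpdxElement": "DocumentRef-product:SPDXRef-RHEL-9.2-EUS"},
    ],
})


def package_of_edges(sbom_json, ingested_namespaces):
    """Return (edges, pending): PACKAGE_OF edges whose target document is already known,
    and those that must wait because the referenced product SBOM is not ingested yet.
    Each entry is (package_id, target_namespace, target_element_id). A DocumentRef that
    is not declared in externalDocumentRefs is a document defect and raises ValueError."""
    doc = json.loads(sbom_json)
    own_ns = doc["documentNamespace"]
    ext = {r["externalDocumentId"]: r["spdxDocument"] for r in doc.get("externalDocumentRefs", [])}
    edges, pending = [], []
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") != "PACKAGE_OF":
            continue
        target = rel["relatedSpdxElement"]
        if target.startswith("DocumentRef-"):
            doc_ref, _, elem = target.partition(":")
            if doc_ref not in ext:
                raise ValueError(f"undeclared external document reference {doc_ref}")
            target_ns = ext[doc_ref]
        else:
            target_ns, elem = own_ns, target  # product element lives in this same document
        resolvable = target_ns == own_ns or target_ns in ingested_namespaces
        (edges if resolvable else pending).append((rel["spdxElementId"], target_ns, elem))
    return edges, pending
```

The pending list is what an ingester would have to persist and re-check once the product SBOM arrives, so that the PACKAGE_OF edge is created regardless of ingestion order.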

@chirino
Contributor Author

chirino commented Jan 14, 2025

Where can I find an example "spdx SBOM" and "Product SBOM" that have this relationship?

@JimFuller-RedHat
Collaborator

SPDX examples should all be in existing unit test cases today.

@chirino
Contributor Author

chirino commented Jan 14, 2025

So, I think I'm looking for an SPDX example where the ingested SPDX SBOM relates back to a separate product SPDX SBOM.

@JimFuller-RedHat
Collaborator

Sorry, let me explain a bit more ... the SPDX example for Product/Component is not provided by prodsec because we have no intention of generating it (e.g. CDX 1.6 is how we are going here on out). We can do the equivalent with existing SPDX relationship types ... we created this story for parity (though it is not on the critical path for prodsec). I can help create them with you.

chirino added a commit to chirino/trustify that referenced this issue Jan 21, 2025
github-merge-queue bot pushed a commit that referenced this issue Jan 22, 2025
chirino added a commit to chirino/trustify that referenced this issue Jan 22, 2025
Verify the relationship type shows up in 
`/api/v2/analysis/root-component` API calls.

Part of issue trustification#1140

Signed-off-by: Hiram Chirino <[email protected]>
ctron pushed a commit that referenced this issue Jan 23, 2025
github-merge-queue bot pushed a commit that referenced this issue Jan 26, 2025
ctron pushed a commit that referenced this issue Feb 4, 2025