
Commit 4f00e9e

sbom: Use layer digest for layer package version
Currently we use the base OS version as the layer package version, which confusingly gives most image layers of Wolfi-based images an old-looking version string that has little to do with the layer itself. For the top-level image we already use the image digest; this change applies the same behavior to image layers.
1 parent 89f7c13 commit 4f00e9e

9 files changed

Lines changed: 97 additions & 10 deletions

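--- a/pkg/sbom/generator/spdx/spdx.go
+++ b/pkg/sbom/generator/spdx/spdx.go
@@ -427,13 +427,13 @@ func (sx *SPDX) imagePackage(opts *options.Options) (p *Package) {
 
 // LayerPackage returns a package describing the layer
 func (sx *SPDX) layerPackage(opts *options.Options, layer v1.Descriptor) *Package {
-layerPackageName := hashToString(layer.Digest)
-mainPkgID := stringToIdentifier(layerPackageName)
+layerDigest := hashToString(layer.Digest)
+mainPkgID := stringToIdentifier(layerDigest)
 
 return &Package{
 ID: fmt.Sprintf("SPDXRef-Package-%s", mainPkgID),
-Name: layerPackageName,
-Version: opts.OS.Version,
+Name: layerDigest,
+Version: layerDigest,
 FilesAnalyzed: false,
 Description: "apko operating system layer",
 DownloadLocation: NOASSERTION,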
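Review bot: The new `Version: layerDigest` inherits the empty-digest hole that `Name` already had: the unchanged fixtures in this same commit show that a zero-value `v1.Descriptor` yields a package with `"SPDXID": "SPDXRef-Package-"`, `"name": ""` and now no `versionInfo` at all, so an unidentifiable layer entry lands in the SBOM (and, if more than one such layer is emitted, presumably colliding SPDXIDs — the calling loop is outside this hunk). I would either guard at the top of the function, `if layerDigest == "" { return nil }`, if the caller tolerates nil, or at least document the precondition: `// layer.Digest must be set: an empty digest produces an empty name and an ambiguous SPDXID.` Because the digest is now the only thing that identifies the layer, consider also recording it in the package's checksums field (if the Package type carries one) so SBOM consumers can match the entry against the layer blob instead of parsing it out of `name`. Unrelated nit on the context line: the doc comment says `LayerPackage` while the func is `layerPackage`.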

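--- a/pkg/sbom/generator/spdx/spdx_test.go
+++ b/pkg/sbom/generator/spdx/spdx_test.go
@@ -231,6 +231,33 @@ func TestSPDX_Generate(t *testing.T) {
 },
 },
 },
+{
+name: "layer-with-digest",
+opts: &options.Options{
+ImageInfo: options.ImageInfo{
+Layers: []v1.Descriptor{{
+Digest: v1.Hash{
+Algorithm: "sha256",
+Hex: "abc123def456",
+},
+}},
+},
+OS: options.OSInfo{
+Name: "unknown",
+ID: "unknown",
+Version: "3.0",
+},
+FileName: "sbom",
+Packages: []*apk.InstalledPackage{
+{
+Package: apk.Package{
+Name: "libattr1",
+Version: "2.5.1-r2",
+},
+},
+},
+},
+},
 }
 
 for _, tt := range tests {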
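Review bot: The `Hex: "abc123def456"` in the new case is a 12-character string, not a 64-hex SHA-256 digest; building `v1.Hash` as a struct literal skips whatever validation the parsing constructor applies, so the fixture exercises a value that can never come out of a real image. I would use a full-length digest, e.g. `Hex: strings.Repeat("ab", 32)`, so the expected SBOM and its SPDXID/purl reflect real-world lengths. The case also has a single layer, so it does not check that two layers with distinct digests get distinct SPDXIDs, which is the property the commit message is really after; a second `v1.Descriptor` in `Layers` would cover it. The enclosing `tests` table starts outside this hunk.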

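--- a/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json
+++ b/pkg/sbom/generator/spdx/testdata/expected_image_sboms/both-describes-methods.spdx.json
@@ -19,7 +19,6 @@
 {
 "SPDXID": "SPDXRef-Package-",
 "name": "",
-"versionInfo": "3.0",
 "filesAnalyzed": false,
 "description": "apko operating system layer",
 "downloadLocation": "NOASSERTION",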

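--- a/pkg/sbom/generator/spdx/testdata/expected_image_sboms/custom-license.spdx.json
+++ b/pkg/sbom/generator/spdx/testdata/expected_image_sboms/custom-license.spdx.json
@@ -19,7 +19,6 @@
 {
 "SPDXID": "SPDXRef-Package-",
 "name": "",
-"versionInfo": "3.0",
 "filesAnalyzed": false,
 "description": "apko operating system layer",
 "downloadLocation": "NOASSERTION",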

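--- a/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json
+++ b/pkg/sbom/generator/spdx/testdata/expected_image_sboms/describes-relationship.spdx.json
@@ -19,7 +19,6 @@
 {
 "SPDXID": "SPDXRef-Package-",
 "name": "",
-"versionInfo": "3.0",
 "filesAnalyzed": false,
 "description": "apko operating system layer",
 "downloadLocation": "NOASSERTION",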
Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,66 @@
1+
{
2+
"SPDXID": "SPDXRef-DOCUMENT",
3+
"name": "sbom-sha256:abc123def456",
4+
"spdxVersion": "SPDX-2.3",
5+
"creationInfo": {
6+
"created": "0001-01-01T00:00:00Z",
7+
"creators": [
8+
"Tool: apko (devel)",
9+
"Organization: Chainguard, Inc"
10+
],
11+
"licenseListVersion": "3.16"
12+
},
13+
"dataLicense": "CC0-1.0",
14+
"documentNamespace": "https://spdx.org/spdxdocs/apko/",
15+
"documentDescribes": [
16+
"SPDXRef-Package-sha256-abc123def456"
17+
],
18+
"packages": [
19+
{
20+
"SPDXID": "SPDXRef-Package-sha256-abc123def456",
21+
"name": "sha256:abc123def456",
22+
"versionInfo": "sha256:abc123def456",
23+
"filesAnalyzed": false,
24+
"description": "apko operating system layer",
25+
"downloadLocation": "NOASSERTION",
26+
"supplier": "Organization: unknown",
27+
"externalRefs": [
28+
{
29+
"referenceCategory": "PACKAGE-MANAGER",
30+
"referenceLocator": "pkg:oci/image@sha256%3Aabc123def456?mediaType=\u0026os=linux",
31+
"referenceType": "purl"
32+
}
33+
]
34+
},
35+
{
36+
"SPDXID": "SPDXRef-OperatingSystem-unknown",
37+
"name": "unknown",
38+
"versionInfo": "3.0",
39+
"filesAnalyzed": false,
40+
"description": "Operating System",
41+
"downloadLocation": "NOASSERTION",
42+
"supplier": "Organization: unknown",
43+
"primaryPackagePurpose": "OPERATING_SYSTEM"
44+
},
45+
{
46+
"SPDXID": "SPDXRef-Package-libattr1-2.5.1-r2",
47+
"name": "libattr1",
48+
"versionInfo": "2.5.1-r2",
49+
"filesAnalyzed": false,
50+
"licenseConcluded": "NOASSERTION",
51+
"licenseDeclared": "GPL-2.0-or-later",
52+
"downloadLocation": "NOASSERTION",
53+
"originator": "Organization: unknown",
54+
"supplier": "Organization: unknown",
55+
"copyrightText": "TODO\n",
56+
"externalRefs": [
57+
{
58+
"referenceCategory": "PACKAGE_MANAGER",
59+
"referenceLocator": "pkg:apk/wolfi/libattr1@2.5.1-r2?arch=x86_64",
60+
"referenceType": "purl"
61+
}
62+
]
63+
}
64+
],
65+
"relationships": []
66+
}

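--- a/pkg/sbom/generator/spdx/testdata/expected_image_sboms/no-supplier.spdx.json
+++ b/pkg/sbom/generator/spdx/testdata/expected_image_sboms/no-supplier.spdx.json
@@ -19,7 +19,6 @@
 {
 "SPDXID": "SPDXRef-Package-",
 "name": "",
-"versionInfo": "3.0",
 "filesAnalyzed": false,
 "description": "apko operating system layer",
 "downloadLocation": "NOASSERTION",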

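--- a/pkg/sbom/generator/spdx/testdata/expected_image_sboms/package-deduplicating.spdx.json
+++ b/pkg/sbom/generator/spdx/testdata/expected_image_sboms/package-deduplicating.spdx.json
@@ -19,7 +19,6 @@
 {
 "SPDXID": "SPDXRef-Package-",
 "name": "",
-"versionInfo": "3.0",
 "filesAnalyzed": false,
 "description": "apko operating system layer",
 "downloadLocation": "NOASSERTION",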

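--- a/pkg/sbom/generator/spdx/testdata/expected_image_sboms/unbound-package-dedupe.spdx.json
+++ b/pkg/sbom/generator/spdx/testdata/expected_image_sboms/unbound-package-dedupe.spdx.json
@@ -19,7 +19,6 @@
 {
 "SPDXID": "SPDXRef-Package-",
 "name": "",
-"versionInfo": "3.0",
 "filesAnalyzed": false,
 "description": "apko operating system layer",
 "downloadLocation": "NOASSERTION",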
