Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: 3098 add support for user to flag root package supplier and supplier inheritance #3646

Open
wants to merge 17 commits into
base: main
Choose a base branch
from
Open

feat: 3098 add support for user to flag root package supplier and supplier inheritance #3646

wants to merge 17 commits into from

Conversation

spiffcs
Copy link
Contributor

@spiffcs spiffcs commented Feb 5, 2025
edited
Loading

Description

This PR adds a new flag to syft called --source-supplier. This flag allows syft users to associate an optional supplier to the root component of the final document. It makes no determination about other packages cataloged by syft.

Formats updated

  • syft-json
  • spdx-json
  • cyclonedx-json
  • spdx
  • cyclonedx

The --source-supplier will be used to determine the supplier of the root component of the SBOM

This allows organizations generating SBOMs who want to produce NTIA compliant documents to assume the supplier field for software/containers they are producing.

Adds supplier to the following outputs:

spdx

go run cmd/syft/main.go -o spdx alpine:latest --source-supplier optional-supplier > test.json

##### Package: alpine

PackageName: alpine
SPDXID: SPDXRef-DocumentRoot-Image-alpine
PackageVersion: sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337
PackageSupplier: optional-supplier <-----------
PackageDownloadLocation: NOASSERTION
PrimaryPackagePurpose: CONTAINER
FilesAnalyzed: false
PackageChecksum: SHA256: 47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:oci/alpine@sha256%3A47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337?arch=arm64&tag=latest

spdx-json

go run cmd/syft/main.go -o spdx-json alpine:latest --supplier optional-supplier > test.json

  {
   "name": "alpine",
   "SPDXID": "SPDXRef-DocumentRoot-Image-alpine",
   "versionInfo": "sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337",
   "supplier": "Organization: optional-supplier", <-----------
   "downloadLocation": "NOASSERTION",
   "filesAnalyzed": false,
   "checksums": [
    {
     "algorithm": "SHA256",
     "checksumValue": "47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337"
    }
   ],
   "licenseConcluded": "NOASSERTION",
   "licenseDeclared": "NOASSERTION",
   "copyrightText": "NOASSERTION",
   "externalRefs": [
    {
     "referenceCategory": "PACKAGE-MANAGER",
     "referenceType": "purl",
     "referenceLocator": "pkg:oci/alpine@sha256%3A47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337?arch=arm64&tag=latest"
    }
   ],
   "primaryPackagePurpose": "CONTAINER"
  }

syft-json

go run cmd/syft/main.go -o json alpine:latest --supplier optional-supplier > test.json

 "source": {
  "id": "47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337",
  "name": "alpine",
  "version": "sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337",
  "supplier": "optional-supplier", <-----------
  "type": "image",
  "metadata": {
   "userInput": "alpine:latest",
   "imageID": "sha256:7ad00e65ee25911881c06b97a3e562675d255e1265ba4abadd3e906d266c1dcc",
   "manifestDigest": "sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337",
   "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
   "tags": [
    "alpine:latest"
   ],
   "imageSize": 8169605,

cyclonedx-json

Note: for cyclonedx-json we're putting supplier in two spots that the format supports. One is the top level BOM description. The other is for the root component identified in the bom

- `metadata.supplier`
The organization that supplied the component that the BOM describes. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.

- `metadata.component.supplier`
The organization that supplied the component. 
The supplier may often be the manufacturer, but may also be a distributor or repackager.

go run cmd/syft/main.go -o cyclonedx-json alpine:latest --supplier optional-supplier > test.json

  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:f6d124b0-c4ba-48dc-96a4-6b0e12d8eefe",
  "version": 1,
  "metadata": {
    "timestamp": "2025-02-07T12:54:04-05:00",
    "tools": {
      "components": [
        {
          "type": "application",
          "author": "anchore",
          "name": "syft",
          "version": "[not provided]"
        }
      ]
    },
    "component": {
      "bom-ref": "327aecd176f7b31f",
      "type": "container",
      "supplier": {
        "name": "optional-supplier" <------
      },
      "name": "alpine",
      "version": "sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337"
    },
    "supplier": {
      "name": "optional-supplier" <-------
    }
  },

cyclonedx

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.6" serialNumber="urn:uuid:64f0a96d-319a-4faa-a13c-5deb1f46f8c9" version="1">
  <metadata>
    <timestamp>2025-02-07T12:59:47-05:00</timestamp>
    <tools>
      <components>
        <component type="application">
          <author>anchore</author>
          <name>syft</name>
          <version>[not provided]</version>
        </component>
      </components>
    </tools>
    <component bom-ref="327aecd176f7b31f" type="container">
      <supplier>
        <name>optional-supplier</name> <------
      </supplier>
      <name>alpine</name>
      <version>sha256:47badde288cf303fe43766ba3c0be01df313b84ad91480c1f21b7e907a7f2337</version>
    </component>
    <supplier>
      <name>optional-supplier</name> <-----
    </supplier>
  </metadata>
  <components>

Fixes

Type of change

  • New feature (non-breaking change which adds functionality)
  • Documentation (updates the documentation)

Checklist:

  • I have added unit tests that cover changed behavior
  • I have tested my code in common scenarios and confirmed there are no regressions
  • I have added comments to my code, particularly in hard-to-understand sections

@spiffcs
chore: add supplier field to the core syft document
7721188 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
feat: add supplier as flag for top level syft
1450d3e 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
feat: thread supplier field into create_sbom
8e2de41 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
feat: add supplier into format model and syft model paths
6f786e6 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
chore: update schema with syft-json tests
13f9b3c 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
question: unsure on location of supplier
58445ea 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
feat: thread supplier into spdx-json format
1b33456 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
feat: update tests and spdxjson to omit empty
64ff665 
Signed-off-by: Christopher Phillips <[email protected]>
@github-actions github-actions bot added the json-schema Changes the json schema label Feb 5, 2025
This was linked to issues Feb 6, 2025
Option to set PackageSupplier in root of SPDX document generated by CLI #3098
Open
Convert command should consider NTIA requirements #3067
Open
@spiffcs
Merge branch 'main' of https://github.com/anchore/syft into 1961-add-…
3acd0f7 
…suport-package-supplier

* 'main' of https://github.com/anchore/syft:
  chore(deps): bump github/codeql-action from 3.28.8 to 3.28.9 (#3648)
  feat: 3626 add option enable license content; disable by default (#3631)
@spiffcs
chore: test refactors and model updates
40a8d7d 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs
test: cyclonedx-test
60feed1 
Signed-off-by: Christopher Phillips <[email protected]>
@spiffcs spiffcs marked this pull request as ready for review February 7, 2025 18:01
@spiffcs spiffcs changed the title feat: 1961 add support for root package supplier feat: 3098 add support for root package supplier Feb 7, 2025
@spiffcs spiffcs changed the title feat: 3098 add support for root package supplier feat: 3098 add support for user to flag root package supplier Feb 7, 2025
@spiffcs spiffcs removed a link to an issue Feb 7, 2025
Convert command should consider NTIA requirements #3067
Open
@spiffcs spiffcs changed the title feat: 3098 add support for user to flag root package supplier feat: 3098 add support for user to flag root package supplier and supplier inheritance Feb 7, 2025
wagoodman
wagoodman reviewed Feb 10, 2025
View reviewed changes
syft/format/internal/cyclonedxutil/helpers/component.go
@@ -58,6 +59,16 @@ func EncodeComponent(p pkg.Package) cyclonedx.Component {
}
}

// TODO: we eventually want to update this so that we can read "supplier" from different syft metadata
func encodeSupplier(_ pkg.Package, sbomSupplier string) *cyclonedx.OrganizationalEntity {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the equivalent decoder support for this field I think is missing (getting supplier specified in a syft doc when decoding a cyclonedx one)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

might be worth updating the encoder-decoder cycle integration test to have a supplier specified in the source.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wagoodman wagoodman wagoodman left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
json-schema Changes the json schema
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Option to set PackageSupplier in root of SPDX document generated by CLI
2 participants
@spiffcs @wagoodman