feat: reduce duplicate module processing
anthonyharrison committed Jul 31, 2024
1 parent 1bd9dbd commit 185d7fa
Showing 1 changed file with 70 additions and 61 deletions.
131 changes: 70 additions & 61 deletions sbom4python/scanner.py
Expand Up @@ -89,71 +89,81 @@ def process_module(self, module, parent="-"):
)
if self.debug:
print(f"Metadata for {module}\n{self.metadata}")

self.sbom_package.initialise()
package = self.get("Name").lower().replace("_", "-")
version = self.get("Version")
self.sbom_package.set_name(package)
self.sbom_package.set_property("language", "Python")
self.sbom_package.set_property("python_version", self.python_version)
self.sbom_package.set_version(version)
if parent == "-":
self.sbom_package.set_type("application")
self.sbom_package.set_filesanalysis(self.include_file)
license = self.license.find_license(self.get("License"))
# Report license as reported by metadata. If not valid SPDX, report NOASSERTION
if license != self.get("License"):
self.sbom_package.set_licensedeclared("NOASSERTION")
if (package, version) in self.sbom_packages:
if self.debug:
print(f"Already processed {package} {version}")
else:
self.sbom_package.set_licensedeclared(license)
# Report license if valid SPDX identifier
self.sbom_package.set_licenseconcluded(license)
# Add comment if metadata license was modified
license_comment = ""
if len(self.get("License")) > 0 and license != self.get("License"):
license_comment = f"{self.get('Name')} declares {self.get('License')} which is not currently a valid SPDX License identifier or expression."
# Report if license is deprecated
if self.license.deprecated(license):
deprecated_comment = f"{license} is now deprecated."
self.sbom_package.set_name(package)
self.sbom_package.set_property("language", "Python")
self.sbom_package.set_property("python_version", self.python_version)
self.sbom_package.set_version(version)
if parent == "-":
self.sbom_package.set_type("application")
self.sbom_package.set_filesanalysis(self.include_file)
license = self.license.find_license(self.get("License"))
# Report license as reported by metadata. If not valid SPDX, report NOASSERTION
if license != self.get("License"):
self.sbom_package.set_licensedeclared("NOASSERTION")
else:
self.sbom_package.set_licensedeclared(license)
# Report license if valid SPDX identifier
self.sbom_package.set_licenseconcluded(license)
# Add comment if metadata license was modified
license_comment = ""
if len(self.get("License")) > 0 and license != self.get("License"):
license_comment = f"{self.get('Name')} declares {self.get('License')} which is not currently a valid SPDX License identifier or expression."
# Report if license is deprecated
if self.license.deprecated(license):
deprecated_comment = f"{license} is now deprecated."
if len(license_comment) > 0:
license_comment = f"{license_comment} {deprecated_comment}"
else:
license_comment = deprecated_comment
if len(license_comment) > 0:
license_comment = f"{license_comment} {deprecated_comment}"
self.sbom_package.set_licensecomments(license_comment)
supplier = self.get("Author") + " " + self.get("Author-email")
if len(supplier.split()) > 3:
self.sbom_package.set_supplier(
"Organization", self._format_supplier(supplier)
)
elif len(supplier) > 1:
self.sbom_package.set_supplier(
"Person", self._format_supplier(supplier)
)
else:
license_comment = deprecated_comment
if len(license_comment) > 0:
self.sbom_package.set_licensecomments(license_comment)
supplier = self.get("Author") + " " + self.get("Author-email")
if len(supplier.split()) > 3:
self.sbom_package.set_supplier(
"Organization", self._format_supplier(supplier)
)
elif len(supplier) > 1:
self.sbom_package.set_supplier(
"Person", self._format_supplier(supplier)
self.sbom_package.set_supplier("UNKNOWN", "NOASSERTION")
if self.get("Home-page") != "":
self.sbom_package.set_homepage(self.get("Home-page"))
if self.get("Summary") != "":
self.sbom_package.set_summary(self.get("Summary"))
self.sbom_package.set_downloadlocation(
f'https://pypi.org/project/{self.get("Name")}/{version}'
)
else:
self.sbom_package.set_supplier("UNKNOWN", "NOASSERTION")
if self.get("Home-page") != "":
self.sbom_package.set_homepage(self.get("Home-page"))
if self.get("Summary") != "":
self.sbom_package.set_summary(self.get("Summary"))
self.sbom_package.set_downloadlocation(
f'https://pypi.org/project/{self.get("Name")}/{version}'
)
# External references
self.sbom_package.set_purl(f"pkg:pypi/{package}@{version}")
if len(supplier) > 1:
component_supplier = self._format_supplier(
supplier, include_email=False
)
cpe_version = version.replace(':','\\:')
self.sbom_package.set_cpe(f"cpe:2.3:a:{component_supplier.replace(' ', '_').lower()}:{package}:{cpe_version}:*:*:*:*:*:*:*")
self.package_metadata.get_package(package)
checksum = self.package_metadata.get_checksum(version=version)
if checksum is not None:
self.sbom_package.set_checksum("SHA1", checksum)
# Store package data
self.sbom_packages[
(self.sbom_package.get_name(), self.sbom_package.get_value("version"))
] = self.sbom_package.get_package()
# External references
self.sbom_package.set_purl(f"pkg:pypi/{package}@{version}")
if len(supplier) > 1:
component_supplier = self._format_supplier(
supplier, include_email=False
)
cpe_version = version.replace(":", "\\:")
self.sbom_package.set_cpe(
f"cpe:2.3:a:{component_supplier.replace(' ', '_').lower()}:{package}:{cpe_version}:*:*:*:*:*:*:*"
)
self.package_metadata.get_package(package)
checksum = self.package_metadata.get_checksum(version=version)
if checksum is not None:
self.sbom_package.set_checksum("SHA1", checksum)
# Store package data
self.sbom_packages[
(
self.sbom_package.get_name(),
self.sbom_package.get_value("version"),
)
] = self.sbom_package.get_package()
# Add relationship
self.sbom_relationship.initialise()
if parent != "-":
Expand Down Expand Up @@ -239,11 +249,10 @@ def process_system(self):
modules = []
# Ignore headers in output stream
for m in out[2:]:
modules.append(m.split(' ')[0])
modules.append(m.split(" ")[0])
if self.debug:
print (modules)
print(modules)
self.set_parent("system")
for module_name in modules:
if self.process_module(module_name):
self.analyze(self.get("Name"), self.get("Requires"))
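Review bot: The duplicate branch introduced at `if (package, version) in self.sbom_packages:` only skips building the package; control still falls through to `# Add relationship` with a freshly `initialise()`d `self.sbom_package` on which `set_name` was never called, and `process_system` in the second hunk still calls `self.analyze(...)` whenever `process_module` returns truthy, so an already-processed module may get a relationship recorded and its dependency tree re-walked anyway. If the goal is to stop re-processing, the duplicate branch should end with `return False` (or the relationship step should be guarded by the same test); the tail of `process_module` and its return value lie outside the hunk, so I cannot confirm what it currently returns. The lookup key uses the normalized `package` name while the stored key at `self.sbom_packages[(self.sbom_package.get_name(), ...)]` uses whatever `get_name()` yields after `set_name(package)`; if those ever diverge the check never fires, so a comment such as `# key must match the (get_name(), get_value("version")) tuple stored below` would document the invariant the new check depends on.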
