Update spdx_parser.py to handle spdx file parsing logic to generate correct key value pair of dictionary #5
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -34,16 +34,31 @@ def parse_spdx_tag(self, sbom_file): | |
| packages = {} | ||
| package = "" | ||
| version = None | ||
| githubStr = "pkg.go.dev/" | ||
| for line in lines: | ||
| line_elements = line.split(":") | ||
| if line_elements[0] == "PackageName": | ||
| isProductNameWithOnlyVersionNumber = False | ||
| package = line_elements[1].strip().rstrip("\n") | ||
| productNameWithOnlyVersionNumber = re.compile(r'(/)') | ||
| if bool(productNameWithOnlyVersionNumber.search(package)) != True: | ||
| isProductNameWithOnlyVersionNumber = True | ||
| version = None | ||
| license = None | ||
| if line_elements[0] == "PackageVersion": | ||
| version = line[16:].strip().rstrip("\n") | ||
| if line_elements[0] == "PackageLicenseConcluded": | ||
| license = line_elements[1].strip().rstrip("\n") | ||
| if line_elements[0] == "PackageHomePage": | ||
|
There was a problem hiding this comment. If we add this check,we also need to do a corresponding check for all formats of SBOMs not just SPDX tag value SBOMs. There was a problem hiding this comment. Yes I will add same check for json, xml, yaml and rdf. |
||
| packageHomePage = line_elements[1].strip().rstrip("\n") | ||
| packageHomePageRemaining = "" | ||
| if len(line_elements) > 2 : | ||
| packageHomePageRemaining = line_elements[2].strip().rstrip("\n") | ||
| packageHomePage = packageHomePage + packageHomePageRemaining | ||
| if isProductNameWithOnlyVersionNumber: | ||
| tempArry = packageHomePage.split(githubStr) | ||
| if len(tempArry) == 2: | ||
| package = tempArry[1] | ||
| if package not in packages and version is not None and license is not None: | ||
| packages[package] = [version, license] | ||
|
|
||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not appropriate as this only works for Go packages. sbomdiff needs to be generic for all SBOMs and languages
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree I will add some check to do this only for GO libs.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you suggest how to find packages for other language like java, python etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think this is a valid change,
The differences in package name is due to the differences in the SBOM generator. Comparing SBOMs from different generators is a valid use case and I can see how useful it is to detect that the generators are creating different names for the same package. Trying to make sbomdiff cater for different generators and establish that the different package names are actually the same package is beyond the scope of sbomdiff as it is not viable to accommodate the approaches adopted by all the different SBOM generators for generating package names.