diff --git a/ntia_conformance_checker/sbom_checker.py b/ntia_conformance_checker/sbom_checker.py index 64c5db1..f2892ee 100644 --- a/ntia_conformance_checker/sbom_checker.py +++ b/ntia_conformance_checker/sbom_checker.py @@ -74,16 +74,19 @@ def get_components_without_names(self): components_without_names.append(package.spdx_id) return components_without_names - def get_components_without_versions(self): - """Retrieve SPDX ID of components without names.""" + def get_components_without_versions(self, return_tuples=False): + """Retrieve name and/or SPDX ID of components without versions.""" components_without_versions = [] for package in self.doc.packages: if not package.version: - components_without_versions.append(package.name) + if return_tuples: + components_without_versions.append((package.name, package.spdx_id)) + else: + components_without_versions.append(package.name) return components_without_versions - def get_components_without_suppliers(self): - """Retrieve name of components without suppliers.""" + def get_components_without_suppliers(self, return_tuples=False): + """Retrieve name and/or SPDX ID of components without suppliers.""" components_without_suppliers = [] for package in self.doc.packages: # both package supplier and package originator satisfy the "supplier" @@ -96,7 +99,10 @@ def get_components_without_suppliers(self): package.originator, SpdxNoAssertion ) if no_package_supplier and no_package_originator: - components_without_suppliers.append(package.name) + if return_tuples: + components_without_suppliers.append((package.name, package.spdx_id)) + else: + components_without_suppliers.append(package.name) return components_without_suppliers diff --git a/tests/data/other_tests/test_components_without_functions.spdx b/tests/data/other_tests/test_components_without_functions.spdx new file mode 100644 index 0000000..c82526a --- /dev/null +++ b/tests/data/other_tests/test_components_without_functions.spdx 
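Review bot: `return_tuples` is a positional boolean that switches the element type of the returned list (str versus tuple), so a caller writing `get_components_without_versions(True)` gets a silently different shape; make it keyword-only and annotate it, `def get_components_without_versions(self, *, return_tuples: bool = False):`, and do the same for `get_components_without_suppliers`. The new docstring says "name and/or SPDX ID" but the code returns either the name or a (name, spdx_id) pair, never both; suggest `"""Return the names of packages without a version, or (name, spdx_id) pairs when return_tuples is True."""` and the matching wording for suppliers. The four-line if/else can be a single append, `components_without_versions.append((package.name, package.spdx_id) if return_tuples else package.name)`, which also removes the duplicated branch in the second hunk at @@ -96. get_components_without_suppliers starts in the first hunk and continues past the end of the second.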
@@ -0,0 +1,259 @@ +## Document Information +SPDXVersion: SPDX-2.3 +DataLicense: CC0-1.0 +SPDXID: SPDXRef-DOCUMENT +DocumentName: SPDX-Tools-v2.0 +DocumentNamespace: http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301 +DocumentComment: This document was created using SPDX 2.0 using licenses from the web site. + +## Creation Information +LicenseListVersion: 3.17 +Creator: Tool: LicenseFind-1.0 +Creator: Organization: ExampleCodeInspect +Creator: Person: Jane Doe +Created: 2010-01-29T18:30:22Z +CreatorComment: This package has been shipped in source and binary form. +The binaries were created with gcc 4.5.1 and expect to link to +compatible system run time libraries. + +## Package Information +PackageName: glibc +SPDXID: SPDXRef-Package +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageFileName: glibc-2.11.1.tar.gz +PackageSupplier: NOASSERTION +PackageOriginator: Organization: ExampleCodeInspect (contact@example.com) +PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz +FilesAnalyzed: true +PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx) +PackageChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24 +PackageChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c +PackageChecksum: SHA256: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd +PackageChecksum: BLAKE2b-384: aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706 +PackageHomePage: http://ftp.gnu.org/gnu/glibc +PackageSourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git. +PackageLicenseConcluded: LGPL-2.0-only OR LicenseRef-3 +PackageLicenseInfoFromFiles: GPL-2.0-only +PackageLicenseInfoFromFiles: LicenseRef-2 +PackageLicenseInfoFromFiles: LicenseRef-1 +PackageLicenseDeclared: LGPL-2.0-only AND LicenseRef-3 +PackageLicenseComments: The license for this project changed with the release of version x.y. 
The version of the project included here post-dates the license change. +PackageCopyrightText: Copyright 2008-2010 John Smith +PackageSummary: GNU C library. +PackageDescription: The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems. +ExternalRef: SECURITY cpe23Type cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:* +ExternalRef: OTHER http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge acmecorp/acmenator/4.1.3-alpha +ExternalRefComment: This is the external ref for Acme +PackageAttributionText: The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually. 
+PrimaryPackagePurpose: SOURCE +ReleaseDate: 2012-01-29T18:30:22Z +BuiltDate: 2011-01-29T18:30:22Z +ValidUntilDate: 2014-01-29T18:30:22Z + + +## Package Information without name +PackageName: +SPDXID: SPDXRef-Package1 +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageFileName: glibc-2.11.1.tar.gz +PackageSupplier: NOASSERTION +PackageOriginator: Organization: ExampleCodeInspect (contact@example.com) +PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz +FilesAnalyzed: true +PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx) +PackageChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24 +PackageChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c +PackageChecksum: SHA256: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd +PackageChecksum: BLAKE2b-384: aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706 +PackageHomePage: http://ftp.gnu.org/gnu/glibc +PackageSourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git. +PackageLicenseConcluded: LGPL-2.0-only OR LicenseRef-3 +PackageLicenseInfoFromFiles: GPL-2.0-only +PackageLicenseInfoFromFiles: LicenseRef-2 +PackageLicenseInfoFromFiles: LicenseRef-1 +PackageLicenseDeclared: LGPL-2.0-only AND LicenseRef-3 +PackageLicenseComments: The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change. +PackageCopyrightText: Copyright 2008-2010 John Smith +PackageSummary: GNU C library. +PackageDescription: The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems. 
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:* +ExternalRef: OTHER http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge acmecorp/acmenator/4.1.3-alpha +ExternalRefComment: This is the external ref for Acme +PackageAttributionText: The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually. +PrimaryPackagePurpose: SOURCE +ReleaseDate: 2012-01-29T18:30:22Z +BuiltDate: 2011-01-29T18:30:22Z +ValidUntilDate: 2014-01-29T18:30:22Z + +## Package Information without version +PackageName: glibc-no-version-1 +SPDXID: SPDXRef-Package2 +PackageFileName: glibc-2.11.1.tar.gz +PackageSupplier: NOASSERTION +PackageOriginator: Organization: ExampleCodeInspect (contact@example.com) +PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz +FilesAnalyzed: true +PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx) +PackageChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24 +PackageChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c +PackageChecksum: SHA256: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd +PackageChecksum: BLAKE2b-384: aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706 +PackageHomePage: http://ftp.gnu.org/gnu/glibc +PackageSourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git. 
+PackageLicenseConcluded: LGPL-2.0-only OR LicenseRef-3 +PackageLicenseInfoFromFiles: GPL-2.0-only +PackageLicenseInfoFromFiles: LicenseRef-2 +PackageLicenseInfoFromFiles: LicenseRef-1 +PackageLicenseDeclared: LGPL-2.0-only AND LicenseRef-3 +PackageLicenseComments: The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change. +PackageCopyrightText: Copyright 2008-2010 John Smith +PackageSummary: GNU C library. +PackageDescription: The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems. +ExternalRef: SECURITY cpe23Type cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:* +ExternalRef: OTHER http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge acmecorp/acmenator/4.1.3-alpha +ExternalRefComment: This is the external ref for Acme +PackageAttributionText: The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually. 
+PrimaryPackagePurpose: SOURCE +ReleaseDate: 2012-01-29T18:30:22Z +BuiltDate: 2011-01-29T18:30:22Z +ValidUntilDate: 2014-01-29T18:30:22Z + +## Package Information without version +PackageName: glibc-no-version-2 +SPDXID: SPDXRef-Package3 +PackageFileName: glibc-2.11.1.tar.gz +PackageSupplier: NOASSERTION +PackageOriginator: Organization: ExampleCodeInspect (contact@example.com) +PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz +FilesAnalyzed: true +PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx) +PackageChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24 +PackageChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c +PackageChecksum: SHA256: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd +PackageChecksum: BLAKE2b-384: aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706 +PackageHomePage: http://ftp.gnu.org/gnu/glibc +PackageSourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git. +PackageLicenseConcluded: LGPL-2.0-only OR LicenseRef-3 +PackageLicenseInfoFromFiles: GPL-2.0-only +PackageLicenseInfoFromFiles: LicenseRef-2 +PackageLicenseInfoFromFiles: LicenseRef-1 +PackageLicenseDeclared: LGPL-2.0-only AND LicenseRef-3 +PackageLicenseComments: The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change. +PackageCopyrightText: Copyright 2008-2010 John Smith +PackageSummary: GNU C library. +PackageDescription: The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems. 
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:* +ExternalRef: OTHER http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge acmecorp/acmenator/4.1.3-alpha +ExternalRefComment: This is the external ref for Acme +PackageAttributionText: The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually. +PrimaryPackagePurpose: SOURCE +ReleaseDate: 2012-01-29T18:30:22Z +BuiltDate: 2011-01-29T18:30:22Z +ValidUntilDate: 2014-01-29T18:30:22Z + +## Package Information without supplier +PackageName: glibc-no-supplier +SPDXID: SPDXRef-Package4 +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageFileName: glibc-2.11.1.tar.gz +PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz +FilesAnalyzed: true +PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx) +PackageChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24 +PackageChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c +PackageChecksum: SHA256: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd +PackageChecksum: BLAKE2b-384: aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706 +PackageHomePage: http://ftp.gnu.org/gnu/glibc +PackageSourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git. 
+PackageLicenseConcluded: LGPL-2.0-only OR LicenseRef-3 +PackageLicenseInfoFromFiles: GPL-2.0-only +PackageLicenseInfoFromFiles: LicenseRef-2 +PackageLicenseInfoFromFiles: LicenseRef-1 +PackageLicenseDeclared: LGPL-2.0-only AND LicenseRef-3 +PackageLicenseComments: The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change. +PackageCopyrightText: Copyright 2008-2010 John Smith +PackageSummary: GNU C library. +PackageDescription: The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems. +ExternalRef: SECURITY cpe23Type cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:* +ExternalRef: OTHER http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge acmecorp/acmenator/4.1.3-alpha +ExternalRefComment: This is the external ref for Acme +PackageAttributionText: The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually. 
+PrimaryPackagePurpose: SOURCE +ReleaseDate: 2012-01-29T18:30:22Z +BuiltDate: 2011-01-29T18:30:22Z +ValidUntilDate: 2014-01-29T18:30:22Z + +## Package Information without identiyer +PackageName: glibc-no-identifier +SPDXID: SPDXRef-Package5 +PackageVersion: 2.4.57+dfsg-3+deb11u1 +PackageFileName: glibc-2.11.1.tar.gz +PackageSupplier: NOASSERTION +PackageOriginator: Organization: ExampleCodeInspect (contact@example.com) +PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz +FilesAnalyzed: true +PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx) +PackageChecksum: MD5: 624c1abb3664f4b35547e7c73864ad24 +PackageChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c +PackageChecksum: SHA256: 11b6d3ee554eedf79299905a98f9b9a04e498210b59f15094c916c91d150efcd +PackageChecksum: BLAKE2b-384: aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706 +PackageHomePage: http://ftp.gnu.org/gnu/glibc +PackageSourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git. +PackageLicenseConcluded: LGPL-2.0-only OR LicenseRef-3 +PackageLicenseInfoFromFiles: GPL-2.0-only +PackageLicenseInfoFromFiles: LicenseRef-2 +PackageLicenseInfoFromFiles: LicenseRef-1 +PackageLicenseDeclared: LGPL-2.0-only AND LicenseRef-3 +PackageLicenseComments: The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change. +PackageCopyrightText: Copyright 2008-2010 John Smith +PackageSummary: GNU C library. +PackageDescription: The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems. 
+ExternalRef: SECURITY cpe23Type cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:* +ExternalRef: OTHER http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge acmecorp/acmenator/4.1.3-alpha +ExternalRefComment: This is the external ref for Acme +PackageAttributionText: The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually. +PrimaryPackagePurpose: SOURCE +ReleaseDate: 2012-01-29T18:30:22Z +BuiltDate: 2011-01-29T18:30:22Z +ValidUntilDate: 2014-01-29T18:30:22Z + + +## Relationships +Relationship: SPDXRef-DOCUMENT CONTAINS SPDXRef-Package +Relationship: SPDXRef-DOCUMENT COPY_OF DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement +Relationship: SPDXRef-CommonsLangSrc GENERATED_FROM NOASSERTION +Relationship: SPDXRef-JenaLib CONTAINS SPDXRef-Package +Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-File +Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package + +## Annotations +Annotator: Person: Jane Doe +AnnotationDate: 2010-01-29T18:30:22Z +AnnotationType: OTHER +SPDXREF: SPDXRef-DOCUMENT +AnnotationComment: Document level annotation + +Annotator: Person: Joe Reviewer +AnnotationDate: 2010-02-10T00:00:00Z +AnnotationType: REVIEW +SPDXREF: SPDXRef-DOCUMENT +AnnotationComment: This is just an example. Some of the non-standard licenses look like they are actually BSD 3 clause licenses + +Annotator: Person: Suzanne Reviewer +AnnotationDate: 2011-03-13T00:00:00Z +AnnotationType: REVIEW +SPDXREF: SPDXRef-DOCUMENT +AnnotationComment: Another example reviewer. 
+ +Annotator: Person: Package Commenter +AnnotationDate: 2011-01-29T18:30:22Z +AnnotationType: OTHER +SPDXREF: SPDXRef-Package +AnnotationComment: Package level annotation + +Annotator: Person: File Commenter +AnnotationDate: 2011-01-29T18:30:22Z +AnnotationType: OTHER +SPDXREF: SPDXRef-File +AnnotationComment: File level annotation + diff --git a/tests/test_checker.py b/tests/test_checker.py index 28e75d9..f379b5f 100644 --- a/tests/test_checker.py +++ b/tests/test_checker.py @@ -226,3 +226,30 @@ def test_sbomchecker_output_html(): ) assert got == expected + + +def test_components_without_functions(): + filepath = os.path.join( + os.path.dirname(__file__), + "data", + "other_tests", + "test_components_without_functions.spdx", + ) + sbom = sbom_checker.SbomChecker(filepath) + components = sbom.get_components_without_names() + assert components == ["SPDXRef-Package1"] + components = sbom.get_components_without_versions() + assert components == ["glibc-no-version-1", "glibc-no-version-2"] + components = sbom.get_components_without_versions(return_tuples=True) + assert components == [ + ("glibc-no-version-1", "SPDXRef-Package2"), + ("glibc-no-version-2", "SPDXRef-Package3"), + ] + components = sbom.get_components_without_suppliers() + assert components == ["glibc-no-supplier"] + components = sbom.get_components_without_suppliers(return_tuples=True) + assert components == [("glibc-no-supplier", "SPDXRef-Package4")] + # Not sure how to test this. If any package misses the SPDXID the whole file seems to be + # invalid. + # components = sbom.get_components_without_identifiers() + # assert components == ["glibc-no-identifier"]
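Review bot: The section headed `## Package Information without identiyer` still carries `SPDXID: SPDXRef-Package5`, so the fixture never exercises a missing identifier even though the heading (and the commented-out assertion in tests/test_checker.py) suggests it should; either drop that section or rename the heading to describe what it actually contains, and correct the typo to `identifier`. The Relationships block also references `SPDXRef-File`, `SPDXRef-JenaLib` and `SPDXRef-CommonsLangSrc`, none of which is defined in this document; if SbomChecker runs document validation, these dangling references could surface as warnings unrelated to what the test checks, so keeping only the `SPDXRef-Package*` relationships would be cleaner.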
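Review bot: The commented-out assertions for `get_components_without_identifiers` at the end of `test_components_without_functions` will rot silently; if pytest is imported in this module, express the open question as a separate test marked `@pytest.mark.xfail(reason="package without SPDXID fails to parse", strict=True)` so it starts failing the build once the parser accepts such input, otherwise drop the lines and track it in an issue. The test also chains five behaviours through one `components` variable, so the first failing assert hides the rest; one test per accessor, or a parametrization over (accessor, kwargs, expected list), keeps the failure report readable. The equality assertions depend on the parser preserving the package order of the fixture, which nothing states; a comment such as `# expected lists follow package order in the fixture` would make that assumption explicit.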