Fix logic error in get_components_without_suppliers #176

Merged
merged 1 commit into from
Mar 23, 2024
10 changes: 2 additions & 8 deletions ntia_conformance_checker/sbom_checker.py
Expand Up @@ -89,16 +89,10 @@ def get_components_without_suppliers(self, return_tuples=False):
"""Retrieve name and/or SPDX ID of components without suppliers."""
components_without_suppliers = []
for package in self.doc.packages:
# both package supplier and package originator satisfy the "supplier"
# requirement
# https://spdx.github.io/spdx-spec/v2.3/package-information/#76-package-originator-field
Comment on lines -92 to -94
Collaborator Author

I removed this erroneous comment.

no_package_supplier = package.supplier is None or isinstance(
no_supplier = package.supplier is None or isinstance(
Collaborator Author

I simplified the variable naming here, changing no_package_supplier to no_supplier

package.supplier, SpdxNoAssertion
)
no_package_originator = package.originator is None or isinstance(
package.originator, SpdxNoAssertion
)
Comment on lines -98 to -100
Collaborator Author

This is the critical logic change.

if no_package_supplier and no_package_originator:
if no_supplier:
if return_tuples:
components_without_suppliers.append((package.name, package.spdx_id))
else:
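Review bot: At the `no_supplier` check, the deleted comment block was the only place this function said how `package.originator` relates to the supplier requirement, and nothing replaces it, so the next reader cannot tell that ignoring the originator is deliberate. Add a one-line comment or extend the docstring to state that only `package.supplier` counts and that both `None` and `SpdxNoAssertion` are treated as missing. Packages that carry only an originator are now reported as lacking a supplier, which is a user-visible change worth a changelog entry.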
Expand Up @@ -101,7 +101,7 @@
"licenseDeclared" : "(LGPL-2.0-only AND LicenseRef-3)",
"licenseInfoFromFiles" : [ "GPL-2.0-only", "LicenseRef-2", "LicenseRef-1" ],
"name" : "glibc",
"originator" : "Organization: ExampleCodeInspect ([email protected])",
"originator" : "NOASSERTION",
Collaborator Author

These changes exemplify the test suite changes I made over and over. I removed the originator value, changing it to "NOASSERTION" and did provide a value for supplier.

"packageFileName" : "glibc-2.11.1.tar.gz",
"packageVerificationCode" : {
"packageVerificationCodeExcludedFiles" : [ "./package.spdx" ],
Expand All @@ -112,7 +112,7 @@
"releaseDate" : "2012-01-29T18:30:22Z",
"sourceInfo" : "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.",
"summary" : "GNU C library.",
"supplier" : "NOASSERTION",
"supplier" : "Organization: ExampleCodeInspect ([email protected])",
"validUntilDate" : "2014-01-29T18:30:22Z"
}],
"files" : [ {
Expand Up @@ -290,9 +290,9 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</spdx:extractedText>
<spdx:downloadLocation>http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz</spdx:downloadLocation>
<spdx:name>glibc</spdx:name>
<doap:homepage>http://ftp.gnu.org/gnu/glibc</doap:homepage>
<spdx:originator>Organization: ExampleCodeInspect ([email protected])</spdx:originator>
<spdx:originator>NOASSERTION</spdx:originator>
<spdx:builtDate>2011-01-29T18:30:22Z</spdx:builtDate>
<spdx:supplier>NOASSERTION</spdx:supplier>
<spdx:supplier>Organization: ExampleCodeInspect ([email protected])</spdx:supplier>
<spdx:licenseDeclared>
<spdx:ConjunctiveLicenseSet rdf:nodeID="Nab63afe52f1e4b309875af1ea705781f">
<spdx:member rdf:resource="http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LicenseRef-3"/>
4 changes: 2 additions & 2 deletions tests/data/missing_component_version/SPDXTagExample-v2.3.spdx
Expand Up @@ -46,8 +46,8 @@ FileContributor: The Regents of the University of California
PackageName: glibc
SPDXID: SPDXRef-Package
PackageFileName: glibc-2.11.1.tar.gz
PackageSupplier: NOASSERTION
PackageOriginator: Organization: ExampleCodeInspect ([email protected])
PackageSupplier: Organization: ExampleCodeInspect ([email protected])
PackageOriginator: NOASSERTION
PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz
FilesAnalyzed: true
PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx)
Expand Up @@ -220,7 +220,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</extractedText>
<licenseInfoFromFiles>LicenseRef-2</licenseInfoFromFiles>
<licenseInfoFromFiles>LicenseRef-1</licenseInfoFromFiles>
<name>glibc</name>
<originator>Organization: ExampleCodeInspect ([email protected])</originator>
<originator>NOASSERTION</originator>
<packageFileName>glibc-2.11.1.tar.gz</packageFileName>
<packageVerificationCode>
<packageVerificationCodeExcludedFiles>./package.spdx</packageVerificationCodeExcludedFiles>
Expand All @@ -230,7 +230,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</extractedText>
<releaseDate>2012-01-29T18:30:22Z</releaseDate>
<sourceInfo>uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.</sourceInfo>
<summary>GNU C library.</summary>
<supplier>NOASSERTION</supplier>
<supplier>Organization: ExampleCodeInspect ([email protected])</supplier>
<validUntilDate>2014-01-29T18:30:22Z</validUntilDate>
</packages>
<files>
Expand Up @@ -303,7 +303,7 @@ packages:
- LicenseRef-2
- LicenseRef-1
name: glibc
originator: 'Organization: ExampleCodeInspect ([email protected])'
originator: NOASSERTION
packageFileName: glibc-2.11.1.tar.gz
packageVerificationCode:
packageVerificationCodeExcludedFiles:
Expand All @@ -313,7 +313,7 @@ packages:
releaseDate: '2012-01-29T18:30:22Z'
sourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.
summary: GNU C library.
supplier: NOASSERTION
supplier: 'Organization: ExampleCodeInspect ([email protected])'
validUntilDate: '2014-01-29T18:30:22Z'
relationships:
- relatedSpdxElement: SPDXRef-Package
Expand Up @@ -100,7 +100,7 @@
"licenseDeclared" : "(LGPL-2.0-only AND LicenseRef-3)",
"licenseInfoFromFiles" : [ "GPL-2.0-only", "LicenseRef-2", "LicenseRef-1" ],
"name" : "glibc",
"originator" : "Organization: ExampleCodeInspect ([email protected])",
"originator" : "NOASSERTION",
"packageFileName" : "glibc-2.11.1.tar.gz",
"packageVerificationCode" : {
"packageVerificationCodeExcludedFiles" : [ "./package.spdx" ],
Expand All @@ -110,7 +110,7 @@
"releaseDate" : "2012-01-29T18:30:22Z",
"sourceInfo" : "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.",
"summary" : "GNU C library.",
"supplier" : "NOASSERTION",
"supplier" : "Organization: ExampleCodeInspect ([email protected])",
"validUntilDate" : "2014-01-29T18:30:22Z",
"versionInfo" : "2.11.1"
} ],
Expand Up @@ -112,8 +112,8 @@ PackageName: glibc
SPDXID: SPDXRef-Package
PackageVersion: 2.11.1
PackageFileName: glibc-2.11.1.tar.gz
PackageSupplier: NOASSERTION
PackageOriginator: Organization: ExampleCodeInspect ([email protected])
PackageSupplier: Organization: ExampleCodeInspect ([email protected])
PackageOriginator: NOASSERTION
PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz
FilesAnalyzed: true
PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx)
Expand Up @@ -220,7 +220,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</extractedText>
<licenseInfoFromFiles>LicenseRef-2</licenseInfoFromFiles>
<licenseInfoFromFiles>LicenseRef-1</licenseInfoFromFiles>
<name>glibc</name>
<originator>Organization: ExampleCodeInspect ([email protected])</originator>
<originator>NOASSERTION</originator>
<packageFileName>glibc-2.11.1.tar.gz</packageFileName>
<packageVerificationCode>
<packageVerificationCodeExcludedFiles>./package.spdx</packageVerificationCodeExcludedFiles>
Expand All @@ -230,7 +230,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</extractedText>
<releaseDate>2012-01-29T18:30:22Z</releaseDate>
<sourceInfo>uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.</sourceInfo>
<summary>GNU C library.</summary>
<supplier>NOASSERTION</supplier>
<supplier>Organization: ExampleCodeInspect ([email protected])</supplier>
<validUntilDate>2014-01-29T18:30:22Z</validUntilDate>
<versionInfo>2.11.1</versionInfo>
</packages>
Expand Up @@ -303,7 +303,7 @@ packages:
- LicenseRef-2
- LicenseRef-1
name: glibc
originator: 'Organization: ExampleCodeInspect ([email protected])'
originator: NOASSERTION
packageFileName: glibc-2.11.1.tar.gz
packageVerificationCode:
packageVerificationCodeExcludedFiles:
Expand All @@ -313,7 +313,7 @@ packages:
releaseDate: '2012-01-29T18:30:22Z'
sourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.
summary: GNU C library.
supplier: NOASSERTION
supplier: 'Organization: ExampleCodeInspect ([email protected])'
validUntilDate: '2014-01-29T18:30:22Z'
versionInfo: 2.11.1
snippets:
Expand Up @@ -101,7 +101,7 @@
"licenseDeclared" : "(LGPL-2.0-only AND LicenseRef-3)",
"licenseInfoFromFiles" : [ "GPL-2.0-only", "LicenseRef-2", "LicenseRef-1" ],
"name" : "glibc",
"originator" : "Organization: ExampleCodeInspect ([email protected])",
"originator" : "NOASSERTION",
"packageFileName" : "glibc-2.11.1.tar.gz",
"packageVerificationCode" : {
"packageVerificationCodeExcludedFiles" : [ "./package.spdx" ],
Expand Up @@ -304,7 +304,7 @@ under the Apache License 2.0 (see: StringUtils.containsWhitespace())</spdx:notic
</spdx:checksum>
<spdx:attributionText>The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually.</spdx:attributionText>
<spdx:versionInfo>2.11.1</spdx:versionInfo>
<spdx:originator>Organization: ExampleCodeInspect ([email protected])</spdx:originator>
<spdx:originator>NOASSERTION</spdx:originator>
<spdx:licenseComments>The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change.</spdx:licenseComments>
<spdx:validUntilDate>2014-01-29T18:30:22Z</spdx:validUntilDate>
<spdx:packageFileName>glibc-2.11.1.tar.gz</spdx:packageFileName>
2 changes: 1 addition & 1 deletion tests/data/missing_supplier_name/SPDXTagExample-v2.3.spdx
Expand Up @@ -48,7 +48,7 @@ SPDXID: SPDXRef-Package
PackageVersion: 2.11.1
PackageFileName: glibc-2.11.1.tar.gz
PackageSupplier: NOASSERTION
PackageOriginator: Organization: ExampleCodeInspect ([email protected])
PackageOriginator: NOASSERTION
PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz
FilesAnalyzed: true
PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx)
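Review bot: Setting `PackageOriginator` to NOASSERTION here, where `PackageSupplier` is already NOASSERTION, removes the one input this fix is about: supplier missing, originator present. With both fields NOASSERTION the removed condition `no_package_supplier and no_package_originator` would also have reported glibc, so this fixture passes under the old and the new logic alike. Leaving the originator populated in the missing_supplier_name fixtures would make the test fail on the old code and pass on the new one.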
Expand Up @@ -220,7 +220,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</extractedText>
<licenseInfoFromFiles>LicenseRef-2</licenseInfoFromFiles>
<licenseInfoFromFiles>LicenseRef-1</licenseInfoFromFiles>
<name>glibc</name>
<originator>Organization: ExampleCodeInspect ([email protected])</originator>
<originator>NOASSERTION</originator>
<packageFileName>glibc-2.11.1.tar.gz</packageFileName>
<packageVerificationCode>
<packageVerificationCodeExcludedFiles>./package.spdx</packageVerificationCodeExcludedFiles>
Expand Up @@ -303,7 +303,7 @@ packages:
- LicenseRef-2
- LicenseRef-1
name: glibc
originator: 'Organization: ExampleCodeInspect ([email protected])'
originator: 'NOASSERTION'
packageFileName: glibc-2.11.1.tar.gz
packageVerificationCode:
packageVerificationCodeExcludedFiles:
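Review bot: `originator: 'NOASSERTION'` is quoted in this hunk, while the other YAML fixtures in this change write `originator: NOASSERTION` unquoted. Both forms parse to the same string, so this is cosmetic, but the unquoted form would keep the fixtures consistent with each other.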
4 changes: 2 additions & 2 deletions tests/data/no_elements_missing/SPDXJSONExample-v2.3.spdx.json
Expand Up @@ -101,7 +101,7 @@
"licenseDeclared" : "(LGPL-2.0-only AND LicenseRef-3)",
"licenseInfoFromFiles" : [ "GPL-2.0-only", "LicenseRef-2", "LicenseRef-1" ],
"name" : "glibc",
"originator" : "Organization: ExampleCodeInspect ([email protected])",
"originator" : "NOASSERTION",
"packageFileName" : "glibc-2.11.1.tar.gz",
"packageVerificationCode" : {
"packageVerificationCodeExcludedFiles" : [ "./package.spdx" ],
Expand All @@ -112,7 +112,7 @@
"releaseDate" : "2012-01-29T18:30:22Z",
"sourceInfo" : "uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.",
"summary" : "GNU C library.",
"supplier" : "NOASSERTION",
"supplier" : "Organization: ExampleCodeInspect ([email protected])",
"validUntilDate" : "2014-01-29T18:30:22Z",
"versionInfo" : "2.11.1"
} ],
Expand Up @@ -312,7 +312,7 @@ under the Apache License 2.0 (see: StringUtils.containsWhitespace())</spdx:notic
<spdx:referenceLocator>acmecorp/acmenator/4.1.3-alpha</spdx:referenceLocator>
</spdx:ExternalRef>
</spdx:externalRef>
<spdx:supplier>NOASSERTION</spdx:supplier>
<spdx:supplier>Organization: ExampleCodeInspect ([email protected])</spdx:supplier>
<spdx:checksum>
<spdx:Checksum rdf:nodeID="N98510266a7284a1686da4e459dd5e58b">
<spdx:checksumValue>aaabd89c926ab525c242e6621f2f5fa73aa4afe3d9e24aed727faaadd6af38b620bdb623dd2b4788b1c8086984af8706</spdx:checksumValue>
Expand Down Expand Up @@ -356,7 +356,7 @@ under the Apache License 2.0 (see: StringUtils.containsWhitespace())</spdx:notic
</spdx:PackageVerificationCode>
</spdx:packageVerificationCode>
<spdx:summary>GNU C library.</spdx:summary>
<spdx:originator>Organization: ExampleCodeInspect ([email protected])</spdx:originator>
<spdx:originator>NOASSERTION</spdx:originator>
<spdx:builtDate>2011-01-29T18:30:22Z</spdx:builtDate>
<spdx:licenseDeclared>
<spdx:ConjunctiveLicenseSet rdf:nodeID="N45c3c34ce93d4d769c3edee387495c95">
4 changes: 2 additions & 2 deletions tests/data/no_elements_missing/SPDXTagExample-v2.3.spdx
Expand Up @@ -47,8 +47,8 @@ PackageName: glibc
SPDXID: SPDXRef-Package
PackageVersion: 2.11.1
PackageFileName: glibc-2.11.1.tar.gz
PackageSupplier: NOASSERTION
PackageOriginator: Organization: ExampleCodeInspect ([email protected])
PackageSupplier: Organization: ExampleCodeInspect ([email protected])
PackageOriginator: NOASSERTION
PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz
FilesAnalyzed: true
PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx)
4 changes: 2 additions & 2 deletions tests/data/no_elements_missing/SPDXXMLExample-v2.3.spdx.xml
Expand Up @@ -220,7 +220,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</extractedText>
<licenseInfoFromFiles>LicenseRef-2</licenseInfoFromFiles>
<licenseInfoFromFiles>LicenseRef-1</licenseInfoFromFiles>
<name>glibc</name>
<originator>Organization: ExampleCodeInspect ([email protected])</originator>
<originator>NOASSERTION</originator>
<packageFileName>glibc-2.11.1.tar.gz</packageFileName>
<packageVerificationCode>
<packageVerificationCodeExcludedFiles>./package.spdx</packageVerificationCodeExcludedFiles>
Expand All @@ -230,7 +230,7 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.</extractedText>
<releaseDate>2012-01-29T18:30:22Z</releaseDate>
<sourceInfo>uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.</sourceInfo>
<summary>GNU C library.</summary>
<supplier>NOASSERTION</supplier>
<supplier>Organization: ExampleCodeInspect ([email protected])</supplier>
<validUntilDate>2014-01-29T18:30:22Z</validUntilDate>
<versionInfo>2.11.1</versionInfo>
</packages>
4 changes: 2 additions & 2 deletions tests/data/no_elements_missing/SPDXYAMLExample-v2.3.spdx.yaml
Expand Up @@ -303,7 +303,7 @@ packages:
- LicenseRef-2
- LicenseRef-1
name: glibc
originator: 'Organization: ExampleCodeInspect ([email protected])'
originator: NOASSERTION
packageFileName: glibc-2.11.1.tar.gz
packageVerificationCode:
packageVerificationCodeExcludedFiles:
Expand All @@ -313,7 +313,7 @@ packages:
releaseDate: '2012-01-29T18:30:22Z'
sourceInfo: uses glibc-2_11-branch from git://sourceware.org/git/glibc.git.
summary: GNU C library.
supplier: NOASSERTION
supplier: 'Organization: ExampleCodeInspect ([email protected])'
validUntilDate: '2014-01-29T18:30:22Z'
versionInfo: 2.11.1
relationships:
20 changes: 10 additions & 10 deletions tests/data/other_tests/test_components_without_functions.spdx
Expand Up @@ -21,8 +21,8 @@ PackageName: glibc
SPDXID: SPDXRef-Package
PackageVersion: 2.4.57+dfsg-3+deb11u1
PackageFileName: glibc-2.11.1.tar.gz
PackageSupplier: NOASSERTION
PackageOriginator: Organization: ExampleCodeInspect ([email protected])
PackageSupplier: Organization: ExampleCodeInspect ([email protected])
PackageOriginator: NOASSERTION
PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz
FilesAnalyzed: true
PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx)
Expand Down Expand Up @@ -56,8 +56,8 @@ PackageName:
SPDXID: SPDXRef-Package1
PackageVersion: 2.4.57+dfsg-3+deb11u1
PackageFileName: glibc-2.11.1.tar.gz
PackageSupplier: NOASSERTION
PackageOriginator: Organization: ExampleCodeInspect ([email protected])
PackageSupplier: Organization: ExampleCodeInspect ([email protected])
PackageOriginator: NOASSERTION
PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz
FilesAnalyzed: true
PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx)
Expand Down Expand Up @@ -89,8 +89,8 @@ ValidUntilDate: 2014-01-29T18:30:22Z
PackageName: glibc-no-version-1
SPDXID: SPDXRef-Package2
PackageFileName: glibc-2.11.1.tar.gz
PackageSupplier: NOASSERTION
PackageOriginator: Organization: ExampleCodeInspect ([email protected])
PackageSupplier: Organization: ExampleCodeInspect ([email protected])
PackageOriginator: NOASSERTION
PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz
FilesAnalyzed: true
PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx)
Expand Down Expand Up @@ -122,8 +122,8 @@ ValidUntilDate: 2014-01-29T18:30:22Z
PackageName: glibc-no-version-2
SPDXID: SPDXRef-Package3
PackageFileName: glibc-2.11.1.tar.gz
PackageSupplier: NOASSERTION
PackageOriginator: Organization: ExampleCodeInspect ([email protected])
PackageSupplier: Organization: ExampleCodeInspect ([email protected])
PackageOriginator: NOASSERTION
PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz
FilesAnalyzed: true
PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx)
Expand Down Expand Up @@ -188,8 +188,8 @@ PackageName: glibc-no-identifier
SPDXID: SPDXRef-Package5
PackageVersion: 2.4.57+dfsg-3+deb11u1
PackageFileName: glibc-2.11.1.tar.gz
PackageSupplier: NOASSERTION
PackageOriginator: Organization: ExampleCodeInspect ([email protected])
PackageSupplier: Organization: ExampleCodeInspect ([email protected])
PackageOriginator: NOASSERTION
PackageDownloadLocation: http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz
FilesAnalyzed: true
PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758 (excludes: ./package.spdx)
4 changes: 3 additions & 1 deletion tests/test_checker.py
Expand Up @@ -116,7 +116,9 @@ def test_sbomchecker_missing_supplier_name(test_file):
assert sbom.dependency_relationships
assert not sbom.components_without_names
assert not sbom.components_without_versions
TestCase().assertCountEqual(sbom.components_without_suppliers, ["Jena", "Saxon"])
TestCase().assertCountEqual(
sbom.components_without_suppliers, ["glibc", "Jena", "Saxon"]
)
assert not sbom.components_without_identifiers
assert not sbom.ntia_minimum_elements_compliant

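Review bot: The updated expectation in `test_sbomchecker_missing_supplier_name` adds "glibc" but only checks component names through `components_without_suppliers`; the `return_tuples` branch of `get_components_without_suppliers` depends on the same changed condition and is not asserted in this hunk. An additional assertion on the `(package.name, package.spdx_id)` form for glibc would cover that path as well.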