fix: add namespace and subpath support to Component to complete PackageURL Spec support

Signed-off-by: Paul Horton <[email protected]>

Author: madpah

cyclonedx/model/component.py

@@ -52,9 +52,11 @@ class Component:
     """
     _type: ComponentType
     _package_url_type: str
+    _namespace: str
     _name: str
     _version: str
     _qualifiers: str
+    _subpath: str
 
     _author: str = None
     _description: str = None
@@ -93,17 +95,21 @@ def for_file(absolute_file_path: str, path_for_bom: str = None):
             package_url_type='generic'
         )
 
-    def __init__(self, name: str, version: str, qualifiers: str = None, hashes: List[HashType] = None,
+    def __init__(self, name: str, version: str, namespace: str = None, qualifiers: str = None, subpath: str = None,
+                 hashes: List[HashType] = None,
                  component_type: ComponentType = ComponentType.LIBRARY, package_url_type: str = 'pypi'):
+        self._package_url_type = package_url_type
+        self._namespace = namespace
         self._name = name
         self._version = version
         self._type = component_type
         self._qualifiers = qualifiers
+        self._subpath = subpath
+
         self._hashes.clear()
         if hashes:
             self._hashes = hashes
         self._vulnerabilites.clear()
-        self._package_url_type = package_url_type
         self._external_references.clear()
 
     def add_external_reference(self, reference: ExternalReference):
@@ -193,21 +199,36 @@ def get_name(self) -> str:
         """
         return self._name
 
+    def get_namespace(self) -> str:
+        """
+        Get the namespace of this Component.
+
+        Returns:
+            Declared namespace of this Component as `str` if declared, else `None`.
+        """
+        return self._namespace
+
     def get_purl(self) -> str:
         """
         Get the PURL for this Component.
 
         Returns:
-            PackageURL that reflects this Component as `str`.
+            PackageURL or 'PURL' that reflects this Component as `str`.
         """
-        base_purl = 'pkg:{}/{}@{}'.format(self._package_url_type, self._name, self._version)
-        if self._qualifiers:
-            base_purl = '{}?{}'.format(base_purl, self._qualifiers)
-        return base_purl
+        return self.to_package_url().to_string()
 
     def get_pypi_url(self) -> str:
         return f'https://pypi.org/project/{self.get_name()}/{self.get_version()}'
 
+    def get_subpath(self) -> str:
+        """
+        Get the subpath of this Component.
+
+        Returns:
+            Declared subpath of this Component as `str` if declared, else `None`.
+        """
+        return self._subpath
+
     def get_type(self) -> ComponentType:
         """
         Get the type of this Component.
@@ -292,9 +313,11 @@ def to_package_url(self) -> PackageURL:
         """""
         return PackageURL(
             type=self._package_url_type,
+            namespace=self._namespace,
             name=self._name,
             version=self._version,
-            qualifiers=self._qualifiers
+            qualifiers=self._qualifiers,
+            subpath=self._subpath
         )
 
     def __eq__(self, other):

cyclonedx/output/json.py

@@ -53,6 +53,9 @@ def _get_component_as_dict(self, component: Component) -> dict:
             "purl": component.get_purl()
         }
 
+        if component.get_namespace():
+            c['group'] = component.get_namespace()
+
         if component.get_hashes():
             hashes = []
             for component_hash in component.get_hashes():

cyclonedx/output/xml.py

@@ -85,6 +85,10 @@ def _get_component_as_xml_element(self, component: Component) -> ElementTree.Ele
         if self.component_supports_author() and component.get_author() is not None:
             ElementTree.SubElement(component_element, 'author').text = component.get_author()
 
+        # group
+        if component.get_namespace():
+            ElementTree.SubElement(component_element, 'group').text = component.get_namespace()
+
         # name
         ElementTree.SubElement(component_element, 'name').text = component.get_name()
 
@@ -94,11 +98,6 @@ def _get_component_as_xml_element(self, component: Component) -> ElementTree.Ele
         # hashes
         if len(component.get_hashes()) > 0:
             Xml._add_hashes_to_element(hashes=component.get_hashes(), element=component_element)
-            # hashes_e = ElementTree.SubElement(component_element, 'hashes')
-            # for hash in component.get_hashes():
-            #     ElementTree.SubElement(
-            #         hashes_e, 'hash', {'alg': hash.get_algorithm().value}
-            #     ).text = hash.get_hash_value()
 
         # purl
         ElementTree.SubElement(component_element, 'purl').text = component.get_purl()

tests/test_component.py

@@ -37,6 +37,9 @@ def setUpClass(cls) -> None:
         cls._component_generic_file: Component = Component(
             name='/test.py', version='UNKNOWN', package_url_type='generic'
         )
+        cls._component_purl_spec_no_subpath: Component = Component(
+            namespace='name-space', name='setuptools', version='50.0.1', qualifiers='extension=whl'
+        )
 
     def test_purl_correct(self):
         self.assertEqual(
@@ -138,3 +141,10 @@ def test_get_component_by_purl_1(self):
             purl=TestComponent._component.get_purl()),
             TestComponent._component_2
         )
+
+    def test_full_purl_spec_no_subpath(self):
+        self.assertEqual(
+            TestComponent._component_purl_spec_no_subpath.get_purl(),
+            'pkg:pypi/name-space/[email protected]?extension=whl'
+        )
+        self.assertIsNone(TestComponent._component_purl_spec_no_subpath.get_subpath())