Use Project inputs as root elements that the SPDX document describes

Signed-off-by: tdruez <[email protected]>

Author: tdruez

scanpipe/models.py

@@ -1248,7 +1248,12 @@ def add_upload(self, uploaded_file, tag=""):
         adds the `input_source`.
         """
         self.write_input_file(uploaded_file)
-        self.add_input_source(filename=uploaded_file.name, is_uploaded=True, tag=tag)
+        input_source = self.add_input_source(
+            filename=uploaded_file.name,
+            is_uploaded=True,
+            tag=tag,
+        )
+        return input_source
 
     def add_uploads(self, uploads):
         """

scanpipe/pipes/output.py

@@ -25,6 +25,7 @@
 import io
 import json
 import re
+import uuid
 from operator import attrgetter
 from pathlib import Path
 
@@ -693,6 +694,25 @@ def get_dependency_as_spdx_relationship(dependency, document_spdx_id, packages_a
     return spdx_relationship
 
 
+def get_inputs_as_spdx_packages(project):
+    """Return the Project's inputs as SPDX package to be used as root elements."""
+    inputs_as_spdx_packages = []
+
+    for input_source in project.get_inputs_with_source():
+        input_uuid = input_source.get("uuid") or uuid.uuid4()
+
+        input_as_spdx_package = spdx.Package(
+            spdx_id=f"SPDXRef-scancodeio-input-{input_uuid}",
+            name=input_source.get("filename"),
+            filename=input_source.get("filename"),
+            download_location=input_source.get("download_url"),
+            files_analyzed=True,
+        )
+        inputs_as_spdx_packages.append(input_as_spdx_package)
+
+    return inputs_as_spdx_packages
+
+
 def to_spdx(project, include_files=False):
     """
     Generate output for the provided ``project`` in SPDX document format.
@@ -705,13 +725,31 @@ def to_spdx(project, include_files=False):
     discoveredpackage_qs = get_queryset(project, "discoveredpackage")
     discovereddependency_qs = get_queryset(project, "discovereddependency")
 
-    project_as_root_package = spdx.Package(
-        spdx_id=f"SPDXRef-scancodeio-project-{project.uuid}",
-        name=project.name,
-        files_analyzed=True,
-    )
+    project_inputs_as_spdx_packages = get_inputs_as_spdx_packages(project)
+
+    # Use the Project's input(s) as the root element(s) that the SPDX document
+    # describes.
+    # This ensures "documentDescribes" points only to the main subject of the SBOM,
+    # not to every dependency or file in the project.
+    # See https://github.com/spdx/spdx-spec/issues/395 and
+    # https://github.com/aboutcode-org/scancode.io/issues/564#issuecomment-3269296563
+    # for detailed context.
+    describes = [
+        input_as_spdx_package.spdx_id
+        for input_as_spdx_package in project_inputs_as_spdx_packages
+    ]
+    packages_as_spdx = project_inputs_as_spdx_packages
+
+    # Fallback to the Project as the SPDX root element for the "documentDescribes"
+    if not project_inputs_as_spdx_packages:
+        project_as_root_package = spdx.Package(
+            spdx_id=f"SPDXRef-scancodeio-project-{project.uuid}",
+            name=project.name,
+            files_analyzed=True,
+        )
+        packages_as_spdx = [project_as_root_package]
+        describes = [project_as_root_package.spdx_id]
 
-    packages_as_spdx = [project_as_root_package]
     license_expressions = []
     relationships = []
 
@@ -723,7 +761,7 @@ def to_spdx(project, include_files=False):
             license_expressions.append(license_expression)
 
         spdx_relationship = spdx.Relationship(
-            spdx_id=project_as_root_package.spdx_id,
+            spdx_id=describes[0],
             related_spdx_id=spdx_package.spdx_id,
             relationship="DEPENDS_ON",
         )
@@ -744,15 +782,6 @@ def to_spdx(project, include_files=False):
             for resource in get_queryset(project, "codebaseresource").files()
         ]
 
-    # Use the Project (top-level package) as the root element that the SPDX document
-    # describes.
-    # This ensures "documentDescribes" points only to the main subject of the SBOM,
-    # not to every dependency or file in the project.
-    # See https://github.com/spdx/spdx-spec/issues/395 and
-    # https://github.com/aboutcode-org/scancode.io/issues/564#issuecomment-3269296563
-    # for detailed context.
-    describes = [project_as_root_package.spdx_id]
-
     document = spdx.Document(
         spdx_id=document_spdx_id,
         name=f"scancodeio_{project.name}",

scanpipe/pipes/spdx.py

@@ -362,6 +362,7 @@ def as_dict(self):
 
         optional_data = {
             "versionInfo": self.version,
+            "packageFileName": self.filename,
             "licenseDeclared": self.license_declared,
             "supplier": self.supplier,
             "originator": self.originator,

scanpipe/tests/pipes/test_output.py

@@ -31,6 +31,7 @@
 from unittest import mock
 
 from django.conf import settings
+from django.core.files.uploadedfile import SimpleUploadedFile
 from django.core.management import call_command
 from django.test import TestCase
 
@@ -417,7 +418,7 @@ def test_scanpipe_pipes_outputs_to_spdx(self):
         call_command("loaddata", fixtures, **{"verbosity": 0})
         project = Project.objects.get(name="asgiref")
 
-        with self.assertNumQueries(8):
+        with self.assertNumQueries(9):
             output_file = output.to_spdx(project=project, include_files=True)
         self.assertIn(output_file.name, project.output_root)
 
@@ -520,6 +521,106 @@ def test_scanpipe_pipes_outputs_to_spdx_dependencies(self, mock_uuid4):
         expected_file = self.data / "spdx" / "dependencies.spdx.json"
         self.assertResultsEqual(expected_file, results)
 
+    @mock.patch("uuid.uuid4")
+    def test_scanpipe_pipes_outputs_to_spdx_get_inputs_as_spdx_packages(
+        self, mock_uuid4
+    ):
+        forced_uuid = "b74fe5df-e965-415e-ba65-f38421a0695d"
+        mock_uuid4.return_value = forced_uuid
+
+        # 1. Input manually copied to Project's inputs
+        project = make_project(name="Copied")
+        copied_input = project.input_path / "input_filename"
+        copied_input.touch()
+        inputs_as_spdx_packages = output.get_inputs_as_spdx_packages(project)
+        expected = [
+            {
+                "name": "input_filename",
+                "SPDXID": f"SPDXRef-scancodeio-input-{forced_uuid}",
+                "packageFileName": "input_filename",
+                "licenseConcluded": "NOASSERTION",
+                "copyrightText": "NOASSERTION",
+                "downloadLocation": "NOASSERTION",
+                "filesAnalyzed": True,
+                "licenseDeclared": "NOASSERTION",
+            }
+        ]
+        inputs_spdx_as_dict = [package.as_dict() for package in inputs_as_spdx_packages]
+        self.assertEqual(expected, inputs_spdx_as_dict)
+
+        # 2. Input uploaded to Project's inputs
+        project = make_project(name="Uploaded")
+        uploaded_file = SimpleUploadedFile("filename.ext", content=b"content")
+        input_source = project.add_upload(
+            uploaded_file=uploaded_file,
+        )
+        inputs_as_spdx_packages = output.get_inputs_as_spdx_packages(project)
+        expected = [
+            {
+                "name": "filename.ext",
+                "SPDXID": f"SPDXRef-scancodeio-input-{input_source.uuid}",
+                "packageFileName": "filename.ext",
+                "licenseConcluded": "NOASSERTION",
+                "copyrightText": "NOASSERTION",
+                "downloadLocation": "NOASSERTION",
+                "filesAnalyzed": True,
+                "licenseDeclared": "NOASSERTION",
+            }
+        ]
+        inputs_spdx_as_dict = [package.as_dict() for package in inputs_as_spdx_packages]
+        self.assertEqual(expected, inputs_spdx_as_dict)
+
+        # 3. Fetched (download_url, purl, docker, git, ...)
+        project = make_project(name="Fetched")
+        input_from_download_url = project.add_input_source(
+            download_url="https://download.url/archive.zip",
+            filename="archive.zip",
+        )
+        input_from_purl = project.add_input_source(
+            download_url="pkg:npm/[email protected]",
+            filename="dnd-core-7.0.2.tgz",
+        )
+        input_from_docker = project.add_input_source(
+            download_url="docker://registry.com/debian:10.9",
+            filename="debian_10.9.tar",
+        )
+        inputs_as_spdx_packages = output.get_inputs_as_spdx_packages(project)
+        inputs_spdx_as_dict = [package.as_dict() for package in inputs_as_spdx_packages]
+        self.maxDiff = None
+        expected = [
+            {
+                "name": "archive.zip",
+                "SPDXID": f"SPDXRef-scancodeio-input-{input_from_download_url.uuid}",
+                "downloadLocation": "https://download.url/archive.zip",
+                "licenseConcluded": "NOASSERTION",
+                "copyrightText": "NOASSERTION",
+                "filesAnalyzed": True,
+                "packageFileName": "archive.zip",
+                "licenseDeclared": "NOASSERTION",
+            },
+            {
+                "name": "debian_10.9.tar",
+                "SPDXID": f"SPDXRef-scancodeio-input-{input_from_docker.uuid}",
+                "downloadLocation": "docker://registry.com/debian:10.9",
+                "licenseConcluded": "NOASSERTION",
+                "copyrightText": "NOASSERTION",
+                "filesAnalyzed": True,
+                "packageFileName": "debian_10.9.tar",
+                "licenseDeclared": "NOASSERTION",
+            },
+            {
+                "name": "dnd-core-7.0.2.tgz",
+                "SPDXID": f"SPDXRef-scancodeio-input-{input_from_purl.uuid}",
+                "downloadLocation": "pkg:npm/[email protected]",
+                "licenseConcluded": "NOASSERTION",
+                "copyrightText": "NOASSERTION",
+                "filesAnalyzed": True,
+                "packageFileName": "dnd-core-7.0.2.tgz",
+                "licenseDeclared": "NOASSERTION",
+            },
+        ]
+        self.assertEqual(expected, inputs_spdx_as_dict)
+
     def test_scanpipe_pipes_outputs_make_unknown_license_object(self):
         licensing = get_licensing()
         parsed_expression = licensing.parse("some-unknown-license")