feat(ISV-5784): support multiple CPEs

jedinym · jedinym · commit c6ab369d1823 · 2025-04-24T09:52:41.000+02:00
Signed-off-by: Martin Jediny &lt;jedinym@proton.me&gt;
diff --git a/sbom/create_product_sbom.py b/sbom/create_product_sbom.py
@@ -10,7 +10,7 @@
 import uuid
 from datetime import datetime, timezone
 import argparse
-from typing import List
+from typing import List, Union
 from pathlib import Path
 import asyncio
 
@@ -42,7 +42,7 @@ class ReleaseNotes(pdc.BaseModel):
 
     product_name: str
     product_version: str
-    cpe: str
+    cpe: Union[str, List[str]] = pdc.Field(union_mode="left_to_right")
 
 
 class ReleaseData(pdc.BaseModel):
@@ -55,6 +55,19 @@ class ReleaseData(pdc.BaseModel):
 
 def create_product_package(product_elem_id: str, release_notes: ReleaseNotes) -> Package:
     """Create SPDX package corresponding to the product."""
+    if isinstance(release_notes.cpe, str):
+        cpes = [release_notes.cpe]
+    else:
+        cpes = release_notes.cpe
+
+    refs = [
+        ExternalPackageRef(
+            category=ExternalPackageRefCategory.SECURITY,
+            reference_type="cpe22Type",
+            locator=cpe,
+        )
+        for cpe in cpes
+    ]
 
     return Package(
         spdx_id=product_elem_id,
@@ -64,13 +77,7 @@ def create_product_package(product_elem_id: str, release_notes: ReleaseNotes) ->
         supplier=Actor(ActorType.ORGANIZATION, "Red Hat"),
         license_declared=SpdxNoAssertion(),
         files_analyzed=False,
-        external_references=[
-            ExternalPackageRef(
-                category=ExternalPackageRefCategory.SECURITY,
-                reference_type="cpe22Type",
-                locator=release_notes.cpe,
-            )
-        ],
+        external_references=refs,
     )
 
 
@@ -168,14 +175,18 @@ def create_sbom(release_notes: ReleaseNotes, snapshot: Snapshot) -> Document:
     )
 
 
-def main() -> None:
+def parse_release_notes(raw_json: str) -> ReleaseNotes:
+    return ReleaseData.model_validate_json(raw_json).release_notes
+
+
+def main() -> None:  # pragma: nocover
     """
     Script entrypoint.
     """
     parser = argparse.ArgumentParser(
         prog="create-product-sbom",
         description="Create product-level SBOM from merged data file"
-        "and mapped snapshot spec.",
+        " and mapped snapshot spec.",
     )
     parser.add_argument(
         "--data-path",
@@ -203,14 +214,15 @@ def main() -> None:
         snapshot = asyncio.run(sbomlib.make_snapshot(args.snapshot_path))
         with open(args.data_path, "r", encoding="utf-8") as fp:
             raw_json = fp.read()
-            release_notes = ReleaseData.model_validate_json(raw_json).release_notes
+            release_notes = parse_release_notes(raw_json)
 
             sbom = create_sbom(release_notes, snapshot)
 
         write_file(document=sbom, file_name=str(args.output_path), validate=True)
     except Exception:  # pylint: disable=broad-except
         logger.exception("Creation of the product-level SBOM failed.")
+        raise
 
 
-if __name__ == "__main__":
+if __name__ == "__main__":  # pragma: nocover
     main()
diff --git a/sbom/test_create_product_sbom.py b/sbom/test_create_product_sbom.py
@@ -1,13 +1,13 @@
 from io import StringIO
 import json
-from typing import List
+from typing import List, Union
 from collections import namedtuple
 
 import pytest
 from packageurl import PackageURL
 from spdx_tools.spdx.writer.json.json_writer import write_document_to_stream
 
-from sbom.create_product_sbom import ReleaseNotes, create_sbom
+from sbom.create_product_sbom import ReleaseNotes, create_sbom, parse_release_notes
 from sbom.sbomlib import Component, Image, IndexImage, Snapshot
 
 Digests = namedtuple("Digests", ["single_arch", "multi_arch"])
@@ -17,15 +17,59 @@
 )
 
 
-def verify_cpe(sbom, cpe: str) -> None:
+@pytest.mark.parametrize(
+    ["data", "expected_rn"],
+    [
+        pytest.param(
+            {
+                "unrelated": "field",
+                "releaseNotes": {
+                    "product_name": "Product",
+                    "product_version": "1.0",
+                    "cpe": "cpe",
+                },
+            },
+            ReleaseNotes(
+                product_name="Product",
+                product_version="1.0",
+                cpe="cpe",
+            ),
+            id="cpe-single",
+        ),
+        pytest.param(
+            {
+                "unrelated": "field",
+                "releaseNotes": {
+                    "product_name": "Product",
+                    "product_version": "1.0",
+                    "cpe": ["cpe1", "cpe2"],
+                },
+            },
+            ReleaseNotes(
+                product_name="Product",
+                product_version="1.0",
+                cpe=["cpe1", "cpe2"],
+            ),
+            id="cpe-list",
+        ),
+    ],
+)
+def test_parse_release_notes(data: dict, expected_rn: ReleaseNotes) -> None:
+    actual = parse_release_notes(json.dumps(data))
+    assert expected_rn == actual
+
+
+def verify_cpe(sbom, expected_cpe: Union[str, List[str]]) -> None:
     """
-    Verify that the CPE externalRef is in the first package.
+    Verify that all CPE externalRefs are in the first package.
     """
-    assert {
-        "referenceCategory": "SECURITY",
-        "referenceLocator": cpe,
-        "referenceType": "cpe22Type",
-    } in sbom["packages"][0]["externalRefs"]
+    all_cpes = expected_cpe if isinstance(expected_cpe, list) else [expected_cpe]
+    for cpe in all_cpes:
+        assert {
+            "referenceCategory": "SECURITY",
+            "referenceLocator": cpe,
+            "referenceType": "cpe22Type",
+        } in sbom["packages"][0]["externalRefs"]
 
 
 def verify_purls(sbom, expected: List[str]) -> None:
@@ -98,6 +142,19 @@ def verify_package_licenses(sbom) -> None:
         assert package["licenseDeclared"] == "NOASSERTION"
 
 
+@pytest.mark.parametrize(
+    "cpe",
+    [
+        pytest.param("cpe:/a:redhat:discovery:1.0::el9", id="cpe-single"),
+        pytest.param(
+            [
+                "cpe:/a:redhat:discovery:1.0::el9",
+                "cpe:/a:redhat:discovery:1.0::el10",
+            ],
+            id="cpe-list",
+        ),
+    ],
+)
 @pytest.mark.parametrize(
     ["snapshot", "purls"],
     [
@@ -176,12 +233,11 @@ def verify_package_licenses(sbom) -> None:
         ),
     ],
 )
-def test_create_sbom(snapshot, purls):
+def test_create_sbom(snapshot: Snapshot, purls: List[str], cpe: Union[str, List[str]]):
     """
     Create an SBOM from release notes and a snapshot and verify that the
     expected properties hold.
     """
-    cpe = "cpe:/a:redhat:discovery:1.0::el9"
     release_notes = ReleaseNotes(
         product_name="Product",
         product_version="1.0",
