Add purl information to SPDX reports

This commit adds a new function, `get_purl()` to spdx_common.py which
uses the packageurl library to generate purl strings for given package
objects. The namespace for certain purls is determined using the
/etc/os-release file information collected via the `pkg_suppliers` field
in base.yml.

This commit then adds purl strings as external references[1] to both
SPDX tag value and SPDX json reports.

[1]https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field

Resolves #1206

Signed-off-by: Rose Judge <[email protected]>
Signed-off-by: Ivana Atanasova <[email protected]>

Author: rnjudge

tern/formats/spdx/spdx_common.py

@@ -16,6 +16,7 @@
 from license_expression import get_spdx_licensing
 from tern.utils import constants
 from tern.formats.spdx.spdxtagvalue import formats as spdx_formats
+from packageurl import PackageURL
 
 # global logger
 logger = logging.getLogger(constants.logger_name)
@@ -210,3 +211,34 @@ def get_file_comment(filedata):
             comment = comment + \
                 '{}: {}'.format(notice.level, notice.message) + '\n'
     return comment
+
+
+#######################
+# Common PURL Helpers #
+#######################
+
+purl_types_with_namespaces = [
+    'deb',
+    'rpm',
+    'apk',
+    'alpm'
+]
+
+
+def get_purl(package_obj):
+    '''Return a purl string for a given package'''
+    purl_type = package_obj.pkg_format
+    purl_namespace = ''
+    if purl_type in purl_types_with_namespaces and package_obj.pkg_supplier:
+        # https://github.com/package-url/purl-spec/pull/214
+        if package_obj.pkg_supplier.split(' ')[0] == "VMware":
+            purl_namespace = package_obj.pkg_supplier.split(' ')[1].lower()
+        else:
+            purl_namespace = package_obj.pkg_supplier.split(' ')[0].lower()
+            # TODO- this might need adjusting for alpm. Currently can't test on M1 
+    purl = PackageURL(purl_type, purl_namespace, package_obj.name.lower(), package_obj.version,
+                      qualifiers={'arch': package_obj.arch if package_obj.arch else ''})
+    try:
+        return purl.to_string()
+    except ValueError:
+        return ''

tern/formats/spdx/spdxjson/package_helpers.py

@@ -74,9 +74,14 @@ def get_package_dict(package, template):
             mapping['PackageLicenseDeclared']),
         'copyrightText': mapping['PackageCopyrightText'] if
         mapping['PackageCopyrightText'] else 'NONE',
-        'comment': get_package_comment(package)
     }
-
+    # Only add package PURL if it exists
+    if spdx_common.get_purl(package):
+        package_dict['externalRefs'] = [{'referenceCategory': 'PACKAGE-MANAGER',
+                                         'referenceLocator': spdx_common.get_purl(package),
+                                         'referenceType': 'purl'}]
+    # Put package comment after any potential externalRefs
+    package_dict['comment'] = get_package_comment(package)
     return package_dict
 
 

tern/formats/spdx/spdxtagvalue/package_helpers.py

@@ -115,6 +115,10 @@ def get_package_block(package_obj, template):
             message=mapping['PackageCopyrightText']) + '\n'
     else:
         block += 'PackageCopyrightText: NONE\n'
+    # Package URL
+    if spdx_common.get_purl(package_obj):
+        block += 'ExternalRef: PACKAGE-MANAGER purl {}\n'.format(
+                spdx_common.get_purl(package_obj))
     # Package Comments
     block += get_package_comment(package_obj)
     return block