Add package supplier info to package objects

rnjudge · rnjudge · commit bb2a724357d1 · 2023-02-08T12:52:06.000-08:00
This commit adds package supplier information as an attribute in the package class for package objects. For some package managers (like PyPI), there is only one feasible supplier (PyPI) and this value is set as a constant string (PyPI). For others, like rpm, the string is determined using the /etc/os-release file based on the Linux Distro providing the packages. While this is not a perfect way to determine the distro/distributor, it is satisfactory to satisfty the NTIA minimum elements for the upcoming EO 14028. We decided to use the distro as the supplier based on conversations had on the SPDX mailing list[1]. [1] https://lists.spdx.org/g/Spdx-tech/message/4942 Works towards #1205 Signed-off-by: Rose Judge <rjudge@vmware.com>
diff --git a/tern/analyze/default/bundle.py b/tern/analyze/default/bundle.py
@@ -52,7 +52,8 @@ def convert_to_pkg_dicts(attr_lists):
                'pkg_licenses': 'pkg_licenses',
                'files': 'files',
                'src_name': 'source_names',
-               'src_version': 'source_versions'}
+               'src_version': 'source_versions',
+               'pkg_supplier': 'pkg_suppliers'}
     pkg_list = []
     len_names = len(attr_lists['names'])
     # make a list of keys that correspond with package property names
diff --git a/tern/analyze/default/command_lib/base.yml b/tern/analyze/default/command_lib/base.yml
@@ -88,6 +88,14 @@ dpkg:
         container:
           - "dpkg-query -W -f '${Version}\n'"
     delimiter: "\n"
+  pkg_suppliers:
+    invoke:
+      1:
+        container:
+          - "distro=`/bin/cat /etc/os-release | grep NAME | sed -n '2p' | cut -f 2 -d '=' | cut -d '\"' -f2`"
+          - "pkgs=`dpkg-query -W -f '${Package}\n'`"
+          - "for p in $pkgs; do echo $distro; done"
+    delimiter: "\n"
   source_names:
     invoke:
       1:
@@ -148,6 +156,13 @@ apk:
           - "pkgs=`apk info 2>/dev/null`"
           - "for p in $pkgs; do lic=`apk info $p 2>/dev/null | head -1 | awk '{print $1}'`; echo $lic | sed -e \"s/^$p-//\"; done"
     delimiter: "\n"
+  pkg_suppliers:
+    invoke:
+      1:
+        container:
+          - "pkgs=`apk info 2>/dev/null`"
+          - "for p in $pkgs; do echo 'Alpine Linux'; done"
+    delimiter: "\n"
   licenses:
     invoke:
       1:
@@ -192,6 +207,13 @@ pacman:
         container:
           - 'pacman -Q 2>/dev/null | cut -f 2 -d " "'
     delimiter: "\n"
+  pkg_suppliers:
+    invoke:
+      1:
+        container:
+          - 'pkgs=`pacman -Qq 2>/dev/null`'
+          - 'for p in $pkgs; do echo "Arch Linux"; done'
+    delimiter: "\n"
   licenses:
     invoke:
       1:
@@ -238,6 +260,14 @@ rpm:
         container:
           - 'rpm --query --all --queryformat "%{version}\n" 2>/dev/null'
     delimiter: "\n"
+  pkg_suppliers:
+    invoke:
+      1:
+        container:
+          - "distro=`/bin/cat /etc/os-release | grep NAME | sed -n '1p' | cut -f 2 -d '=' | cut -d '\"' -f2`"
+          - "pkgs=`rpm --query --all --queryformat \"%{name}\n\" 2>/dev/null`"
+          - "for p in $pkgs; do echo $distro; done"
+    delimiter: "\n"
   licenses:
     invoke:
       1:
@@ -302,6 +332,13 @@ pip:
           - "pkgs=`pip list --format=freeze 2> /dev/null | cut -f1 -d'='`"
           - "for p in $pkgs; do pip show $p 2> /dev/null | head -2 | tail -1 | cut -f2 -d' '; done"
     delimiter: "\n"
+  pkg_suppliers:
+    invoke:
+      1:
+        container:
+          - "pkgs=`pip list --format=freeze 2> /dev/null | cut -f1 -d'='`"
+          - "for p in $pkgs; do echo 'PyPI'; done"
+    delimiter: "\n"
   licenses:
     invoke:
       1:
@@ -345,6 +382,13 @@ pip3:
           - "pkgs=`pip3 list --format=freeze 2> /dev/null | cut -f1 -d'='`"
           - "for p in $pkgs; do pip3 show $p 2> /dev/null | head -2 | tail -1 | cut -f2 -d' '; done"
     delimiter: "\n"
+  pkg_suppliers:
+    invoke:
+      1:
+        container:
+          - "pkgs=`pip3 list --format=freeze 2> /dev/null | cut -f1 -d'='`"
+          - "for p in $pkgs; do echo 'PyPI'; done"
+    delimiter: "\n"
   licenses:
     invoke:
       1:
diff --git a/tern/analyze/default/command_lib/command_lib.py b/tern/analyze/default/command_lib/command_lib.py
@@ -37,9 +37,10 @@
     command_lib['snippets'] = yaml.safe_load(f)
 # list of package information keys that the command library can accomodate
 base_keys = {'names', 'versions', 'licenses', 'source_names',
-             'source_versions', 'copyrights', 'proj_urls', 'srcs', 'files'}
+             'source_versions', 'pkg_suppliers', 'copyrights',
+             'proj_urls', 'srcs', 'files'}
 package_keys = {'name', 'version', 'license', 'src_name', 'src_version',
-                'copyright', 'proj_url', 'src', 'files'}
+               'pkg_supplier', 'copyright', 'proj_url', 'src', 'files'}
 
 # global logger
 logger = logging.getLogger(constants.logger_name)
diff --git a/tern/classes/package.py b/tern/classes/package.py
@@ -24,6 +24,8 @@ class Package:
         pkg_licenses: all licenses found within a package
         src_name: the source package associated with the binary package
         src_version: the source package version
+        pkg_supplier: the package distributor according to SPDX 7.5;
+        required to create NTIA compliant SPDX docs
 
     methods:
         to_dict: returns a dict representation of the instance
@@ -47,6 +49,7 @@ def __init__(self, name):
         self.__pkg_format = ''
         self.__src_name = ''
         self.__src_version = ''
+        self.__pkg_supplier = ''
 
     @property
     def name(self):
@@ -144,6 +147,14 @@ def src_version(self):
     def src_version(self, src_version):
         self.__src_version = src_version
 
+    @property
+    def pkg_supplier(self):
+        return self.__pkg_supplier
+
+    @pkg_supplier.setter
+    def pkg_supplier(self, pkg_supplier):
+        self.__pkg_supplier = pkg_supplier
+
     def get_file_paths(self):
         """Return a list of paths of all the files in a package"""
         return [f.path for f in self.__files]
@@ -217,6 +228,7 @@ def fill(self, package_dict):
             files: <package files>
             src_name: <source package>
             src_ver: <source package version>
+            pkg_supplier: <package distributor/supplier>
         the way to use this method is to instantiate the class with the
         name and then give it a package dictionary to fill in the rest
         return true if package name is the same as the one used to instantiate
diff --git a/tests/test_class_package.py b/tests/test_class_package.py
@@ -25,6 +25,7 @@ def setUp(self):
         self.p1.pkg_format = 'deb'
         self.p1.src_name = 'p1src'
         self.p1.src_version = '1.0'
+        self.p1.pkg_supplier = 'VMware'
 
         self.p2 = Package('p2')
 
@@ -65,6 +66,8 @@ def testSetters(self):
                          ('a', '/usr/abc/a'))
         self.assertEqual((self.p2.files[1].name, self.p2.files[1].path),
                          ('b', '/usr/abc/b'))
+        self.p2.pkg_supplier = 'Linux Foundation'
+        self.assertEqual(self.p2.pkg_supplier, 'Linux Foundation')
 
     def testGetters(self):
         self.assertEqual(self.p1.name, 'p1')
@@ -78,6 +81,7 @@ def testGetters(self):
         self.assertEqual(self.p1.pkg_format, 'deb')
         self.assertEqual(self.p1.src_name, 'p1src')
         self.assertEqual(self.p1.src_version, '1.0')
+        self.assertEqual(self.p1.pkg_supplier, 'VMware')
 
     def testAddFile(self):
         p1 = Package('package')
@@ -130,6 +134,7 @@ def testToDict(self):
         self.assertEqual(a_dict['pkg_format'], 'deb')
         self.assertEqual(a_dict['src_name'], 'p1src')
         self.assertEqual(a_dict['src_version'], '1.0')
+        self.assertEqual(a_dict['pkg_supplier'], 'VMware')
 
     def testToDictTemplate(self):
         template1 = TestTemplate1()
@@ -175,7 +180,8 @@ def testFill(self):
                             {'name': 'b.txt', 'path': '/lib/b.txt'}],
                   'pkg_format': 'rpm',
                   'src_name': 'p1src',
-                  'src_version': '1.0'
+                  'src_version': '1.0',
+                  'pkg_supplier': 'VMware'
                   }
         p = Package('p1')
         p.fill(p_dict)
