| #!/usr/bin/env python3 |
| # |
| # Copyright (C) 2023 The Android Open Source Project |
| # |
| # Licensed under the Apache License, Version 2.0 (the "License"); |
| # you may not use this file except in compliance with the License. |
| # You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| |
| import hashlib |
| import unittest |
| import sbom_data |
| |
| BUILD_FINGER_PRINT = 'build_finger_print' |
| SUPPLIER_GOOGLE = 'Organization: Google' |
| SUPPLIER_UPSTREAM = 'Organization: upstream' |
| |
| SPDXID_PREBUILT_PACKAGE1 = 'SPDXRef-PREBUILT-package1' |
| SPDXID_SOURCE_PACKAGE1 = 'SPDXRef-SOURCE-package1' |
| SPDXID_UPSTREAM_PACKAGE1 = 'SPDXRef-UPSTREAM-package1' |
| |
| SPDXID_FILE1 = 'SPDXRef-file1' |
| SPDXID_FILE2 = 'SPDXRef-file2' |
| SPDXID_FILE3 = 'SPDXRef-file3' |
| SPDXID_FILE4 = 'SPDXRef-file4' |
| |
| |
| class SBOMDataTest(unittest.TestCase): |
| |
| def setUp(self): |
| # SBOM of a product |
| self.sbom_doc = sbom_data.Document(name='test doc', |
| namespace='http://www.google.com/sbom/spdx/android', |
| creators=[SUPPLIER_GOOGLE], |
| created='2023-03-31T22:17:58Z', |
| describes=sbom_data.SPDXID_PRODUCT) |
| self.sbom_doc.add_external_ref( |
| sbom_data.DocumentExternalReference(id='DocumentRef-external_doc_ref', |
| uri='external_doc_uri', |
| checksum='SHA1: 1234567890')) |
| self.sbom_doc.add_package( |
| sbom_data.Package(id=sbom_data.SPDXID_PRODUCT, |
| name=sbom_data.PACKAGE_NAME_PRODUCT, |
| download_location=sbom_data.VALUE_NONE, |
| supplier=SUPPLIER_GOOGLE, |
| version=BUILD_FINGER_PRINT, |
| files_analyzed=True, |
| verification_code='', |
| file_ids=[SPDXID_FILE1, SPDXID_FILE2, SPDXID_FILE3, SPDXID_FILE4])) |
| |
| self.sbom_doc.add_package( |
| sbom_data.Package(id=sbom_data.SPDXID_PLATFORM, |
| name=sbom_data.PACKAGE_NAME_PLATFORM, |
| download_location=sbom_data.VALUE_NONE, |
| supplier=SUPPLIER_GOOGLE, |
| version=BUILD_FINGER_PRINT, |
| )) |
| |
| self.sbom_doc.add_package( |
| sbom_data.Package(id=SPDXID_PREBUILT_PACKAGE1, |
| name='Prebuilt package1', |
| download_location=sbom_data.VALUE_NONE, |
| supplier=SUPPLIER_GOOGLE, |
| version=BUILD_FINGER_PRINT, |
| )) |
| |
| self.sbom_doc.add_package( |
| sbom_data.Package(id=SPDXID_SOURCE_PACKAGE1, |
| name='Source package1', |
| download_location=sbom_data.VALUE_NONE, |
| supplier=SUPPLIER_GOOGLE, |
| version=BUILD_FINGER_PRINT, |
| external_refs=[sbom_data.PackageExternalRef( |
| category=sbom_data.PackageExternalRefCategory.SECURITY, |
| type=sbom_data.PackageExternalRefType.cpe22Type, |
| locator='cpe:/a:jsoncpp_project:jsoncpp:1.9.4')] |
| )) |
| |
| self.sbom_doc.add_package( |
| sbom_data.Package(id=SPDXID_UPSTREAM_PACKAGE1, |
| name='Upstream package1', |
| supplier=SUPPLIER_UPSTREAM, |
| version='1.1', |
| )) |
| |
| self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_SOURCE_PACKAGE1, |
| relationship=sbom_data.RelationshipType.VARIANT_OF, |
| id2=SPDXID_UPSTREAM_PACKAGE1)) |
| |
| self.sbom_doc.files.append( |
| sbom_data.File(id=SPDXID_FILE1, name='/bin/file1', |
| checksum='SHA1: 356a192b7913b04c54574d18c28d46e6395428ab')) # sha1 hash of 1 |
| self.sbom_doc.files.append( |
| sbom_data.File(id=SPDXID_FILE2, name='/bin/file2', |
| checksum='SHA1: da4b9237bacccdf19c0760cab7aec4a8359010b0')) # sha1 hash of 2 |
| self.sbom_doc.files.append( |
| sbom_data.File(id=SPDXID_FILE3, name='/bin/file3', |
| checksum='SHA1: 77de68daecd823babbb58edb1c8e14d7106e83bb')) # sha1 hash of 3 |
| self.sbom_doc.files.append( |
| sbom_data.File(id=SPDXID_FILE4, name='file4.a', |
| checksum='SHA1: 1b6453892473a467d07372d45eb05abc2031647a')) # sha1 of 4 |
| |
| self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1, |
| relationship=sbom_data.RelationshipType.GENERATED_FROM, |
| id2=sbom_data.SPDXID_PLATFORM)) |
| self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE2, |
| relationship=sbom_data.RelationshipType.GENERATED_FROM, |
| id2=SPDXID_PREBUILT_PACKAGE1)) |
| self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE3, |
| relationship=sbom_data.RelationshipType.GENERATED_FROM, |
| id2=SPDXID_SOURCE_PACKAGE1 |
| )) |
| self.sbom_doc.add_relationship(sbom_data.Relationship(id1=SPDXID_FILE1, |
| relationship=sbom_data.RelationshipType.STATIC_LINK, |
| id2=SPDXID_FILE4 |
| )) |
| |
| def test_package_verification_code(self): |
| checksums = [] |
| for file in self.sbom_doc.files: |
| checksums.append(file.checksum.split(': ')[1]) |
| checksums.sort() |
| h = hashlib.sha1() |
| h.update(''.join(checksums).encode(encoding='utf-8')) |
| expected_package_verification_code = h.hexdigest() |
| |
| self.sbom_doc.generate_packages_verification_code() |
| self.assertEqual(expected_package_verification_code, self.sbom_doc.packages[0].verification_code) |
| |
| |
| if __name__ == '__main__': |
| unittest.main(verbosity=2) |
