[ISV-5787] Remove child digests from externalRefs

mavaras · mavaras · commit 2884148f7404 · 2025-04-03T09:38:30.000+02:00
- Updates build-time index SBOM creation script
- Udpates tests accordingly
diff --git a/sbom-utility-scripts/scripts/index-image-sbom-script/index_image_sbom_script.py b/sbom-utility-scripts/scripts/index-image-sbom-script/index_image_sbom_script.py
@@ -55,33 +55,26 @@ def digest_hex_val(self) -> str:
         _, val = self.digest.split(":")
         return val
 
-    def purls(self, index_digest: Optional[str] = None) -> list[str]:
-        ans = []
-        if index_digest and self.arch:
-            ans.append(
-                PackageURL(
-                    type="oci",
-                    name=self.name,
-                    version=index_digest,
-                    qualifiers={"arch": self.arch, "repository_url": self.repository},
-                ).to_string()
-            )
-        ans.append(
-            PackageURL(
-                type="oci",
-                name=self.name,
-                version=self.digest,
-                qualifiers={"repository_url": self.repository},
-            ).to_string()
-        )
-        return ans
+    def purl(self) -> str:
+        qualifiers = {"repository_url": self.repository}
+        if self.arch is not None:
+            qualifiers["arch"] = self.arch
+
+        purl = PackageURL(
+            type="oci",
+            name=self.name,
+            version=self.digest,
+            qualifiers=qualifiers,
+        ).to_string()
+
+        return purl
 
     def propose_spdx_id(self) -> str:
-        purl_hex_digest = hashlib.sha256(self.purls()[0].encode()).hexdigest()
+        purl_hex_digest = hashlib.sha256(self.purl().encode()).hexdigest()
         return f"SPDXRef-image-{self.name}-{purl_hex_digest}"
 
 
-def create_package(image: Image, spdxid: Optional[str] = None, image_index_digest: Optional[str] = None) -> dict:
+def create_package(image: Image, spdxid: Optional[str] = None) -> dict:
     return {
         "SPDXID": image.propose_spdx_id() if not spdxid else spdxid,
         "name": image.name if not image.arch else f"{image.name}_{image.arch}",
@@ -93,9 +86,8 @@ def create_package(image: Image, spdxid: Optional[str] = None, image_index_diges
             {
                 "referenceCategory": "PACKAGE-MANAGER",
                 "referenceType": "purl",
-                "referenceLocator": purl,
+                "referenceLocator": image.purl(),
             }
-            for purl in image.purls(image_index_digest)
         ],
         "checksums": [
             {
@@ -125,7 +117,7 @@ def create_sbom(
     image_index_obj = Image.from_image_index_url_and_digest(image_index_url, image_index_digest)
     sbom_name = f"{image_index_obj.repository}@{image_index_obj.digest}"
 
-    packages = [create_package(image_index_obj, "SPDXRef-image-index")]
+    packages = [create_package(image_index_obj, spdxid="SPDXRef-image-index")]
     relationships = [
         {
             "spdxElementId": "SPDXRef-DOCUMENT",
@@ -141,11 +133,11 @@ def create_sbom(
         arch_image = Image(
             arch=manifest.get("platform", {}).get("architecture"),
             name=image_index_obj.name,
-            digest=manifest.get("digest"),
+            digest=image_index_digest,
             tag=image_index_obj.tag,
             repository=image_index_obj.repository,
         )
-        packages.append(create_package(arch_image, image_index_digest=image_index_obj.digest))
+        packages.append(create_package(arch_image))
         relationships.append(get_relationship(arch_image.propose_spdx_id(), "SPDXRef-image-index"))
 
     sbom = {
diff --git a/sbom-utility-scripts/scripts/index-image-sbom-script/test_image_index_sbom_script.py b/sbom-utility-scripts/scripts/index-image-sbom-script/test_image_index_sbom_script.py
@@ -106,7 +106,7 @@
                         ],
                     },
                     {
-                        "SPDXID": "SPDXRef-image-ubi9-micro-container-8358c7002e15f219c861227e97919d537e888874e7ca2b349979bc745f903195",
+                        "SPDXID": "SPDXRef-image-ubi9-micro-container-d57d132860ab3ff4eb64267c33897a8bf246ae1515df7d17cdf6e408c9f36b36",
                         "name": "ubi9-micro-container_ppc64le",
                         "versionInfo": "9.4-6.1716471860",
                         "supplier": "NOASSERTION",
@@ -118,16 +118,11 @@
                                 "referenceType": "purl",
                                 "referenceLocator": "pkg:oci/ubi9-micro-container@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=ppc64le&repository_url=quay.io/ubi9-micro-container",
                             },
-                            {
-                                "referenceCategory": "PACKAGE-MANAGER",
-                                "referenceType": "purl",
-                                "referenceLocator": "pkg:oci/ubi9-micro-container@sha256:f08722139c4da653b870272a192fac700960a3315baa1f79f83a4712a436d4?repository_url=quay.io/ubi9-micro-container",
-                            },
                         ],
                         "checksums": [
                             {
                                 "algorithm": "SHA256",
-                                "checksumValue": "f08722139c4da653b870272a192fac700960a3315baa1f79f83a4712a436d4",
+                                "checksumValue": "1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d",
                             }
                         ],
                     },
@@ -139,7 +134,7 @@
                         "relatedSpdxElement": "SPDXRef-image-index",
                     },
                     {
-                        "spdxElementId": "SPDXRef-image-ubi9-micro-container-8358c7002e15f219c861227e97919d537e888874e7ca2b349979bc745f903195",
+                        "spdxElementId": "SPDXRef-image-ubi9-micro-container-d57d132860ab3ff4eb64267c33897a8bf246ae1515df7d17cdf6e408c9f36b36",
                         "relationshipType": "VARIANT_OF",
                         "relatedSpdxElement": "SPDXRef-image-index",
                     },
@@ -239,7 +234,7 @@ def test_main(
                     "checksums": [{"algorithm": "SHA256", "checksumValue": "456"}],
                 },
                 {
-                    "SPDXID": "SPDXRef-image-bar-9adebc2aa46e921bcd2ff839697cf543a898d9b66e1cbf6dfc0626cf2845f716",
+                    "SPDXID": "SPDXRef-image-bar-c621206f7eb4159018ebf3fc192df8d270b15121bcdc653b468df1fe131860b1",
                     "name": "bar_arm64",
                     "versionInfo": "v1",
                     "supplier": "NOASSERTION",
@@ -251,13 +246,8 @@ def test_main(
                             "referenceType": "purl",
                             "referenceLocator": "pkg:oci/bar@sha256:456?arch=arm64&repository_url=quay.io/foo/bar",
                         },
-                        {
-                            "referenceCategory": "PACKAGE-MANAGER",
-                            "referenceType": "purl",
-                            "referenceLocator": "pkg:oci/bar@sha256:123?repository_url=quay.io/foo/bar",
-                        },
                     ],
-                    "checksums": [{"algorithm": "SHA256", "checksumValue": "123"}],
+                    "checksums": [{"algorithm": "SHA256", "checksumValue": "456"}],
                 },
             ],
             "relationships": [
@@ -267,7 +257,7 @@ def test_main(
                     "relatedSpdxElement": "SPDXRef-image-index",
                 },
                 {
-                    "spdxElementId": "SPDXRef-image-bar-9adebc2aa46e921bcd2ff839697cf543a898d9b66e1cbf6dfc0626cf2845f716",
+                    "spdxElementId": "SPDXRef-image-bar-c621206f7eb4159018ebf3fc192df8d270b15121bcdc653b468df1fe131860b1",
                     "relationshipType": "VARIANT_OF",
                     "relatedSpdxElement": "SPDXRef-image-index",
                 },
