[ISV-5787] Remove child digests from externalRefs

mavaras · mavaras · commit be51a5b730b5 · 2025-04-02T14:30:52.000+02:00
- Updates build-time index SBOM creation script
- Udpates tests accordingly
diff --git a/sbom-utility-scripts/scripts/index-image-sbom-script/index_image_sbom_script.py b/sbom-utility-scripts/scripts/index-image-sbom-script/index_image_sbom_script.py
@@ -55,33 +55,26 @@ def digest_hex_val(self) -> str:
         _, val = self.digest.split(":")
         return val
 
-    def purls(self, index_digest: Optional[str] = None) -> list[str]:
-        ans = []
-        if index_digest and self.arch:
-            ans.append(
-                PackageURL(
-                    type="oci",
-                    name=self.name,
-                    version=index_digest,
-                    qualifiers={"arch": self.arch, "repository_url": self.repository},
-                ).to_string()
-            )
-        ans.append(
-            PackageURL(
-                type="oci",
-                name=self.name,
-                version=self.digest,
-                qualifiers={"repository_url": self.repository},
-            ).to_string()
-        )
-        return ans
+    def purl(self) -> str:
+        qualifiers = {"repository_url": self.repository}
+        if self.arch is not None:
+            qualifiers["arch"] = self.arch
+
+        purl = PackageURL(
+            type="oci",
+            name=self.name,
+            version=self.digest,
+            qualifiers=qualifiers,
+        ).to_string()
+
+        return purl
 
     def propose_spdx_id(self) -> str:
-        purl_hex_digest = hashlib.sha256(self.purls()[0].encode()).hexdigest()
+        purl_hex_digest = hashlib.sha256(self.purl().encode()).hexdigest()
         return f"SPDXRef-image-{self.name}-{purl_hex_digest}"
 
 
-def create_package(image: Image, spdxid: Optional[str] = None, image_index_digest: Optional[str] = None) -> dict:
+def create_package(image: Image, spdxid: Optional[str] = None) -> dict:
     return {
         "SPDXID": image.propose_spdx_id() if not spdxid else spdxid,
         "name": image.name if not image.arch else f"{image.name}_{image.arch}",
@@ -93,9 +86,8 @@ def create_package(image: Image, spdxid: Optional[str] = None, image_index_diges
             {
                 "referenceCategory": "PACKAGE-MANAGER",
                 "referenceType": "purl",
-                "referenceLocator": purl,
+                "referenceLocator": image.purl(),
             }
-            for purl in image.purls(image_index_digest)
         ],
         "checksums": [
             {
@@ -125,7 +117,7 @@ def create_sbom(
     image_index_obj = Image.from_image_index_url_and_digest(image_index_url, image_index_digest)
     sbom_name = f"{image_index_obj.repository}@{image_index_obj.digest}"
 
-    packages = [create_package(image_index_obj, "SPDXRef-image-index")]
+    packages = [create_package(image_index_obj, spdxid="SPDXRef-image-index")]
     relationships = [
         {
             "spdxElementId": "SPDXRef-DOCUMENT",
@@ -145,7 +137,7 @@ def create_sbom(
             tag=image_index_obj.tag,
             repository=image_index_obj.repository,
         )
-        packages.append(create_package(arch_image, image_index_digest=image_index_obj.digest))
+        packages.append(create_package(arch_image))
         relationships.append(get_relationship(arch_image.propose_spdx_id(), "SPDXRef-image-index"))
 
     sbom = {
diff --git a/sbom-utility-scripts/scripts/index-image-sbom-script/test_image_index_sbom_script.py b/sbom-utility-scripts/scripts/index-image-sbom-script/test_image_index_sbom_script.py
@@ -118,11 +118,6 @@
                                 "referenceType": "purl",
                                 "referenceLocator": "pkg:oci/ubi9-micro-container@sha256:1c8483e0fda0e990175eb9855a5f15e0910d2038dd397d9e2b357630f0321e6d?arch=ppc64le&repository_url=quay.io/ubi9-micro-container",
                             },
-                            {
-                                "referenceCategory": "PACKAGE-MANAGER",
-                                "referenceType": "purl",
-                                "referenceLocator": "pkg:oci/ubi9-micro-container@sha256:f08722139c4da653b870272a192fac700960a3315baa1f79f83a4712a436d4?repository_url=quay.io/ubi9-micro-container",
-                            },
                         ],
                         "checksums": [
                             {
@@ -251,11 +246,6 @@ def test_main(
                             "referenceType": "purl",
                             "referenceLocator": "pkg:oci/bar@sha256:456?arch=arm64&repository_url=quay.io/foo/bar",
                         },
-                        {
-                            "referenceCategory": "PACKAGE-MANAGER",
-                            "referenceType": "purl",
-                            "referenceLocator": "pkg:oci/bar@sha256:123?repository_url=quay.io/foo/bar",
-                        },
                     ],
                     "checksums": [{"algorithm": "SHA256", "checksumValue": "123"}],
                 },
