#读取spdx格式的SBOM信息,仅用于scanDeb模块分析外部依赖的内部依赖后,筛查是否分析出有效的内部依赖(若无有效内部依赖则跳过查询CVE步骤)
import os
import sys
from loguru import logger as log
DIR=os.path.split(os.path.abspath(__file__))[0]
sys.path.insert(0,os.path.join(DIR,'..','src'))
import PackageInfo
import normalize
#def loadSpdxFile(fileName):
# res=[]
# with open(fileName,"r") as f:
# spdxObj=json.load(f)
# packages=spdxObj['packages']
# for package in packages:
# packageType=package['description']
# if packageType=='Deb' or packageType=='Rpm':
# purlStr=package['externalRefs'][0]['referenceLocator']
# res.append(PackageInfo.loadPurl(purlStr))
# return res
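def parseSpdxObj(spdxObj, duplicate_removal=True):
    """Extract package records from a parsed SPDX JSON SBOM object.

    Two kinds of ``packages`` entries are handled:

    * Deb/Rpm packages whose ``sourceInfo`` is ``"External Dependency"`` are
      loaded from the purl in their ``PACKAGE_MANAGER`` external reference.
    * Every other package (except the ``SPDXRef-DocumentRoot-Directory``
      entry, which describes the scanned tree itself) is treated as an
      internal Maven-typed package built from ``name`` and ``versionInfo``.

    Args:
        spdxObj: dict parsed from an SPDX JSON document; must contain a
            ``packages`` list.
        duplicate_removal: when true, only the first package seen for each
            ``name`` is kept; later packages with the same name are dropped.

    Returns:
        list of ``PackageInfo.PackageInfo`` objects in document order.

    Raises:
        KeyError: if ``spdxObj`` has no ``packages`` entry, or a non-external
            package lacks ``SPDXID``, ``name`` or ``versionInfo``.
    """
    res = []
    known_names = set()
    for package in spdxObj['packages']:
        if _is_external_dependency(package):
            packageinfo = _load_external_dependency(package)
            if packageinfo is None:
                log.warning('ERROR:spdxReader:cannot find PACKAGE_MANAGER infomation in externalRefs')
                continue
        else:
            # The document-root entry is the scanned directory, not a dependency.
            if package['SPDXID'].startswith("SPDXRef-DocumentRoot-Directory"):
                continue
            packageinfo = _load_maven_package(package)
        if duplicate_removal:
            if packageinfo.name in known_names:
                continue
            known_names.add(packageinfo.name)
        # Exactly one append per kept package (the original appended internal
        # packages twice on one path).
        res.append(packageinfo)
    return res


def _is_external_dependency(package):
    """Return True for Deb/Rpm packages flagged as ``External Dependency``."""
    if package.get('sourceInfo') != "External Dependency":
        return False
    # In these SBOMs the package type is carried in ``description``; a
    # missing description cannot be deb/rpm, so it is not a KeyError here.
    return str(package.get('description', '')).lower() in ('deb', 'rpm')


def _load_external_dependency(package):
    """Build a PackageInfo from the first ``PACKAGE_MANAGER`` external reference.

    Returns None when the package carries no ``PACKAGE_MANAGER`` reference.
    """
    for ref in package.get('externalRefs', []):
        if ref.get('referenceCategory') != 'PACKAGE_MANAGER':
            continue
        # Use this reference's own locator. The original read
        # externalRefs[0], which is the wrong purl whenever the
        # PACKAGE_MANAGER entry is not the first external reference.
        purlStr = normalize.reNormalReplace(ref['referenceLocator'])
        packageinfo = PackageInfo.loadPurl(purlStr)
        if 'comment' in package:
            # NOTE(review): copied verbatim from the SBOM, which is external
            # input; any consumer that dereferences gitLink should validate
            # it before use.
            packageinfo.gitLink = package['comment']
        return packageinfo
    return None


def _load_maven_package(package):
    """Build the PackageInfo used for a non-external (internal) package."""
    return PackageInfo.PackageInfo("maven", "", package['name'], package['versionInfo'], None, None)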
#pl=loadSpdxFile("my_spdx_document.spdx.json")
#print(cveSolver.solve(pl))