Merge pull request #119 from crazy-max/fix-example-sbom-cataloger

example: fix sbom-cataloger
docker · Dec 11, 2024 · acfbc76 · acfbc76
2 parents 1743363 + 590f39f
commit acfbc76
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 66 deletions.
diff --git a/examples/sbom-cataloger/Dockerfile b/examples/sbom-cataloger/Dockerfile
@@ -14,8 +14,43 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM alpine:3.15@sha256:19b4bcc4f60e99dd5ebdca0cbce22c503bbcff197549d7e19dab4f22254dc864 AS base
+FROM scratch AS base
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
+COPY <<EOF /var/share/sbom/foo.spdx.json
+{
+ "spdxVersion": "SPDX-2.3",
+ "dataLicense": "CC0-1.0",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "packages": [
+  {
+   "name": "foo",
+   "SPDXID": "SPDXRef-Package-foo-0d50d654eb648ebd",
+   "versionInfo": "1.0",
+   "supplier": "NOASSERTION",
+   "downloadLocation": "NOASSERTION",
+   "filesAnalyzed": true,
+   "packageVerificationCode": {
+    "packageVerificationCodeValue": "ee259e59ebc5bf49005492c1a393d32158491196"
+   },
+   "licenseConcluded": "NOASSERTION",
+   "licenseDeclared": "GPL-2.0-only AND GPL-2.0-or-later",
+   "copyrightText": "NOASSERTION",
+   "externalRefs": [
+    {
+     "referenceCategory": "SECURITY",
+     "referenceType": "cpe23Type",
+     "referenceLocator": "cpe:2.3:a:deb:deb:1.0:*:*:*:*:*:*:*"
+    },
+    {
+     "referenceCategory": "PACKAGE-MANAGER",
+     "referenceType": "purl",
+     "referenceLocator": "pkg:generic/[email protected]"
+    }
+   ]
+  }
+ ]
+}
+EOF
 COPY <<EOF /empty
 EOF
 

diff --git a/examples/sbom-cataloger/checks/sbom-base.spdx.json b/examples/sbom-cataloger/checks/sbom-base.spdx.json
@@ -14,58 +14,8 @@
     "name": "sbom-base",
     "packages": [
       {
-        "SPDXID": "SPDXRef-Package-apk-alpine-baselayout-5ede89861c73ee0f",
-        "copyrightText": "NOASSERTION",
-        "description": "Alpine base dir structure and init scripts",
-        "downloadLocation": "https://git.alpinelinux.org/cgit/aports/tree/main/alpine-baselayout",
-        "externalRefs": [
-          {
-            "referenceCategory": "SECURITY",
-            "referenceLocator": "cpe:2.3:a:alpine-baselayout:alpine-baselayout:3.2.0-r18:*:*:*:*:*:*:*",
-            "referenceType": "cpe23Type"
-          },
-          {
-            "referenceCategory": "SECURITY",
-            "referenceLocator": "cpe:2.3:a:alpine-baselayout:alpine_baselayout:3.2.0-r18:*:*:*:*:*:*:*",
-            "referenceType": "cpe23Type"
-          },
-          {
-            "referenceCategory": "SECURITY",
-            "referenceLocator": "cpe:2.3:a:alpine_baselayout:alpine-baselayout:3.2.0-r18:*:*:*:*:*:*:*",
-            "referenceType": "cpe23Type"
-          },
-          {
-            "referenceCategory": "SECURITY",
-            "referenceLocator": "cpe:2.3:a:alpine_baselayout:alpine_baselayout:3.2.0-r18:*:*:*:*:*:*:*",
-            "referenceType": "cpe23Type"
-          },
-          {
-            "referenceCategory": "SECURITY",
-            "referenceLocator": "cpe:2.3:a:alpine:alpine-baselayout:3.2.0-r18:*:*:*:*:*:*:*",
-            "referenceType": "cpe23Type"
-          },
-          {
-            "referenceCategory": "SECURITY",
-            "referenceLocator": "cpe:2.3:a:alpine:alpine_baselayout:3.2.0-r18:*:*:*:*:*:*:*",
-            "referenceType": "cpe23Type"
-          },
-          {
-            "referenceCategory": "PACKAGE-MANAGER",
-            "referenceLocator": "pkg:apk/alpine/[email protected]?arch=x86_64\u0026distro=alpine-3.15.11",
-            "referenceType": "purl"
-          }
-        ],
-        "filesAnalyzed": true,
-        "licenseConcluded": "NOASSERTION",
-        "licenseDeclared": "GPL-2.0-only",
-        "name": "alpine-baselayout",
-        "originator": "Person: Natanael Copa ([email protected])",
-        "packageVerificationCode": {
-          "packageVerificationCodeValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"
-        },
-        "sourceInfo": "acquired package info from APK DB: /lib/apk/db/installed",
-        "supplier": "Person: Natanael Copa ([email protected])",
-        "versionInfo": "3.2.0-r18"
+        "SPDXID": "=package",
+        "name": "foo"
       }
     ]
   }

diff --git a/examples/sbom-cataloger/checks/sbom.spdx.json b/examples/sbom-cataloger/checks/sbom.spdx.json
@@ -3,18 +3,6 @@
   "predicateType": "https://spdx.dev/Document",
   "predicate": {
     "SPDXID": "SPDXRef-DOCUMENT",
-    "name": "sbom",
-    "packages": [
-      {
-        "SPDXID": "SPDXRef-DocumentRoot-Directory-sbom",
-        "downloadLocation": "NOASSERTION",
-        "filesAnalyzed": false,
-        "licenseConcluded": "NOASSERTION",
-        "licenseDeclared": "NOASSERTION",
-        "name": "sbom",
-        "primaryPackagePurpose": "FILE",
-        "supplier": "NOASSERTION"
-      }
-    ]
+    "name": "sbom"
   }
 }