refactor(sbom): use intermediate representation for SPDX (#6310)

Signed-off-by: knqyf263 <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>

Author: knqyf263

integration/testdata/conda-spdx.json.golden

@@ -3,7 +3,7 @@
   "dataLicense": "CC0-1.0",
   "SPDXID": "SPDXRef-DOCUMENT",
   "name": "testdata/fixtures/repo/conda",
-  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/conda-3ff14136-e09f-4df9-80ea-000000000001",
+  "documentNamespace": "http://aquasecurity.github.io/trivy/filesystem/testdata/fixtures/repo/conda-3ff14136-e09f-4df9-80ea-000000000004",
   "creationInfo": {
     "creators": [
       "Organization: aquasecurity",
@@ -12,17 +12,9 @@
     "created": "2021-08-25T12:20:30Z"
   },
   "packages": [
-    {
-      "name": "conda-pkg",
-      "SPDXID": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "downloadLocation": "NONE",
-      "filesAnalyzed": false,
-      "sourceInfo": "Conda",
-      "primaryPackagePurpose": "APPLICATION"
-    },
     {
       "name": "openssl",
-      "SPDXID": "SPDXRef-Package-20b95c21bfbf9fc4",
+      "SPDXID": "SPDXRef-Package-b8061a5279413d55",
       "versionInfo": "1.1.1q",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -39,11 +31,14 @@
           "referenceLocator": "pkg:conda/[email protected]"
         }
       ],
+      "attributionTexts": [
+        "PkgType: conda-pkg"
+      ],
       "primaryPackagePurpose": "LIBRARY"
     },
     {
       "name": "pip",
-      "SPDXID": "SPDXRef-Package-11a429ec3bd01d80",
+      "SPDXID": "SPDXRef-Package-84198b3828050c11",
       "versionInfo": "22.2.2",
       "supplier": "NOASSERTION",
       "downloadLocation": "NONE",
@@ -60,6 +55,9 @@
           "referenceLocator": "pkg:conda/[email protected]"
         }
       ],
+      "attributionTexts": [
+        "PkgType: conda-pkg"
+      ],
       "primaryPackagePurpose": "LIBRARY"
     },
     {
@@ -105,27 +103,22 @@
     },
     {
       "spdxElementId": "SPDXRef-Filesystem-2e2426fd0f2580ef",
-      "relatedSpdxElement": "SPDXRef-Application-ee5ef1aa4ac89125",
+      "relatedSpdxElement": "SPDXRef-Package-84198b3828050c11",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "relatedSpdxElement": "SPDXRef-Package-20b95c21bfbf9fc4",
-      "relationshipType": "CONTAINS"
-    },
-    {
-      "spdxElementId": "SPDXRef-Package-20b95c21bfbf9fc4",
-      "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
+      "spdxElementId": "SPDXRef-Filesystem-2e2426fd0f2580ef",
+      "relatedSpdxElement": "SPDXRef-Package-b8061a5279413d55",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
-      "relatedSpdxElement": "SPDXRef-Package-11a429ec3bd01d80",
+      "spdxElementId": "SPDXRef-Package-84198b3828050c11",
+      "relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
       "relationshipType": "CONTAINS"
     },
     {
-      "spdxElementId": "SPDXRef-Package-11a429ec3bd01d80",
-      "relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
+      "spdxElementId": "SPDXRef-Package-b8061a5279413d55",
+      "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
       "relationshipType": "CONTAINS"
     }
   ]

integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden

@@ -286,7 +286,7 @@
       "bom-ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "bsdutils",
-      "version": "2.33.1-0.1",
+      "version": "1:2.33.1-0.1",
       "licenses": [
         {
           "license": {
@@ -628,7 +628,7 @@
       "bom-ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "diffutils",
-      "version": "3.7-3",
+      "version": "1:3.7-3",
       "licenses": [
         {
           "license": {
@@ -1338,7 +1338,7 @@
       "bom-ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "libattr1",
-      "version": "2.4.48-4",
+      "version": "1:2.4.48-4",
       "licenses": [
         {
           "license": {
@@ -1396,7 +1396,7 @@
       "bom-ref": "pkg:deb/debian/[email protected]?arch=all&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "libaudit-common",
-      "version": "2.8.4-3",
+      "version": "1:2.8.4-3",
       "licenses": [
         {
           "license": {
@@ -1454,7 +1454,7 @@
       "bom-ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "libaudit1",
-      "version": "2.8.4-3",
+      "version": "1:2.8.4-3",
       "licenses": [
         {
           "license": {
@@ -2091,7 +2091,7 @@
       "bom-ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "libgcc1",
-      "version": "8.3.0-6",
+      "version": "1:8.3.0-6",
       "purl": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-10.2&epoch=1",
       "properties": [
         {
@@ -2285,7 +2285,7 @@
       "bom-ref": "pkg:deb/debian/[email protected]%2Bdfsg-4?arch=amd64&distro=debian-10.2&epoch=2",
       "type": "library",
       "name": "libgmp10",
-      "version": "6.1.2+dfsg-4",
+      "version": "2:6.1.2+dfsg-4",
       "licenses": [
         {
           "license": {
@@ -3286,7 +3286,7 @@
       "bom-ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-10.2&epoch=2",
       "type": "library",
       "name": "libpcre3",
-      "version": "8.39-12",
+      "version": "2:8.39-12",
       "purl": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-10.2&epoch=2",
       "properties": [
         {
@@ -4450,7 +4450,7 @@
       "bom-ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "login",
-      "version": "4.5-1.1",
+      "version": "1:4.5-1.1",
       "licenses": [
         {
           "license": {
@@ -4742,7 +4742,7 @@
       "bom-ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "passwd",
-      "version": "4.5-1.1",
+      "version": "1:4.5-1.1",
       "licenses": [
         {
           "license": {
@@ -5338,7 +5338,7 @@
       "bom-ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "ruby",
-      "version": "2.5.1",
+      "version": "1:2.5.1",
       "licenses": [
         {
           "license": {
@@ -5690,7 +5690,7 @@
       "bom-ref": "pkg:deb/debian/[email protected]?arch=amd64&distro=debian-10.2&epoch=1",
       "type": "library",
       "name": "zlib1g",
-      "version": "1.2.11.dfsg-1",
+      "version": "1:1.2.11.dfsg-1",
       "licenses": [
         {
           "license": {

pkg/fanal/analyzer/sbom/sbom_test.go

@@ -31,6 +31,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 						Type: types.Jar,
 						Libraries: types.Packages{
 							{
+								ID:       "co.elastic.apm:apm-agent:1.36.0",
 								Name:     "co.elastic.apm:apm-agent",
 								Version:  "1.36.0",
 								FilePath: "opt/bitnami/elasticsearch",
@@ -44,6 +45,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 								},
 							},
 							{
+								ID:       "co.elastic.apm:apm-agent-cached-lookup-key:1.36.0",
 								Name:     "co.elastic.apm:apm-agent-cached-lookup-key",
 								Version:  "1.36.0",
 								FilePath: "opt/bitnami/elasticsearch",
@@ -57,6 +59,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 								},
 							},
 							{
+								ID:       "co.elastic.apm:apm-agent-common:1.36.0",
 								Name:     "co.elastic.apm:apm-agent-common",
 								Version:  "1.36.0",
 								FilePath: "opt/bitnami/elasticsearch",
@@ -70,6 +73,7 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 								},
 							},
 							{
+								ID:       "co.elastic.apm:apm-agent-core:1.36.0",
 								Name:     "co.elastic.apm:apm-agent-core",
 								Version:  "1.36.0",
 								FilePath: "opt/bitnami/elasticsearch",
@@ -89,7 +93,8 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 						FilePath: "opt/bitnami/elasticsearch",
 						Libraries: types.Packages{
 							{
-								Name:     "elasticsearch",
+								ID:       "[email protected]",
+								Name:     "Elasticsearch",
 								Version:  "8.9.1",
 								Arch:     "arm64",
 								Licenses: []string{"Elastic-2.0"},
@@ -169,7 +174,8 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 						FilePath: "opt/bitnami/postgresql",
 						Libraries: types.Packages{
 							{
-								Name:     "gdal",
+								ID:       "[email protected]",
+								Name:     "GDAL",
 								Version:  "3.7.1",
 								Licenses: []string{"MIT"},
 								Identifier: types.PkgIdentifier{
@@ -181,7 +187,8 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 								},
 							},
 							{
-								Name:     "geos",
+								ID:       "[email protected]",
+								Name:     "GEOS",
 								Version:  "3.8.3",
 								Licenses: []string{"LGPL-2.1-only"},
 								Identifier: types.PkgIdentifier{
@@ -193,7 +200,8 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 								},
 							},
 							{
-								Name:     "postgresql",
+								ID:       "[email protected]",
+								Name:     "PostgreSQL",
 								Version:  "15.3.0",
 								Licenses: []string{"PostgreSQL"},
 								Identifier: types.PkgIdentifier{
@@ -203,9 +211,15 @@ func Test_sbomAnalyzer_Analyze(t *testing.T) {
 										Version: "15.3.0",
 									},
 								},
+								DependsOn: []string{
+									"[email protected]",
+									"[email protected]",
+									"[email protected]",
+								},
 							},
 							{
-								Name:     "proj",
+								ID:       "[email protected]",
+								Name:     "Proj",
 								Version:  "6.3.2",
 								Licenses: []string{"MIT"},
 								Identifier: types.PkgIdentifier{

pkg/fanal/applier/docker.go

@@ -263,12 +263,9 @@ func newPURL(pkgType ftypes.TargetType, metadata types.Metadata, pkg ftypes.Pack
 func aggregate(detail *ftypes.ArtifactDetail) {
 	var apps []ftypes.Application
 
-	aggregatedApps := map[ftypes.LangType]*ftypes.Application{
-		ftypes.PythonPkg: {Type: ftypes.PythonPkg},
-		ftypes.CondaPkg:  {Type: ftypes.CondaPkg},
-		ftypes.GemSpec:   {Type: ftypes.GemSpec},
-		ftypes.NodePkg:   {Type: ftypes.NodePkg},
-		ftypes.Jar:       {Type: ftypes.Jar},
+	aggregatedApps := make(map[ftypes.LangType]*ftypes.Application)
+	for _, t := range ftypes.AggregatingTypes {
+		aggregatedApps[t] = &ftypes.Application{Type: t}
 	}
 
 	for _, app := range detail.Applications {

pkg/fanal/types/const.go

@@ -81,6 +81,14 @@ const (
 	OCP         LangType = "ocp" // Red Hat OpenShift Container Platform
 )
 
+var AggregatingTypes = []LangType{
+	PythonPkg,
+	CondaPkg,
+	GemSpec,
+	NodePkg,
+	Jar,
+}
+
 // Config files
 const (
 	JSON                  ConfigType = "json"

pkg/k8s/scanner/scanner.go

@@ -375,7 +375,9 @@ func (s *Scanner) clusterInfoToReportResources(allArtifact []*artifacts.Artifact
 		return nil, fmt.Errorf("failed to find node name")
 	}
 
-	kbom := core.NewBOM()
+	kbom := core.NewBOM(core.Options{
+		GenerateBOMRef: true,
+	})
 	for _, artifact := range allArtifact {
 		switch artifact.Kind {
 		case controlPlaneComponents:
@@ -413,7 +415,7 @@ func (s *Scanner) clusterInfoToReportResources(allArtifact []*artifacts.Artifact
 				}
 
 				imageComponent := &core.Component{
-					Type:    core.TypeContainer,
+					Type:    core.TypeContainerImage,
 					Name:    name,
 					Version: cDigest,
 					PkgID: core.PkgID{

pkg/k8s/scanner/scanner_test.go

@@ -155,7 +155,7 @@ func TestScanner_Scan(t *testing.T) {
 					},
 				},
 				{
-					Type:    core.TypeContainer,
+					Type:    core.TypeContainerImage,
 					Name:    "k8s.gcr.io/kube-apiserver",
 					Version: "sha256:18e61c783b41758dd391ab901366ec3546b26fae00eef7e223d1f94da808e02f",
 					PkgID: core.PkgID{

pkg/report/spdx/spdx.go

@@ -30,7 +30,7 @@ func NewWriter(output io.Writer, version string, spdxFormat types.Format) Writer
 }
 
 func (w Writer) Write(ctx context.Context, report types.Report) error {
-	spdxDoc, err := w.marshaler.Marshal(ctx, report)
+	spdxDoc, err := w.marshaler.MarshalReport(ctx, report)
 	if err != nil {
 		return xerrors.Errorf("failed to marshal spdx: %w", err)
 	}