Add rekor-cataloger parsing JSON SPDX document (#1235)

anchore · Oct 3, 2022 · ee946c0 · ee946c0
1 parent 282e859
commit ee946c0
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 7 deletions.
diff --git a/syft/rekor/utils.go b/syft/rekor/utils.go
@@ -11,6 +11,7 @@ import (
 	"github.com/anchore/syft/internal/log"
 	"github.com/in-toto/in-toto-golang/in_toto"
 	"github.com/sigstore/rekor/pkg/generated/models"
+	"github.com/spdx/tools-golang/jsonloader"
 	"github.com/spdx/tools-golang/spdx"
 	"github.com/spdx/tools-golang/tvloader"
 )
@@ -149,15 +150,29 @@ func parseAndValidateAttestation(entry *models.LogEntryAnon) (in_toto.Subject, s
 }
 
 func parseSbom(spdxBytes *[]byte) (*spdx.Document2_2, error) {
-	// remove all SHA512 hashes because spdx/tools-golang does not support
-	// PR fix is filed but not merged: https://github.com/spdx/tools-golang/pull/139
+	// Check format of SPDX document (for now assume either JSON or tag value)
+	isJSON := json.Valid(*spdxBytes)
+
+	var (
+		sbom *spdx.Document2_2
+		err  error
+	)
+	if isJSON {
+		sbom, err = jsonloader.Load2_2(bytes.NewReader(*spdxBytes))
+		if err != nil {
+			return nil, fmt.Errorf("error loading sbomBytes into spdx.Document2_2 type: %w", err)
+		}
+	} else {
+		// remove all SHA512 hashes because spdx/tools-golang does not support
+		// PR fix is filed but not merged: https://github.com/spdx/tools-golang/pull/139
 
-	regex := regexp.MustCompile("\n.*SHA512.*")
+		regex := regexp.MustCompile("\n.*SHA512.*")
 
-	modifiedSpdxBytes := regex.ReplaceAll(*spdxBytes, nil)
-	sbom, err := tvloader.Load2_2(bytes.NewReader(modifiedSpdxBytes))
-	if err != nil {
-		return nil, fmt.Errorf("error loading sbomBytes into spdx.Document2_2 type: %w", err)
+		modifiedSpdxBytes := regex.ReplaceAll(*spdxBytes, nil)
+		sbom, err = tvloader.Load2_2(bytes.NewReader(modifiedSpdxBytes))
+		if err != nil {
+			return nil, fmt.Errorf("error loading sbomBytes into spdx.Document2_2 type: %w", err)
+		}
 	}
 
 	return sbom, nil

diff --git a/syft/rekor/utils_test.go b/syft/rekor/utils_test.go
@@ -2,6 +2,7 @@ package rekor
 
 import (
 	"fmt"
+	"io/ioutil"
 	"os"
 	"testing"
 
@@ -99,4 +100,41 @@ func Test_parseAndValidateAttestation(t *testing.T) {
 	}
 }
 
+func Test_getSbom(t *testing.T) {
+
+	tests := []struct {
+		name      string
+		sbomFile  string
+		expectErr bool
+	}{
+		{
+			name:     "simple SPDX tag-value",
+			sbomFile: "test-fixtures/sboms/sbom-1.txt",
+		},
+		{
+			name:     "simple SPDX JSON",
+			sbomFile: "test-fixtures/sboms/sbom-4.json",
+		},
+		{
+			name:      "invalid SPDX file",
+			sbomFile:  "test-fixtures/sboms/sbom-invalid.txt",
+			expectErr: true,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			b, err := ioutil.ReadFile(tt.sbomFile)
+			if err != nil {
+				assert.FailNow(t, "error reading test data")
+			}
+
+			_, err = parseSbom(&b)
+			if (err != nil) != tt.expectErr {
+				assert.FailNow(t, "expected error: got %v, expected %v", err != nil, tt.expectErr)
+			}
+		})
+	}
+
+}
+
 // do validation of hash in subject