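--- a/sbom.py
+++ b/sbom.py
@@ -100,10 +100,15 @@
 def spdx_id(value: LiteralString) -> str:
     """Encode a value into characters that are valid in an SPDX ID"""
     value_as_spdx_id = re.sub(r"[^a-zA-Z0-9.\-]+", "-", value)
-    # To avoid collisions we append a hash suffix.
-    suffix = hashlib.sha256(value.encode()).hexdigest()[:8]
-    value_as_spdx_id = f"{value_as_spdx_id}-{suffix}"
-    assert _SPDX_IDS_TO_VALUES.setdefault(value_as_spdx_id, value) == value
+
+    # The happy path is there are no collisions.
+    # But collisions can happen, especially in file paths.
+    # We append a hash suffix in those cases.
+    if _SPDX_IDS_TO_VALUES.setdefault(value_as_spdx_id, value) != value:
+        suffix = hashlib.sha256(value.encode()).hexdigest()[:8]
+        value_as_spdx_id = f"{value_as_spdx_id}-{suffix}"
+        assert _SPDX_IDS_TO_VALUES.setdefault(value_as_spdx_id, value) == value
+
     return value_as_spdx_id
 
 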
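Review bot: The `assert` that closes the new collision branch (the line after the suffixed f-string) is acting as input validation and is stripped under `python -O`, so a second-level collision — two distinct values that sanitize to the same ID and share the same 8-hex-character SHA-256 prefix — would silently return an ID already registered to a different value, and the generated SBOM would then point relationships at the wrong file or package. Replace it with an explicit check: `if _SPDX_IDS_TO_VALUES.setdefault(value_as_spdx_id, value) != value:` / `    raise ValueError(f"SPDX ID collision for {value_as_spdx_id!r}")`. With the suffix now applied only to the later caller, which of two colliding values keeps the bare ID appears to depend on call order, which the one-line docstring does not mention; I would extend it with `The ID is recorded in _SPDX_IDS_TO_VALUES; the first value to claim a sanitized ID keeps it and later colliding values get a hash suffix, so results depend on call order.`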
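--- a/tests/sbom/sbom-with-pip-removed.json
+++ b/tests/sbom/sbom-with-pip-removed.json
@@ -13,9 +13,9 @@
 "packages": [],
 "relationships": [
 {
-"relatedSpdxElement": "SPDXRef-FILE-Modules-expat-COPYING-497fb0c3",
+"relatedSpdxElement": "SPDXRef-FILE-Modules-expat-COPYING",
 "relationshipType": "CONTAINS",
-"spdxElementId": "SPDXRef-PACKAGE-expat-83b93528"
+"spdxElementId": "SPDXRef-PACKAGE-expat"
 }
 ]
 }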
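--- a/tests/sbom/sbom-with-pip.json
+++ b/tests/sbom/sbom-with-pip.json
@@ -12,7 +12,7 @@
 "files": [],
 "packages": [
 {
-"SPDXID": "SPDXRef-PACKAGE-pip-ced959c1",
+"SPDXID": "SPDXRef-PACKAGE-pip",
 "name": "pip",
 "versionInfo": "24.0",
 "licenseConcluded": "MIT",
@@ -38,19 +38,19 @@
 ],
 "relationships": [
 {
-"relatedSpdxElement": "SPDXRef-FILE-Modules-expat-COPYING-497fb0c3",
+"relatedSpdxElement": "SPDXRef-FILE-Modules-expat-COPYING",
 "relationshipType": "CONTAINS",
-"spdxElementId": "SPDXRef-PACKAGE-expat-83b93528"
+"spdxElementId": "SPDXRef-PACKAGE-expat"
 },
 {
-"relatedSpdxElement": "SPDXRef-PACKAGE-urllib3-b7a198af",
+"relatedSpdxElement": "SPDXRef-PACKAGE-urllib3",
 "relationshipType": "DEPENDS_ON",
-"spdxElementId": "SPDXRef-PACKAGE-pip-ced959c1"
+"spdxElementId": "SPDXRef-PACKAGE-pip"
 },
 {
-"relatedSpdxElement": "SPDXRef-PACKAGE-pip-ced959c1",
+"relatedSpdxElement": "SPDXRef-PACKAGE-pip",
 "relationshipType": "DEPENDS_ON",
-"spdxElementId": "SPDXRef-PACKAGE-cpython-608f998c"
+"spdxElementId": "SPDXRef-PACKAGE-cpython"
 }
 ]
 }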
10 changes: 5 additions & 5 deletions tests/test_sbom.py
Expand Up @@ -14,11 +14,11 @@
@pytest.mark.parametrize(
["value", "expected"],
[
("abc", "abc-ba7816bf"),
As far as I can tell this doesn't actually exercise the unhappy hash path, would it make sense to add a collision to this set of parameters? I don't remember if pytest guarantees ordered execution of the test with parameters.

("def", "def-cb8379ac"),
("SPDXRef-PACKAGE-pip", "SPDXRef-PACKAGE-pip-ced959c1"),
("SPDXRef-PACKAGE-cpython", "SPDXRef-PACKAGE-cpython-79ab18d2"),
("SPDXRef-PACKAGE-urllib3", "SPDXRef-PACKAGE-urllib3-b8ab4751"),
("abc", "abc"),
("path/name", "path-name"),
("SPDXRef-PACKAGE-pip", "SPDXRef-PACKAGE-pip"),
("SPDXRef-PACKAGE-cpython", "SPDXRef-PACKAGE-cpython"),
("SPDXRef-PACKAGE-urllib3", "SPDXRef-PACKAGE-urllib3"),
],
)
def test_spdx_id(value: str, expected: str) -> None: