Defining and generating spdx 3.0 json elements #830
Dave Tryon (@DaveTryon) commented on this pull request, Thursday, December 12, 2024 1:21:51 AM:
In src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Entities/AnyLicenseInfo.cs:
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace Microsoft.Sbom.Parsers.Spdx30SbomParser.Entities;
+
+/// <summary>
+/// Class defintion is based on: https://spdx.github.io/spdx-spec/v3.0.1/model/SimpleLicensing/Classes/AnyLicenseInfo/
+/// </summary>
+public class AnyLicenseInfo : Element
+{
+ public AnyLicenseInfo()
+ {
+ Type = nameof(AnyLicenseInfo);
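Review bot: the doc comment `/// Class defintion is based on:` misspells "definition"; fix the typo while this file is being touched. The per-class `Type = nameof(AnyLicenseInfo);` in the constructor is the pattern the next comment suggests centralizing in `Element`, so this line can go once that is done.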
This is way better than hardcoded strings, but we might be able to do even better. Since all of the types derive from Element, you could centralize the code that sets the Type property in the constructor of the Element class:
Type = GetType().Name;
For derived classes, this will provide the name of the derived class, not the base class.
Looking at the code, I think the NoneElement is the only class that sets its type to a value that doesn't match the class. In that case. you can continue to set it in the constructor for NoneElement, since the base class constructor is called before the derived class constructor and the property will just get overwritten
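Dave's suggestion worked through as an added example (this is not code from the sbom-tool repository): the base constructor sets Type from the runtime class name, and NoneElement overwrites it afterwards because the base constructor always runs first. The NoneElement type string and the spdxId values are placeholders I assumed, not the project's.

```csharp
using System;
using System.Text.Json;
using System.Text.Json.Serialization;

// Base class: "type" is taken from the runtime class name once, in the base
// constructor, instead of Type = nameof(...) in every derived constructor.
public class Element
{
    public Element()
    {
        // GetType() resolves to the most-derived runtime type, so constructing an
        // AnyLicenseInfo stores "AnyLicenseInfo" even though this code lives in Element.
        Type = GetType().Name;
    }

    [JsonPropertyName("type")]
    public string Type { get; set; }

    [JsonPropertyName("spdxId")]
    public string SpdxId { get; set; } = string.Empty;
}

// Ordinary element: nothing to do, the base constructor already set Type.
public class AnyLicenseInfo : Element
{
}

// The one element whose serialized type differs from its class name.
// The base constructor runs first (Type = "NoneElement"), then this body overwrites it.
public class NoneElement : Element
{
    public NoneElement()
    {
        // Placeholder (assumed): the real value is whatever the project emits here.
        Type = "none-element-type-placeholder";
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample ids; serialize with the runtime type so any
        // derived-class properties are included as well.
        var license = new AnyLicenseInfo { SpdxId = "urn:example:license-1" };
        var none = new NoneElement { SpdxId = "urn:example:none" };
        Console.WriteLine(JsonSerializer.Serialize(license, license.GetType()));
        Console.WriteLine(JsonSerializer.Serialize(none, none.GetType()));
    }
}
```

The first line printed carries "type":"AnyLicenseInfo" without any assignment in that class; the second carries the overwritten placeholder, showing the base-then-derived constructor order the comment relies on.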
Dave Tryon (@DaveTryon) commented on this pull request, Thursday, December 12, 2024 1:18:34 AM:
In src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Entities/Element.cs:
@@ -0,0 +1,70 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System.Collections;
+using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
+namespace Microsoft.Sbom.Parsers.Spdx30SbomParser.Entities;
+
+/// <summary>
+/// Base domain class from which all other SPDX-3.0 domain classes derive.
+/// https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Classes/Element/
+/// </summary>
+public class Element
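Review bot: `using System.Collections;` next to `using System.Collections.Generic;` looks out of place in a plain domain class; if nothing in the remaining lines of the file uses the non-generic collection types, drop it. If `public class Element` does become abstract, as the following comment asks, the summary comment should also say that the class is never instantiated directly.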
Should this be abstract? I'm not sure if we ever have just an Element that isn't a derived object.
Pragnya (@pragnya17) commented on this pull request, Wednesday, December 11, 2024 9:59:13 PM:
In src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Generator.cs:
+ {
+ Name = orgName,
+ };
+
+ var spdxTool = new Tool
+ {
+ Name = toolName,
+ };
+
+ spdxOrganization.AddSpdxId();
+ spdxTool.AddSpdxId();
+
+ var spdxCreationInfo = new CreationInfo
+ {
+ Id = "_:creationinfo",
+ SpecVersion = Constants.SPDXVersion,
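Review bot: `SpecVersion = Constants.SPDXVersion` should be checked against the 3.0.1 CreationInfo definition of specVersion before relying on the 2.2 precedent discussed here: 3.0.1 types that property as SemVer (major.minor.patch), whereas 2.2's `spdxVersion` used the `SPDX-2.2` form, so a constant holding only major.minor may fail schema validation. Separately, the blank-node literal `Id = "_:creationinfo"` would read better as a named constant alongside `Constants.SPDXVersion`.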
In the 2.2 Generator it is also defined as just major.minor - https://github.com/microsoft/sbom-tool/blob/main/src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Constants.cs. So I think this should be fine here as well.
Pragnya (@pragnya17) commented on this pull request, Wednesday, December 11, 2024 9:35:03 PM:
In src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Generator.cs:
+/// </summary>
+public class Generator : IManifestGenerator
+{
+ private static readonly Dictionary<AlgorithmName, HashAlgorithm> AlgorithmMap = new()
+ {
+ { AlgorithmName.SHA1, HashAlgorithm.sha1 },
+ { AlgorithmName.SHA256, HashAlgorithm.sha256 },
+ { AlgorithmName.SHA512, HashAlgorithm.sha512 },
+ { AlgorithmName.MD5, HashAlgorithm.md5 }
+ };
+
+ public AlgorithmName[] RequiredHashAlgorithms => new[] { AlgorithmName.SHA256, AlgorithmName.SHA1 };
+
+ public string Version { get; set; } = string.Join("-", Constants.SPDXName, Constants.SPDXVersion);
+
+ string IManifestGenerator.FilesArrayHeaderName => throw new NotImplementedException();
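Review bot: `public AlgorithmName[] RequiredHashAlgorithms => new[] { AlgorithmName.SHA256, AlgorithmName.SHA1 };` allocates a fresh array on every read; hoist it into a `private static readonly AlgorithmName[]` next to `AlgorithmMap` and return that. On `string IManifestGenerator.FilesArrayHeaderName => throw new NotImplementedException();`, `NotSupportedException` states the intent better, since the member is deliberately unsupported for SPDX 3.0 rather than still pending, and a one-line comment on the explicit implementations should say so.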
Yes that makes more sense, I wasn't aware of that before. Ideally, we wouldn't have these at all:
string IManifestGenerator.FilesArrayHeaderName => throw new NotSupportedException();
string IManifestGenerator.PackagesArrayHeaderName => throw new NotSupportedException();
string IManifestGenerator.RelationshipsArrayHeaderName => throw new NotSupportedException();
string IManifestGenerator.ExternalDocumentRefArrayHeaderName => throw new NotSupportedException();
But they are required since this class should inherit from the IManifestGenerator - similar to what is done in the 2.2 generator.
DaveTryon left a comment:
LGTM
Pragnya (@pragnya17) commented on this pull request, Monday, December 16, 2024 6:45:53 PM:
In src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Generator.cs:
+ /// <exception cref="MissingHashValueException"></exception>
+ public GenerationResult GenerateJsonDocument(ExternalDocumentReferenceInfo externalDocumentReferenceInfo)
+ {
+ if (externalDocumentReferenceInfo is null)
+ {
+ throw new ArgumentNullException(nameof(externalDocumentReferenceInfo));
+ }
+
+ if (externalDocumentReferenceInfo.Checksum is null)
+ {
+ throw new ArgumentNullException(nameof(externalDocumentReferenceInfo.Checksum));
+ }
+
+ var sha1Hash = externalDocumentReferenceInfo.Checksum.FirstOrDefault(h => h.Algorithm == AlgorithmName.SHA1) ??
+ throw new MissingHashValueException(
+ $"The hash value for algorithm {AlgorithmName.SHA1} is missing from {nameof(externalDocumentReferenceInfo)}");
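Review bot: `throw new ArgumentNullException(nameof(externalDocumentReferenceInfo.Checksum))` reports the property name `Checksum` as the offending parameter name, but no parameter of this method is called that; prefer `throw new ArgumentException("Checksum is required", nameof(externalDocumentReferenceInfo))`. The `<exception cref="MissingHashValueException"></exception>` tag is also empty; state that it is thrown when the checksum list has no SHA1 entry, which is what the `FirstOrDefault(...) ?? throw` line does.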
Talked to Rob and he confirmed that SHA1 was required. Will check with Adrian in the new year to get more context and document why it is required.
c772392 to 7447224
@microsoft-github-policy-service agree [company="{Microsoft}"]
@microsoft-github-policy-service agree company="Microsoft"
Pragnya merged #830 into main (Monday, December 16, 2024 10:38:37 PM).
With the completion of this feature, we will be able to generate spdx 3.0 json elements which make up an SBOM document.
The goal is to generate spdx 3.0 elements in the format that is specified by the 3.0 spec - SPDX Specification 3.0.1.
Specifically, these are the changes that are introduced in this PR: