/
package.go
231 lines (178 loc) · 7.21 KB
/
package.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
// SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
package v2_2
import (
"encoding/json"
"strings"
"github.com/spdx/tools-golang/json/marshal"
"github.com/spdx/tools-golang/spdx/v2/common"
)
// Package is a Package section of an SPDX Document for version 2.2 of the spec.
type Package struct {
// NOT PART OF SPEC
// flag: does this "package" contain files that were in fact "unpackaged",
// e.g. included directly in the Document without being in a Package?
IsUnpackaged bool `json:"-"`
// 7.1: Package Name
// Cardinality: mandatory, one
PackageName string `json:"name"`
// 7.2: Package SPDX Identifier: "SPDXRef-[idstring]"
// Cardinality: mandatory, one
PackageSPDXIdentifier common.ElementID `json:"SPDXID"`
// 7.3: Package Version
// Cardinality: optional, one
PackageVersion string `json:"versionInfo,omitempty"`
// 7.4: Package File Name
// Cardinality: optional, one
PackageFileName string `json:"packageFileName,omitempty"`
// 7.5: Package Supplier: may have single result for either Person or Organization,
// or NOASSERTION
// Cardinality: optional, one
PackageSupplier *common.Supplier `json:"supplier,omitempty"`
// 7.6: Package Originator: may have single result for either Person or Organization,
// or NOASSERTION
// Cardinality: optional, one
PackageOriginator *common.Originator `json:"originator,omitempty"`
// 7.7: Package Download Location
// Cardinality: mandatory, one
PackageDownloadLocation string `json:"downloadLocation"`
// 7.8: FilesAnalyzed
// Cardinality: optional, one; default value is "true" if omitted
FilesAnalyzed bool `json:"filesAnalyzed"`
// NOT PART OF SPEC: did FilesAnalyzed tag appear?
IsFilesAnalyzedTagPresent bool `json:"-"`
// 7.9: Package Verification Code
PackageVerificationCode common.PackageVerificationCode `json:"packageVerificationCode,omitempty"`
// 7.10: Package Checksum: may have keys for SHA1, SHA256, SHA512 and/or MD5
// Cardinality: optional, one or many
PackageChecksums []common.Checksum `json:"checksums,omitempty"`
// 7.11: Package Home Page
// Cardinality: optional, one
PackageHomePage string `json:"homepage,omitempty"`
// 7.12: Source Information
// Cardinality: optional, one
PackageSourceInfo string `json:"sourceInfo,omitempty"`
// 7.13: Concluded License: SPDX License Expression, "NONE" or "NOASSERTION"
// Cardinality: mandatory, one
PackageLicenseConcluded string `json:"licenseConcluded"`
// 7.14: All Licenses Info from Files: SPDX License Expression, "NONE" or "NOASSERTION"
// Cardinality: mandatory, one or many if filesAnalyzed is true / omitted;
// zero (must be omitted) if filesAnalyzed is false
PackageLicenseInfoFromFiles []string `json:"licenseInfoFromFiles,omitempty"`
// 7.15: Declared License: SPDX License Expression, "NONE" or "NOASSERTION"
// Cardinality: mandatory, one
PackageLicenseDeclared string `json:"licenseDeclared"`
// 7.16: Comments on License
// Cardinality: optional, one
PackageLicenseComments string `json:"licenseComments,omitempty"`
// 7.17: Copyright Text: copyright notice(s) text, "NONE" or "NOASSERTION"
// Cardinality: mandatory, one
PackageCopyrightText string `json:"copyrightText"`
// 7.18: Package Summary Description
// Cardinality: optional, one
PackageSummary string `json:"summary,omitempty"`
// 7.19: Package Detailed Description
// Cardinality: optional, one
PackageDescription string `json:"description,omitempty"`
// 7.20: Package Comment
// Cardinality: optional, one
PackageComment string `json:"comment,omitempty"`
// 7.21: Package External Reference
// Cardinality: optional, one or many
PackageExternalReferences []*PackageExternalReference `json:"externalRefs,omitempty"`
// 7.22: Package External Reference Comment
// Cardinality: conditional (optional, one) for each External Reference
// contained within PackageExternalReference struct, if present
// 7.23: Package Attribution Text
// Cardinality: optional, one or many
PackageAttributionTexts []string `json:"attributionTexts,omitempty"`
// Files contained in this Package
Files []*File `json:"files,omitempty"`
Annotations []Annotation `json:"annotations,omitempty"`
// this field is only used when decoding JSON to translate the hasFiles
// property to relationships
hasFiles []common.DocElementID
}
func (p Package) MarshalJSON() ([]byte, error) {
type pkg Package
p2 := pkg(p)
data, err := marshal.JSON(p2)
if err != nil {
return nil, err
}
// remove empty packageVerificationCode entries -- required by SPDX 2.2 but
// omitempty has no effect since it is a non-comparable struct and not a pointer, so we
// manually check to determine if there is a valid value to output and omit the field if not
// see: https://spdx.github.io/spdx-spec/v2.2.2/package-information/#79-package-verification-code-field
if p.PackageVerificationCode.Value == "" && p.PackageVerificationCode.ExcludedFiles == nil {
var values map[string]interface{}
err = json.Unmarshal(data, &values)
if err != nil {
return nil, err
}
delete(values, "packageVerificationCode")
return marshal.JSON(values)
}
return data, nil
}
func (p *Package) UnmarshalJSON(b []byte) error {
type pkg Package
type extras struct {
HasFiles []common.DocElementID `json:"hasFiles"`
FilesAnalyzed *bool `json:"filesAnalyzed"`
}
var p2 pkg
if err := json.Unmarshal(b, &p2); err != nil {
return err
}
var e extras
if err := json.Unmarshal(b, &e); err != nil {
return err
}
*p = Package(p2)
p.hasFiles = e.HasFiles
// FilesAnalyzed defaults to true if omitted
if e.FilesAnalyzed == nil {
p.FilesAnalyzed = true
} else {
p.IsFilesAnalyzedTagPresent = true
}
return nil
}
var _ json.Unmarshaler = (*Package)(nil)
var _ json.Marshaler = (*Package)(nil)
// PackageExternalReference is an External Reference to additional info
// about a Package, as defined in section 7.21 in version 2.2 of the spec.
type PackageExternalReference struct {
// category is "SECURITY", "PACKAGE-MANAGER" or "OTHER"
Category string `json:"referenceCategory"`
// type is an [idstring] as defined in Appendix VI;
// called RefType here due to "type" being a Golang keyword
RefType string `json:"referenceType"`
// locator is a unique string to access the package-specific
// info, metadata or content within the target location
Locator string `json:"referenceLocator"`
// 7.22: Package External Reference Comment
// Cardinality: conditional (optional, one) for each External Reference
ExternalRefComment string `json:"comment,omitempty"`
}
var _ json.Unmarshaler = (*PackageExternalReference)(nil)
func (r *PackageExternalReference) UnmarshalJSON(b []byte) error {
type ref PackageExternalReference
var rr ref
if err := json.Unmarshal(b, &rr); err != nil {
return err
}
*r = PackageExternalReference(rr)
r.Category = strings.ReplaceAll(r.Category, "_", "-")
return nil
}
var _ json.Marshaler = (*PackageExternalReference)(nil)
// We output as the JSON type enums since in v2.2.0 the JSON schema
// spec only had enums with _ (e.g. PACKAGE_MANAGER)
func (r *PackageExternalReference) MarshalJSON() ([]byte, error) {
type ref PackageExternalReference
var rr ref
rr = ref(*r)
rr.Category = strings.ReplaceAll(rr.Category, "-", "_")
return marshal.JSON(&rr)
}