-
Notifications
You must be signed in to change notification settings - Fork 20
/
base_checker.py
358 lines (299 loc) · 12.3 KB
/
base_checker.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
# SPDX-FileCopyrightText: 2024 SPDX contributors
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: Apache-2.0
"""Base checking functionality."""
import logging
import os
import sys
from abc import ABC, abstractmethod
from typing import Any, Dict, List, Optional, Tuple, Union, cast
from spdx_tools.spdx.model import Document
from spdx_tools.spdx.model.spdx_no_assertion import SpdxNoAssertion
from spdx_tools.spdx.parser import parse_anything
from spdx_tools.spdx.parser.error import SPDXParsingError
from spdx_tools.spdx.validation.document_validator import validate_full_spdx_document
# pylint: disable=too-many-instance-attributes
class BaseChecker(ABC):
"""Base class for all compliance checkers.
This base class contains methods for common tasks like file loading
and parsing.
Any class inheriting from BaseChecker must implement its abstract methods,
such as `check_compliance` and `output_json`.
"""
compliance_standard: str = ""
file: str = ""
doc: Optional[Document] = None
parsing_error: List[str] = []
validation_messages: Optional[List[str]] = None
sbom_name: str = ""
components_without_names: List[str] = []
components_without_versions: List[str] = []
components_without_suppliers: List[str] = []
components_without_identifiers: List[str] = []
components_without_concluded_licenses: List[str] = []
components_without_copyright_texts: List[str] = []
doc_version: bool = False
doc_author: bool = False
doc_timestamp: bool = False
dependency_relationships: bool = False
compliant: bool = False
# an alias of "compliant", for backward compatibility
ntia_minimum_elements_compliant: bool = compliant
@abstractmethod
def check_compliance(self) -> bool:
"""Abstract method to check compliance."""
@abstractmethod
def check_doc_version(self) -> bool:
"""Abstract method to check SBOM document version."""
@abstractmethod
def check_dependency_relationships(self) -> bool:
"""Abstract method to check dependency relationship requirements."""
@abstractmethod
def print_components_missing_info(self) -> None:
"""
Abstract method to print information about components that
are missing required details.
What is considered "missing" is determined by a compliance standard
and the method that implements this abstract method.
Returns:
None
"""
@abstractmethod
def print_table_output(self) -> None:
"""
Abstract method to print element-by-element result table.
Returns:
None
"""
@abstractmethod
def output_json(self) -> Dict[str, Any]:
"""
Abstract method to create a dict of results for outputting
to JSON.
"""
@abstractmethod
def output_html(self) -> str:
"""Abstract method to create a result in HTML format."""
def __init__(self, file, validate=True, compliance=""):
"""
Initialize the BaseChecker.
Args:
file (str): The file to be checked.
validate (bool): Whether to validate the file.
compliance (str): The compliance standard to be used. Defaults to "ntia".
"""
self.compliance_standard = compliance
self.file = file
self.doc = self.parse_file() # Document or None
if self.doc:
self.doc = cast(Document, self.doc)
if validate:
self.validation_messages = validate_full_spdx_document(self.doc)
self.components_without_names = self.get_components_without_names()
self.components_without_versions = self.get_components_without_versions()
self.components_without_suppliers = self.get_components_without_suppliers()
self.components_without_identifiers = (
self.get_components_without_identifiers()
)
self.components_without_concluded_licenses = (
self.get_components_without_concluded_licenses()
)
self.components_without_copyright_texts = (
self.get_components_without_copyright_texts()
)
def get_components_without_concluded_licenses(
self, return_tuples=False
) -> Union[List[str], List[Tuple[str, str]]]:
"""
Retrieve names and/or SPDX IDs of components without concluded licenses.
Args:
return_tuples (bool): If True, return a list of tuples with
component names and SPDX IDs.
If False, return a list of component names.
Returns:
Union[List[str], List[Tuple[str, str]]]: A list of component names
or a list of tuples with component names and SPDX IDs.
"""
# Note: concluded license is mandatory in SPDX-2.2 and SPDX-2.3
if not self.doc:
return []
if return_tuples:
components_name_id: List[Tuple[str, str]] = []
for package in self.doc.packages:
no_license = (
package.license_concluded is None
or isinstance(package.license_concluded, SpdxNoAssertion)
or (
isinstance(package.license_concluded, str)
and package.license_concluded.strip() == ""
)
)
if no_license:
components_name_id.append((package.name, package.spdx_id))
return components_name_id
components_name: List[str] = []
for package in self.doc.packages:
no_license = (
package.license_concluded is None
or isinstance(package.license_concluded, SpdxNoAssertion)
or (
isinstance(package.license_concluded, str)
and package.license_concluded.strip() == ""
)
)
if no_license:
components_name.append(package.name)
return components_name
def get_components_without_copyright_texts(
self, return_tuples=False
) -> Union[List[str], List[Tuple[str, str]]]:
"""
Retrieve names and/or SPDX IDs of components without copyright texts.
Args:
return_tuples (bool): If True, return a list of tuples with
component names and SPDX IDs.
If False, return a list of component names.
Returns:
Union[List[str], List[Tuple[str, str]]]: A list of component names
or a list of tuples with component names and SPDX IDs.
"""
if not self.doc:
return []
if return_tuples:
components_name_id: List[Tuple[str, str]] = []
for package in self.doc.packages:
no_license = (
package.copyright_text is None
or isinstance(package.copyright_text, SpdxNoAssertion)
or (
isinstance(package.copyright_text, str)
and package.copyright_text.strip() == ""
)
)
if no_license:
components_name_id.append((package.name, package.spdx_id))
return components_name_id
components_name: List[str] = []
for package in self.doc.packages:
no_license = (
package.copyright_text is None
or isinstance(package.copyright_text, SpdxNoAssertion)
or (
isinstance(package.copyright_text, str)
and package.copyright_text.strip() == ""
)
)
if no_license:
components_name.append(package.name)
return components_name
def get_components_without_identifiers(self) -> list[str]:
"""
Retrieve name of components without identifiers.
Returns:
List[str]: A list of component names that do not have identifiers.
"""
if not self.doc:
return []
return [package.name for package in self.doc.packages if not package.spdx_id]
def get_components_without_names(self) -> list[str]:
"""
Retrieve SPDX ID of components without names.
Args:
return_tuples (bool): If True, return a list of tuples with
component names and SPDX IDs.
If False, return a list of component names.
Returns:
Union[List[str], List[Tuple[str, str]]]: A list of component names
or a list of tuples with component names and SPDX IDs.
"""
if not self.doc:
return []
components_without_names = []
for package in self.doc.packages:
if not package.name:
components_without_names.append(package.spdx_id)
return components_without_names
def get_components_without_suppliers(
self, return_tuples=False
) -> Union[List[str], List[Tuple[str, str]]]:
"""
Retrieve names and/or SPDX IDs of components without suppliers.
Args:
return_tuples (bool): If True, return a list of tuples with
component names and SPDX IDs.
If False, return a list of component names.
Returns:
Union[List[str], List[Tuple[str, str]]]: A list of component names
or a list of tuples with component names and SPDX IDs.
"""
if not self.doc:
return []
if return_tuples:
components_name_id: List[Tuple[str, str]] = []
for package in self.doc.packages:
no_supplier = package.supplier is None or isinstance(
package.supplier, SpdxNoAssertion
)
if no_supplier:
components_name_id.append((package.name, package.spdx_id))
return components_name_id
components_name: List[str] = []
for package in self.doc.packages:
no_supplier = package.supplier is None or isinstance(
package.supplier, SpdxNoAssertion
)
if no_supplier:
components_name.append(package.name)
return components_name
def get_components_without_versions(
self, return_tuples=False
) -> Union[List[str], List[Tuple[str, str]]]:
"""
Retrieve name and/or SPDX ID of components without versions.
Args:
return_tuples (bool): If True, return a list of tuples with
component names and SPDX IDs.
If False, return a list of component names.
Returns:
Union[List[str], List[Tuple[str, str]]]: A list of component names
or a list of tuples with component names and SPDX IDs.
"""
if not self.doc:
return []
if return_tuples:
components_name_id: List[Tuple[str, str]] = []
for package in self.doc.packages:
if not package.version:
components_name_id.append((package.name, package.spdx_id))
return components_name_id
components_name: List[str] = []
for package in self.doc.packages:
if not package.version:
components_name.append(package.name)
return components_name
def get_total_number_components(self) -> int:
"""
Retrieve total number of components.
Returns:
int: The total number of components.
"""
if not self.doc:
return 0
return len(self.doc.packages)
def parse_file(self) -> Optional[Document]:
"""
Parse SBOM document.
Returns:
Optional[Document]: The parsed SBOM document if successful,
otherwise None.
"""
# check if file exists
if not os.path.exists(self.file):
logging.error("Filename %s not found.", self.file)
sys.exit(1)
try:
doc = parse_anything.parse_file(self.file)
except SPDXParsingError as err:
self.parsing_error.extend(err.get_messages())
return None
return cast(Document, doc)