fix(request.json): version with subpath

We cannot realibly determine if dependency was vendored from SBOM metdata. Keep it safe and export version including git od download URL with subpath. Signed-off-by: Martin Basti <mbasti@redhat.com>
containerbuildsystem · Dec 3, 2024 · 7018bb7 · 7018bb7
1 parent c8abb4e
commit 7018bb7
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 4 deletions.
diff --git a/atomic_reactor/utils/cachi2.py b/atomic_reactor/utils/cachi2.py
@@ -110,18 +110,25 @@ def gen_dependency_from_sbom_component(sbom_dep: Dict[str, Any]) -> Dict[str, Op
             heuristic_type = request_type
             break
 
+    pkg_dot_path = ("golang", "gem")
+
     version = (
         # for non-registry dependencies cachito uses URL as version
         purl.qualifiers.get("vcs_url") or
         purl.qualifiers.get("download_url") or
         # for local dependencies Cachito uses path as version
-        (f"./{purl.subpath}" if purl.subpath and purl.type == "golang" else None) or
-        (f"file:{purl.subpath}" if purl.subpath and purl.type != "golang" else None) or
+        (f"./{purl.subpath}" if purl.subpath and purl.type in pkg_dot_path else None) or
+        (f"file:{purl.subpath}" if purl.subpath and purl.type not in pkg_dot_path else None) or
         # version is mainly for dependencies from pkg registries
         sbom_dep.get("version")
         # returns None if version cannot be determined
     )
 
+    if version and purl.subpath and not version.endswith(purl.subpath):
+        # include subpath into vcs or download url to get exact location of dependency
+        # used mainly for vendored deps
+        version = f"{version}#{purl.subpath}"
+
     res = {
         "name": sbom_dep["name"],
         "replaces": None,  # it's always None, replacements aren't supported by cachi2

diff --git a/tests/utils/test_cachi2.py b/tests/utils/test_cachi2.py
@@ -291,7 +291,7 @@ def test_convert_SBOM_to_ICM(sbom, expected_icm):
             "type": "npm",
             "version": (
                 "git+https://github.com/cachito-testing/cachito-npm-without-deps.git@"
-                "2f0ce1d7b1f8b35572d919428b965285a69583f6"),
+                "2f0ce1d7b1f8b35572d919428b965285a69583f6#path"),
         },
         id="version_vsc_url"
     ),
@@ -308,7 +308,7 @@ def test_convert_SBOM_to_ICM(sbom, expected_icm):
             "name": "cachito-npm-without-deps",
             "replaces": None,
             "type": "npm",
-            "version": "https://example.com/pkg",
+            "version": "https://example.com/pkg#path",
         },
         id="version_download_url"
     ),
@@ -378,6 +378,21 @@ def test_convert_SBOM_to_ICM(sbom, expected_icm):
         },
         id="npm_dev"
     ),
+    pytest.param(
+        {
+            "name": "validate_url",
+            "version": "1.0.5",
+            "purl": "pkg:gem/validate_url#subpath",
+            "type": "library"
+        },
+        {
+            "name": "validate_url",
+            "replaces": None,
+            "type": "rubygems",
+            "version": "./subpath"
+        },
+        id="type_rubygem_subpath_only"
+    ),
 ])
 def test_gen_dependency_from_sbom_component(sbom_comp, expected):
     """Test generating request.json dependency from sbom component"""