Overview
Package sbom captures the internal data model of the SBOMs melange produces into a private, generalized bill of materials model (with relationship data) designed to be converted to specific formats — for now, just SPDX.
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Document (added in v0.14.0)
type Document struct {
	CreatedTime time.Time
	Describes   *Package
	Packages    []Package
	// Relationships is a list of relationships between elements in the SBOM.
	//
	// We're using the SPDX relationship type for now out of convenience, but we can
	// decouple this from our internal SBOM types later if it becomes valuable.
	Relationships []spdx.Relationship
	// LicensingInfos is a map of instances of the `Copyright.License` field in the
	// described package's build configuration to the string content of the file
	// from its corresponding `Copyright.LicensePath` field. It should be set by the
	// consumer, using the value from calling `(config.Package).LicensingInfos` on
	// the package being set as this document's described package.
	LicensingInfos map[string]string
}
Document is a representation of the SBOM information provided by the build process. It is later converted to an SPDX document.
func NewDocument (added in v0.14.0)
func NewDocument() *Document
NewDocument creates a new Document.
func (*Document) AddPackage (added in v0.14.0)
AddPackage adds a package to the document.
func (*Document) AddPackageAndSetDescribed (added in v0.14.0)
AddPackageAndSetDescribed adds a package to the document and sets it as the document's described package.
func (*Document) AddRelationship (added in v0.14.0)
AddRelationship adds a relationship between two elements in the SBOM.
func (Document) ToSPDX (added in v0.14.0)
func (d Document) ToSPDX(ctx context.Context, releaseData *apko_build.ReleaseData) spdx.Document
ToSPDX returns the Document converted to its SPDX representation.
type Element (added in v0.14.0)
type Element interface {
	// ID returns the unique identifier for this element.
	ID() string
}
Element represents any referenceable entity in an SBOM.
type Package (added in v0.14.0)
type Package struct {
	// IDComponents lets the consumer specify additional bits of data that should be
	// included in the generation of the eventual SBOM package ID. By default, this
	// slice has a length of zero, in which case only the package's name and version
	// will be used. But sometimes it's necessary to include more bits of data to
	// ensure package IDs remain unique. If this slice's length is non-zero, only
	// these values will be used when producing the ID (via calling the ID method)
	// (i.e. name and version would need to be added explicitly to this slice).
	IDComponents []string
	// The name of the origin package, a subpackage, or any other kind of (e.g.
	// non-APK) package for inclusion in the SBOM.
	Name string
	// The version of the package. For APK packages, this should be the "full
	// version" (including the epoch).
	Version string
	// This is the copyright text in the SPDX package. It's usually left blank.
	Copyright string
	// SPDX license expression. Leaving this empty will result in NOASSERTION being
	// used as its value.
	LicenseDeclared string
	// Name of the distro/organization that produced the package. E.g. "wolfi".
	//
	// TODO: consider renaming this to avoid confusion from our other uses of
	// "namespace", perhaps to "supplier" or "originator" (or have both), and signal
	// that it's safe to leave this blank.
	Namespace string
	// The architecture of the package. E.g. "aarch64". This field isn't always
	// relevant, especially when describing material upstream of the built APK
	// package (e.g. source code or language ecosystem dependencies).
	Arch string
	// Checksums of the package. The keys are the checksum algorithms (e.g. "SHA-256"),
	// and the values are the checksums.
	Checksums map[string]string
	// The Package URL for this package, if any. If set, it will be added as the
	// only ExternalRef of type "purl" to the SPDX package. (A package
	// should have only one PURL external ref.)
	PURL *purl.PackageURL
	// The download location for this package, if any. When set, it is generated
	// alongside the PackageURL by the fetch/git-checkout pipelines for upstream
	// source locations. Leaving this empty will result in NOASSERTION being
	// used as its value.
	DownloadLocation string
}
Package is a representation of an SBOM package specified by the build process. It is later converted to an SPDX package, but it doesn't expose fields that are invariant in the SPDX output.
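The two contracts above that matter most to a consumer are the ID derivation described on IDComponents (name and version by default; only the listed components when the slice is non-empty) and the NOASSERTION default for an empty LicenseDeclared. The following is an added, self-contained example that is not melange's own code: it models a cut-down Document and Package with the same field names and the AddPackage, AddPackageAndSetDescribed and AddRelationship operations documented above, and adds a hypothetical DuplicateIDs check that a consumer can run before calling ToSPDX. The SPDX ID sanitisation (folding anything outside letters, digits, "." and "-" into "-"), the "SPDXRef-Package-" prefix, the Relationship struct and the openssl build data are all assumptions made for the example, not melange's implementation.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Package is a hypothetical, cut-down model carrying only the documented fields
// that shape the SPDX package ID and its declared license. Not melange's type.
type Package struct {
	IDComponents    []string
	Name            string
	Version         string
	LicenseDeclared string
}

// SPDX 2.x element IDs may contain only letters, digits, "." and "-"; the example
// folds any other run of characters to "-" (assumed rule, not melange's).
var idUnsafe = regexp.MustCompile(`[^A-Za-z0-9.-]+`)

// ID follows the documented IDComponents contract: with no components the ID is
// built from name and version only; with components, from those values alone.
func (p Package) ID() string {
	parts := []string{p.Name, p.Version}
	if len(p.IDComponents) > 0 {
		parts = p.IDComponents
	}
	return "SPDXRef-Package-" + idUnsafe.ReplaceAllString(strings.Join(parts, "-"), "-")
}

// LicenseDeclaredOrNoAssertion applies the documented default for an empty license.
func (p Package) LicenseDeclaredOrNoAssertion() string {
	if p.LicenseDeclared == "" {
		return "NOASSERTION"
	}
	return p.LicenseDeclared
}

// Relationship is an assumed stand-in for the SPDX (element, related, type) triple.
type Relationship struct{ Element, Related, Type string }

type Document struct {
	Describes     *Package
	Packages      []Package
	Relationships []Relationship
}

func (d *Document) AddPackage(p *Package) { d.Packages = append(d.Packages, *p) }

func (d *Document) AddPackageAndSetDescribed(p *Package) {
	d.AddPackage(p)
	d.Describes = p
}

func (d *Document) AddRelationship(a, b Package, typ string) {
	d.Relationships = append(d.Relationships, Relationship{a.ID(), b.ID(), typ})
}

// DuplicateIDs reports package IDs that occur more than once. Two packages that
// collapse to one SPDX ID are indistinguishable downstream (relationships and
// checksums end up attached to the wrong element), so this should be empty before
// conversion; the fix is to populate IDComponents on the colliding packages.
func (d Document) DuplicateIDs() []string {
	count := map[string]int{}
	for _, p := range d.Packages {
		count[p.ID()]++
	}
	var dups []string
	for id, n := range count {
		if n > 1 {
			dups = append(dups, id)
		}
	}
	sort.Strings(dups)
	return dups
}

// BuildDocument constructs (sample data, not a real build) a document for an APK
// build of openssl whose upstream source tarball shares its name and version.
// With distinguishSource false the two IDs collide; with true, IDComponents
// separates them while the built package keeps the default name-version ID.
func BuildDocument(distinguishSource bool) Document {
	apk := &Package{Name: "openssl", Version: "3.2.1-r0", LicenseDeclared: "Apache-2.0"}
	src := &Package{Name: "openssl", Version: "3.2.1-r0"}
	if distinguishSource {
		src.IDComponents = []string{src.Name, src.Version, "source"}
	}
	d := Document{}
	d.AddPackageAndSetDescribed(apk)
	d.AddPackage(src)
	d.AddRelationship(*apk, *src, "GENERATED_FROM") // SPDX 2.3 relationship type
	return d
}

func main() {
	for _, distinguish := range []bool{false, true} {
		d := BuildDocument(distinguish)
		fmt.Printf("IDComponents set on source=%v duplicates=%v\n", distinguish, d.DuplicateIDs())
	}
	fmt.Println(Package{Name: "github.com/foo/bar", Version: "v1.2.3"}.ID())
}
```

Running it shows the collision on "SPDXRef-Package-openssl-3.2.1-r0" disappear once the source package carries IDComponents, and shows why IDComponents must repeat name and version explicitly: they are the only inputs to the ID once the slice is non-empty. The DuplicateIDs check is the kind of guard worth placing between populating the Document and calling ToSPDX, since an SPDX consumer will otherwise silently merge the colliding elements.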