RedHatProductSecurity
diff --git a/‎.github/workflows/test.yml
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/test.yml
Lines changed: 2 additions & 1 deletion
diff --git a/‎docs/sbom.md
Lines changed: 8 additions & 1 deletion b/‎docs/sbom.md
Lines changed: 8 additions & 1 deletion
diff --git a/‎requirements/dev-requirements.txt
Lines changed: 372 additions & 435 deletions b/‎requirements/dev-requirements.txt
Lines changed: 372 additions & 435 deletions
diff --git a/‎sbom/cyclonedx-1.5.schema.json
Lines changed: 0 additions & 3799 deletions b/‎sbom/cyclonedx-1.5.schema.json
Lines changed: 0 additions & 3799 deletions
diff --git a/‎sbom/examples/container_image/build/mandrel-for-jdk-21-rhel8-container-23.1-16_amd64.cdx.json
Lines changed: 113 additions & 0 deletions b/‎sbom/examples/container_image/build/mandrel-for-jdk-21-rhel8-container-23.1-16_amd64.cdx.json
Lines changed: 113 additions & 0 deletions
diff --git a/‎sbom/examples/product/create_product_sbom.py
Lines changed: 15 additions & 2 deletions b/‎sbom/examples/product/create_product_sbom.py
Lines changed: 15 additions & 2 deletions
diff --git a/‎sbom/examples/product/rhel-9.2-eus.cdx.json
Lines changed: 18 additions & 1 deletion b/‎sbom/examples/product/rhel-9.2-eus.cdx.json
Lines changed: 18 additions & 1 deletion
diff --git a/‎sbom/examples/product/rhel-9.2-eus.spdx.json
Lines changed: 1 addition & 1 deletion b/‎sbom/examples/product/rhel-9.2-eus.spdx.json
Lines changed: 1 addition & 1 deletion
@@ -18,7 +18,8 @@ jobs:
     - name: Run all envs
       uses: fedora-python/tox-github-action@main
       with:
-        tox_env: ${{ matrix.tox_env }}
+        # tox_env: ${{ matrix.tox_env }}
+        tox_env: py313
     strategy:
       matrix:
         tox_env: [black, ruff, spdx-schema, cdx-schema]
 
@@ -477,9 +477,16 @@ purl identifiers
     they should only ever differ in their qualifier values, not the main components such as package type, name, or
     version; multiple package objects should be used if those values differ.
 
+[`checksums`](https://spdx.github.io/spdx-spec/v2.3/package-information/#710-package-checksum-field)
+:   Minimally, the list of checksums must include the SHA256 checksum of the RPM file or source archive itself.
+    All other checksums should be specified as annotations (see below). 
+
 [`annotations`](https://spdx.github.io/spdx-spec/v2.3/annotations/)
 :   A list of annotations may provide additional information that is specific to the RPM format. In the example
-    above, the MD5 checksum the signed header of the RPM package is included.
+    above, two checksum values are included:
+    - The MD5 checksum of the signed header of the RPM package is included.
+    - The SHA256 checksum of the RPM header (this value does not change when an RPM is signed; unlike the file SHA256 \
+      checksum used in `checksums`).
 
 Each set of architecture-specific RPMs also have an associated source RPM (SRPM) that bundles all the source code
 that was used to build those RPMs. SRPMs should be represented as a separate package object in an SBOM, and their
 
@@ -0,0 +1,113 @@
+{
+  "bomFormat": "CycloneDX",
+  "serialNumber": "urn:uuid:930fffb2-c807-4b92-9029-228a5cf711aa",
+  "specVersion": "1.6",
+  "version": 1,
+  "metadata": {
+    "component": {
+      "name": "quarkus/mandrel-for-jdk-21-rhel8",
+      "publisher": "Red Hat",
+      "purl": "pkg:oci/mandrel-for-jdk-21-rhel8@sha256%3A65c139d16564a14b6832d1a393d18146e2fd921b8d263bf214df5720c1c79b19?arch=amd64&os=linux&tag=23.1-16",
+      "supplier": {
+        "name": "Red Hat",
+        "url": [
+          "https://www.redhat.com"
+        ]
+      },
+      "type": "container"
+    },
+    "timestamp": "2024-10-17T17:34:08Z"
+  },
+  "components": [
+    {
+      "bom-ref": "d9851388f78c0ae4",
+      "name": "quarkus/mandrel-for-jdk-21-rhel8",
+      "purl": "pkg:oci/mandrel-for-jdk-21-rhel8@sha256%3A65c139d16564a14b6832d1a393d18146e2fd921b8d263bf214df5720c1c79b19?arch=amd64&tag=23.1-16",
+      "type": "container",
+      "version": "sha256:65c139d16564a14b6832d1a393d18146e2fd921b8d263bf214df5720c1c79b19"
+    },
+    {
+      "bom-ref": "pkg:rpm/redhat/[email protected]?arch=noarch",
+      "licenses": [
+        {
+          "license": {
+            "name": "OFL"
+          }
+        }
+      ],
+      "name": "abattis-cantarell-fonts",
+      "properties": [
+        {
+          "name": "sbomer:package:type",
+          "value": "rpm"
+        },
+        {
+          "name": "sbomer:location:0:path",
+          "value": "/var/lib/rpm/Packages"
+        }
+      ],
+      "publisher": "Red Hat, Inc.",
+      "purl": "pkg:rpm/redhat/[email protected]?arch=noarch",
+      "type": "library",
+      "version": "0.0.25-6.el8"
+    },
+    {
+      "bom-ref": "pkg:maven/collections/[email protected]",
+      "hashes": [
+        {
+          "alg": "MD5",
+          "content": "c4337f3611f7bcb5c4253d1cbcec9796"
+        },
+        {
+          "alg": "SHA-1",
+          "content": "7af5cbeab522cea32d12779b9e4920f2acc943d5"
+        },
+        {
+          "alg": "SHA-256",
+          "content": "feae3a06020d1d33be26f469ca9d96c6f253bb807a581ea145b77b11561aec4c"
+        }
+      ],
+      "name": "collections",
+      "properties": [
+        {
+          "name": "sbomer:package:language",
+          "value": "java"
+        },
+        {
+          "name": "sbomer:package:type",
+          "value": "java-archive"
+        },
+        {
+          "name": "sbomer:location:0:path",
+          "value": "/usr/share/java/quarkus-mandrel-java/collections.jar"
+        },
+        {
+          "name": "sbomer:metadata:virtualPath",
+          "value": "/usr/share/java/quarkus-mandrel-java/collections.jar"
+        }
+      ],
+      "publisher": "Red Hat",
+      "purl": "pkg:maven/org.graalvm.sdk/[email protected]?type=jar",
+      "type": "library",
+      "version": "23.1.5.0-1-redhat-00001"
+    }
+  ],
+  "dependencies": [
+    {
+      "dependsOn": [
+        "pkg:rpm/redhat/[email protected]?arch=noarch&upstream=abattis-cantarell-fonts-0.0.25-6.el8.src.rpm&distro=rhel-8.10&package-id=a91121201ed3be00",
+        "pkg:maven/collections/[email protected]?package-id=a7c3ff6d3594e20f",
+
+      ],
+      "ref": "d9851388f78c0ae4"
+    },
+    {
+      "dependsOn": [],
+      "ref": "pkg:rpm/redhat/[email protected]?arch=noarch&upstream=abattis-cantarell-fonts-0.0.25-6.el8.src.rpm&distro=rhel-8.10&package-id=a91121201ed3be00"
+    },
+    {
+      "dependsOn": [],
+      "ref": "pkg:maven/collections/[email protected]?package-id=a7c3ff6d3594e20f"
+    }
+  ]
+}
@@ -75,7 +75,7 @@
     version="3.0.7-18.el9_2",
     filename="openssl-3.0.7-18.el9_2.src.rpm",
     license_concluded="Apache-2.0",
-    checksums=["sha-256:31b5079268339cff7ba65a0aee77930560c5adef4b1b3f8f5927a43ee468dag0"],
+    checksums=["sha-256:9215c64e7289a058248728089e4d98ed1cc392bb5eb9b8fcbe661d57e8145bbd"],
     purl_summary="pkg:rpm/redhat/[email protected]_2?arch=src",
     purls=[
         "pkg:rpm/redhat/[email protected]_2?arch=src&repository_id=rhel-9-for-aarch64-baseos-eus-source-rpms",
@@ -223,6 +223,7 @@ def create_cdx(product):
     # (for all other, non-OS products).
 
     product_component = {
+        "bom-ref": min(product.cpes, key=len),
         "type": "operating-system",
         "name": product.name,
         "version": product.version,
@@ -236,12 +237,14 @@ def create_cdx(product):
         "serialNumber": "urn:uuid:337d9115-4e7c-4e76-b389-51f7aed6eba8",
         "metadata": {
             "component": product_component,
+            "supplier": {"name": "Red Hat", "url": ["https://www.redhat.com"]},
             "timestamp": product.released,
             "tools": [{"name": "example tool", "version": "1.2.3"}],
         },
         "components": [product_component.copy()],
     }
 
+    components = []
     for pkg in product.packages:
         component = {
             "type": "library",
@@ -262,7 +265,17 @@ def create_cdx(product):
                 "identity": [{"field": "purl", "concludedValue": purl} for purl in pkg.purls]
             },
         }
-        sbom["components"].append(component)
+        components.append(component)
+
+    components = sorted(components, key=lambda x: x["purl"])
+    sbom["components"].extend(components)
+    sbom["dependencies"] = [
+        {
+            "ref": product_component["bom-ref"],
+            "provides": [c["purl"] for c in components],
+            "dependsOn": [],
+        }
+    ]
 
     return fname, sbom
 
 
@@ -5,6 +5,7 @@
   "serialNumber": "urn:uuid:337d9115-4e7c-4e76-b389-51f7aed6eba8",
   "metadata": {
     "component": {
+      "bom-ref": "cpe:/a:redhat:rhel_eus:9.2::baseos",
       "type": "operating-system",
       "name": "Red Hat Enterprise Linux",
       "version": "9.2 EUS",
@@ -27,6 +28,12 @@
         ]
       }
     },
+    "supplier": {
+      "name": "Red Hat",
+      "url": [
+        "https://www.redhat.com"
+      ]
+    },
     "timestamp": "2006-08-14T02:34:56Z",
     "tools": [
       {
@@ -37,6 +44,7 @@
   },
   "components": [
     {
+      "bom-ref": "cpe:/a:redhat:rhel_eus:9.2::baseos",
       "type": "operating-system",
       "name": "Red Hat Enterprise Linux",
       "version": "9.2 EUS",
@@ -81,7 +89,7 @@
       "hashes": [
         {
           "alg": "SHA-256",
-          "content": "31b5079268339cff7ba65a0aee77930560c5adef4b1b3f8f5927a43ee468dag0"
+          "content": "9215c64e7289a058248728089e4d98ed1cc392bb5eb9b8fcbe661d57e8145bbd"
         }
       ],
       "evidence": {
@@ -149,5 +157,14 @@
         ]
       }
     }
+  ],
+  "dependencies": [
+    {
+      "ref": "cpe:/a:redhat:rhel_eus:9.2::baseos",
+      "provides": [
+        "pkg:rpm/redhat/[email protected]_2?arch=src"
+      ],
+      "dependsOn": []
+    }
   ]
 }
@@ -119,7 +119,7 @@
       "checksums": [
         {
           "algorithm": "SHA256",
-          "checksumValue": "31b5079268339cff7ba65a0aee77930560c5adef4b1b3f8f5927a43ee468dag0"
+          "checksumValue": "9215c64e7289a058248728089e4d98ed1cc392bb5eb9b8fcbe661d57e8145bbd"
         }
       ]
     }
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`"serialNumber": "urn:uuid:337d9115-4e7c-4e76-b389-51f7aed6eba8",`
`6`	`6`	`"metadata": {`
`7`	`7`	`"component": {`
	`8`	`+ "bom-ref": "cpe:/a:redhat:rhel_eus:9.2::baseos",`
`8`	`9`	`"type": "operating-system",`
`9`	`10`	`"name": "Red Hat Enterprise Linux",`
`10`	`11`	`"version": "9.2 EUS",`
`@@ -27,6 +28,12 @@`
`27`	`28`	`]`
`28`	`29`	`}`
`29`	`30`	`},`
	`31`	`+ "supplier": {`
	`32`	`+ "name": "Red Hat",`
	`33`	`+ "url": [`
	`34`	`+ "https://www.redhat.com"`
	`35`	`+ ]`
	`36`	`+ },`
`30`	`37`	`"timestamp": "2006-08-14T02:34:56Z",`
`31`	`38`	`"tools": [`
`32`	`39`	`{`
`@@ -37,6 +44,7 @@`
`37`	`44`	`},`
`38`	`45`	`"components": [`
`39`	`46`	`{`
	`47`	`+ "bom-ref": "cpe:/a:redhat:rhel_eus:9.2::baseos",`
`40`	`48`	`"type": "operating-system",`
`41`	`49`	`"name": "Red Hat Enterprise Linux",`
`42`	`50`	`"version": "9.2 EUS",`
`@@ -81,7 +89,7 @@`
`81`	`89`	`"hashes": [`
`82`	`90`	`{`
`83`	`91`	`"alg": "SHA-256",`
`84`		`- "content": "31b5079268339cff7ba65a0aee77930560c5adef4b1b3f8f5927a43ee468dag0"`
	`92`	`+ "content": "9215c64e7289a058248728089e4d98ed1cc392bb5eb9b8fcbe661d57e8145bbd"`
`85`	`93`	`}`
`86`	`94`	`],`
`87`	`95`	`"evidence": {`
`@@ -149,5 +157,14 @@`
`149`	`157`	`]`
`150`	`158`	`}`
`151`	`159`	`}`
	`160`	`+ ],`
	`161`	`+ "dependencies": [`
	`162`	`+ {`
	`163`	`+ "ref": "cpe:/a:redhat:rhel_eus:9.2::baseos",`
	`164`	`+ "provides": [`
	`165`	`+ "pkg:rpm/redhat/[email protected]_2?arch=src"`
	`166`	`+ ],`
	`167`	`+ "dependsOn": []`
	`168`	`+ }`
`152`	`169`	`]`
`153`	`170`	`}`
Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,7 @@`
`119`	`119`	`"checksums": [`
`120`	`120`	`{`
`121`	`121`	`"algorithm": "SHA256",`
`122`		`- "checksumValue": "31b5079268339cff7ba65a0aee77930560c5adef4b1b3f8f5927a43ee468dag0"`
	`122`	`+ "checksumValue": "9215c64e7289a058248728089e4d98ed1cc392bb5eb9b8fcbe661d57e8145bbd"`
`123`	`123`	`}`
`124`	`124`	`]`
`125`	`125`	`}`