Merge pull request #69 from RedHatProductSecurity/add-sbom-example-with-epoch

Add SBOM example with epoch

Author: mprpic

sbom/examples/rpm/build/from-koji.py

@@ -423,12 +423,13 @@ def process_build(self, build_id, rpmmod):
         cdx_root_component = None
         cdx_pedigrees = []
         for rpm in rpms:
-            (name, version, release, nvr, arch) = (
+            (name, version, release, nvr, arch, epoch) = (
                 rpm["name"],
                 rpm["version"],
                 rpm["release"],
                 rpm["nvr"],
                 rpm["arch"],
+                rpm["epoch"],
             )
             filename = f"{downloaddir}/{name}-{version}-{release}.{arch}.rpm"
             if arch == "src":
@@ -441,6 +442,8 @@ def process_build(self, build_id, rpmmod):
             sha256header = self.get_rpm_sha256header(filename)
             sigmd5 = self.get_rpm_sigmd5(filename)
             purl = f"pkg:rpm/redhat/{name}@{version}-{release}?arch={arch}"
+            if epoch:
+                purl = f"{purl}&epoch={epoch}"
             if rpmmod:
                 purl = f"{purl}&rpmmod={rpmmod}"
             package = {
@@ -624,7 +627,7 @@ def create_cdx_from_spdx(spdx_data):
 build_ids = []
 rpmmod = ""
 if is_module:
-    module_tag, module_nsvc= get_modulemd_data()
+    module_tag, module_nsvc = get_modulemd_data()
     rpmmod = module_nsvc
     module_builds = SESSION.listTagged(module_tag)
     for module_build in module_builds:

sbom/examples/rpm/build/openshift-pipelines-client-1.14.3-11352.el8.cdx.json

@@ -61527,7 +61527,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/[email protected]?package-id=5bd72523ff97f024#googlegolangorg/grpc/otelgrpc",
+      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/[email protected]?package-id=5bd72523ff97f024#google.golang.org/grpc/otelgrpc",
       "type": "library",
       "name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
       "version": "v0.46.1",
@@ -61561,7 +61561,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/[email protected]?package-id=32dc6765d524c372#googlegolangorg/grpc/otelgrpc",
+      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/[email protected]?package-id=32dc6765d524c372#google.golang.org/grpc/otelgrpc",
       "type": "library",
       "name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
       "version": "v0.46.1",
@@ -61595,7 +61595,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/[email protected]?package-id=5d57e43f394fdd30#googlegolangorg/grpc/otelgrpc",
+      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/[email protected]?package-id=5d57e43f394fdd30#google.golang.org/grpc/otelgrpc",
       "type": "library",
       "name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
       "version": "v0.46.1",
@@ -61629,7 +61629,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/[email protected]?package-id=ffc736852a1ceb9e#googlegolangorg/grpc/otelgrpc",
+      "bom-ref": "pkg:golang/go.opentelemetry.io/contrib/[email protected]?package-id=ffc736852a1ceb9e#google.golang.org/grpc/otelgrpc",
       "type": "library",
       "name": "go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc",
       "version": "v0.46.1",