This is an automated email from the ASF dual-hosted git repository.

sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-release.git


The following commit(s) were added to refs/heads/main by this push:
     new 8bb2ef9  Add more known suppliers to the SBOM tool
8bb2ef9 is described below

commit 8bb2ef95062ce20d3ade09530ff037991130f040
Author: Sean B. Palmer <[email protected]>
AuthorDate: Fri Aug 29 17:12:12 2025 +0100

    Add more known suppliers to the SBOM tool
---
 atr/routes/sbom.py |  4 ++++
 atr/sbomtool.py    | 31 +++++++++++++++++++++++--------
 2 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/atr/routes/sbom.py b/atr/routes/sbom.py
index 93a48be..781ba82 100644
--- a/atr/routes/sbom.py
+++ b/atr/routes/sbom.py
@@ -170,6 +170,10 @@ async def report(session: routes.CommitterSession, 
project: str, version: str, f
         block.h2["Errors"]
         _missing_table(block, errors)
 
+    if not (warnings or errors):
+        block.h2["Results"]
+        block.p["No NTIA 2021 minimum data field conformance warnings or 
errors found."]
+
     return await template.blank("SBOM report", content=block.collect())
 
 
diff --git a/atr/sbomtool.py b/atr/sbomtool.py
index efb0a35..cbceccb 100644
--- a/atr/sbomtool.py
+++ b/atr/sbomtool.py
@@ -27,15 +27,27 @@ import tempfile
 import urllib.error
 import urllib.parse
 import urllib.request
-from typing import Annotated, Any, Literal
+from typing import Annotated, Any, Final, Literal
 
 import pydantic
 import yyjson
 
-THE_APACHE_SOFTWARE_FOUNDATION = "The Apache Software Foundation"
 # TODO: Simple cache to avoid rate limiting, not thread safe
 CACHE_PATH = pathlib.Path("/tmp/sbomtool-cache.json")
-VERSION = "0.0.1-dev1"
+KNOWN_PURL_PREFIXES: Final[dict[str, tuple[str, str]]] = {
+    "pkg:maven/com.atlassian.": ("Atlassian", "https://www.atlassian.com/";),
+    "pkg:maven/concurrent/concurrent@": (
+        "Dough Lea",
+        
"http://gee.cs.oswego.edu/dl/classes/EDU/oswego/cs/dl/util/concurrent/intro.html";,
+    ),
+}
+KNOWN_PURL_SUPPLIERS: Final[dict[tuple[str, str], tuple[str, str]]] = {
+    ("pkg:maven", "jakarta-regexp"): ("The Apache Software Foundation", 
"https://apache.org/";),
+    ("pkg:maven", "javax.servlet.jsp"): ("Sun Microsystems", 
"https://sun.com/";),
+    ("pkg:maven", "org.osgi"): ("OSGi Working Group, The Eclipse Foundation", 
"https://www.osgi.org/";),
+}
+THE_APACHE_SOFTWARE_FOUNDATION: Final[str] = "The Apache Software Foundation"
+VERSION: Final[str] = "0.0.1-dev1"
 
 # We include some sections from other files to make this standalone
 
@@ -291,12 +303,15 @@ def assemble_component_supplier(doc: yyjson.Document, 
patch: Patch, index: int)
         return
 
     if purl := get_pointer(doc, f"/components/{index}/purl"):
-        if purl.startswith("pkg:maven/org.apache."):
-            patch.append(add_asf_op)
-            return
-        if purl.startswith("pkg:maven/com.atlassian."):
-            patch.append(make_supplier_op("Atlassian", 
"https://www.atlassian.com/";))
+        prefix = tuple(purl.split("/", 2)[:2])
+        if prefix in KNOWN_PURL_SUPPLIERS:
+            supplier, url = KNOWN_PURL_SUPPLIERS[prefix]
+            patch.append(make_supplier_op(supplier, url))
             return
+        for prefix, (supplier, url) in KNOWN_PURL_PREFIXES.items():
+            if purl.startswith(prefix):
+                patch.append(make_supplier_op(supplier, url))
+                return
 
     if group_id := get_pointer(doc, f"/components/{index}/group"):
         if group_id.startswith("org.apache."):
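Review bot: The former purl branch for `pkg:maven/org.apache.` (which appended `add_asf_op`) has been dropped and `KNOWN_PURL_SUPPLIERS` only maps `jakarta-regexp` to the ASF, so a component whose purl starts with `pkg:maven/org.apache.` now falls through to the `group` check on the trailing context lines; a component with a purl but no `group` field would lose its ASF attribution, unless that is intended. If the purl-based ASF case should still be handled, keeping `if purl.startswith("pkg:maven/org.apache."): patch.append(add_asf_op); return` ahead of the table lookups (assuming `add_asf_op` is still defined for the group branch) restores it. The name `prefix` is also bound twice with different types — first the `(type, namespace)` tuple from `purl.split`, then the string key in the `for` loop — which reads awkwardly and a type checker would likely report as an incompatible reassignment; `namespace_key = tuple(purl.split("/", 2)[:2])` for the first binding avoids it. assemble_component_supplier begins and ends outside this hunk.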

