fix(spdx): include required fields (#2168)

* fix(spdx): include required fields

Signed-off-by: Keith Zantow <kzantow@gmail.com>

* chore: missed update due to refactoring

Signed-off-by: Keith Zantow <kzantow@gmail.com>

* chore: update tools-golang

Signed-off-by: Keith Zantow <kzantow@gmail.com>

* chore: add test with packageVerificationCode included and excluded

Signed-off-by: Keith Zantow <kzantow@gmail.com>

---------

Signed-off-by: Keith Zantow <kzantow@gmail.com>

syft/format/common/spdxhelpers/to_format_model.go

@@ -245,6 +245,8 @@ func toRootPackage(s source.Description) *spdx.Package {
 			Supplier: helpers.NOASSERTION,
 		},
 		PackageDownloadLocation: helpers.NOASSERTION,
+		PackageLicenseConcluded: helpers.NOASSERTION,
+		PackageLicenseDeclared:  helpers.NOASSERTION,
 	}
 
 	if purl != nil {
@@ -622,6 +624,9 @@ func toFiles(s sbom.SBOM) (results []*spdx.File) {
 			Checksums:        toFileChecksums(digests),
 			FileName:         coordinates.RealPath,
 			FileTypes:        toFileTypes(metadata),
+			LicenseInfoInFiles: []string{ // required in SPDX 2.2
+				helpers.NOASSERTION,
+			},
 		})
 	}
 

syft/format/spdxjson/encoder_test.go

@@ -3,6 +3,8 @@ package spdxjson
 import (
 	"bytes"
 	"flag"
+	"github.com/anchore/syft/syft/artifact"
+	"github.com/anchore/syft/syft/file"
 	"strings"
 	"testing"
 
@@ -113,6 +115,74 @@ func TestSPDXJSONImageEncoder(t *testing.T) {
 	)
 }
 
+func TestSPDX22JSONRequredProperties(t *testing.T) {
+	cfg := DefaultEncoderConfig()
+	cfg.Pretty = true
+	cfg.Version = "2.2"
+
+	enc, err := NewFormatEncoderWithConfig(cfg)
+	require.NoError(t, err)
+
+	coords := file.Coordinates{
+		RealPath:     "/some/file",
+		FileSystemID: "ac897d978b6c38749a1",
+	}
+
+	p1 := pkg.Package{
+		Name:      "files-analyzed-true",
+		Version:   "v1",
+		Locations: file.NewLocationSet(file.NewLocation(coords.RealPath)),
+		Licenses:  pkg.LicenseSet{},
+		Language:  pkg.Java,
+		Metadata: pkg.JavaArchive{
+			ArchiveDigests: []file.Digest{
+				{
+					Algorithm: "sha256",
+					Value:     "a9b87321a9879c79d87987987a97c97b9789ce978dffea987",
+				},
+			},
+			Parent: nil,
+		},
+	}
+	p1.SetID()
+
+	p2 := pkg.Package{
+		Name:    "files-analyzed-false",
+		Version: "v2",
+	}
+	p2.SetID()
+
+	testutil.AssertEncoderAgainstGoldenSnapshot(t,
+		testutil.EncoderSnapshotTestConfig{
+			Subject: sbom.SBOM{
+				Artifacts: sbom.Artifacts{
+					Packages: pkg.NewCollection(p1, p2),
+					FileDigests: map[file.Coordinates][]file.Digest{
+						coords: {
+							{
+								Algorithm: "sha1",
+								Value:     "3b4ab96c371d913e2a88c269844b6c5fb5cbe761",
+							},
+						},
+					},
+				},
+				Relationships: []artifact.Relationship{
+					{
+						From: p1,
+						To:   coords,
+						Type: artifact.ContainsRelationship,
+					},
+				},
+			},
+			Format:                      enc,
+			UpdateSnapshot:              *updateSnapshot,
+			PersistRedactionsInSnapshot: true,
+			IsJSON:                      true,
+			Redactor:                    redactor(),
+		},
+	)
+}
+
 func TestSPDXRelationshipOrder(t *testing.T) {
 	testImage := "image-simple"
 

syft/format/spdxjson/test-fixtures/snapshot/TestSPDX22JSONRequredProperties.golden

@@ -0,0 +1,100 @@
+{
+ "spdxVersion": "SPDX-2.2",
+ "dataLicense": "CC0-1.0",
+ "SPDXID": "SPDXRef-DOCUMENT",
+ "name": "unknown",
+ "documentNamespace":"redacted",
+ "creationInfo": {
+  "licenseListVersion":"redacted",
+  "creators": [
+   "Organization: Anchore, Inc",
+   "Tool: -"
+  ],
+  "created":"redacted"
+ },
+ "packages": [
+  {
+   "SPDXID": "SPDXRef-Package-files-analyzed-false-7d37ba9d2f7c574b",
+   "copyrightText": "NOASSERTION",
+   "downloadLocation": "NOASSERTION",
+   "filesAnalyzed": false,
+   "licenseConcluded": "NOASSERTION",
+   "licenseDeclared": "NOASSERTION",
+   "name": "files-analyzed-false",
+   "sourceInfo": "acquired package info from the following paths: ",
+   "supplier": "NOASSERTION",
+   "versionInfo": "v2"
+  },
+  {
+   "name": "files-analyzed-true",
+   "SPDXID": "SPDXRef-Package-files-analyzed-true-035066c2086b8bb4",
+   "versionInfo": "v1",
+   "supplier": "NOASSERTION",
+   "downloadLocation": "NOASSERTION",
+   "filesAnalyzed": true,
+   "packageVerificationCode": {
+    "packageVerificationCodeValue": "6fe0c471faaaa544e33cae0918eabcdc1c798d18"
+   },
+   "checksums": [
+    {
+     "algorithm": "SHA256",
+     "checksumValue": "a9b87321a9879c79d87987987a97c97b9789ce978dffea987"
+    }
+   ],
+   "sourceInfo": "acquired package info from the following paths: /some/file",
+   "licenseConcluded": "NOASSERTION",
+   "licenseDeclared": "NOASSERTION",
+   "copyrightText": "NOASSERTION"
+  },
+  {
+   "SPDXID": "SPDXRef-DocumentRoot-Unknown-",
+   "copyrightText": "",
+   "downloadLocation": "NOASSERTION",
+   "filesAnalyzed": false,
+   "licenseConcluded": "NOASSERTION",
+   "licenseDeclared": "NOASSERTION",
+   "name": "",
+   "supplier": "NOASSERTION"
+  }
+ ],
+ "files": [
+  {
+   "fileName": "/some/file",
+   "SPDXID": "SPDXRef-File-some-file-2c5bc344430decac",
+   "checksums": [
+    {
+     "algorithm": "SHA1",
+     "checksumValue": "3b4ab96c371d913e2a88c269844b6c5fb5cbe761"
+    }
+   ],
+   "licenseConcluded": "NOASSERTION",
+   "licenseInfoInFiles": [
+    "NOASSERTION"
+   ],
+   "copyrightText": "",
+   "comment": "layerID: ac897d978b6c38749a1"
+  }
+ ],
+ "relationships": [
+  {
+   "spdxElementId": "SPDXRef-Package-files-analyzed-true-035066c2086b8bb4",
+   "relatedSpdxElement": "SPDXRef-File-some-file-2c5bc344430decac",
+   "relationshipType": "CONTAINS"
+  },
+  {
+   "spdxElementId": "SPDXRef-DocumentRoot-Unknown-",
+   "relatedSpdxElement": "SPDXRef-Package-files-analyzed-false-7d37ba9d2f7c574b",
+   "relationshipType": "CONTAINS"
+  },
+  {
+   "spdxElementId": "SPDXRef-DocumentRoot-Unknown-",
+   "relatedSpdxElement": "SPDXRef-Package-files-analyzed-true-035066c2086b8bb4",
+   "relationshipType": "CONTAINS"
+  },
+  {
+   "spdxElementId": "SPDXRef-DOCUMENT",
+   "relatedSpdxElement": "SPDXRef-DocumentRoot-Unknown-",
+   "relationshipType": "DESCRIBES"
+  }
+ ]
+}

syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden

@@ -67,6 +67,8 @@
    "supplier": "NOASSERTION",
    "downloadLocation": "NOASSERTION",
    "filesAnalyzed": false,
+   "licenseConcluded": "NOASSERTION",
+   "licenseDeclared": "NOASSERTION",
    "primaryPackagePurpose": "FILE"
   }
  ],

syft/format/spdxjson/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden

@@ -74,6 +74,8 @@
      "checksumValue": "2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368"
     }
    ],
+   "licenseConcluded": "NOASSERTION",
+   "licenseDeclared": "NOASSERTION",
    "externalRefs": [
     {
      "referenceCategory": "PACKAGE-MANAGER",

syft/format/spdxjson/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden

@@ -74,6 +74,8 @@
      "checksumValue": "2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368"
     }
    ],
+   "licenseConcluded": "NOASSERTION",
+   "licenseDeclared": "NOASSERTION",
    "externalRefs": [
     {
      "referenceCategory": "PACKAGE-MANAGER",
@@ -98,6 +100,9 @@
     }
    ],
    "licenseConcluded": "NOASSERTION",
+   "licenseInfoInFiles": [
+    "NOASSERTION"
+   ],
    "copyrightText": ""
   },
   {
@@ -113,6 +118,9 @@
     }
    ],
    "licenseConcluded": "NOASSERTION",
+   "licenseInfoInFiles": [
+    "NOASSERTION"
+   ],
    "copyrightText": ""
   },
   {
@@ -128,6 +136,9 @@
     }
    ],
    "licenseConcluded": "NOASSERTION",
+   "licenseInfoInFiles": [
+    "NOASSERTION"
+   ],
    "copyrightText": ""
   },
   {
@@ -143,6 +154,9 @@
     }
    ],
    "licenseConcluded": "NOASSERTION",
+   "licenseInfoInFiles": [
+    "NOASSERTION"
+   ],
    "copyrightText": ""
   },
   {
@@ -158,6 +172,9 @@
     }
    ],
    "licenseConcluded": "NOASSERTION",
+   "licenseInfoInFiles": [
+    "NOASSERTION"
+   ],
    "copyrightText": ""
   },
   {
@@ -173,6 +190,9 @@
     }
    ],
    "licenseConcluded": "NOASSERTION",
+   "licenseInfoInFiles": [
+    "NOASSERTION"
+   ],
    "copyrightText": ""
   }
  ],

syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden

@@ -16,6 +16,8 @@ PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 PrimaryPackagePurpose: FILE
 FilesAnalyzed: false
+PackageLicenseConcluded: NOASSERTION
+PackageLicenseDeclared: NOASSERTION
 
 ##### Package: @at-sign
 

syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXRelationshipOrder.golden

@@ -15,36 +15,42 @@ SPDXID: SPDXRef-File-a1-f6-9c2f7510199b17f6
 FileType: OTHER
 FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
+LicenseInfoInFile: NOASSERTION
 
 FileName: /d1/f3
 SPDXID: SPDXRef-File-d1-f3-c6f5b29dca12661f
 FileType: OTHER
 FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
+LicenseInfoInFile: NOASSERTION
 
 FileName: /d2/f4
 SPDXID: SPDXRef-File-d2-f4-c641caa71518099f
 FileType: OTHER
 FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
+LicenseInfoInFile: NOASSERTION
 
 FileName: /f1
 SPDXID: SPDXRef-File-f1-5265a4dde3edbf7c
 FileType: OTHER
 FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
+LicenseInfoInFile: NOASSERTION
 
 FileName: /f2
 SPDXID: SPDXRef-File-f2-f9e49132a4b96ccd
 FileType: OTHER
 FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
+LicenseInfoInFile: NOASSERTION
 
 FileName: /z1/f5
 SPDXID: SPDXRef-File-z1-f5-839d99ee67d9d174
 FileType: OTHER
 FileChecksum: SHA1: 0000000000000000000000000000000000000000
 LicenseConcluded: NOASSERTION
+LicenseInfoInFile: NOASSERTION
 
 ##### Package: user-image-input
 
@@ -56,6 +62,8 @@ PackageDownloadLocation: NOASSERTION
 PrimaryPackagePurpose: CONTAINER
 FilesAnalyzed: false
 PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
+PackageLicenseConcluded: NOASSERTION
+PackageLicenseDeclared: NOASSERTION
 ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch=
 
 ##### Package: package-2

syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden

@@ -16,6 +16,8 @@ PackageSupplier: NOASSERTION
 PackageDownloadLocation: NOASSERTION
 PrimaryPackagePurpose: FILE
 FilesAnalyzed: false
+PackageLicenseConcluded: NOASSERTION
+PackageLicenseDeclared: NOASSERTION
 
 ##### Package: package-2
 

syft/format/spdxtagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden

@@ -18,6 +18,8 @@ PackageDownloadLocation: NOASSERTION
 PrimaryPackagePurpose: CONTAINER
 FilesAnalyzed: false
 PackageChecksum: SHA256: 2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368
+PackageLicenseConcluded: NOASSERTION
+PackageLicenseDeclared: NOASSERTION
 ExternalRef: PACKAGE-MANAGER purl pkg:oci/user-image-input@sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368?arch=
 
 ##### Package: package-2