🧹 support origin package information sbom

mondoohq · Mar 13, 2024 · 3ebede0 · 3ebede0
1 parent 00f3bbb
commit 3ebede0
Show file tree

Hide file tree

Showing 6 changed files with 60 additions and 38 deletions.
diff --git a/sbom/report_collection.go b/sbom/report_collection.go
@@ -41,14 +41,16 @@ type BomAsset struct {
 type BomPackage struct {
 	Name    string   `json:"name,omitempty"`
 	Version string   `json:"version,omitempty"`
+	Origin  string   `json:"origin,omitempty"`
+	Arch    string   `json:"arch,omitempty"`
+	Format  string   `json:"format,omitempty"`
 	Purl    string   `json:"purl,omitempty"`
 	CPEs    []string `json:"cpes.map,omitempty"`
 	// used by python packages
 	// deprecated: remove once python.packages uses files
 	FilePath string `json:"file.path,omitempty"`
 	// used by os packages
 	FilePaths []string `json:"files.map,omitempty"`
-	Format    string   `json:"format,omitempty"`
 }
 
 type BomReport struct {

diff --git a/sbom/sbom.go b/sbom/sbom.go
@@ -90,11 +90,13 @@ func GenerateBom(r *ReportCollectionJson) ([]Sbom, error) {
 			if rb.Packages != nil {
 				for _, pkg := range rb.Packages {
 					bomPkg := &Package{
-						Name:    pkg.Name,
-						Version: pkg.Version,
-						Purl:    pkg.Purl,
-						Cpes:    pkg.CPEs,
-						Type:    pkg.Format,
+						Name:         pkg.Name,
+						Version:      pkg.Version,
+						Architecture: pkg.Arch,
+						Origin:       pkg.Origin,
+						Purl:         pkg.Purl,
+						Cpes:         pkg.CPEs,
+						Type:         pkg.Format,
 					}
 
 					for _, filepath := range pkg.FilePaths {

diff --git a/sbom/sbom.mql.yaml b/sbom/sbom.mql.yaml
@@ -12,7 +12,7 @@ packs:
         mql: asset { name platform version arch ids labels cpes.map(uri) }
       - uid: mondoo-sbom-packages
         title: Retrieve list of installed packages
-        mql: packages { name version purl cpes.map(uri) format files.map(path) }
+        mql: packages { name version purl cpes.map(uri) arch origin format files.map(path) }
       - uid: mondoo-sbom-python-packages
         title: Retrieve list of installed Python packages
         mql: python.packages { name version purl cpes.map(uri) file.path }

diff --git a/sbom/sbom.pb.go b/sbom/sbom.pb.go
diff --git a/sbom/sbom.proto b/sbom/sbom.proto
@@ -216,6 +216,8 @@ message Package {
   // 'evidence_list' is a collection of evidence that supports the presence of
   // the package in the asset. This evidence could include eg. file paths
   repeated Evidence evidence_list = 21;
+  // Package Origin (e.g. other package name, or source of the package)
+  string origin = 22;
 }
 
 enum EvidenceType {

diff --git a/sbom/textlist.go b/sbom/textlist.go
@@ -61,6 +61,11 @@ func (s *TextList) Render(w io.Writer, bom *Sbom) error {
 			sb.WriteString(" ")
 			sb.WriteString(pkg.Architecture)
 		}
+		if pkg.Origin != "" {
+			sb.WriteString(" (origin:")
+			sb.WriteString(pkg.Origin)
+			sb.WriteString(")")
+		}
 
 		// we only print the location if it is not empty
 		// this approach is deprecated and we should remove that once everything moved to evidence