Update SPDX tools-golang lib to v0.5.0

go.mod

@@ -31,7 +31,7 @@ require (
 	github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e
 	github.com/sergi/go-diff v1.3.1
 	github.com/sirupsen/logrus v1.9.0
-	github.com/spdx/tools-golang v0.4.0
+	github.com/spdx/tools-golang v0.5.0-rc1
 	github.com/spf13/afero v1.9.3
 	github.com/spf13/cobra v1.6.1
 	github.com/spf13/pflag v1.0.5
@@ -69,6 +69,7 @@ require (
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver/v3 v3.2.0 // indirect
 	github.com/Microsoft/go-winio v0.6.0 // indirect
+	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
 	github.com/containerd/containerd v1.6.12 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect

go.sum

@@ -138,6 +138,8 @@ github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8 h1:imgMA0gN0TZx7
 github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8/go.mod h1:+gPap4jha079qzRTUaehv+UZ6sSdaNwkH0D3b6zhTuk=
 github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb h1:iDMnx6LIjtjZ46C0akqveX83WFzhpTD3eqOthawb5vU=
 github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb/go.mod h1:DmTY2Mfcv38hsHbG78xMiTDdxFtkHpgYNVDPsF2TgHk=
+github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc=
+github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0vW0nnNKJfJieyH/TZ9UYAnTZs5/gHTdAe8=
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ=
 github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b h1:e1bmaoJfZVsCYMrIZBpFxwV26CbsuoEh5muXD5I1Ods=
@@ -1046,8 +1048,8 @@ github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4k
 github.com/soheilhy/cmux v0.1.5/go.mod h1:T7TcVDs9LWfQgPlPsdngu6I6QIoyIFZDDC6sNE1GqG0=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
-github.com/spdx/tools-golang v0.4.0 h1:jdhnW8zYelURCbYTphiviFKZkWu51in0E4A1KT2csP0=
-github.com/spdx/tools-golang v0.4.0/go.mod h1:VHzvNsKAfAGqs4ZvwRL+7a0dNsL20s7lGui4K9C0xQM=
+github.com/spdx/tools-golang v0.5.0-rc1 h1:ooCSe48QatlidqEFd+nSI308tyeNTR6NJvauUj3ApX8=
+github.com/spdx/tools-golang v0.5.0-rc1/go.mod h1:LI6onw172PdO57Ob/hgnLDD4Y2PMnroeNT3wO/2WJJI=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=

syft/formats/common/spdxhelpers/to_format_model.go

@@ -8,8 +8,7 @@ import (
 	"strings"
 	"time"
 
-	"github.com/spdx/tools-golang/spdx/common"
-	spdx "github.com/spdx/tools-golang/spdx/v2_3"
+	"github.com/spdx/tools-golang/spdx"
 
 	"github.com/anchore/syft/internal"
 	"github.com/anchore/syft/internal/log"
@@ -23,7 +22,6 @@ import (
 )
 
 const (
-	spdxVersion = "SPDX-2.3"
 	noAssertion = "NOASSERTION"
 )
 
@@ -40,11 +38,11 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
 	// for the primary package purpose field:
 	// https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field
 	documentDescribesRelationship := &spdx.Relationship{
-		RefA: common.DocElementID{
+		RefA: spdx.DocElementID{
 			ElementRefID: "DOCUMENT",
 		},
 		Relationship: string(DescribesRelationship),
-		RefB: common.DocElementID{
+		RefB: spdx.DocElementID{
 			ElementRefID: "DOCUMENT",
 		},
 		RelationshipComment: "",
@@ -55,11 +53,11 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
 	return &spdx.Document{
 		// 6.1: SPDX Version; should be in the format "SPDX-x.x"
 		// Cardinality: mandatory, one
-		SPDXVersion: spdxVersion,
+		SPDXVersion: spdx.Version,
 
 		// 6.2: Data License; should be "CC0-1.0"
 		// Cardinality: mandatory, one
-		DataLicense: "CC0-1.0",
+		DataLicense: spdx.DataLicense,
 
 		// 6.3: SPDX Identifier; should be "DOCUMENT" to represent mandatory identifier of SPDXRef-DOCUMENT
 		// Cardinality: mandatory, one
@@ -104,7 +102,7 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
 			// 6.8: Creators: may have multiple keys for Person, Organization
 			//      and/or Tool
 			// Cardinality: mandatory, one or many
-			Creators: []common.Creator{
+			Creators: []spdx.Creator{
 				{
 					Creator:     "Anchore, Inc",
 					CreatorType: "Organization",
@@ -129,15 +127,15 @@ func ToFormatModel(s sbom.SBOM) *spdx.Document {
 	}
 }
 
-func toSPDXID(identifiable artifact.Identifiable) common.ElementID {
+func toSPDXID(identifiable artifact.Identifiable) spdx.ElementID {
 	id := ""
 	if p, ok := identifiable.(pkg.Package); ok {
 		id = SanitizeElementID(fmt.Sprintf("Package-%+v-%s-%s", p.Type, p.Name, p.ID()))
 	} else {
 		id = string(identifiable.ID())
 	}
 	// NOTE: the spdx libraries prepend SPDXRef-, so we don't do it here
-	return common.ElementID(id)
+	return spdx.ElementID(id)
 }
 
 // packages populates all Package Information from the package Catalog (see https://spdx.github.io/spdx-spec/3-package-information/)
@@ -313,9 +311,9 @@ func toPackages(catalog *pkg.Catalog, sbom sbom.SBOM) (results []*spdx.Package)
 	return results
 }
 
-func toPackageChecksums(p pkg.Package) ([]common.Checksum, bool) {
+func toPackageChecksums(p pkg.Package) ([]spdx.Checksum, bool) {
 	filesAnalyzed := false
-	var checksums []common.Checksum
+	var checksums []spdx.Checksum
 	switch meta := p.Metadata.(type) {
 	// we generate digest for some Java packages
 	// spdx.github.io/spdx-spec/package-information/#710-package-checksum-field
@@ -325,8 +323,8 @@ func toPackageChecksums(p pkg.Package) ([]common.Checksum, bool) {
 			filesAnalyzed = true
 			for _, digest := range meta.ArchiveDigests {
 				algo := strings.ToUpper(digest.Algorithm)
-				checksums = append(checksums, common.Checksum{
-					Algorithm: common.ChecksumAlgorithm(algo),
+				checksums = append(checksums, spdx.Checksum{
+					Algorithm: spdx.ChecksumAlgorithm(algo),
 					Value:     digest.Value,
 				})
 			}
@@ -339,20 +337,20 @@ func toPackageChecksums(p pkg.Package) ([]common.Checksum, bool) {
 			break
 		}
 		algo = strings.ToUpper(algo)
-		checksums = append(checksums, common.Checksum{
-			Algorithm: common.ChecksumAlgorithm(algo),
+		checksums = append(checksums, spdx.Checksum{
+			Algorithm: spdx.ChecksumAlgorithm(algo),
 			Value:     hexStr,
 		})
 	}
 	return checksums, filesAnalyzed
 }
 
-func toPackageOriginator(p pkg.Package) *common.Originator {
+func toPackageOriginator(p pkg.Package) *spdx.Originator {
 	kind, originator := Originator(p)
 	if kind == "" || originator == "" {
 		return nil
 	}
-	return &common.Originator{
+	return &spdx.Originator{
 		Originator:     originator,
 		OriginatorType: kind,
 	}
@@ -386,11 +384,11 @@ func toRelationships(relationships []artifact.Relationship) (result []*spdx.Rela
 		}
 
 		result = append(result, &spdx.Relationship{
-			RefA: common.DocElementID{
+			RefA: spdx.DocElementID{
 				ElementRefID: toSPDXID(r.From),
 			},
 			Relationship: string(relationshipType),
-			RefB: common.DocElementID{
+			RefB: spdx.DocElementID{
 				ElementRefID: toSPDXID(r.To),
 			},
 			RelationshipComment: comment,
@@ -462,20 +460,20 @@ func toFiles(s sbom.SBOM) (results []*spdx.File) {
 	return results
 }
 
-func toFileChecksums(digests []file.Digest) (checksums []common.Checksum) {
-	checksums = make([]common.Checksum, 0, len(digests))
+func toFileChecksums(digests []file.Digest) (checksums []spdx.Checksum) {
+	checksums = make([]spdx.Checksum, 0, len(digests))
 	for _, digest := range digests {
-		checksums = append(checksums, common.Checksum{
+		checksums = append(checksums, spdx.Checksum{
 			Algorithm: toChecksumAlgorithm(digest.Algorithm),
 			Value:     digest.Value,
 		})
 	}
 	return checksums
 }
 
-func toChecksumAlgorithm(algorithm string) common.ChecksumAlgorithm {
+func toChecksumAlgorithm(algorithm string) spdx.ChecksumAlgorithm {
 	// this needs to be an uppercase version of our algorithm
-	return common.ChecksumAlgorithm(strings.ToUpper(algorithm))
+	return spdx.ChecksumAlgorithm(strings.ToUpper(algorithm))
 }
 
 func toFileTypes(metadata *source.FileMetadata) (ty []string) {
@@ -517,7 +515,7 @@ func toFileTypes(metadata *source.FileMetadata) (ty []string) {
 // f file is an "excludes" file, skip it /* exclude SPDX analysis file(s) */
 // see: https://spdx.github.io/spdx-spec/v2.3/package-information/#79-package-verification-code-field
 // the above link contains the SPDX algorithm for a package verification code
-func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *common.PackageVerificationCode {
+func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *spdx.PackageVerificationCode {
 	// key off of the contains relationship;
 	// spdx validator will fail if a package claims to contain a file but no sha1 provided
 	// if a sha1 for a file is provided then the validator will fail if the package does not have
@@ -558,7 +556,7 @@ func newPackageVerificationCode(p pkg.Package, sbom sbom.SBOM) *common.PackageVe
 	//nolint:gosec
 	hasher := sha1.New()
 	_, _ = hasher.Write([]byte(b.String()))
-	return &common.PackageVerificationCode{
+	return &spdx.PackageVerificationCode{
 		// 7.9.1: Package Verification Code Value
 		// Cardinality: mandatory, one
 		Value: fmt.Sprintf("%+x", hasher.Sum(nil)),

syft/formats/common/spdxhelpers/to_format_model_test.go

@@ -4,8 +4,7 @@ import (
 	"fmt"
 	"testing"
 
-	"github.com/spdx/tools-golang/spdx/common"
-	spdx "github.com/spdx/tools-golang/spdx/v2_3"
+	"github.com/spdx/tools-golang/spdx"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -21,7 +20,7 @@ func Test_toPackageChecksums(t *testing.T) {
 	tests := []struct {
 		name          string
 		pkg           pkg.Package
-		expected      []common.Checksum
+		expected      []spdx.Checksum
 		filesAnalyzed bool
 	}{
 		{
@@ -39,7 +38,7 @@ func Test_toPackageChecksums(t *testing.T) {
 					},
 				},
 			},
-			expected: []common.Checksum{
+			expected: []spdx.Checksum{
 				{
 					Algorithm: "SHA1",
 					Value:     "1234",
@@ -57,7 +56,7 @@ func Test_toPackageChecksums(t *testing.T) {
 					ArchiveDigests: []file.Digest{},
 				},
 			},
-			expected:      []common.Checksum{},
+			expected:      []spdx.Checksum{},
 			filesAnalyzed: false,
 		},
 		{
@@ -67,7 +66,7 @@ func Test_toPackageChecksums(t *testing.T) {
 				Version:  "1.0.0",
 				Language: pkg.Java,
 			},
-			expected:      []common.Checksum{},
+			expected:      []spdx.Checksum{},
 			filesAnalyzed: false,
 		},
 		{
@@ -81,7 +80,7 @@ func Test_toPackageChecksums(t *testing.T) {
 					H1Digest: "h1:9fHAtK0uDfpveeqqo1hkEZJcFvYXAiCN3UutL8F9xHw=",
 				},
 			},
-			expected: []common.Checksum{
+			expected: []spdx.Checksum{
 				{
 					Algorithm: "SHA256",
 					Value:     "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c",
@@ -97,7 +96,7 @@ func Test_toPackageChecksums(t *testing.T) {
 				Language: pkg.Java,
 				Metadata: struct{}{},
 			},
-			expected:      []common.Checksum{},
+			expected:      []spdx.Checksum{},
 			filesAnalyzed: false,
 		},
 	}
@@ -229,7 +228,7 @@ func Test_toFileChecksums(t *testing.T) {
 	tests := []struct {
 		name     string
 		digests  []file.Digest
-		expected []common.Checksum
+		expected []spdx.Checksum
 	}{
 		{
 			name: "empty",
@@ -246,7 +245,7 @@ func Test_toFileChecksums(t *testing.T) {
 					Value:     "meh",
 				},
 			},
-			expected: []common.Checksum{
+			expected: []spdx.Checksum{
 				{
 					Algorithm: "SHA256",
 					Value:     "deadbeefcafe",
@@ -275,8 +274,8 @@ func Test_fileIDsForPackage(t *testing.T) {
 		FileSystemID: "nowhere",
 	}
 
-	docElementId := func(identifiable artifact.Identifiable) common.DocElementID {
-		return common.DocElementID{
+	docElementId := func(identifiable artifact.Identifiable) spdx.DocElementID {
+		return spdx.DocElementID{
 			ElementRefID: toSPDXID(identifiable),
 		}
 	}

syft/formats/common/spdxhelpers/to_syft_model.go

@@ -6,7 +6,7 @@ import (
 	"strconv"
 	"strings"
 
-	spdx "github.com/spdx/tools-golang/spdx/v2_3"
+	"github.com/spdx/tools-golang/spdx"
 
 	"github.com/anchore/packageurl-go"
 	"github.com/anchore/syft/internal/log"

syft/formats/common/spdxhelpers/to_syft_model_test.go

@@ -3,8 +3,7 @@ package spdxhelpers
 import (
 	"testing"
 
-	"github.com/spdx/tools-golang/spdx/common"
-	spdx "github.com/spdx/tools-golang/spdx/v2_3"
+	"github.com/spdx/tools-golang/spdx"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
@@ -246,9 +245,9 @@ func TestH1Digest(t *testing.T) {
 						RefType:  "purl",
 					},
 				},
-				PackageChecksums: []common.Checksum{
+				PackageChecksums: []spdx.Checksum{
 					{
-						Algorithm: common.SHA256,
+						Algorithm: spdx.SHA256,
 						Value:     "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c",
 					},
 				},
@@ -267,9 +266,9 @@ func TestH1Digest(t *testing.T) {
 						RefType:  "purl",
 					},
 				},
-				PackageChecksums: []common.Checksum{
+				PackageChecksums: []spdx.Checksum{
 					{
-						Algorithm: common.SHA1,
+						Algorithm: spdx.SHA1,
 						Value:     "f5f1c0b4ad2e0dfa6f79eaaaa3586411925c16f61702208ddd4bad2fc17dc47c",
 					},
 				},
@@ -288,9 +287,9 @@ func TestH1Digest(t *testing.T) {
 						RefType:  "purl",
 					},
 				},
-				PackageChecksums: []common.Checksum{
+				PackageChecksums: []spdx.Checksum{
 					{
-						Algorithm: common.SHA256,
+						Algorithm: spdx.SHA256,
 						Value:     "",
 					},
 				},

syft/formats/spdxjson/decoder.go

@@ -4,14 +4,14 @@ import (
 	"fmt"
 	"io"
 
-	spdx "github.com/spdx/tools-golang/json"
+	"github.com/spdx/tools-golang/json"
 
 	"github.com/anchore/syft/syft/formats/common/spdxhelpers"
 	"github.com/anchore/syft/syft/sbom"
 )
 
 func decoder(reader io.Reader) (s *sbom.SBOM, err error) {
-	doc, err := spdx.Load2_3(reader)
+	doc, err := json.Read(reader)
 	if err != nil {
 		return nil, fmt.Errorf("unable to decode spdx-json: %w", err)
 	}

syft/formats/spdxtagvalue/decoder.go

@@ -4,14 +4,14 @@ import (
 	"fmt"
 	"io"
 
-	"github.com/spdx/tools-golang/tvloader"
+	"github.com/spdx/tools-golang/tagvalue"
 
 	"github.com/anchore/syft/syft/formats/common/spdxhelpers"
 	"github.com/anchore/syft/syft/sbom"
 )
 
 func decoder(reader io.Reader) (*sbom.SBOM, error) {
-	doc, err := tvloader.Load2_3(reader)
+	doc, err := tagvalue.Read(reader)
 	if err != nil {
 		return nil, fmt.Errorf("unable to decode spdx-tag-value: %w", err)
 	}