From 7e9eb073a6e17af243cbad2a40d5c1b510e47f12 Mon Sep 17 00:00:00 2001
From: Puerco
Date: Fri, 26 Aug 2022 14:00:18 -0400
Subject: [PATCH] SPDX 2.3 support (#803)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This commit modifies the ko SPDX SBOMs to generate documents conformant to version 2.3 of the spec. It makes use of the new primary package purpose field to hint the packages as container images.

Signed-off-by: Adolfo García Veytia (Puerco)
Signed-off-by: Adolfo García Veytia (Puerco)
---
 internal/sbom/spdx.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/internal/sbom/spdx.go b/internal/sbom/spdx.go
index cc991d4427..3c9d1f8061 100644
--- a/internal/sbom/spdx.go
+++ b/internal/sbom/spdx.go
@@ -100,6 +100,7 @@ func GenerateImageSPDX(koVersion string, mod []byte, img oci.SignedImage) ([]byt
 LicenseConcluded: NOASSERTION,
 LicenseDeclared: NOASSERTION,
 CopyrightText: NOASSERTION,
+ PrimaryPurpose: "CONTAINER",
 ExternalRefs: []ExternalRef{{
 Category: "PACKAGE-MANAGER",
 Type: "purl",
@@ -235,6 +236,7 @@ func GenerateIndexSPDX(koVersion string, sii oci.SignedImageIndex) ([]byte, erro
 LicenseConcluded: NOASSERTION,
 LicenseDeclared: NOASSERTION,
 CopyrightText: NOASSERTION,
+ PrimaryPurpose: "CONTAINER",
 Checksums: []Checksum{{
 Algorithm: strings.ToUpper(indexDigest.Algorithm),
 Value: indexDigest.Hex,
@@ -312,6 +314,7 @@ func GenerateIndexSPDX(koVersion string, sii oci.SignedImageIndex) ([]byte, erro
 LicenseConcluded: NOASSERTION,
 LicenseDeclared: NOASSERTION,
 CopyrightText: NOASSERTION,
+ PrimaryPurpose: "CONTAINER",
 ExternalRefs: []ExternalRef{{
 Category: "PACKAGE-MANAGER",
 Type: "purl",
@@ -443,7 +446,7 @@ limitations under the License.
 const (
 NOASSERTION = "NOASSERTION"
- Version = "SPDX-2.2"
+ Version = "SPDX-2.3"
 )
 type Document struct { 
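Review bot: The added `PrimaryPurpose: "CONTAINER",` line in this hunk repeats a bare string literal that appears identically in the `@@ -235` and `@@ -312` hunks of GenerateIndexSPDX, while the neighbouring values on the preceding lines use the named constant `NOASSERTION`. SPDX 2.3 accepts only a fixed set of purpose identifiers, so a typo in any one of the three copies would emit a document that schema validators reject without this code noticing; declaring the value once in the same const block as `NOASSERTION`, `PurposeContainer = "CONTAINER"`, and writing `PrimaryPurpose: PurposeContainer,` at the three call sites keeps it in one place. It may also be worth confirming that the index package at `@@ -235` (the one carrying `indexDigest` checksums) should be tagged the same way as the per-image packages, since an image index is a manifest list rather than an image itself. GenerateImageSPDX and GenerateIndexSPDX both start and end outside the hunks shown.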
@@ -478,6 +481,7 @@ type Package struct {
 Originator string `json:"originator,omitempty"`
 SourceInfo string `json:"sourceInfo,omitempty"`
 CopyrightText string `json:"copyrightText"`
+ PrimaryPurpose string `json:"primaryPackagePurpose,omitempty"`
 HasFiles []string `json:"hasFiles,omitempty"`
 LicenseInfoFromFiles []string `json:"licenseInfoFromFiles,omitempty"`
 Checksums []Checksum `json:"checksums,omitempty"`
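Review bot: The new exported `PrimaryPurpose` field has no doc comment, and nothing in the type records that `primaryPackagePurpose` only exists from SPDX 2.3 onward or that the spec limits it to an enumerated set of values — the only thing tying it to the `Version` constant bumped in the `@@ -443` hunk is the commit message. A comment such as `// PrimaryPurpose is the SPDX 2.3 primaryPackagePurpose value; the spec restricts it to its fixed set of purpose identifiers (for example "CONTAINER"), and it is omitted from the JSON when empty.` would let a maintainer see the constraint at the declaration. Since the field is a plain `string`, nothing prevents an invalid value from being serialized, which the comment should make explicit. The Package struct starts outside the hunk, so its surrounding comment style is not visible here.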