Merge pull request #84 from owasp-dep-scan/feature/go-purl-compat

go purl compatibility
owasp-dep-scan · Apr 8, 2024 · c94ab12 · c94ab12
2 parents 04e4680 + 1abdce1
commit c94ab12
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 5 deletions.
diff --git a/blint/sbom.py b/blint/sbom.py
@@ -2,7 +2,6 @@
 import binascii
 import codecs
 import os
-import urllib.parse
 import uuid
 from datetime import datetime
 from typing import Any, Dict
@@ -526,7 +525,7 @@ def process_dotnet_dependencies(dotnet_deps: dict[str, dict], dependencies_dict:
             ],
         )
         if hash_content:
-            comp.hashes = Hash(alg=HashAlg.SHA_512, content=hash_content),
+            comp.hashes = [Hash(alg=HashAlg.SHA_512, content=hash_content)],
         comp.bom_ref = RefType(purl)
         components.append(comp)
     targets: dict[str, dict[str, dict]] = dotnet_deps.get("targets", {})
@@ -559,7 +558,9 @@ def process_go_dependencies(go_deps: dict[str, str]) -> list[Component]:
     # This would make this compatible with cdxgen and depscan
     # See https://github.com/CycloneDX/cdxgen/issues/897
     for k, v in go_deps.items():
-        purl = f"""pkg:golang/{urllib.parse.quote_plus(k)}@{v.get("version")}"""
+        # See #83
+        # purl specification uses namespace hack for go to make this identifier use slash
+        purl = f"""pkg:golang/{k.lower()}@{v.get("version")}"""
         comp = Component(
             type=Type.library,
             name=k,
@@ -576,7 +577,7 @@ def process_go_dependencies(go_deps: dict[str, str]) -> list[Component]:
             except binascii.Error:
                 hash_content = str(v.get("hash").removeprefix("h1:"))
         if hash_content:
-            comp.hashes = Hash(alg=HashAlg.SHA_256, content=hash_content)
+            comp.hashes = [Hash(alg=HashAlg.SHA_256, content=hash_content)]
         comp.bom_ref = RefType(f"""pkg:golang/{k}@{v.get("version")}""")
         components.append(comp)
     return components

diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "blint"
-version = "2.0.7"
+version = "2.1.0"
 description = "Linter and SBOM generator for binary files."
 authors = ["Prabhu Subramanian <prabhu@appthreat.com>", "Caroline Russell <caroline@appthreat.dev>"]
 license = "MIT"