Modifying OSBS CycloneDX SBOMs for consumption by GUAC or RHTPA. Note: the script downgrades specVersion, fills in missing component versions with a hard-coded Go version, and relabels pkg:golang as pkg:gomodules and pkg:rpm as pkg:npm, so the output is no longer a faithful record of what was built and should not be used for vulnerability correlation of the relabelled components.
#!/bin/python
import json, sys
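def add_version_to_dependencies(sbom_file, *, go_version='go1.20.12'):
    """Rewrite an OSBS-produced CycloneDX SBOM so that GUAC / RHTPA will ingest it.

    Reads the JSON document at *sbom_file* and then:
      * pins ``specVersion`` to ``"1.3"`` (nothing else is downgraded, so any
        1.4+ fields in the document are passed through untouched);
      * fills in a missing or empty component ``version`` with *go_version*;
      * keeps only components whose ``purl`` starts with ``pkg:golang``,
        ``pkg:rpm`` or ``pkg:npm``; anything else (and any component without
        a ``purl``) is reported on stderr and dropped;
      * rewrites the prefix ``pkg:golang`` -> ``pkg:gomodules`` and
        ``pkg:rpm/`` -> ``pkg:npm/``.

    The modified document is printed to stdout as indented JSON and returned.

    WARNING: the purl rewrites and the filled-in version are deliberate
    falsifications made to satisfy the consumer's parser. An RPM relabelled as
    ``pkg:npm`` will be matched against the npm ecosystem rather than RPM
    advisories, and the substituted Go version is a guess, so the ingested
    SBOM must not be relied on for vulnerability correlation of those
    components.

    Args:
        sbom_file: path to the CycloneDX JSON file to rewrite.
        go_version: value substituted for a missing component version
            (keyword-only; defaults to the original hard-coded ``go1.20.12``).

    Returns:
        The modified SBOM as a dict (the same object that was printed).

    Raises:
        OSError: if *sbom_file* cannot be opened.
        json.JSONDecodeError: if the file is not valid JSON.
    """
    with open(sbom_file, 'r', encoding='utf-8') as file:
        sbom = json.load(file)

    # roll back to a version guac likes
    sbom["specVersion"] = "1.3"

    # Only these purl types survive; everything else is reported and dropped.
    accepted = ("pkg:golang", "pkg:rpm", "pkg:npm")
    update_deps = []
    # `components` is optional in CycloneDX; treat its absence as an empty list.
    for dependency in sbom.get('components', []):
        purl = dependency.get('purl')
        if not purl:
            # A component is not required to carry a purl. There is nothing to
            # rewrite or to match on, so report it instead of raising KeyError.
            print(f"component without purl: {dependency.get('name', dependency)}", file=sys.stderr)
            continue
        # version can't be missing. for golang stdlib modules put golang version
        if not dependency.get('version'):
            dependency['version'] = go_version
        # Match on the prefix only. A substring test would also accept a purl of
        # another type that merely mentions "pkg:npm" in its name or qualifiers.
        if not purl.startswith(accepted):
            print(f"weird pkg: {purl}", file=sys.stderr)
            continue
        # "golang" isn't an accepted pkg type, make it "gomodules"
        if purl.startswith("pkg:golang"):
            purl = "pkg:gomodules" + purl[len("pkg:golang"):]
        # "rpm" isn't an accepted pkg type, so it is relabelled as "npm".
        # NOTE(security): this mislabels the ecosystem on purpose; see docstring.
        elif purl.startswith("pkg:rpm/"):
            purl = "pkg:npm/" + purl[len("pkg:rpm/"):]
        dependency['purl'] = purl
        update_deps.append(dependency)

    sbom['components'] = update_deps
    print(json.dumps(sbom, indent=4))
    return sbom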
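if __name__ == "__main__":
    # Example usage:  ./script.py sbom.cdx.json > fixed.cdx.json
    # Guarded so importing this module does not read argv or print; fail with a
    # usage message instead of an IndexError when the path is missing.
    if len(sys.argv) < 2:
        print(f"usage: {sys.argv[0]} SBOM_FILE", file=sys.stderr)
        sys.exit(2)
    sbom_file = sys.argv[1]
    add_version_to_dependencies(sbom_file)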