audit work, fixed StellaOps.sln warnings/errors, fixed tests, sprints work, new advisories

2026-01-07 18:49:59 +02:00
parent 04ec098046
commit 608a7f85c0
866 changed files with 56323 additions and 6231 deletions
--- a/src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/SpdxComposer.cs
+++ b/src/Scanner/__Libraries/StellaOps.Scanner.Emit/Composition/SpdxComposer.cs
@@ -40,7 +40,29 @@ public sealed record SpdxCompositionOptions

    public SpdxLicenseListVersion LicenseListVersion { get; init; } = SpdxLicenseListVersion.V3_21;

-    public ImmutableArray<string> ProfileConformance { get; init; } = ImmutableArray.Create("core", "software");
+    /// <summary>
+    /// Gets or sets the SPDX 3.0.1 profile type. Defaults to Software.
+    /// </summary>
+    public Spdx3ProfileType ProfileType { get; init; } = Spdx3ProfileType.Software;
+
+    /// <summary>
+    /// Gets or sets an explicit profile conformance override.
+    /// If not set (default or empty), the conformance is derived from ProfileType.
+    /// </summary>
+    public ImmutableArray<string> ProfileConformance { get; init; } = ImmutableArray<string>.Empty;
+
+    /// <summary>
+    /// Gets the effective profile conformance based on ProfileType if ProfileConformance is not explicitly set.
+    /// </summary>
+    public ImmutableArray<string> GetEffectiveProfileConformance()
+    {
+        if (!ProfileConformance.IsDefaultOrEmpty && ProfileConformance.Length > 0)
+        {
+            return ProfileConformance;
+        }
+
+        return ProfileType.GetProfileConformance().ToImmutableArray();
+    }
 }

 public sealed class SpdxComposer : ISpdxComposer
@@ -139,12 +161,12 @@ public sealed class SpdxComposer : ISpdxComposer
        var packages = new List<SpdxPackage>();
        var packageIdMap = new Dictionary<string, string>(StringComparer.Ordinal);

-        var rootPackage = BuildRootPackage(request.Image, idBuilder);
+        var rootPackage = BuildRootPackage(request.Image, idBuilder, options);
        packages.Add(rootPackage);

        foreach (var component in graph.Components)
        {
-            var package = BuildComponentPackage(component, idBuilder, licenseList);
+            var package = BuildComponentPackage(component, idBuilder, licenseList, options);
            packages.Add(package);
            packageIdMap[component.Identity.Key] = package.SpdxId;
        }
@@ -175,7 +197,7 @@ public sealed class SpdxComposer : ISpdxComposer
            Sbom = sbom,
            Elements = packages.Cast<SpdxElement>().ToImmutableArray(),
            Relationships = relationships,
-            ProfileConformance = options.ProfileConformance
+            ProfileConformance = options.GetEffectiveProfileConformance()
        };
    }

@@ -261,17 +283,23 @@ public sealed class SpdxComposer : ISpdxComposer
            .ToImmutableArray();
    }

-    private static SpdxPackage BuildRootPackage(ImageArtifactDescriptor image, SpdxIdBuilder idBuilder)
+    private static SpdxPackage BuildRootPackage(
+        ImageArtifactDescriptor image,
+        SpdxIdBuilder idBuilder,
+        SpdxCompositionOptions options)
    {
        var digest = image.ImageDigest;
        var digestParts = digest.Split(':', 2, StringSplitOptions.TrimEntries);
        var digestValue = digestParts.Length == 2 ? digestParts[1] : digest;

-        var checksums = ImmutableArray.Create(new SpdxChecksum
-        {
-            Algorithm = digestParts.Length == 2 ? digestParts[0].ToUpperInvariant() : "SHA256",
-            Value = digestValue
-        });
+        // Lite profile omits checksums
+        var checksums = options.ProfileType.IncludeChecksums()
+            ? ImmutableArray.Create(new SpdxChecksum
+            {
+                Algorithm = digestParts.Length == 2 ? digestParts[0].ToUpperInvariant() : "SHA256",
+                Value = digestValue
+            })
+            : ImmutableArray<SpdxChecksum>.Empty;

        return new SpdxPackage
        {
@@ -288,13 +316,17 @@ public sealed class SpdxComposer : ISpdxComposer
    private static SpdxPackage BuildComponentPackage(
        AggregatedComponent component,
        SpdxIdBuilder idBuilder,
-        SpdxLicenseList licenseList)
+        SpdxLicenseList licenseList,
+        SpdxCompositionOptions options)
    {
        var packageUrl = !string.IsNullOrWhiteSpace(component.Identity.Purl)
            ? component.Identity.Purl
            : (component.Identity.Key.StartsWith("pkg:", StringComparison.Ordinal) ? component.Identity.Key : null);

-        var declared = BuildLicenseExpression(component.Metadata?.Licenses, licenseList);
+        // Lite profile omits detailed licensing
+        var declared = options.ProfileType.IncludeDetailedLicensing()
+            ? BuildLicenseExpression(component.Metadata?.Licenses, licenseList)
+            : null;

        return new SpdxPackage
        {