fix(ISV-5128): also update sbom metadata component purl

Previously the update-component-sbom script is only updating the component purl in the list of components. But in CycloneDX, there is also a component purl in the metadata. Signed-off-by: Wai Cheang <[email protected]>
konflux-ci · Nov 13, 2024 · 875ebd8 · 875ebd8
1 parent 0feab5b
commit 875ebd8
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/sbom/test_update_component_sbom.py b/sbom/test_update_component_sbom.py
@@ -27,21 +27,33 @@ def test_get_component_to_purls_map(self) -> None:
 
     def test_update_cyclonedx_sbom(self) -> None:
         sbom = {
+            "metadata": {
+                "component": {
+                    "name": "comp1",
+                    "purl": "purl1",
+                }
+            },
             "components": [
                 {"name": "comp1", "purl": "purl1"},
                 {"name": "comp2", "purl": "purl2"},
-            ]
+            ],
         }
         mapping = {
             "comp1": ["updated_purl1"],
             "comp2": ["updated_purl2"],
         }
         update_cyclonedx_sbom(sbom, mapping)
         assert sbom == {
+            "metadata": {
+                "component": {
+                    "name": "comp1",
+                    "purl": "updated_purl1",
+                }
+            },
             "components": [
                 {"name": "comp1", "purl": "updated_purl1"},
                 {"name": "comp2", "purl": "updated_purl2"},
-            ]
+            ],
         }
 
     def test_update_spdx_sbom(self) -> None:

diff --git a/sbom/update_component_sbom.py b/sbom/update_component_sbom.py
@@ -42,6 +42,12 @@ def update_cyclonedx_sbom(sbom: Dict, component_to_purls_map: Dict[str, List[str
         component_to_purls_map: dictionary mapping of component names to list of purls.
     """
     LOG.info("Updating CycloneDX sbom")
+
+    component_name = sbom["metadata"]["component"]["name"]
+    if component_name in component_to_purls_map:
+        # only one purl is supported for CycloneDX
+        sbom["metadata"]["component"]["purl"] = component_to_purls_map[component_name][0]
+
     for component in sbom["components"]:
         if component["name"] in component_to_purls_map:
             # only one purl is supported for CycloneDX