github.com/google/osv-scalibr@v0.4.1/extractor/convert.go

github.com/google/osv-scalibr@v0.4.1/extractor/convert.go (about)

     1  // Copyright 2025 Google LLC
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package extractor
    16  
    17  import (
    18  	hexpurl "github.com/google/osv-scalibr/extractor/filesystem/language/erlang/mixlock/purl"
    19  	gopurl "github.com/google/osv-scalibr/extractor/filesystem/language/golang/purl"
    20  	mavenpurl "github.com/google/osv-scalibr/extractor/filesystem/language/java/purl"
    21  	npmpurl "github.com/google/osv-scalibr/extractor/filesystem/language/javascript/purl"
    22  	"github.com/google/osv-scalibr/extractor/filesystem/language/python/pypipurl"
    23  	osecosystem "github.com/google/osv-scalibr/extractor/filesystem/os/ecosystem"
    24  	ospurl "github.com/google/osv-scalibr/extractor/filesystem/os/purl"
    25  	cdxmeta "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx/metadata"
    26  	cdxpurl "github.com/google/osv-scalibr/extractor/filesystem/sbom/cdx/purl"
    27  	spdxmeta "github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx/metadata"
    28  	spdxpurl "github.com/google/osv-scalibr/extractor/filesystem/sbom/spdx/purl"
    29  	winpurl "github.com/google/osv-scalibr/extractor/standalone/windows/common/purl"
    30  	"github.com/google/osv-scalibr/inventory/osvecosystem"
    31  	"github.com/google/osv-scalibr/purl"
    32  	"github.com/ossf/osv-schema/bindings/go/osvconstants"
    33  )
    34  
    35  // toPURL converts a SCALIBR package structure into a package URL.
    36  func toPURL(p *Package) *purl.PackageURL {
    37  	if p.PURLType == "" {
    38  		return nil
    39  	}
    40  	// See if this needs any special type-specific conversion logic.
    41  	if purl := typeSpecificPURL(p); purl != nil {
    42  		return purl
    43  	}
    44  	// All other cases: Set just the name and version.
    45  	return &purl.PackageURL{
    46  		Type:    p.PURLType,
    47  		Name:    p.Name,
    48  		Version: p.Version,
    49  	}
    50  }
    51  
    52  func typeSpecificPURL(p *Package) *purl.PackageURL {
    53  	// SPDX and CDX packages can have any PURL type so we first look at the
    54  	// metadata type to identify them.
    55  	switch m := p.Metadata.(type) {
    56  	case *spdxmeta.Metadata:
    57  		return spdxpurl.MakePackageURL(m)
    58  	case *cdxmeta.Metadata:
    59  		return cdxpurl.MakePackageURL(m)
    60  	}
    61  
    62  	switch p.PURLType {
    63  	case purl.TypePyPi:
    64  		return pypipurl.MakePackageURL(p.Name, p.Version)
    65  	case purl.TypeMaven:
    66  		return mavenpurl.MakePackageURL(p.Version, p.Metadata)
    67  	case purl.TypeNPM:
    68  		return npmpurl.MakePackageURL(p.Name, p.Version, p.Metadata)
    69  	case purl.TypeGolang:
    70  		return gopurl.MakePackageURL(p.Name, p.Version)
    71  	case purl.TypeHex:
    72  		return hexpurl.MakePackageURL(p.Name, p.Version)
    73  	case purl.TypeDebian, purl.TypeOpkg, purl.TypeFlatpak, purl.TypeApk, purl.TypeCOS, purl.TypeRPM,
    74  		purl.TypeSnap, purl.TypePacman, purl.TypePortage, purl.TypeNix:
    75  		return ospurl.MakePackageURL(p.Name, p.Version, p.PURLType, p.Metadata)
    76  	case "windows":
    77  		return winpurl.MakePackageURL(p.Name, p.Version, p.Metadata)
    78  	}
    79  	return nil
    80  }
    81  
    82  // toEcosystem converts a SCALIBR package structure into an OSV ecosystem value
    83  // defined in https://ossf.github.io/osv-schema/#defined-ecosystems
    84  func toEcosystem(p *Package) osvecosystem.Parsed {
    85  	switch p.PURLType {
    86  	case purl.TypeDebian, purl.TypeOpkg, purl.TypeApk, purl.TypeRPM,
    87  		purl.TypeSnap, purl.TypePacman, purl.TypePortage:
    88  
    89  		return osecosystem.MakeEcosystem(p.Metadata)
    90  	case purl.TypePyPi:
    91  		return osvecosystem.FromEcosystem(osvconstants.EcosystemPyPI)
    92  	case purl.TypeMaven:
    93  		return osvecosystem.FromEcosystem(osvconstants.EcosystemMaven)
    94  	case purl.TypeNPM:
    95  		return osvecosystem.FromEcosystem(osvconstants.EcosystemNPM)
    96  	case purl.TypeGolang:
    97  		return osvecosystem.FromEcosystem(osvconstants.EcosystemGo)
    98  	// Not yet supported by OSV yet
    99  	// case purl.TypeCocoapods:
   100  	// 	return string(osvschema.EcosystemCocoaPods)
   101  	case purl.TypeConan:
   102  		return osvecosystem.FromEcosystem(osvconstants.EcosystemConanCenter)
   103  	case purl.TypeCran:
   104  		return osvecosystem.FromEcosystem(osvconstants.EcosystemCRAN)
   105  	case purl.TypeGem:
   106  		return osvecosystem.FromEcosystem(osvconstants.EcosystemRubyGems)
   107  	case purl.TypeNuget:
   108  		return osvecosystem.FromEcosystem(osvconstants.EcosystemNuGet)
   109  	case purl.TypeHaskell:
   110  		return osvecosystem.FromEcosystem(osvconstants.EcosystemHackage)
   111  	case purl.TypeHex:
   112  		return osvecosystem.FromEcosystem(osvconstants.EcosystemHex)
   113  	case purl.TypeComposer:
   114  		return osvecosystem.FromEcosystem(osvconstants.EcosystemPackagist)
   115  	case purl.TypeCargo:
   116  		return osvecosystem.FromEcosystem(osvconstants.EcosystemCratesIO)
   117  	case purl.TypePub:
   118  		return osvecosystem.FromEcosystem(osvconstants.EcosystemPub)
   119  	}
   120  
   121  	// No Ecosystem defined for this package.
   122  	return osvecosystem.Parsed{}
   123  }