Deduplicate SPDX IDs with hash suffixes

sethmlarson · sethmlarson · commit ea5c9de20422 · 2024-12-02T15:49:42.000-06:00
diff --git a/sbom.py b/sbom.py
@@ -25,7 +25,7 @@
 import typing
 import zipfile
 from pathlib import Path
-from typing import Any, NotRequired, TypedDict, cast
+from typing import Any, LiteralString, NotRequired, TypedDict, cast
 from urllib.request import urlopen
 
 
@@ -90,9 +90,19 @@ class CreationInfo(TypedDict):
     licenseListVersion: str
 
 
-def spdx_id(value: str) -> str:
+# Cache of values that we've seen already. We use this
+# to de-duplicate values and their corresponding SPDX ID.
+_SPDX_IDS_TO_VALUES = {}
+
+
+def spdx_id(value: LiteralString) -> str:
     """Encode a value into characters that are valid in an SPDX ID"""
-    return re.sub(r"[^a-zA-Z0-9.\-]+", "-", value)
+    spdx_id = re.sub(r"[^a-zA-Z0-9.\-]+", "-", value)
+    # To avoid collisions we append a hash suffix.
+    suffix = hashlib.sha256(value.encode()).hexdigest()[:8]
+    spdx_id = f"{spdx_id}-{suffix}"
+    assert _SPDX_IDS_TO_VALUES.setdefault(spdx_id, value) == value
+    return spdx_id
 
 
 def calculate_package_verification_codes(sbom: SBOM) -> None:
diff --git a/tests/sbom/sbom-with-pip-removed.json b/tests/sbom/sbom-with-pip-removed.json
@@ -13,9 +13,9 @@
   "packages": [],
   "relationships": [
     {
-      "relatedSpdxElement": "SPDXRef-FILE-Modules-expat-COPYING",
+      "relatedSpdxElement": "SPDXRef-FILE-Modules-expat-COPYING-497fb0c3",
       "relationshipType": "CONTAINS",
-      "spdxElementId": "SPDXRef-PACKAGE-expat"
+      "spdxElementId": "SPDXRef-PACKAGE-expat-83b93528"
     }
   ]
 }
diff --git a/tests/sbom/sbom-with-pip.json b/tests/sbom/sbom-with-pip.json
@@ -12,7 +12,7 @@
   "files": [],
   "packages": [
     {
-      "SPDXID": "SPDXRef-PACKAGE-pip",
+      "SPDXID": "SPDXRef-PACKAGE-pip-ced959c1",
       "name": "pip",
       "versionInfo": "24.0",
       "licenseConcluded": "MIT",
@@ -38,19 +38,19 @@
   ],
   "relationships": [
     {
-      "relatedSpdxElement": "SPDXRef-FILE-Modules-expat-COPYING",
+      "relatedSpdxElement": "SPDXRef-FILE-Modules-expat-COPYING-497fb0c3",
       "relationshipType": "CONTAINS",
-      "spdxElementId": "SPDXRef-PACKAGE-expat"
+      "spdxElementId": "SPDXRef-PACKAGE-expat-83b93528"
     },
     {
-      "relatedSpdxElement": "SPDXRef-PACKAGE-urllib3",
+      "relatedSpdxElement": "SPDXRef-PACKAGE-urllib3-b7a198af",
       "relationshipType": "DEPENDS_ON",
-      "spdxElementId": "SPDXRef-PACKAGE-pip"
+      "spdxElementId": "SPDXRef-PACKAGE-pip-ced959c1"
     },
     {
-      "relatedSpdxElement": "SPDXRef-PACKAGE-pip",
+      "relatedSpdxElement": "SPDXRef-PACKAGE-pip-ced959c1",
       "relationshipType": "DEPENDS_ON",
-      "spdxElementId": "SPDXRef-PACKAGE-cpython"
+      "spdxElementId": "SPDXRef-PACKAGE-cpython-608f998c"
     }
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -13,9 +13,9 @@`
`13`	`13`	`"packages": [],`
`14`	`14`	`"relationships": [`
`15`	`15`	`{`
`16`		`- "relatedSpdxElement": "SPDXRef-FILE-Modules-expat-COPYING",`
	`16`	`+ "relatedSpdxElement": "SPDXRef-FILE-Modules-expat-COPYING-497fb0c3",`
`17`	`17`	`"relationshipType": "CONTAINS",`
`18`		`- "spdxElementId": "SPDXRef-PACKAGE-expat"`
	`18`	`+ "spdxElementId": "SPDXRef-PACKAGE-expat-83b93528"`
`19`	`19`	`}`
`20`	`20`	`]`
`21`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@`
`12`	`12`	`"files": [],`
`13`	`13`	`"packages": [`
`14`	`14`	`{`
`15`		`- "SPDXID": "SPDXRef-PACKAGE-pip",`
	`15`	`+ "SPDXID": "SPDXRef-PACKAGE-pip-ced959c1",`
`16`	`16`	`"name": "pip",`
`17`	`17`	`"versionInfo": "24.0",`
`18`	`18`	`"licenseConcluded": "MIT",`
`@@ -38,19 +38,19 @@`
`38`	`38`	`],`
`39`	`39`	`"relationships": [`
`40`	`40`	`{`
`41`		`- "relatedSpdxElement": "SPDXRef-FILE-Modules-expat-COPYING",`
	`41`	`+ "relatedSpdxElement": "SPDXRef-FILE-Modules-expat-COPYING-497fb0c3",`
`42`	`42`	`"relationshipType": "CONTAINS",`
`43`		`- "spdxElementId": "SPDXRef-PACKAGE-expat"`
	`43`	`+ "spdxElementId": "SPDXRef-PACKAGE-expat-83b93528"`
`44`	`44`	`},`
`45`	`45`	`{`
`46`		`- "relatedSpdxElement": "SPDXRef-PACKAGE-urllib3",`
	`46`	`+ "relatedSpdxElement": "SPDXRef-PACKAGE-urllib3-b7a198af",`
`47`	`47`	`"relationshipType": "DEPENDS_ON",`
`48`		`- "spdxElementId": "SPDXRef-PACKAGE-pip"`
	`48`	`+ "spdxElementId": "SPDXRef-PACKAGE-pip-ced959c1"`
`49`	`49`	`},`
`50`	`50`	`{`
`51`		`- "relatedSpdxElement": "SPDXRef-PACKAGE-pip",`
	`51`	`+ "relatedSpdxElement": "SPDXRef-PACKAGE-pip-ced959c1",`
`52`	`52`	`"relationshipType": "DEPENDS_ON",`
`53`		`- "spdxElementId": "SPDXRef-PACKAGE-cpython"`
	`53`	`+ "spdxElementId": "SPDXRef-PACKAGE-cpython-608f998c"`
`54`	`54`	`}`
`55`	`55`	`]`
`56`	`56`	`}`