Normalise SPDX constants before equality checks

rhyskoedijk · Dec 4, 2024 · c404f5b · c404f5b
1 parent 2f448d7
commit c404f5b
Show file tree

Hide file tree

Showing 6 changed files with 35 additions and 11 deletions.
diff --git a/shared/models/spdx/2.3/Constants.ts b/shared/models/spdx/2.3/Constants.ts
@@ -1,2 +1,10 @@
 export const NONE = 'NONE';
 export const NOASSERTION = 'NOASSERTION';
+
+export function spdxNormalised(constant: string): string {
+  return constant?.replace(/\-/g, '_')?.toUpperCase()?.trim();
+}
+
+export function spdxConstantsAreEqual(a: string, b: string): boolean {
+  return spdxNormalised(a) === spdxNormalised(b);
+}
diff --git a/shared/models/spdx/2.3/IChecksum.ts b/shared/models/spdx/2.3/IChecksum.ts
@@ -1,3 +1,5 @@
+import { spdxConstantsAreEqual } from './Constants';
+
 export interface IChecksum {
   algorithm: ChecksumAlgorithm;
   checksumValue: string;
@@ -24,5 +26,5 @@ export enum ChecksumAlgorithm {
 }
 
 export function getChecksum(checksums: IChecksum[], algorithm: ChecksumAlgorithm): string | undefined {
-  return checksums.find((checksum) => checksum.algorithm === algorithm)?.checksumValue;
+  return checksums.find((checksum) => spdxConstantsAreEqual(checksum.algorithm, algorithm))?.checksumValue;
 }
diff --git a/shared/models/spdx/2.3/IDocument.ts b/shared/models/spdx/2.3/IDocument.ts
@@ -1,3 +1,4 @@
+import { spdxConstantsAreEqual } from './Constants';
 import { ICreationInfo } from './ICreationInfo';
 import { IFile } from './IFile';
 import { IPackage } from './IPackage';
@@ -28,22 +29,26 @@ export enum DocumentVersion {
 export function isPackageTopLevel(document: IDocument, packageId: string): boolean {
   const rootPackageIds = document.documentDescribes;
   const relationships = document.relationships || [];
-  const dependsOnRelationships = relationships.filter((r) => r.relationshipType === RelationshipType.DependsOn);
+  const dependsOnRelationships = relationships.filter((r) =>
+    spdxConstantsAreEqual(r.relationshipType, RelationshipType.DependsOn),
+  );
   return (
     rootPackageIds.includes(packageId) ||
     dependsOnRelationships.some(
       (relationship) =>
         rootPackageIds.includes(relationship.spdxElementId) &&
         relationship.relatedSpdxElement === packageId &&
-        relationship.relationshipType === RelationshipType.DependsOn,
+        spdxConstantsAreEqual(relationship.relationshipType, RelationshipType.DependsOn),
     )
   );
 }
 
 export function getPackageDependsOnChain(document: IDocument, packageId: string): IPackage[] {
   const rootPackageIds = document.documentDescribes;
   const relationships = document.relationships || [];
-  const dependsOnRelationships = relationships.filter((r) => r.relationshipType === RelationshipType.DependsOn);
+  const dependsOnRelationships = relationships.filter((r) =>
+    spdxConstantsAreEqual(r.relationshipType, RelationshipType.DependsOn),
+  );
   const packages = (document.packages || []).filter((p) => {
     return !rootPackageIds.includes(p.SPDXID);
   });

diff --git a/shared/models/spdx/2.3/IExternalRef.ts b/shared/models/spdx/2.3/IExternalRef.ts
@@ -1,6 +1,8 @@
 import { Buffer } from 'buffer';
 import { PackageURL } from 'packageurl-js';
 
+import { spdxConstantsAreEqual } from './Constants';
+
 import '../../../extensions/StringExtensions';
 
 export interface IExternalRef {
@@ -47,7 +49,9 @@ export function parseExternalRefsAs<T>(
 ): T[] | undefined {
   const securityRefs = externalRefs.filter(
     (ref) =>
-      (ref.referenceCategory === category && ref.referenceType === type && customParser) ||
+      (spdxConstantsAreEqual(ref.referenceCategory, category) &&
+        spdxConstantsAreEqual(ref.referenceType, type) &&
+        customParser) ||
       ref.referenceLocator.match(/data\:text\/json\;base64/i),
   );
   if (securityRefs.length) {
@@ -62,7 +66,9 @@ export function parseExternalRefsAs<T>(
 }
 
 export function getExternalRefPackageManagerName(externalRefs: IExternalRef[]): string | undefined {
-  const packageManager = externalRefs.find((ref) => ref.referenceCategory === ExternalRefCategory.PackageManager);
+  const packageManager = externalRefs.find((ref) =>
+    spdxConstantsAreEqual(ref.referenceCategory, ExternalRefCategory.PackageManager),
+  );
   switch (packageManager?.referenceType) {
     case ExternalRefPackageManagerType.MavenCentral:
       return 'Maven Central';
@@ -80,7 +86,9 @@ export function getExternalRefPackageManagerName(externalRefs: IExternalRef[]):
 }
 
 export function getExternalRefPackageManagerUrl(externalRefs: IExternalRef[]): string | undefined {
-  const packageManager = externalRefs.find((ref) => ref.referenceCategory === ExternalRefCategory.PackageManager);
+  const packageManager = externalRefs.find((ref) =>
+    spdxConstantsAreEqual(ref.referenceCategory, ExternalRefCategory.PackageManager),
+  );
   switch (packageManager?.referenceType) {
     case ExternalRefPackageManagerType.MavenCentral:
       return `https://search.maven.org/artifact/${packageManager.referenceLocator.replace(/\:/g, '/')}/pom`;

diff --git a/ui/components/SpdxFileTableCard.tsx b/ui/components/SpdxFileTableCard.tsx
@@ -15,7 +15,7 @@ import {
 import { FILTER_CHANGE_EVENT, IFilter } from 'azure-devops-ui/Utilities/Filter';
 import { ZeroData } from 'azure-devops-ui/ZeroData';
 
-import { ChecksumAlgorithm } from '../../shared/models/spdx/2.3/IChecksum';
+import { ChecksumAlgorithm, getChecksum } from '../../shared/models/spdx/2.3/IChecksum';
 import { IDocument } from '../../shared/models/spdx/2.3/IDocument';
 import { IFile } from '../../shared/models/spdx/2.3/IFile';
 
@@ -60,7 +60,7 @@ export class SpdxFileTableCard extends React.Component<Props, State> {
           return {
             id: x.SPDXID,
             name: Path.normalize(x.fileName),
-            checksum: x.checksums.find((c) => c.algorithm === ChecksumAlgorithm.SHA256)?.checksumValue || '',
+            checksum: getChecksum(x.checksums, ChecksumAlgorithm.SHA256) || '',
           };
         }) || [];
 

diff --git a/ui/components/SpdxSummaryCard.tsx b/ui/components/SpdxSummaryCard.tsx
@@ -8,6 +8,7 @@ import { ISecurityVulnerability } from '../../shared/ghsa/ISecurityVulnerability
 import { getHexStringFromColor } from '../../shared/models/severity/IColor';
 import { ISeverity } from '../../shared/models/severity/ISeverity';
 import { SEVERITIES } from '../../shared/models/severity/Severities';
+import { spdxConstantsAreEqual } from '../../shared/models/spdx/2.3/Constants';
 import { IDocument, isPackageTopLevel } from '../../shared/models/spdx/2.3/IDocument';
 import { ExternalRefCategory, getExternalRefPackageManagerName } from '../../shared/models/spdx/2.3/IExternalRef';
 import { IFile } from '../../shared/models/spdx/2.3/IFile';
@@ -115,8 +116,8 @@ export class SpdxSummaryCard extends React.Component<Props, State> {
             ),
             groupedByVulnerable: props.packages.reduce(
               (acc, p) => {
-                const hasVulnerabilities = p.externalRefs?.some(
-                  (ref) => ref.referenceCategory === ExternalRefCategory.Security,
+                const hasVulnerabilities = p.externalRefs?.some((ref) =>
+                  spdxConstantsAreEqual(ref.referenceCategory, ExternalRefCategory.Security),
                 );
                 const key = hasVulnerabilities ? 'Vulnerable' : 'Not Vulnerable';
                 acc[key] = (acc[key] || 0) + 1;