sbom/spdx: add SPDX decoder

Adds a Decoder interface to the sbom package and implements an SPDX JSON
decoder that converts SPDX documents back to IndexReport format.

Includes round-trip tests and test coverage with real-world SPDX
documents from Konflux.

Signed-off-by: Brad Lugo <blugo@redhat.com>

Author: BradLugo

sbom/sbom.go

@@ -11,3 +11,8 @@ import (
 type Encoder interface {
 	Encode(ctx context.Context, w io.Writer, ir *claircore.IndexReport) error
 }
+
+// Decoder is an interface to convert an encoded SBOM into a [claircore.IndexReport].
+type Decoder interface {
+	Decode(ctx context.Context, r io.Reader) (*claircore.IndexReport, error)
+}

sbom/spdx/decoder.go

@@ -9,18 +9,18 @@ import (
 	"strconv"
 
 	"github.com/package-url/packageurl-go"
-	"github.com/quay/claircore/sbom"
 	spdxjson "github.com/spdx/tools-golang/json"
 	"github.com/spdx/tools-golang/spdx/v2/v2_3"
 
 	"github.com/quay/claircore"
 	"github.com/quay/claircore/purl"
+	"github.com/quay/claircore/sbom"
 )
 
 // DecoderOption is a type for setting optional fields for the Decoder.
 type DecoderOption func(*Decoder)
 
-// Decoder defines an SPDX decoder that converts SPDX documents to IndexReports.
+// Decoder defines an SPDX decoder that converts SPDX documents to [claircore.IndexReport].
 type Decoder struct {
 	// The data format to decode.
 	Format Format
@@ -58,10 +58,10 @@ func WithDecoderPURLConverter(registry purl.Converter) DecoderOption {
 	}
 }
 
-// Decode decodes an SPDX document from r and returns an IndexReport.
+// Decode decodes an SPDX document from r and returns a [claircore.IndexReport].
 //
 // Known limitations:
-// - Only package indexing via PURL ExternalRefs is supported.
+//   - Only package indexing via PURL ExternalRefs is supported.
 func (d *Decoder) Decode(ctx context.Context, r io.Reader) (*claircore.IndexReport, error) {
 	var doc *v2_3.Document
 	var err error
@@ -115,7 +115,7 @@ func (d *Decoder) parseDocument(ctx context.Context, doc *v2_3.Document) (*clair
 			if err != nil {
 				slog.WarnContext(ctx, "failed to parse PURL string to PURL",
 					"purl", ref.Locator,
-					"error", err)
+					"reason", err)
 				continue
 			}
 
@@ -130,7 +130,7 @@ func (d *Decoder) parseDocument(ctx context.Context, doc *v2_3.Document) (*clair
 				} else {
 					slog.WarnContext(ctx, "failed to parse PURL to IndexRecords",
 						"purl", ref.Locator,
-						"error", err)
+						"reason", err)
 				}
 				continue
 			}

sbom/spdx/decoder_test.go

@@ -0,0 +1,132 @@
+package spdx
+
+import (
+	"context"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/package-url/packageurl-go"
+	"github.com/quay/claircore/purl"
+	"github.com/quay/claircore/python"
+	"github.com/quay/claircore/rhel"
+)
+
+func TestDecoder(t *testing.T) {
+	ctx := context.Background()
+
+	t.Run("konflux-manifest", func(t *testing.T) {
+		// konflux-manifest.spdx.json contains only OCI PURLs (5 total)
+		// There's no standalone OCI PURL parser in the ecosystem packages,
+		// so this tests that the decoder handles unknown PURL types gracefully.
+		reg := purl.NewRegistry()
+
+		d := NewDefaultDecoder(WithDecoderPURLConverter(reg))
+
+		f, err := os.Open("testdata/decoder/konflux-manifest.spdx.json")
+		if err != nil {
+			t.Skip("testdata file not available:", err)
+		}
+		defer f.Close()
+
+		ir, err := d.Decode(ctx, f)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		// OCI PURLs are not registered, so we expect no packages
+		t.Logf("decoded %d packages from konflux-manifest.spdx.json (OCI PURLs not registered)", len(ir.Packages))
+	})
+
+	t.Run("konflux-syft+hermeto", func(t *testing.T) {
+		// konflux-syft+hermeto.spdx.json contains:
+		// - rpm/redhat PURLs (requires repository_cpes qualifier to parse)
+		// - pypi PURLs (should parse successfully)
+		// - oci PURLs (no parser registered)
+		repoMap := map[string][]string{
+			"rhel-9-for-aarch64-appstream-rpms":        {"cpe:/a:redhat:enterprise_linux:9::appstream"},
+			"rhel-9-for-aarch64-appstream-source-rpms": {"cpe:/a:redhat:enterprise_linux:9::appstream"},
+			"rhel-9-for-aarch64-baseos-rpms":           {"cpe:/o:redhat:enterprise_linux:9::baseos"},
+			"rhel-9-for-aarch64-baseos-source-rpms":    {"cpe:/o:redhat:enterprise_linux:9::baseos"},
+			"rhel-9-for-ppc64le-appstream-rpms":        {"cpe:/a:redhat:enterprise_linux:9::appstream"},
+			"rhel-9-for-ppc64le-appstream-source-rpms": {"cpe:/a:redhat:enterprise_linux:9::appstream"},
+			"rhel-9-for-ppc64le-baseos-rpms":           {"cpe:/o:redhat:enterprise_linux:9::baseos"},
+			"rhel-9-for-ppc64le-baseos-source-rpms":    {"cpe:/o:redhat:enterprise_linux:9::baseos"},
+			"rhel-9-for-s390x-appstream-rpms":          {"cpe:/a:redhat:enterprise_linux:9::appstream"},
+			"rhel-9-for-s390x-appstream-source-rpms":   {"cpe:/a:redhat:enterprise_linux:9::appstream"},
+			"rhel-9-for-s390x-baseos-rpms":             {"cpe:/o:redhat:enterprise_linux:9::baseos"},
+			"rhel-9-for-s390x-baseos-source-rpms":      {"cpe:/o:redhat:enterprise_linux:9::baseos"},
+			"rhel-9-for-x86_64-appstream-rpms":         {"cpe:/a:redhat:enterprise_linux:9::appstream"},
+			"rhel-9-for-x86_64-appstream-source-rpms":  {"cpe:/a:redhat:enterprise_linux:9::appstream"},
+			"rhel-9-for-x86_64-baseos-rpms":            {"cpe:/o:redhat:enterprise_linux:9::baseos"},
+			"rhel-9-for-x86_64-baseos-source-rpms":     {"cpe:/o:redhat:enterprise_linux:9::baseos"},
+		}
+		reg := purl.NewRegistry()
+		reg.RegisterPurlType(python.PURLType, purl.NoneNamespace, python.ParsePURL)
+		reg.RegisterPurlType(rhel.PURLType, rhel.PURLNamespace, rhel.ParseRPMPURL, mockTransformer(repoMap))
+
+		d := NewDefaultDecoder(WithDecoderPURLConverter(reg))
+
+		f, err := os.Open("testdata/decoder/konflux-syft+hermeto.spdx.json")
+		if err != nil {
+			t.Skip("testdata file not available:", err)
+		}
+		defer f.Close()
+
+		ir, err := d.Decode(ctx, f)
+		if err != nil {
+			t.Fatal(err)
+		}
+
+		//   1511 valid rpm/redhat PURLs
+		// -  188 invalid valid rpm/redhat PURLs (no repository_id)
+		// +   18 valid pypi PURLs
+		// = 1341 packages
+		if len(ir.Packages) != 1341 {
+			t.Errorf("expected %d packages, got %d", 1341, len(ir.Packages))
+		}
+		t.Logf("decoded %d packages, %d distributions, %d repositories",
+			len(ir.Packages), len(ir.Distributions), len(ir.Repositories))
+	})
+}
+
+func TestDecoderNoPURLConverter(t *testing.T) {
+	ctx := context.Background()
+
+	// Decoder without a PURL converter should return an empty IndexReport.
+	d := NewDefaultDecoder()
+
+	f, err := os.Open("testdata/decoder/konflux-manifest.spdx.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer f.Close()
+
+	ir, err := d.Decode(ctx, f)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	// Without PURL converter, should have no packages
+	if len(ir.Packages) != 0 {
+		t.Errorf("expected no packages without PURL converter, got %d", len(ir.Packages))
+	}
+}
+
+func mockTransformer(repoMap map[string][]string) func(ctx context.Context, p *packageurl.PackageURL) error {
+	return func(ctx context.Context, p *packageurl.PackageURL) error {
+		// It has already been transformed, or doesn't need to be.
+		if _, ok := p.Qualifiers.Map()["repository_cpes"]; ok {
+			return nil
+		}
+		repoid, ok := p.Qualifiers.Map()["repository_id"]
+		if !ok {
+			return nil
+		}
+		if cpes, ok := repoMap[repoid]; ok {
+			cpesStr := strings.Join(cpes, ",")
+			p.Qualifiers = append(p.Qualifiers, packageurl.Qualifier{Key: "repository_cpes", Value: cpesStr})
+		}
+		return nil
+	}
+}

sbom/spdx/encoder_test.go

@@ -4,10 +4,8 @@ import (
 	"bytes"
 	"context"
 	"encoding/json"
-	"fmt"
 	"io/fs"
 	"os"
-	"path"
 	"strings"
 	"testing"
 
@@ -42,14 +40,14 @@ func TestEncoder(t *testing.T) {
 	WithPURLConverter(pr)(e)
 
 	ctx := context.Background()
-	td := os.DirFS("testdata")
+	td := os.DirFS("testdata/round-trip")
 	de, err := fs.ReadDir(td, ".")
 	if err != nil {
 		t.Fatal(err)
 	}
 	for _, de := range de {
 		n := de.Name()
-		if strings.HasSuffix(n, ".want.json") {
+		if de.IsDir() || !strings.HasSuffix(n, ".ir.json") {
 			continue
 		}
 		t.Run(n, func(t *testing.T) {
@@ -58,9 +56,8 @@ func TestEncoder(t *testing.T) {
 				t.Fatal(err)
 			}
 			defer f.Close()
-			ext := path.Ext(n)
-			base := strings.TrimSuffix(n, ext)
-			wantPath := fmt.Sprintf("%s.want%s", base, ext)
+			base := strings.TrimSuffix(n, ".ir.json")
+			wantPath := base + ".spdx.json"
 			w, err := td.Open(wantPath)
 			if err != nil {
 				t.Fatal(err)

sbom/spdx/round_trip_test.go

@@ -0,0 +1,146 @@
+package spdx
+
+import (
+	"bytes"
+	"context"
+	"encoding/json"
+	"io/fs"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/quay/claircore"
+	"github.com/quay/claircore/gobin"
+	"github.com/quay/claircore/purl"
+)
+
+// TestRoundTrip tests encoding an IndexReport to SPDX and decoding it back.
+func TestRoundTrip(t *testing.T) {
+	ctx := context.Background()
+
+	// Create a registry for both encoding and decoding.
+	// For golang PURLs, we need to register parsers for all namespaces we might encounter.
+	// The golang PURL generator splits package names like "github.com/example/pkg" into:
+	//   namespace: github.com, name: example, subpath: pkg
+	// So we need to register the parser for the "github.com" namespace.
+	reg := purl.NewRegistry()
+	reg.RegisterDetector(gobin.Detector{}, gobin.GeneratePURL)
+	reg.RegisterPurlType(gobin.PURLType, purl.NoneNamespace, gobin.ParsePURL)
+	reg.RegisterPurlType(gobin.PURLType, "github.com", gobin.ParsePURL)
+
+	original := &claircore.IndexReport{
+		State:   "IndexFinished",
+		Success: true,
+		Packages: map[string]*claircore.Package{
+			"1": {
+				ID:      "1",
+				Name:    "github.com/example/pkg",
+				Version: "v1.2.3",
+				Kind:    claircore.BINARY,
+				Detector: &claircore.Detector{
+					Name:    "gobin",
+					Version: "1",
+					Kind:    "package",
+				},
+			},
+		},
+		Distributions: map[string]*claircore.Distribution{},
+		Repositories:  map[string]*claircore.Repository{},
+		Environments: map[string][]*claircore.Environment{
+			"1": {{PackageDB: "go.sum"}},
+		},
+	}
+
+	// Encode to SPDX.
+	encoder := NewDefaultEncoder(
+		WithPURLConverter(reg),
+		WithDocumentName("test"),
+		WithDocumentNamespace("test-ns"),
+	)
+
+	var buf bytes.Buffer
+	if err := encoder.Encode(ctx, &buf, original); err != nil {
+		t.Fatalf("encode failed: %v", err)
+	}
+
+	// Decode back to IndexReport.
+	decoder := NewDefaultDecoder(WithDecoderPURLConverter(reg))
+	decoded, err := decoder.Decode(ctx, &buf)
+	if err != nil {
+		t.Fatalf("decode failed: %v", err)
+	}
+
+	// Compare key fields.
+	if len(decoded.Packages) != len(original.Packages) {
+		t.Errorf("package count mismatch: got %d, want %d", len(decoded.Packages), len(original.Packages))
+	}
+
+	// Check that we got a package with the right name and version.
+	foundPkg := false
+	for _, pkg := range decoded.Packages {
+		if pkg.Name == "github.com/example/pkg" && pkg.Version == "v1.2.3" {
+			foundPkg = true
+			break
+		}
+	}
+	if !foundPkg {
+		t.Error("expected to find package github.com/example/pkg@v1.2.3 after round-trip")
+	}
+}
+
+// TestRoundTripTestdata tests round-tripping the testdata files.
+func TestRoundTripTestdata(t *testing.T) {
+	ctx := context.Background()
+
+	// Read all .ir.json files from testdata/round-trip.
+	td := os.DirFS("testdata/round-trip")
+	entries, err := fs.ReadDir(td, ".")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	reg := purl.NewRegistry()
+	reg.RegisterPurlType(gobin.PURLType, purl.NoneNamespace, gobin.ParsePURL)
+
+	for _, entry := range entries {
+		name := entry.Name()
+		if entry.IsDir() || !strings.HasSuffix(name, ".ir.json") {
+			continue
+		}
+
+		t.Run(name, func(t *testing.T) {
+			// Read the original IndexReport.
+			f, err := td.Open(name)
+			if err != nil {
+				t.Fatal(err)
+			}
+			defer f.Close()
+
+			var original claircore.IndexReport
+			if err := json.NewDecoder(f).Decode(&original); err != nil {
+				t.Fatal(err)
+			}
+
+			// Encode to SPDX.
+			encoder := NewDefaultEncoder(
+				WithDocumentName("test"),
+				WithDocumentNamespace("test-ns"),
+			)
+
+			var buf bytes.Buffer
+			if err := encoder.Encode(ctx, &buf, &original); err != nil {
+				t.Fatal(err)
+			}
+
+			// Decode back.
+			decoder := NewDefaultDecoder(WithDecoderPURLConverter(reg))
+			decoded, err := decoder.Decode(ctx, &buf)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			t.Logf("original: %d packages, decoded: %d packages",
+				len(original.Packages), len(decoded.Packages))
+		})
+	}
+}