feat: refactor to use set_cpe/set_purl

anthonyharrison · anthonyharrison · commit ee56ff95f3ff · 2024-03-24T20:03:51.000Z
diff --git a/requirements.txt b/requirements.txt
@@ -1,4 +1,4 @@
-lib4sbom >= 0.5.3
+lib4sbom >= 0.7.0
 sbom4files >= 0.3.0
 sbom2dot >= 0.3.0
 lib4package
diff --git a/sbom4python/scanner.py b/sbom4python/scanner.py
@@ -139,19 +139,13 @@ def process_module(self, module, parent="-"):
                 f'https://pypi.org/project/{self.get("Name")}/{version}'
             )
             # External references
-            self.sbom_package.set_externalreference(
-                "PACKAGE-MANAGER", "purl", f"pkg:pypi/{package}@{version}"
-            )
+            self.sbom_package.set_purl(f"pkg:pypi/{package}@{version}")
             if len(supplier) > 1:
                 component_supplier = self._format_supplier(
                     supplier, include_email=False
                 )
                 cpe_version = version.replace(':','\\:')
-                self.sbom_package.set_externalreference(
-                    "SECURITY",
-                    "cpe23Type",
-                    f"cpe:2.3:a:{component_supplier.replace(' ', '_').lower()}:{package}:{cpe_version}:*:*:*:*:*:*:*",
-                )
+                self.sbom_package.set_cpe(f"cpe:2.3:a:{component_supplier.replace(' ', '_').lower()}:{package}:{cpe_version}:*:*:*:*:*:*:*")
             self.package_metadata.get_package(package)
             checksum = self.package_metadata.get_checksum(version=version)
             if checksum is not None:
