Cleanup

- use `packaging.version` to compare versions
- minor fixes

Author: xaker00

gen_sbom.py

@@ -2,7 +2,7 @@
 #
 # /// script
 # requires-python = ">=3.10"
-# dependencies = ["openpyxl", "pydantic"]
+# dependencies = ["openpyxl", "pydantic", "packaging"]
 # ///
 
 import argparse
@@ -12,6 +12,7 @@
 from typing import Generator, Literal
 
 import openpyxl
+from packaging import version
 from pydantic import AliasPath, BaseModel, Field, computed_field
 
 logger = logging.getLogger(__name__)
@@ -36,7 +37,7 @@ class SPDXPackage(BaseModel):
     # I haven't yet seen a case where it is missing and it should be included in the human-readable SBOM
     versionInfo: str
     supplier: str = "Open-source software"
-    externalRefs: list[SPDXRef] = []
+    externalRefs: list[SPDXRef] = Field(default_factory=list)
 
     @computed_field
     def purl(self) -> str | None:
@@ -109,20 +110,31 @@ def to_fda_records(self, author: str | None) -> Generator["FDARecord"]:
 
 
 class FDARecord(BaseModel):
-    """RDA required fields."""
+    """FDA required fields."""
 
     author: str
     timestamp: str
     supplier: str = "Open-source software"
     component: str
     version: str
     unique_identifier: str
-    relationship: Literal["is contained by"] = "is contained by"
-
-
-def newer2(p1, p2):
-    """Return the package with the newer version."""
-    return p1 if p1.version > p2.version else p2
+    relationship: Literal["Is contained by"] = "Is contained by"
+
+
+def newer(p1: FDARecord, p2: FDARecord) -> FDARecord:
+    """Return the package with the newer version using semantic version comparison."""
+    if p1.version == p2.version:
+        return p2  # Arbitrary choice if versions are equal
+    try:
+        v1 = version.parse(p1.version)
+        v2 = version.parse(p2.version)
+        return p1 if v1 > v2 else p2
+    except Exception as e:
+        # Fallback to string comparison if version parsing fails
+        logger.warning(
+            f"Failed to parse versions '{p1.version}' or '{p2.version}': {e}"
+        )
+        return p1 if p1.version > p2.version else p2
 
 
 def merge_sboms(sbom1: list[FDARecord], sbom2: list[FDARecord]) -> list[FDARecord]:
@@ -131,7 +143,7 @@ def merge_sboms(sbom1: list[FDARecord], sbom2: list[FDARecord]) -> list[FDARecor
     for r in sbom2:
         key = (r.component, r.supplier)
         if key in records:
-            records[key] = newer2(records[key], r)
+            records[key] = newer(records[key], r)
         else:
             records[key] = r
     return list(records.values())
@@ -156,7 +168,7 @@ def gen_sbom(
 ):
     """Generate a combined SBOM from multiple SPDX and CycloneDX SBOMs in the input directory."""
     bom_parsers: list[type[BaseSBOM]] = [SPDX2_3, Cyclone1_6]
-    boms = []
+    boms: list[list[FDARecord]] = []
 
     for bom_file in input_directory_path.glob("*.json"):
         for bom_parser in bom_parsers:
@@ -173,9 +185,9 @@ def gen_sbom(
             logger.error(f"Failed to parse {bom_file} with all known parsers")
             raise ValueError(f"Unknown BOM format in {bom_file}")
 
-    merged_bom = reduce(merge_sboms, boms, [])
+    merged_bom: list[FDARecord] = reduce(merge_sboms, boms, [])
     save_as_xlsx(merged_bom, output_file_path)
-    # Check for duplicates
+    # Check for duplicates (side effect: log warnings)
     deduplicate(merged_bom)
 
 

requirements.txt

@@ -9,6 +9,9 @@ et-xmlfile==2.0.0 \
 openpyxl==3.1.5 \
     --hash=sha256:5282c12b107bffeef825f4617dc029afaf41d0ea60823bbb665ef3079dc79de2 \
     --hash=sha256:cf0e3cf56142039133628b5acffe8ef0c12bc902d2aadd3e0fe5878dc08d1050
+packaging==25.0 \
+    --hash=sha256:29572ef2b1f17581046b3a2227d5c611fb25ec70ca1ba8554b24b0e69331a484 \
+    --hash=sha256:d443872c98d677bf60f6a1f2f8c1cb748e8fe762d2bf9d3148b5599295b0fc4f
 pydantic==2.11.9 \
     --hash=sha256:6b8ffda597a14812a7975c90b82a8a2e777d9257aba3453f973acd3c032a18e2 \
     --hash=sha256:c42dd626f5cfc1c6950ce6205ea58c93efa406da65f479dcb4029d5934857da2