Merge branch 'main' into copilot/fix-1040

Author: pragnya17

src/Microsoft.Sbom.Api/Executors/FileHasher.cs

@@ -90,6 +90,7 @@ public FileHasher(
         var output = Channel.CreateUnbounded<InternalSbomFileInfo>();
         var errors = Channel.CreateUnbounded<FileValidationResult>();
 
+#pragma warning disable VSTHRD002 // Avoid problematic synchronous waits
         Task.Run(async () =>
         {
             await foreach (var file in fileInfo.ReadAllAsync())
@@ -99,7 +100,8 @@ public FileHasher(
 
             output.Writer.Complete();
             errors.Writer.Complete();
-        });
+        }).ConfigureAwait(false).GetAwaiter().GetResult();
+#pragma warning restore VSTHRD002 // Avoid problematic synchronous waits
 
         return (output, errors);
     }

src/Microsoft.Sbom.Api/Executors/PackageInfoJsonWriter.cs

@@ -19,11 +19,11 @@ namespace Microsoft.Sbom.Api.Executors;
 /// </summary>
 public class PackageInfoJsonWriter
 {
-    private readonly ManifestGeneratorProvider manifestGeneratorProvider;
+    private readonly IManifestGeneratorProvider manifestGeneratorProvider;
     private readonly ILogger log;
 
     public PackageInfoJsonWriter(
-        ManifestGeneratorProvider manifestGeneratorProvider,
+        IManifestGeneratorProvider manifestGeneratorProvider,
         ILogger log)
     {
         if (manifestGeneratorProvider is null)
@@ -54,7 +54,7 @@ public PackageInfoJsonWriter(
         return (result, errors);
     }
 
-    private async Task GenerateJson(
+    internal async Task GenerateJson(
         IList<ISbomConfig> packagesArraySupportingConfigs,
         SbomPackage packageInfo,
         Channel<JsonDocWithSerializer> result,
@@ -67,14 +67,22 @@ private async Task GenerateJson(
                 var generationResult =
                     manifestGeneratorProvider.Get(sbomConfig.ManifestInfo).GenerateJsonDocument(packageInfo);
 
+                var recordedAnyDependencies = false;
+
                 if (generationResult?.ResultMetadata?.DependOn != null)
                 {
                     foreach (var dependency in generationResult?.ResultMetadata?.DependOn)
                     {
                         sbomConfig.Recorder.RecordPackageId(generationResult?.ResultMetadata?.EntityId, dependency);
+                        recordedAnyDependencies = true;
                     }
                 }
 
+                if (!recordedAnyDependencies)
+                {
+                    sbomConfig.Recorder.RecordPackageId(generationResult?.ResultMetadata?.EntityId, null);
+                }
+
                 await result.Writer.WriteAsync((generationResult?.Document, sbomConfig.JsonSerializer));
             }
         }

src/Microsoft.Sbom.Api/Hashing/Algorithms/Sha1HashAlgorithm.cs

@@ -12,5 +12,5 @@ namespace Microsoft.Sbom.Api.Hashing.Algorithms;
 #pragma warning disable CA5350 // Suppress Do Not Use Weak Cryptographic Algorithms as we use SHA1 intentionally
 public class Sha1HashAlgorithm : IHashAlgorithm
 {
-    public byte[] ComputeHash(Stream stream) => SHA1.Create().ComputeHash(stream);
+    public byte[] ComputeHash(Stream stream) => SHA1.Create().ComputeHash(stream); // CodeQL [SM02196] Sha1 is required per the SPDX spec.
 }

src/Microsoft.Sbom.Api/Manifest/IManifestGeneratorProvider.cs

@@ -0,0 +1,17 @@
+// Copyright (c) Microsoft. All rights reserved.
+// Licensed under the MIT license. See LICENSE file in the project root for full license information.
+
+using System.Collections.Generic;
+using Microsoft.Sbom.Extensions;
+using Microsoft.Sbom.Extensions.Entities;
+
+namespace Microsoft.Sbom.Api.Manifest;
+
+public interface IManifestGeneratorProvider
+{
+    public IManifestGenerator Get(ManifestInfo manifestInfo);
+
+    public IEnumerable<ManifestInfo> GetSupportedManifestInfos();
+
+    public ManifestGeneratorProvider Init();
+}

src/Microsoft.Sbom.Api/Manifest/ManifestGeneratorProvider.cs

@@ -13,7 +13,7 @@ namespace Microsoft.Sbom.Api.Manifest;
 /// Factory class that returns the correct implementation of the <see cref="IManifestGenerator"/>
 /// at runtime based on the 'ManifestInfo' parameter.
 /// </summary>
-public class ManifestGeneratorProvider
+public class ManifestGeneratorProvider : IManifestGeneratorProvider
 {
     private readonly IEnumerable<IManifestGenerator> manifestGenerators;
     private readonly IDictionary<string, IManifestGenerator> manifestMap = new Dictionary<string, IManifestGenerator>(StringComparer.OrdinalIgnoreCase);

src/Microsoft.Sbom.Api/Providers/FilesProviders/CGScannedExternalDocumentReferenceFileProvider.cs

@@ -51,7 +51,7 @@ public CGScannedExternalDocumentReferenceFileProvider(
 
     public override bool IsSupported(ProviderType providerType)
     {
-        if (providerType == ProviderType.Files)
+        if (providerType == ProviderType.Files && Configuration.ManifestToolAction == ManifestToolActions.Generate)
         {
             Log.Debug($"Using the {nameof(CGScannedExternalDocumentReferenceFileProvider)} provider for the files workflow.");
             return true;

src/Microsoft.Sbom.Api/Workflows/SbomAggregationWorkflow.cs

@@ -127,7 +127,7 @@ private IEnumerable<AggregationSource> GetSbomsToAggregate(string artifactPath,
         var isValidSpdxFormat = spdxFormatDetector.TryGetSbomsWithVersion(manifestDirPath, out var detectedSboms);
         if (!isValidSpdxFormat)
         {
-            logger.Information($"No SBOMs located in {manifestDirPath} of a recognized SPDX format.");
+            logger.Warning($"No SBOMs located in {manifestDirPath} of a recognized SPDX format.");
             return null;
         }
 
@@ -148,6 +148,7 @@ private async Task<bool> ValidateSourceSbomsAsync(IEnumerable<AggregationSource>
                 configuration.IgnoreMissing = new ConfigurationSetting<bool>(source.ArtifactInfo.IgnoreMissingFiles ?? false);
                 configuration.BuildDropPath = new ConfigurationSetting<string>(source.BuildDropPath);
                 configuration.OutputPath = new ConfigurationSetting<string>(fileSystemUtils.JoinPaths(workingDir, $"validation-results-{identifier}.json"));
+                configuration.ManifestInfo = new ConfigurationSetting<IList<ManifestInfo>>(new List<ManifestInfo>() { source.SbomConfig.ManifestInfo });
                 configuration.ManifestDirPath = BuildManifestDirPathForSource(source);
 
                 Console.WriteLine($"Running validation for {source.SbomConfig.ManifestJsonFilePath} with identifier {identifier}. Writing output results to {configuration.OutputPath.Value}.");

src/Microsoft.Sbom.Api/Workflows/SbomGenerationWorkflow.cs

@@ -186,11 +186,8 @@ private async Task<IEnumerable<FileValidationResult>> CallGeneratorsAync(IEnumer
         // Write all the JSON documents from the generationResults to the manifest based on the manifestInfo.
         // When aggregating, only call the packages generator. A helper method might make this more compact,
         // but it would be less readable.
-        if (configuration.ManifestToolAction == ManifestToolActions.Generate)
-        {
-            var fileGeneratorResult = await fileArrayGenerator.GenerateAsync(targetConfigs, elementsSpdxIdList);
-            validErrors.AddRange(fileGeneratorResult.Errors);
-        }
+        var fileGeneratorResult = await fileArrayGenerator.GenerateAsync(targetConfigs, elementsSpdxIdList);
+        validErrors.AddRange(fileGeneratorResult.Errors);
 
         var packageGeneratorResult = await packageArrayGenerator.GenerateAsync(targetConfigs, elementsSpdxIdList);
         validErrors.AddRange(packageGeneratorResult.Errors);
@@ -201,11 +198,8 @@ private async Task<IEnumerable<FileValidationResult>> CallGeneratorsAync(IEnumer
             validErrors.AddRange(externalDocumentReferenceGeneratorResult.Errors);
         }
 
-        if (configuration.ManifestToolAction == ManifestToolActions.Generate)
-        {
-            var relationshipGeneratorResult = await relationshipsArrayGenerator.GenerateAsync(targetConfigs, elementsSpdxIdList);
-            validErrors.AddRange(relationshipGeneratorResult.Errors);
-        }
+        var relationshipGeneratorResult = await relationshipsArrayGenerator.GenerateAsync(targetConfigs, elementsSpdxIdList);
+        validErrors.AddRange(relationshipGeneratorResult.Errors);
 
         return validErrors;
     }

src/Microsoft.Sbom.Common/Config/IConfiguration.cs

@@ -127,8 +127,8 @@ public interface IConfiguration
 
     /// <summary>
     /// Gets or sets a list of <see cref="SbomFile"/> files provided to us from the API.
-    /// We won't traverse the build root path to get a list of files if this is set, and
-    /// use the list provided here instead.
+    /// We will use the list provided here to populate the files section in addition to
+    /// select file providers.
     /// </summary>
     public ConfigurationSetting<IEnumerable<SbomFile>> FilesList { get; set; }
 

src/Microsoft.Sbom.Common/Utils/CommonSPDXUtils.cs

@@ -5,6 +5,7 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.Text.RegularExpressions;
+using Microsoft.Sbom.Contracts;
 
 namespace Microsoft.Sbom.Common.Utils;
 
@@ -23,6 +24,32 @@ public static class CommonSPDXUtils
     /// </summary>
     public static string GenerateSpdxPackageId(string id) => $"{Constants.SPDXRefPackage}-{GetStringHash(id)}";
 
+    /// <summary>
+    /// Returns the SPDX-compliant package ID from an SbomPackage object.
+    /// </summary>
+    public static string GenerateSpdxPackageId(SbomPackage packageInfo)
+    {
+        if (packageInfo is null)
+        {
+            throw new ArgumentNullException(nameof(packageInfo));
+        }
+
+        // Special case to preserve incoming SPDX ID's during aggregation
+        if (packageInfo.Id is not null && packageInfo.Id.StartsWith(Constants.SPDXRefPackage, StringComparison.OrdinalIgnoreCase))
+        {
+            return packageInfo.Id;
+        }
+
+        // Get package identity as package name and package version. If version is empty, just use package name
+        var packageIdentity = $"{packageInfo.Type}-{packageInfo.PackageName}";
+        if (!string.IsNullOrWhiteSpace(packageInfo.PackageVersion))
+        {
+            packageIdentity = string.Join("-", packageInfo.Type, packageInfo.PackageName, packageInfo.PackageVersion);
+        }
+
+        return GenerateSpdxPackageId(packageInfo.Id ?? packageIdentity);
+    }
+
     /// <summary>
     /// Returns the SPDX-compliant file ID.
     /// </summary>