feat: add evidence to SPDX SBOM

anthonyharrison · anthonyharrison · commit 848873b7288b · 2025-02-28T20:11:45.000Z
diff --git a/lib4sbom/cyclonedx/cyclonedx_generator.py b/lib4sbom/cyclonedx/cyclonedx_generator.py
@@ -600,11 +600,14 @@ def generateJSONComponent(self, id, type, package):
                 component["externalReferences"] = [externalReference]
         if "group" in package:
             component["group"] = package["group"]
-        if "evidence" in package:
+        if "evidence" in package or "filename" in package:
             occurrences = []
             evidence_info = {}
-            for evidence in package["evidence"]:
-                occurrences.append({"location": evidence})
+            if "evidence" in package:
+                for evidence in package["evidence"]:
+                    occurrences.append({"location": evidence})
+            if "filename" in package:
+                occurrences.appendd({"location": package["filename"]})
             evidence_info["occurrences"] = occurrences
             component["evidence"] = evidence_info
         if "externalreference" in package:
diff --git a/lib4sbom/spdx/spdx_generator.py b/lib4sbom/spdx/spdx_generator.py
@@ -261,6 +261,9 @@ def generateTagPackageDetails(
         self.generateTag("FilesAnalyzed", str(files_analysed).lower())
         if "filename" in package_info:
             self.generateTag("PackageFileName", package_info["filename"])
+        if "evidence" in package_info:
+            for evidence in package_info["evidence"]:
+                self.generateTag("PackageFileName", evidence)
         if "homepage" in package_info:
             self.generateTag("PackageHomePage", package_info["homepage"])
         if "checksum" in package_info:
@@ -389,6 +392,9 @@ def generateJSONPackageDetails(
         component["filesAnalyzed"] = files_analysed
         if "filename" in package_info:
             component["packageFileName"] = package_info["filename"]
+        if "evidence" in package_info:
+            for evidence in package_info["evidence"]:
+                component["packageFileName"] = evidence
         if "homepage" in package_info:
             component["homepage"] = package_info["homepage"]
         if "checksum" in package_info:
