Fix: clean SBOM output - strip synthetic pkgs, test files, noise; fix name/namespace from wheel tags

Author: vrane-tibco

.github/scripts/patch_sbom.py

@@ -1,29 +1,50 @@
 #!/usr/bin/env python3
 """
 patch_sbom.py  —  Post-process a Trivy-generated SPDX JSON file to:
-  1. Set name               to the package name (not the scanned folder name)
+  1. Set name               to the package name (not the wheel filename)
   2. Set documentNamespace  to the required pattern
   3. Set creationInfo.creators  (Organization + Tool line)
   4. Set creationInfo.created   (current UTC timestamp)
   5. Set spdxVersion            to SPDX-2.3
-  6. Remove any annotations / comments Trivy adds to packages
-
-Usage:
-    python patch_sbom.py \\
-        --input  trivy_raw.spdx.json \\
-        --output spotfire.sbom.spdx.json \\
-        --name    "spotfire-2.5.0" \\
-        --namespace "https://spotfire.com/spdx/spotfire-2.5.0/2026-03-24T12:00:00Z" \\
-        --org     "Cloud Software Group, Inc., Spotfire" \\
-        --tool    "trivy-0.69.3"
+  6. Remove synthetic Trivy filesystem/source root packages
+  7. Remove internal test/noise packages (e.g. setuptools' my-test-package)
+  8. Remove the files[] section (internal test eggs, not real deliverables)
+  9. Remove annotations / comments Trivy adds to packages
 """
 
 import argparse
 import json
+import re
 from datetime import datetime, timezone
 
 _STRIP_PKG_FIELDS = {"annotations", "comment"}
 
+# Packages Trivy picks up from setuptools internals — not real deliverable deps
+_NOISE_PACKAGE_NAMES = {
+    "my-test-package",
+    "my_test_package",
+}
+
+# SPDX package purposes that are Trivy synthetic scan-root artefacts
+_SYNTHETIC_PURPOSES = {"SOURCE"}
+
+
+def _is_synthetic(pkg: dict) -> bool:
+    """True for Trivy's filesystem scan-root package (not a real dependency)."""
+    if pkg.get("primaryPackagePurpose") in _SYNTHETIC_PURPOSES:
+        # Must also have no purl to be sure it's the scan root
+        refs = pkg.get("externalRefs", [])
+        if not any(r.get("referenceType") == "purl" for r in refs):
+            return True
+    return False
+
+
+def _is_noise(pkg: dict) -> bool:
+    """True for known internal test packages bundled inside setuptools."""
+    return pkg.get("name", "").lower().replace("-", "_") in {
+        n.replace("-", "_") for n in _NOISE_PACKAGE_NAMES
+    }
+
 
 def patch(input_path: str, output_path: str,
           name: str, namespace: str, org: str, tool: str) -> None:
@@ -34,7 +55,7 @@ def patch(input_path: str, output_path: str,
     # 1. SPDX version
     doc["spdxVersion"] = "SPDX-2.3"
 
-    # 2. Document name — replace Trivy's folder name with the real package name
+    # 2. Document name — clean package name, not wheel filename
     doc["name"] = name
 
     # 3. Namespace
@@ -49,10 +70,31 @@ def patch(input_path: str, output_path: str,
         f"Tool: {tool}",
     ]
 
-    # 5. Strip Trivy annotations / comments from every package
+    # 5. Filter packages — remove synthetic scan-root + noise packages
+    removed_spdxids = set()
+    kept_packages = []
     for pkg in doc.get("packages", []):
+        if _is_synthetic(pkg) or _is_noise(pkg):
+            removed_spdxids.add(pkg.get("SPDXID"))
+            continue
+        # Strip Trivy-added fields
         for field in _STRIP_PKG_FIELDS:
             pkg.pop(field, None)
+        kept_packages.append(pkg)
+    doc["packages"] = kept_packages
+
+    # 6. Remove files[] section entirely (internal test eggs, not deliverables)
+    doc.pop("files", None)
+
+    # 7. Remove relationships that reference removed packages or files
+    kept_rels = []
+    for rel in doc.get("relationships", []):
+        if (rel.get("spdxElementId") in removed_spdxids or
+                rel.get("relatedSpdxElement") in removed_spdxids):
+            continue
+        # Also drop DESCRIBES relationships pointing at the old scan-root
+        kept_rels.append(rel)
+    doc["relationships"] = kept_rels
 
     with open(output_path, "w", encoding="utf-8") as f:
         json.dump(doc, f, indent=2, ensure_ascii=False)
@@ -63,14 +105,15 @@ def patch(input_path: str, output_path: str,
     print(f"  namespace : {namespace}")
     print(f"  created   : {now}")
     print(f"  creators  : Organization: {org} | Tool: {tool}")
-    print(f"  packages  : {len(doc.get('packages', []))}")
+    print(f"  packages  : {len(doc.get('packages', []))} kept, {len(removed_spdxids)} removed")
+    print(f"  files     : removed (internal test artefacts)")
 
 
 def main() -> None:
     p = argparse.ArgumentParser(description=__doc__)
     p.add_argument("--input",     required=True)
     p.add_argument("--output",    required=True)
-    p.add_argument("--name",      required=True,  help="SPDX document name (package name + version)")
+    p.add_argument("--name",      required=True, help="Clean package name e.g. spotfire-2.5.0")
     p.add_argument("--namespace", required=True)
     p.add_argument("--org",       required=True)
     p.add_argument("--tool",      required=True)

.github/workflows/sbom.yaml

@@ -87,6 +87,7 @@ jobs:
       - name: Set SBOM metadata
         id: meta
         run: |
+          # Extract just "spotfire-2.5.0.dev0" from "spotfire-2.5.0.dev0.tar.gz"
           PKG_NAME=$(ls dist/spotfire-*.tar.gz | sed 's|dist/||;s|\.tar\.gz||')
           CREATED=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
           echo "pkg_name=$PKG_NAME"                                    >> $GITHUB_OUTPUT
@@ -172,7 +173,9 @@ jobs:
       - name: Set SBOM metadata
         id: meta
         run: |
-          PKG_NAME=$(ls dist/spotfire-*.whl | sed 's|dist/||;s|\.whl||')
+          # Extract just "spotfire-2.5.0.dev0" from the full wheel filename
+          # wheel format: {name}-{version}-{python}-{abi}-{platform}.whl
+          PKG_NAME=$(ls dist/spotfire-*.whl | sed 's|dist/||;s|\.whl||' | cut -d- -f1,2)
           CREATED=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
           echo "pkg_name=$PKG_NAME"                                    >> $GITHUB_OUTPUT
           echo "namespace=${{ env.SBOM_NS_BASE }}/$PKG_NAME/$CREATED" >> $GITHUB_OUTPUT