From 1af1a231469f6f0b5168308c05261fc165f4643c Mon Sep 17 00:00:00 2001 From: jasinner Date: Wed, 25 Feb 2026 10:39:58 +1000 Subject: [PATCH 1/3] add .cursor/ to gitignore --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index eeb8a6e..204d49e 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ **/__pycache__ +.cursor/ From e584edf9ee95a3283d73814cc764ffbc69262990 Mon Sep 17 00:00:00 2001 From: jasinner Date: Tue, 24 Feb 2026 15:43:52 +1000 Subject: [PATCH 2/3] split business logic from display by adding ProductSearchResult, and added json output mode --- src/trustshell/__init__.py | 8 +- src/trustshell/models.py | 64 + src/trustshell/osidb.py | 67 +- src/trustshell/product_definitions.py | 159 +- src/trustshell/products.py | 178 +- src/trustshell/renderers.py | 107 + tests/test_product_definitions.py | 314 +- tests/test_products.py | 187 +- tests/testdata/go-crypto.json | 3470 +++++++++++++++++ .../products/product-definitions.json | 15 + 10 files changed, 4096 insertions(+), 473 deletions(-) create mode 100644 src/trustshell/models.py create mode 100644 src/trustshell/renderers.py create mode 100644 tests/testdata/go-crypto.json diff --git a/src/trustshell/__init__.py b/src/trustshell/__init__.py index d926c92..fc94a86 100644 --- a/src/trustshell/__init__.py +++ b/src/trustshell/__init__.py @@ -389,7 +389,11 @@ def make_request_with_retry( return {"items": all_items, "total": total_available} +def render_tree_to_string(root: Node) -> str: + """Return tree as string (for testing and composition).""" + return "\n".join(f"{pre}{node.name}" for pre, _, node in RenderTree(root)) + + def render_tree(root: Node) -> None: """Pretty print a tree using name only""" - for pre, _, node in RenderTree(root): - console.print("%s%s" % (pre, node.name)) + console.print(render_tree_to_string(root)) diff --git a/src/trustshell/models.py b/src/trustshell/models.py new file mode 100644 index 0000000..9853a86 --- /dev/null 
+++ b/src/trustshell/models.py @@ -0,0 +1,64 @@ +"""Data models for trust-products search results.""" + +from dataclasses import dataclass, field +from typing import Optional + + +@dataclass(frozen=True) +class Affect: + """Single affect entry for OSIDB flaw affects.""" + + ps_update_stream: str + purl: str # shipped_component PURL + + +@dataclass +class ProductResultRow: + """Single result: CPE + product info + matched and shipped components.""" + + cpe: str + ps_update_stream: str + ps_module: Optional[str] + matched_component: str # PURL that matched (important for wildcard search) + shipped_component: ( + str # PURL for affects: image-index/arch-specific OCI, or SRPM/binary RPM + ) + sbom_ids: list[str] = field( + default_factory=list + ) # SBOM IDs from path (root to leaf) + + +@dataclass +class ProductSearchResult: + """Flat result model. No tree structure—just product info and components. + + results and affects are sorted by (ps_update_stream, purl/shipped_component) + at creation time; consumers can iterate without re-sorting. + """ + + results: list[ProductResultRow] + affects: list[Affect] + searched_purl: str + + def render( + self, + output: str, + include_modules: bool = True, + cpes: bool = False, + show_sbom_ids: bool = False, + ) -> None: + """Render result to stdout. output is 'text' or 'json'.""" + from trustshell import console + from trustshell.renderers import render_json_format, render_tree_format + + if output == "text": + console.print( + render_tree_format( + self, + show_module=include_modules, + cpes=cpes, + show_sbom_ids=show_sbom_ids, + ) + ) + else: + console.print_json(render_json_format(self, include_module=include_modules)) diff --git a/src/trustshell/osidb.py b/src/trustshell/osidb.py index c3a4055..5ea9950 100644 --- a/src/trustshell/osidb.py +++ b/src/trustshell/osidb.py 
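Review bot: `ProductSearchResult.render` hands the rendered tree to `console.print` as a plain string, so if `console` is a rich Console with markup enabled (it is imported from `trustshell`, outside this hunk), any `[...]` run in the text is parsed as markup instead of being printed. The `--show-sbom-ids` suffix built in renderers.py is exactly such a bracketed run, and component names come from SBOM data returned by the API. Print the text branch literally, e.g. `console.print(render_tree_format(...), markup=False, highlight=False)`. Separately, the `else` branch treats every value other than "text" as JSON; an explicit `elif output == "json":` followed by `raise ValueError(...)` would make the method safe for non-CLI callers.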
@@ -4,9 +4,11 @@ import subprocess import sys import tempfile -from typing import Any +from typing import Any, Union import click + +from trustshell.models import Affect from requests import HTTPError from trustshell import console import osidb_bindings @@ -50,11 +52,11 @@ def parse_stream_purl_tuples(tuples_list: list[str]) -> set[tuple[str, str]]: @staticmethod def edit_tuples_in_editor( - current_tuples: set[tuple[str, str]], - ) -> set[tuple[str, str]]: + current_tuples: Union[list[tuple[str, str]], set[tuple[str, str]]], + ) -> list[tuple[str, str]]: """ Opens the default text editor for the user to modify the ps_update_stream/purl tuples. - Returns the modified set of tuples. + Returns the modified list of tuples, sorted by (ps_update_stream, purl). """ editor = os.environ.get("EDITOR", "vi") original_content = "\n".join([f"{m},{p}" for m, p in current_tuples]) @@ -93,14 +95,17 @@ def edit_tuples_in_editor( modified_lines = [ line.strip() for line in modified_content.splitlines() if line.strip() ] - return OSIDB.parse_stream_purl_tuples(modified_lines) + parsed = OSIDB.parse_stream_purl_tuples(modified_lines) + return sorted(parsed, key=lambda x: (x[0], x[1])) + + def _affects_to_tuples(self, affects: list[Affect]) -> list[tuple[str, str]]: + """Convert list[Affect] to list of (ps_update_stream, purl) tuples for display.""" + return [(a.ps_update_stream, a.purl) for a in affects] - def add_affects(self, flaw: Flaw, affects_to_add: set[tuple[str, str]]) -> None: + def add_affects(self, flaw: Flaw, affects_to_add: list[Affect]) -> None: console.print("Adding affects...") affects_data: list[dict[str, Any]] = [] - for affect in affects_to_add: - ps_update_stream, purl = affect - + for ps_update_stream, purl in self._affects_to_tuples(affects_to_add): osidb_affect = { "flaw": flaw.uuid, "embargoed": flaw.embargoed, 
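Review bot: In `add_affects` the new `list[Affect]` is converted to tuples by `_affects_to_tuples` only to be unpacked again on the same line; iterating the dataclasses directly (`for affect in affects_to_add:` and reading `affect.ps_update_stream` / `affect.purl`) is simpler. `_affects_to_tuples` never reads `self`, so it could be a `@staticmethod` like `edit_tuples_in_editor`. In `edit_tuples_in_editor`, `sorted(parsed, key=lambda x: (x[0], x[1]))` is equivalent to `sorted(parsed)` for 2-tuples of strings. The body of `add_affects` continues outside the hunk.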
@@ -122,10 +127,11 @@ def add_affects(self, flaw: Flaw, affects_to_add: set[tuple[str, str]]) -> None: def edit_flaw_affects( self, flaw_id: str, - ps_stream_purls: set[tuple[str, str]], + ps_stream_purls: list[Affect], replace_mode: bool = False, ) -> None: - if not ps_stream_purls: + ps_stream_purls_list = self._affects_to_tuples(ps_stream_purls) + if not ps_stream_purls_list: console.print("No new affects to add", style="warning") return @@ -147,31 +153,32 @@ def edit_flaw_affects( if affects_by_state: for state, affects_list in affects_by_state.items(): console.print(f"State: {state}") - for affect_str in affects_list: + for affect_str in sorted(affects_list, key=lambda x: (x[0], x[1])): console.print(affect_str) else: console.print(" No affects found for this flaw.") console.print("-----------------------------\n") console.print("New affects:") - for ps_stream_purl in ps_stream_purls: + for ps_stream_purl in ps_stream_purls_list: console.print(ps_stream_purl) # Optionally edit tuples in editor if click.confirm("Do you want to edit these affects?"): console.print("Entering editor mode to modify input tuples...") - ps_stream_purls = self.edit_tuples_in_editor(ps_stream_purls) + ps_stream_purls_list = self.edit_tuples_in_editor(ps_stream_purls_list) console.print("\n--- Modified Tuples from Editor ---") - if ps_stream_purls: - for m, p in ps_stream_purls: + if ps_stream_purls_list: + for m, p in ps_stream_purls_list: console.print(f" - {m},{p}") else: console.print(" (No tuples provided after editing)") console.print("-----------------------------------\n") + ps_stream_purls_set = set(ps_stream_purls_list) if not replace_mode: affects_to_add = ( - ps_stream_purls - affects_by_state["NEW"] + ps_stream_purls_set - affects_by_state["NEW"] ) # Only truly new ones if not affects_to_add: console.print( 
@@ -180,15 +187,18 @@ def edit_flaw_affects( return console.print("\n--- Affects to be ADDED ---") - for affect in affects_to_add: - console.print(f" - {affect[0]},{affect[1]}") + affects_to_add_list = [ + Affect(ps_update_stream=ps, purl=p) for ps, p in affects_to_add + ] + for affect in affects_to_add_list: + console.print(f" - {affect.ps_update_stream},{affect.purl}") console.print("---------------------------\n") click.confirm("Confirm adding the above affects?", abort=True) - self.add_affects(flaw, affects_to_add) + self.add_affects(flaw, affects_to_add_list) else: - if not affects_by_state["NEW"] and not ps_stream_purls: + if not affects_by_state["NEW"] and not ps_stream_purls_list: console.print( "No existing 'NEW' affects to replace and no new affects provided. Nothing to do." ) @@ -196,15 +206,17 @@ def edit_flaw_affects( console.print("\n--- Existing 'NEW' Affects to be REPLACED ---") if affects_by_state["NEW"]: - for affect in affects_by_state["NEW"]: + for affect in sorted( + affects_by_state["NEW"], key=lambda x: (x[0], x[1]) + ): console.print(affect) else: console.print(" (No existing affects with state 'NEW')") console.print("--------------------------------------------\n") console.print("\n--- New Affects that will REPLACE the above ---") - if ps_stream_purls: - for affect in ps_stream_purls: + if ps_stream_purls_list: + for affect in ps_stream_purls_list: console.print(affect) else: console.print(" (No new affects provided)") @@ -228,7 +240,7 @@ def edit_flaw_affects( existing_uuid, existing_affectedness = existing_value # Don't delete and re-add existing new affects if ( - existing_key not in ps_stream_purls + existing_key not in ps_stream_purls_set and existing_affectedness == "NEW" ): try: 
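Review bot: `affects_to_add` is the result of a set difference, so the `affects_to_add_list` built from it has arbitrary order, while the rest of this commit sorts affects by (ps_update_stream, purl) before showing them. The confirmation listing and the order passed to `add_affects` can therefore vary between runs. Iterate the sorted set in the comprehension: `Affect(ps_update_stream=ps, purl=p) for ps, p in sorted(affects_to_add)`. `edit_flaw_affects` starts and ends outside this hunk.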
@@ -242,4 +254,7 @@ def edit_flaw_affects( exit(1) # Add any new affects not already on the flaw in NEW state - self.add_affects(flaw, ps_stream_purls) + ps_stream_purls_as_affects = [ + Affect(ps_update_stream=ps, purl=p) for ps, p in ps_stream_purls_list + ] + self.add_affects(flaw, ps_stream_purls_as_affects) diff --git a/src/trustshell/product_definitions.py b/src/trustshell/product_definitions.py index 0178427..5b6953b 100644 --- a/src/trustshell/product_definitions.py +++ b/src/trustshell/product_definitions.py @@ -8,7 +8,7 @@ from typing import Any, Optional import httpx -from anytree import Node, NodeMixin, LevelOrderGroupIter +from anytree import NodeMixin, LevelOrderGroupIter from trustshell import CONFIG_DIR, console from trustshell.rhel_releases import EnhancedProdDefs @@ -133,6 +133,7 @@ def __init__( ) -> None: self.stream_nodes_by_cpe: dict[str, list[ProductStream]] = defaultdict(list) product_streams_by_name: dict[str, list[ProductStream]] = defaultdict(list) + self.stream_to_module: dict[str, str] = {} # stream_name -> ps_module self.product_trees: list[NodeMixin] = [] # Initialize enhanced RHEL release data @@ -195,6 +196,7 @@ def __init__( active_streams: set[str] = set() active_streams.update(module_data.get("active_ps_update_streams", [])) for stream in module_data.get("ps_update_streams"): + self.stream_to_module.setdefault(stream, ps_module) for stream_node in product_streams_by_name[stream]: if stream in active_streams: stream_node.set_active(True) 
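Review bot: The comment above this call says only affects not already on the flaw in NEW state are added, but `ps_stream_purls_as_affects` is built from every entry in `ps_stream_purls_list`. The delete loop earlier in the function deliberately keeps existing NEW affects whose key is in `ps_stream_purls_set`, so those entries appear to be submitted a second time; how the server handles that is not visible here. Filter them out when building the list, e.g. add `if (ps, p) not in affects_by_state["NEW"]` to the comprehension, assuming `affects_by_state["NEW"]` holds (stream, purl) tuples as the set subtraction in the non-replace branch suggests. The enclosing function starts outside this hunk.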
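Review bot: `self.stream_to_module.setdefault(stream, ps_module)` records only the first module that lists a stream, so a stream name appearing under two modules would always report the first one as `ps_module`. If that is intended, say so next to the attribute, e.g. `# stream_name -> first ps_module that lists it`; if not, the map needs to hold a list of modules. `__init__` continues outside both hunks that touch it.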
@@ -268,65 +270,41 @@ def _clean_cpe(cpe: str) -> str: # Remove trailing ':' characters return cleaned_cpe.rstrip(":") - def extend_with_product_mappings( - self, ancestor_trees: list[Node], keep_cpes: bool = False - ) -> None: - """Update the ancestor_trees with any matching streams or module as descendants + def get_product_mappings_for_cpe(self, cpe: str) -> list[tuple[str, Optional[str]]]: + """Return (ps_update_stream, ps_module) for each product matching the CPE. - Args: - ancestor_trees: List of Node trees to extend with product mappings - keep_cpes: If False, replace CPE leaf nodes with product streams. If True, keep CPE nodes as parents of streams. + Tries ps_update_stream direct CPE match first, then falls back to ps_module + pattern match. Populates ps_module from stream's parent module when matching + via stream. """ if not self.product_trees: - # ProdDefs service is unavailable, don't attempt any product mapping - return None + return [] - for tree in ancestor_trees: - for leaf in tree.leaves: - cleaned_leaf_name = self._clean_cpe(leaf.name) - # Don't try and match single digit enterprise_linux CPEs - if re.search(r":redhat:enterprise_linux:\d:", cleaned_leaf_name): - leaf.parent = None - continue - leaf_with_products = self._check_streams( - leaf, cleaned_leaf_name, keep_cpes - ) - if not leaf_with_products: - leaf_with_products = self._check_modules( - leaf, cleaned_leaf_name, keep_cpes - ) - if not leaf_with_products: - console.print( - f"Warning, didn't find any products matching {cleaned_leaf_name}", - style="warning", - ) - else: - # When keep_cpes=False, we need to remove the CPE leaf from the tree - # since it's been replaced by the product streams - if not keep_cpes: - # Remove the CPE leaf node from its parent - leaf.parent = None - - def _check_streams(self, leaf: Node, cpe: str, keep_cpes: bool) -> list[Node]: - """Check if cpe matches exactly to any ProductStreams, if it does add the CPE as a parent - of the stream. 
If more than one stream matches, create copies of the stream and leaf""" - # First try enhanced matching if RHEL release data is available - enhanced_streams = self._check_enhanced_streams(cpe) - if enhanced_streams: - return self._duplicate_leaves_and_set_parents( - leaf, enhanced_streams, keep_cpes - ) - # Fallback to original direct matching - if cpe not in self.stream_nodes_by_cpe: + cleaned_cpe = self._clean_cpe(cpe) + if re.search(r":redhat:enterprise_linux:\d:", cleaned_cpe): return [] - stream_nodes = self.stream_nodes_by_cpe[cpe] - # Create a copy so that pop in the _duplicate_leaves_and_set_parent function doesn't modify - # the original stream_nodes_by_cpe map which should be preserved incase we encounter the - # same CPE twice - copy_of_stream_nodes = copy.deepcopy(stream_nodes) - return self._duplicate_leaves_and_set_parents( - leaf, copy_of_stream_nodes, keep_cpes - ) + + mappings: list[tuple[str, Optional[str]]] = [] + + # Try stream matches first (direct CPE match or enhanced) + enhanced_streams = self._check_enhanced_streams(cleaned_cpe) + if enhanced_streams: + for stream in enhanced_streams: + ps_module = self.stream_to_module.get(stream.name) + mappings.append((stream.name, ps_module)) + elif cleaned_cpe in self.stream_nodes_by_cpe: + for stream in self.stream_nodes_by_cpe[cleaned_cpe]: + ps_module = self.stream_to_module.get(stream.name) + mappings.append((stream.name, ps_module)) + + # Fall back to module matches only if no stream match + if not mappings: + module_matches = self.match_module_pattern(cleaned_cpe) + for module in module_matches: + if module.parent and isinstance(module.parent, ProductStream): + mappings.append((module.parent.name, module.name)) + + return mappings def _check_enhanced_streams(self, cpe: str) -> list[ProductStream]: """Check if CPE matches using enhanced RHEL release data logic.""" 
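Review bot: `get_product_mappings_for_cpe` returns `mappings` without removing duplicates, whereas the removed `_duplicate_leaves_and_set_parents` explicitly de-duplicated streams "to avoid multiple identical children". If `_check_enhanced_streams` or `match_module_pattern` can yield the same stream more than once (their bodies are not visible in this hunk), the caller will receive repeated (stream, module) pairs. De-duplicate while keeping order before returning: `return list(dict.fromkeys(mappings))`.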
@@ -361,71 +339,6 @@ def _check_enhanced_streams(self, cpe: str) -> list[ProductStream]: return result_streams - def _check_modules(self, leaf: Node, cpe: str, keep_cpes: bool) -> list[Node]: - """Check if the cpe matches any ProductModule""" - module_nodes = self.match_module_pattern(cpe) - return self._duplicate_leaves_and_set_parents(leaf, module_nodes, keep_cpes) - - def _duplicate_leaves_and_set_parents( - self, leaf: Node, product_nodes: list[Any], keep_cpes: bool - ) -> list[Node]: - """Convert product modules to their parent streams and attach all streams as children of the leaf. - Deduplicates streams to avoid multiple identical children. - - Args: - leaf: The leaf node to process - product_nodes: List of product nodes (modules or streams) - keep_cpes: If False, replace the leaf with streams in the tree. If True, set streams as children of the leaf. - - Returns: - If keep_cpes=True: Returns the leaf in a list. - If keep_cpes=False: Returns the list of unique streams that replaced the leaf. 
- """ - if not product_nodes: - if keep_cpes: - # Keep the CPE node even if no products match - return [leaf] - else: - return [] - - # Convert modules to their parent streams - streams_to_attach: list[Any] = [] - for product in product_nodes: - if isinstance(product, ProductModule): - # For modules, find the stream that contains this module - if product.parent: - streams_to_attach.append(product.parent) - else: - # For streams, use directly - streams_to_attach.append(product) - - # Remove duplicates while preserving order - unique_streams: list[Any] = [] - seen: set[Any] = set() - for stream in streams_to_attach: - if stream not in seen: - unique_streams.append(stream) - seen.add(stream) - - if keep_cpes: - # Original behavior: set streams as children of the leaf - # Create copies to avoid modifying shared objects - stream_copies = [] - for stream in unique_streams: - stream_copy = copy.deepcopy(stream) - stream_copy.parent = leaf - stream_copies.append(stream_copy) - return [leaf] - else: - # New behavior: replace the leaf with the streams in the tree - # Create copies to avoid modifying shared objects - stream_copies = [] - for stream in unique_streams: - stream_copy = copy.deepcopy(stream) - stream_copy.parent = leaf.parent - stream_copies.append(stream_copy) - return stream_copies - def get_all_cpes_for_rhel_stream(self, stream_name: str) -> set[str]: """ Get all CPEs that should be associated with a given RHEL stream by traversing @@ -456,9 +369,3 @@ def get_all_cpes_for_rhel_stream(self, stream_name: str) -> set[str]: # Use enhanced matching to get all related CPEs return self.enhanced_proddefs.get_all_cpes_for_stream(stream_name, stream_cpes) - - def _add_ancestor(self, leaf: Node, product: Any) -> None: - if product.parent: - product.parent.parent = leaf - else: - product.parent = leaf diff --git a/src/trustshell/products.py b/src/trustshell/products.py index a993adb..3c974a2 100644 --- a/src/trustshell/products.py +++ b/src/trustshell/products.py 
@@ -3,9 +3,9 @@ import httpx import logging import sys -from typing import Any +from typing import Any, Optional -from anytree import Node, PreOrderIter +from anytree import Node, NodeMixin, PreOrderIter from anytree.walker import Walker, WalkError from packageurl import PackageURL from rich.console import Console @@ -18,9 +18,9 @@ config_logging, print_version, purl_sans_version, - render_tree, paginated_trustify_query, ) +from trustshell.models import Affect, ProductResultRow, ProductSearchResult from trustshell.osidb import OSIDB from trustshell.product_definitions import ProdDefs, ProductModule, ProductStream @@ -33,6 +33,22 @@ logger = logging.getLogger("trustshell") +class ComponentNode(NodeMixin): + """Tree node with name and sbom_ids for component hierarchy from Trustify API.""" + + def __init__( + self, + name: str, + parent: Optional["ComponentNode"] = None, + sbom_id: Optional[str] = None, + ) -> None: + self.name = name + self.parent = parent + self.sbom_ids: set[str] = set() + if sbom_id: + self.sbom_ids.add(sbom_id) + + @click.command(context_settings={"help_option_names": ["-h", "--help"]}) @click.option("--check", "-c", is_flag=True, help="Check the status only, don't prime") @click.option("--debug", "-d", is_flag=True, help="Debug log level.") @@ -113,6 +129,25 @@ def prime_cache(check: bool, debug: bool) -> None: help="Replace flaw affects. Requires --flaw to be set.", callback=lambda ctx, param, value: _check_flaw(ctx, param, value, "replace"), ) +@click.option( + "--output", + "-o", + type=click.Choice(["text", "json"]), + default="text", + help="Output format. Mutually exclusive with --flaw.", +) +@click.option( + "--show-module", + is_flag=True, + default=True, + help="Show ps_module in output (tree format).", +) +@click.option( + "--show-sbom-ids", + is_flag=True, + default=False, + help="Show sbom_ids in text output (tree format).", +) @click.option("--debug", "-d", is_flag=True, help="Debug log level.") @click.argument( "purl", 
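Review bot: `--show-module` is declared with `is_flag=True, default=True`, so the value is True whether or not the flag is given and there is no way to hide the module from the command line. Declare it as a boolean switch pair instead: `@click.option("--show-module/--no-show-module", default=True, help="Show ps_module in output.")`. The current help text says "tree format", but `search` forwards the value as `include_modules`, which `render` also passes to the JSON renderer.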
@@ -120,8 +155,11 @@ def prime_cache(check: bool, debug: bool) -> None: ) def search( purl: str, - flaw: str, + flaw: Optional[str], replace: bool, + output: str, + show_module: bool, + show_sbom_ids: bool, debug: bool, latest: bool, cpes: bool, @@ -129,6 +167,9 @@ def search( include_rpm_containers: bool, ) -> None: """Relate a purl to products in Trustify""" + if flaw and output == "json": + raise click.UsageError("--flaw and --output are mutually exclusive.") + if not debug: config_logging(level="INFO") else: @@ -151,23 +192,19 @@ def search( return prod_defs = ProdDefs() - prod_defs.extend_with_product_mappings(ancestor_trees, keep_cpes=cpes) - - seen_trees = set() - for tree in ancestor_trees: - _remove_duplicate_branches(tree) - tree_signature = _get_branch_signature(tree.root) - if tree_signature in seen_trees: - continue - seen_trees.add(tree_signature) - render_tree(tree.root) + result = build_product_search_result(ancestor_trees, prod_defs, purl, cpes=cpes) - if not flaw: - exit(0) + if flaw: + osidb = OSIDB() + osidb.edit_flaw_affects(flaw, result.affects, replace) + return - osidb = OSIDB() - affects = extract_affects(ancestor_trees) - osidb.edit_flaw_affects(flaw, affects, replace) + result.render( + output=output, + include_modules=show_module, + cpes=cpes, + show_sbom_ids=show_sbom_ids, + ) def _check_flaw(ctx: Any, param: Any, value: Any, dependent_option_name: str) -> Any: 
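Review bot: The guard `if flaw and output == "json"` rejects only the JSON case, while the error text and the `--output` help both say `--flaw` and `--output` are mutually exclusive; `--flaw X --output text` is accepted. Word the error to match the check, e.g. `raise click.UsageError("--flaw cannot be combined with --output json.")`. With `--flaw` set the function now returns after `edit_flaw_affects` without rendering the search result, which deserves a line in the command's docstring.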
@@ -181,6 +218,101 @@ def _check_flaw(ctx: Any, param: Any, value: Any, dependent_option_name: str) -> return value +def _format_affect_purl( + purl: PackageURL, root_name: str, root_is_maven: bool = False +) -> str: + """Format purl for affects: OCI sans tag, maven/generic use root, else sans version.""" + if purl.type == "oci" and purl.qualifiers and "tag" in purl.qualifiers: + purl = PackageURL( + type=purl.type, + namespace=purl.namespace, + name=purl.name, + version=purl.version, + qualifiers={k: v for k, v in purl.qualifiers.items() if k != "tag"}, + ) + elif purl.type == "maven" or (purl.type == "generic" and root_is_maven): + purl = PackageURL.from_string(root_name) + else: + purl = purl_sans_version(purl) + return purl.to_string() + + +def build_product_search_result( + ancestor_trees: list[Node], + prod_defs: ProdDefs, + searched_purl: str, + cpes: bool = False, +) -> ProductSearchResult: + """Build flat ProductSearchResult from component trees. + + Does not mutate trees. Uses get_product_mappings_for_cpe for product matching. 
+ """ + results: list[ProductResultRow] = [] + for tree in ancestor_trees: + root_name = tree.root.name + try: + root_purl = PackageURL.from_string(root_name) + root_is_maven = root_purl.type == "maven" + except ValueError: + root_is_maven = False + for leaf in tree.leaves: + if not leaf.name.startswith("cpe:/"): + continue + cpe = leaf.name + mappings = prod_defs.get_product_mappings_for_cpe(cpe) + if not mappings: + continue + pkg_ancestors = [a for a in leaf.ancestors if a.name.startswith("pkg:")] + if not pkg_ancestors: + continue + shipped_purl_node = None + for a in pkg_ancestors: + try: + if PackageURL.from_string(a.name).type in ("rpm", "oci", "maven"): + shipped_purl_node = a + break + except ValueError: + continue + if shipped_purl_node is None: + continue + shipped_purl = PackageURL.from_string(shipped_purl_node.name) + shipped_component = _format_affect_purl( + shipped_purl, root_name, root_is_maven + ) + matched_component = root_name + cleaned_cpe = prod_defs._clean_cpe(cpe) + # Collect sbom_ids from path (root to leaf) + path_sbom_ids: set[str] = set() + for node in list(leaf.ancestors) + [leaf]: + if hasattr(node, "sbom_ids"): + path_sbom_ids.update(node.sbom_ids) + sbom_ids_list = sorted(path_sbom_ids) + for ps_update_stream, ps_module in mappings: + results.append( + ProductResultRow( + cpe=cleaned_cpe, + ps_update_stream=ps_update_stream, + ps_module=ps_module, + matched_component=matched_component, + shipped_component=shipped_component, + sbom_ids=sbom_ids_list, + ) + ) + affects_unique = { + Affect(ps_update_stream=row.ps_update_stream, purl=row.shipped_component) + for row in results + } + results_sorted = sorted( + results, key=lambda r: (r.ps_update_stream, r.shipped_component) + ) + affects_sorted = sorted(affects_unique, key=lambda a: (a.ps_update_stream, a.purl)) + return ProductSearchResult( + results=results_sorted, + affects=affects_sorted, + searched_purl=searched_purl, + ) + + def extract_affects(ancestor_trees: list[Node]) -> 
set[tuple[str, str]]: """Collect all the leaf and root node tuples for OSIDB affects. @@ -278,8 +410,10 @@ def build_ancestor_tree( ) -> None: """ Recursive function to build an ancestor tree from a nested set of purls, or CPEs. + Records sbom_id from each component on the corresponding node. """ for component in ancestors: + sbom_id = component.get("sbom_id") base_purl = build_node_purl(component["purl"], show_versions) if not base_purl: cpes = component["cpe"] @@ -287,9 +421,11 @@ def build_ancestor_tree( # Try the next ancestor continue for cpe in cpes: - Node(cpe, parent=parent) + ComponentNode(cpe, parent=parent, sbom_id=sbom_id) else: - node = Node(base_purl.to_string(), parent=parent) + node = ComponentNode( + base_purl.to_string(), parent=parent, sbom_id=sbom_id + ) if "ancestors" in component: build_ancestor_tree(node, component["ancestors"], show_versions) # else try the next ancestor diff --git a/src/trustshell/renderers.py b/src/trustshell/renderers.py new file mode 100644 index 0000000..a43a4bf --- /dev/null +++ b/src/trustshell/renderers.py 
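Review bot: `build_product_search_result` silently skips a CPE leaf when `get_product_mappings_for_cpe` returns nothing, and again when no rpm/oci/maven ancestor is found, so the warning that the removed mapping code printed for unmatched CPEs is lost. Because `result.affects` feeds `edit_flaw_affects`, a silent skip means a product can be left off a flaw with no trace. Log each skip with the module's existing `logger`, e.g. `logger.warning("No product mapping for %s", cpe)` before the first `continue`. The `cpes` parameter is accepted but never read in the body, and `prod_defs._clean_cpe` calls a private helper from another module; drop or document the parameter and consider exposing the cleaner publicly.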
@@ -0,0 +1,107 @@ +"""Output renderers for trust-products search results.""" + +import json +from typing import Any + +from anytree import Node + +from trustshell import render_tree_to_string +from trustshell.models import ProductResultRow, ProductSearchResult + + +def render_tree_format( + result: ProductSearchResult, + show_module: bool = True, + cpes: bool = False, + show_sbom_ids: bool = False, +) -> str: + """Render text output as string. By default shows ps_update_stream; use cpes=True to show CPE.""" + seen_roots: set[str] = set() + parts: list[str] = [] + for row in result.results: + root_key = row.matched_component + if root_key in seen_roots: + continue + seen_roots.add(root_key) + rows_for_root = [r for r in result.results if r.matched_component == root_key] + tree_str = _render_result_tree( + root_key, rows_for_root, show_module, cpes, show_sbom_ids + ) + parts.append(tree_str) + return "\n".join(parts) + + +def _render_result_tree( + root_name: str, + rows: list[ProductResultRow], + show_module: bool, + cpes: bool, + show_sbom_ids: bool = False, +) -> str: + """Build and return tree as string from result rows. Root is matched_component.""" + root = Node(root_name) + groups: dict[tuple[str, ...], list[ProductResultRow]] = {} + for row in rows: + if cpes: + dedup_key: tuple[str, ...] 
= ( + row.cpe, + row.ps_update_stream, + row.ps_module or "", + ) + else: + dedup_key = (row.ps_update_stream, row.ps_module or "") + groups.setdefault(dedup_key, []).append(row) + + for dedup_key, group_rows in groups.items(): + aggregated_sbom_ids = sorted( + {sid for row in group_rows for sid in row.sbom_ids} + ) + sbom_suffix = "" + if show_sbom_ids and aggregated_sbom_ids: + sbom_suffix = " [" + ", ".join(aggregated_sbom_ids) + "]" + + if cpes: + cpe_node = Node(group_rows[0].cpe, parent=root) + stream_node = Node(group_rows[0].ps_update_stream, parent=cpe_node) + if show_module and group_rows[0].ps_module: + leaf_name = (group_rows[0].ps_module or "") + sbom_suffix + else: + leaf_name = group_rows[0].shipped_component + sbom_suffix + Node(leaf_name, parent=stream_node) + else: + stream_node = Node(group_rows[0].ps_update_stream, parent=root) + if show_module and group_rows[0].ps_module: + leaf_name = (group_rows[0].ps_module or "") + sbom_suffix + else: + leaf_name = group_rows[0].shipped_component + sbom_suffix + Node(leaf_name, parent=stream_node) + return render_tree_to_string(root) + + +def render_json_format( + result: ProductSearchResult, + include_module: bool = True, +) -> str: + """Return flat JSON structure as string: results and affects. No tree.""" + output: dict[str, Any] = { + "searched_purl": result.searched_purl, + "results": [ + { + "cpe": row.cpe, + "ps_update_stream": row.ps_update_stream, + "matched_component": row.matched_component, + "shipped_component": row.shipped_component, + "sbom_ids": row.sbom_ids, + } + for row in result.results + ], + "affects": [ + {"ps_update_stream": a.ps_update_stream, "purl": a.purl} + for a in result.affects + ], + } + if include_module: + for i, row in enumerate(result.results): + output["results"][i]["ps_module"] = row.ps_module + + return json.dumps(output, indent=2) diff --git a/tests/test_product_definitions.py b/tests/test_product_definitions.py index a2b5cae..5d59973 100644 
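Review bot: `_render_result_tree` groups rows by (ps_update_stream, ps_module), with the CPE prepended when `cpes` is set, but the leaf falls back to `group_rows[0].shipped_component` whenever the module is hidden or `None`. Rows in the same group that ship a different component are then dropped from the text output, while `render_json_format` still lists them. Include `row.shipped_component` in `dedup_key` when the leaf will show the component, or emit one leaf per distinct `shipped_component` in the group. The two branches of the `if cpes:` block differ only in the extra CPE node, so the leaf name could be computed once above it.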
--- a/tests/test_product_definitions.py +++ b/tests/test_product_definitions.py @@ -4,9 +4,11 @@ import unittest from anytree import Node from unittest.mock import patch + from test_products import _check_node_names_at_depth +from trustshell import render_tree from trustshell.product_definitions import ProdDefs -from trustshell.products import render_tree +from trustshell.products import build_product_search_result class TestProdDefs(unittest.TestCase): @@ -64,7 +66,7 @@ def test_prod_defs_stream_nodes_by_cpe_rhel_10(self, mock_service): def test_prod_defs_product_trees(self, mock_service): mock_service.return_value = self.mock_proddefs_data prod_defs = ProdDefs() - assert len(prod_defs.product_trees) == 6 + assert len(prod_defs.product_trees) == 7 for tree in prod_defs.product_trees: render_tree(tree) rhel_9_2_z_stream = prod_defs.product_trees[1] 
@@ -75,66 +77,33 @@ def test_prod_defs_product_trees(self, mock_service): _check_node_names_at_depth(quay_3_12_stream, 1, ["quay-3"]) @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") - def test_extend_with_product_mappings(self, mock_service): - """Tests that the CPE is cleaned and matched directly to stream""" - mock_service.return_value = self.mock_proddefs_data - component = "pkg:rpm/redhat/openssl" - component_node = Node(component) - cpe = "cpe:/a:redhat:rhel_eus:9.2:*:appstream:*" - Node(cpe, parent=component_node) - test_trees = [component_node] - ProdDefs().extend_with_product_mappings(test_trees, keep_cpes=True) - assert len(test_trees) == 1 - root = test_trees[0].root - render_tree(root) - assert root.name == component - _check_node_names_at_depth(root, 1, [cpe]) - _check_node_names_at_depth(root, 2, ["rhel-9.2.0.z"]) - _check_node_names_at_depth(root, 3, ["rhel-9"]) - - @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") - def test_extend_with_product_mappings_no_cpes(self, mock_service): - """Tests that the CPE is cleaned and matched directly to stream""" + def test_build_product_search_result_rhel_eus(self, mock_service): + """Tests that CPE is cleaned and matched to stream - same data as extend_with_product_mappings.""" mock_service.return_value = self.mock_proddefs_data component = "pkg:rpm/redhat/openssl" component_node = Node(component) cpe = "cpe:/a:redhat:rhel_eus:9.2:*:appstream:*" Node(cpe, parent=component_node) test_trees = [component_node] - ProdDefs().extend_with_product_mappings(test_trees) - assert len(test_trees) == 1 - root = test_trees[0].root - render_tree(root) - assert root.name == component - _check_node_names_at_depth(root, 1, ["rhel-9.2.0.z"]) - _check_node_names_at_depth(root, 2, ["rhel-9"]) - - @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") - def test_extend_with_product_mappings_multi_products(self, mock_service): - """Tests that 
duplicate CPEs return duplicates branches""" - mock_service.return_value = self.mock_proddefs_data - component_1 = "pkg:rpm/redhat/openssl" - component_2 = "pkg:rpm/redhat/openssl-debug" - cpe = "cpe:/a:redhat:enterprise_linux:9.6::appstream" - component_node_1 = Node(component_1) - Node(cpe, parent=component_node_1) - component_node_2 = Node(component_2) - Node(cpe, parent=component_node_2) - test_trees = [component_node_1, component_node_2] prod_defs = ProdDefs() - prod_defs.extend_with_product_mappings(test_trees, keep_cpes=True) - assert len(test_trees) == 2 - for r in test_trees: - root = r.root - render_tree(root) - assert root.name in (component_1, component_2) - _check_node_names_at_depth(root, 1, [cpe]) - _check_node_names_at_depth(root, 2, ["rhel-9.6.z"]) - _check_node_names_at_depth(root, 3, ["rhel-9"]) + result = build_product_search_result( + test_trees, prod_defs, component, cpes=True + ) + assert len(result.results) == 1 + row = result.results[0] + assert row.cpe == "cpe:/a:redhat:rhel_eus:9.2::appstream" + assert row.ps_update_stream == "rhel-9.2.0.z" + # Stream match populates ps_module from stream's parent module + assert row.ps_module == "rhel-9" + assert row.matched_component == component + assert row.shipped_component == "pkg:rpm/redhat/openssl" + assert len(result.affects) == 1 + assert next(iter(result.affects)).purl == "pkg:rpm/redhat/openssl" @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") - def test_extend_with_product_mappings_multi_products_no_cpes(self, mock_service): - """Tests that duplicate CPEs return duplicates branches""" + def test_build_product_search_result_multi_products(self, mock_service): + """Tests that duplicate CPEs produce multiple result rows - same data as extend_with_product_mappings_multi_products. 
+ CPE matches rhel-9 module (prefix), yielding multiple streams; 2 components × N streams = 2N rows.""" mock_service.return_value = self.mock_proddefs_data component_1 = "pkg:rpm/redhat/openssl" component_2 = "pkg:rpm/redhat/openssl-debug" 
@@ -145,128 +114,62 @@ def test_extend_with_product_mappings_multi_products_no_cpes(self, mock_service) Node(cpe, parent=component_node_2) test_trees = [component_node_1, component_node_2] prod_defs = ProdDefs() - prod_defs.extend_with_product_mappings(test_trees) - assert len(test_trees) == 2 - for r in test_trees: - root = r.root - render_tree(root) - assert root.name in (component_1, component_2) - _check_node_names_at_depth(root, 1, ["rhel-9.6.z"]) - _check_node_names_at_depth(root, 2, ["rhel-9"]) - - @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") - def test_extend_with_product_mapping_module_match(self, mock_service): - """Tests that if a CPE matches multiple streams there is a result returned for each""" - mock_service.return_value = self.mock_proddefs_data - cpe = "cpe:/a:redhat:quay:3" - component = "oci:quay" - component_node = Node(component) - Node(cpe, parent=component_node) - test_trees = [component_node] - ProdDefs().extend_with_product_mappings(test_trees, keep_cpes=True) - for r in test_trees: - render_tree(r) - assert len(test_trees) == 1 - first_root = test_trees[0].root - assert first_root.name == component - _check_node_names_at_depth(first_root, 1, [cpe]) - _check_node_names_at_depth(first_root, 2, ["quay-3.13", "quay-3.12"]) - _check_node_names_at_depth(first_root, 3, ["quay-3", "quay-3"]) + result = build_product_search_result( + test_trees, prod_defs, "pkg:rpm/redhat/openssl", cpes=True + ) + matched = {row.matched_component for row in result.results} + assert matched == {component_1, component_2} + ps_streams = {row.ps_update_stream for row in result.results} + assert "rhel-9.6.z" in ps_streams + assert all(row.ps_module == "rhel-9" for row in result.results) @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") - def test_extend_with_product_mapping_module_match_no_cpes(self, mock_service): - """Tests that if a CPE matches multiple streams with keep_cpes=False, CPE nodes are 
replaced by streams""" + def test_build_product_search_result_quay_module_match(self, mock_service): + """Tests that CPE matching module returns multiple streams - same data as extend_with_product_mapping_module_match.""" mock_service.return_value = self.mock_proddefs_data cpe = "cpe:/a:redhat:quay:3" - component = "oci:quay" + component = "pkg:oci/quay" component_node = Node(component) Node(cpe, parent=component_node) test_trees = [component_node] - ProdDefs().extend_with_product_mappings(test_trees) - for r in test_trees: - render_tree(r) - assert len(test_trees) == 1 - - # Both results should have the same root (component) - first_root = test_trees[0].root - assert first_root.name == component - - _check_node_names_at_depth(first_root, 1, ["quay-3.12", "quay-3.13"]) - _check_node_names_at_depth(first_root, 2, ["quay-3", "quay-3"]) - - @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") - def test_extend_with_product_mapping_multi_module_match(self, mock_service): - """Test that when multiple components match a stream and module in the same product tree, - that we get a result for each""" - mock_service.return_value = self.mock_proddefs_data - component_1 = "oci:quay@123" - component_1_node = Node(component_1) - component_2 = "oci:quay@345" - component_2_node = Node(component_2) - module_cpe = "cpe:/a:redhat:quay:3" - Node(module_cpe, parent=component_1_node) - stream_cpe = "cpe:/a:redhat:quay:3.13" - Node(stream_cpe, parent=component_2_node) - test_trees = [component_1_node, component_2_node] - ProdDefs().extend_with_product_mappings(test_trees, keep_cpes=True) - for r in test_trees: - render_tree(r.root) - # oci:quay@123 - # └── cpe:/a:redhat:quay:3 - # └── quay-3.13 - # └── quay-3 - # └── quay-3.12 - # └── quay-3 - # oci:quay@345 - # └── cpe:/a:redhat:quay:3.13 - # └── quay-3.13 - # └── quay-3 - assert len(test_trees) == 2 - first_root = test_trees[0].root - second_root = test_trees[1].root - assert first_root.name == component_1 
- assert second_root.name == component_2 - _check_node_names_at_depth(first_root, 1, [module_cpe]) - _check_node_names_at_depth(first_root, 2, ["quay-3.13", "quay-3.12"]) - _check_node_names_at_depth(first_root, 3, ["quay-3", "quay-3"]) - _check_node_names_at_depth(second_root, 1, [stream_cpe]) - _check_node_names_at_depth(second_root, 2, ["quay-3.13"]) - _check_node_names_at_depth(second_root, 3, ["quay-3"]) + prod_defs = ProdDefs() + result = build_product_search_result( + test_trees, prod_defs, component, cpes=True + ) + assert len(result.results) == 2 + ps_streams = {row.ps_update_stream for row in result.results} + assert ps_streams == {"quay-3.12", "quay-3.13"} + assert all(row.ps_module == "quay-3" for row in result.results) + assert all(row.matched_component == component for row in result.results) @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") - def test_extend_with_product_mapping_multi_module_match_no_cpes(self, mock_service): - """Test that when multiple components match a stream and module in the same product tree, - that we get a result for each""" + def test_build_product_search_result_multi_module_match(self, mock_service): + """Test multiple components with different CPEs - same data as extend_with_product_mapping_multi_module_match.""" mock_service.return_value = self.mock_proddefs_data - component_1 = "oci:quay@123" + component_1 = "pkg:oci/quay@sha256:123" component_1_node = Node(component_1) - component_2 = "oci:quay@345" + component_2 = "pkg:oci/quay@sha256:345" component_2_node = Node(component_2) module_cpe = "cpe:/a:redhat:quay:3" Node(module_cpe, parent=component_1_node) stream_cpe = "cpe:/a:redhat:quay:3.13" Node(stream_cpe, parent=component_2_node) test_trees = [component_1_node, component_2_node] - ProdDefs().extend_with_product_mappings(test_trees) - for r in test_trees: - render_tree(r.root) - # oci:quay@123 - # └── quay-3.13 - # └── quay-3 - # └── quay-3.12 - # └── quay-3 - # oci:quay@345 - # └── 
quay-3.13 - # └── quay-3 - assert len(test_trees) == 2 - first_root = test_trees[0].root - second_root = test_trees[1].root - assert first_root.name == component_1 - assert second_root.name == component_2 - _check_node_names_at_depth(first_root, 1, ["quay-3.13", "quay-3.12"]) - _check_node_names_at_depth(first_root, 2, ["quay-3", "quay-3"]) - _check_node_names_at_depth(second_root, 1, ["quay-3.13"]) - _check_node_names_at_depth(second_root, 2, ["quay-3"]) + prod_defs = ProdDefs() + result = build_product_search_result( + test_trees, prod_defs, "pkg:oci/quay", cpes=True + ) + rows_by_cpe = {} + for row in result.results: + rows_by_cpe.setdefault(row.cpe, []).append(row) + assert "cpe:/a:redhat:quay:3" in rows_by_cpe + assert "cpe:/a:redhat:quay:3.13" in rows_by_cpe + module_rows = rows_by_cpe["cpe:/a:redhat:quay:3"] + assert len(module_rows) == 2 + assert {r.ps_update_stream for r in module_rows} == {"quay-3.12", "quay-3.13"} + stream_rows = rows_by_cpe["cpe:/a:redhat:quay:3.13"] + assert len(stream_rows) >= 1 + assert {r.ps_update_stream for r in stream_rows} >= {"quay-3.13"} def _create_test_rhel_releases_yaml(self): """Create a temporary RHEL releases YAML file for testing.""" 
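Review bot: In `test_build_product_search_result_multi_module_match` the stream-CPE check is looser than the assertions it replaces. `assert len(stream_rows) >= 1` and `{r.ps_update_stream for r in stream_rows} >= {"quay-3.13"}` still pass if `cpe:/a:redhat:quay:3.13` is also mapped to `quay-3.12`, whereas the removed test pinned that CPE to `quay-3.13` only. An extra stream in these rows would presumably end up as an extra affect, so if the exact mapping is still intended, write `assert {r.ps_update_stream for r in stream_rows} == {"quay-3.13"}`. Similarly, `test_build_product_search_result_multi_products` promises "2N rows" in its docstring but never asserts a row count.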
@@ -390,88 +293,60 @@ def test_rhel_releases_direct_cpe_match(self, mock_service): rhel_yaml_path = self._create_test_rhel_releases_yaml() try: - # Create ProdDefs with RHEL release data prod_defs = ProdDefs(active_only=True, rhel_releases_path=rhel_yaml_path) - # Test direct CPE match + # Test direct CPE match - get_product_mappings_for_cpe + # Stream matches populate ps_module from stream's parent module + cpe = "cpe:/a:redhat:rhel_eus:9.0::appstream" + mappings = prod_defs.get_product_mappings_for_cpe(cpe) + assert len(mappings) == 1 + assert mappings[0] == ("rhel-9.0.0.z", "rhel-9") + + # Also verify build_product_search_result produces correct result component = "pkg:rpm/redhat/openssl" component_node = Node(component) - # This CPE exists directly in the rhel-9.0.0.z stream - cpe = "cpe:/a:redhat:rhel_eus:9.0::appstream" Node(cpe, parent=component_node) test_trees = [component_node] - - prod_defs.extend_with_product_mappings(test_trees, keep_cpes=True) - - # Verify the mapping worked - root = test_trees[0].root - render_tree(root) - assert root.name == component - _check_node_names_at_depth(root, 1, [cpe]) - _check_node_names_at_depth(root, 2, ["rhel-9.0.0.z"]) - _check_node_names_at_depth(root, 3, ["rhel-9"]) + result = build_product_search_result( + test_trees, prod_defs, component, cpes=True + ) + assert len(result.results) == 1 + assert result.results[0].ps_update_stream == "rhel-9.0.0.z" finally: os.unlink(rhel_yaml_path) @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") def test_rhel_releases_parent_cpe_match(self, mock_service): - """Test that parent CPE matches work and map to leaf streams.""" + """Test that single-digit CPEs are filtered out - get_product_mappings_for_cpe returns [].""" mock_service.return_value = self._create_enhanced_product_definitions() rhel_yaml_path = self._create_test_rhel_releases_yaml() try: - # Create ProdDefs with RHEL release data prod_defs = ProdDefs(active_only=True, 
rhel_releases_path=rhel_yaml_path) - # Test parent CPE match - component = "pkg:rpm/redhat/httpd" - component_node = Node(component) - # This CPE appears in parent nodes (GA, MAIN+EUS) but should now be filtered out - # so no matches should occur with single digit CPEs + # Single-digit CPE cpe:/a:redhat:enterprise_linux:9::appstream is filtered cpe = "cpe:/a:redhat:enterprise_linux:9::appstream" - Node(cpe, parent=component_node) - test_trees = [component_node] - - prod_defs.extend_with_product_mappings(test_trees, keep_cpes=True) - - # Verify that single digit CPE is now filtered out and doesn't match - root = test_trees[0].root - render_tree(root) - assert root.name == component - _check_node_names_at_depth(root, 1, []) + mappings = prod_defs.get_product_mappings_for_cpe(cpe) + assert mappings == [] finally: os.unlink(rhel_yaml_path) @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") def test_rhel_releases_versioned_cpe_still_works(self, mock_service): - """Test that versioned CPEs (like 9.0::appstream) still work with RHEL release data.""" + """Test that versioned CPEs (like 9.2::appstream) still work with RHEL release data.""" mock_service.return_value = self._create_enhanced_product_definitions() rhel_yaml_path = self._create_test_rhel_releases_yaml() try: - # Create ProdDefs with RHEL release data prod_defs = ProdDefs(active_only=True, rhel_releases_path=rhel_yaml_path) - # Test versioned CPE that should work (not filtered out) - component = "pkg:rpm/redhat/httpd" - component_node = Node(component) - # This CPE has version (9.2) so should NOT be filtered out + # Versioned CPE cpe:/a:redhat:enterprise_linux:9.2::appstream should match cpe = "cpe:/a:redhat:enterprise_linux:9.2::appstream" - Node(cpe, parent=component_node) - test_trees = [component_node] - - prod_defs.extend_with_product_mappings(test_trees, keep_cpes=True) - - # Verify the versioned CPE can still map to streams through RHEL release data - root = 
test_trees[0].root - render_tree(root) - assert root.name == component - _check_node_names_at_depth(root, 1, [cpe]) - - # Should map to active streams since versioned CPE exists in RHEL release data - stream_names = [node.name for node in root.children[0].children] + mappings = prod_defs.get_product_mappings_for_cpe(cpe) + assert len(mappings) >= 1 + stream_names = [m[0] for m in mappings] assert "rhel-9.2.0.z" in stream_names finally: @@ -479,33 +354,16 @@ def test_rhel_releases_versioned_cpe_still_works(self, mock_service): @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") def test_rhel_releases_no_match_behavior(self, mock_service): - """Test behavior when CPE doesn't match any RHEL release data.""" + """Test that get_product_mappings_for_cpe returns [] for unknown CPE.""" mock_service.return_value = self._create_enhanced_product_definitions() rhel_yaml_path = self._create_test_rhel_releases_yaml() try: - # Create ProdDefs with RHEL release data prod_defs = ProdDefs(active_only=True, rhel_releases_path=rhel_yaml_path) - # Test with a CPE that doesn't match RHEL release data - component = "pkg:rpm/unknown/package" - component_node = Node(component) - # This CPE doesn't exist in our test RHEL release data cpe = "cpe:/a:unknown:product:1.0" - Node(cpe, parent=component_node) - test_trees = [component_node] - - prod_defs.extend_with_product_mappings(test_trees, keep_cpes=True) - - # Should fall back to module pattern matching (which should also fail) - # and display a warning about no matching products - root = test_trees[0].root - assert root.name == component - # Should still have the original CPE node - assert len(root.children) == 1 - assert root.children[0].name == cpe - # But no product mappings should be added - assert len(root.children[0].children) == 0 + mappings = prod_defs.get_product_mappings_for_cpe(cpe) + assert mappings == [] finally: os.unlink(rhel_yaml_path) 
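Review bot: `test_rhel_releases_parent_cpe_match` and, in the next hunk, `test_rhel_releases_no_match_behavior` now stop at `assert mappings == []` and no longer run a component tree through the result builder. The removed versions checked what the caller ends up with for an unmapped CPE; nothing visible here checks that `build_product_search_result` emits no rows or affects in that case. Consider keeping the one-node tree from the direct-match test and adding `result = build_product_search_result(test_trees, prod_defs, component, cpes=True)` followed by `assert not result.results and not result.affects`, assuming an empty result is the intended behaviour. The name `test_rhel_releases_parent_cpe_match` also no longer fits a test whose docstring says the CPE is filtered out.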
diff --git a/tests/test_products.py b/tests/test_products.py index cb7df05..7dc1f16 100644 --- a/tests/test_products.py +++ b/tests/test_products.py @@ -5,16 +5,15 @@ from anytree import Node -from trustshell import build_node_purl +from trustshell import build_node_purl, render_tree from trustshell.products import ( _get_branch_signature, _remove_duplicate_parent_nodes, _remove_non_cpe_branches, _trees_with_cpes, - render_tree, _has_cpe_node, container_in_tree, - extract_affects, + build_product_search_result, ) from trustshell.product_definitions import ProdDefs 
@@ -400,119 +399,167 @@ def test_remove_rpms_in_containers(self): assert container_in_tree(root) @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") - def test_extract_affects_container_cdx(self, mock_service): + def test_build_product_search_result_go_crypto_shipped_components( + self, mock_service + ): + mock_service.return_value = self.mock_proddefs_data + """Test PSDEVOPS-4563: affects use shipped components, not searched dependency.""" + with open("tests/testdata/go-crypto.json") as file: + data = json.load(file) + ancestor_trees = _trees_with_cpes(data, show_versions=True) + prod_defs = ProdDefs() + result = build_product_search_result( + ancestor_trees, prod_defs, "pkg:golang/golang.org/x/crypto" + ) + assert len(result.affects) > 0 + for affect in result.affects: + assert affect.purl.startswith("pkg:rpm/") or affect.purl.startswith( + "pkg:oci/" + ), ( + f"Affect should be shipped component (rpm/oci), not dependency: {affect.purl}" + ) + + @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") + def test_build_product_search_result_quay(self, mock_service): mock_service.return_value = self.mock_proddefs_data - """Test extract_affects using quay-builder-qemu-rhcos-rhel-8.json data""" + """Test build_product_search_result with quay data - shipped_component is root when top-level.""" with open("tests/testdata/quay-builder-qemu-rhcos-rhel-8.json") as file: data = json.load(file) + ancestor_trees = _trees_with_cpes(data, show_versions=True) + prod_defs = ProdDefs() + result = build_product_search_result( + ancestor_trees, prod_defs, "pkg:oci/quay-builder-qemu-rhcos-rhel8" + ) + assert len(result.results) >= 1 + assert len(result.affects) >= 1 + for affect in result.affects: + assert affect.purl.startswith("pkg:oci/") + assert "quay" in affect.purl.lower() - # Build the initial trees + @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") + def 
test_build_product_search_result_sbom_ids(self, mock_service): + """Verify result rows include sbom_ids when built from API data.""" + mock_service.return_value = self.mock_proddefs_data + with open("tests/testdata/openssl.json", "r") as file: + data = json.load(file) ancestor_trees = _trees_with_cpes(data, show_versions=True) + prod_defs = ProdDefs() + result = build_product_search_result( + ancestor_trees, prod_defs, "pkg:rpm/redhat/openssl@3.0.7-18.el9_2" + ) + assert len(result.results) >= 1 + # All rows should have sbom_ids list + for row in result.results: + assert hasattr(row, "sbom_ids") + assert isinstance(row.sbom_ids, list) + assert len(row.sbom_ids) >= 1 - # Extend with product mappings to add ProductModule nodes + @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") + @patch("trustshell.console") + def test_render_json_includes_sbom_ids(self, mock_console, mock_service): + """Verify JSON output includes sbom_ids per result row.""" + mock_service.return_value = self.mock_proddefs_data + with open("tests/testdata/openssl.json", "r") as file: + data = json.load(file) + ancestor_trees = _trees_with_cpes(data, show_versions=True) prod_defs = ProdDefs() - prod_defs.extend_with_product_mappings(ancestor_trees, keep_cpes=True) + result = build_product_search_result( + ancestor_trees, prod_defs, "pkg:rpm/redhat/openssl@3.0.7-18.el9_2" + ) + result.render(output="json", include_modules=True) + call_args = mock_console.print_json.call_args[0][0] + output = json.loads(call_args) + assert "results" in output + assert len(output["results"]) >= 1 + for row_out in output["results"]: + assert "sbom_ids" in row_out + assert isinstance(row_out["sbom_ids"], list) + assert len(row_out["sbom_ids"]) >= 1 - # Print the tree structure for debugging - for i, tree in enumerate(ancestor_trees): - print(f"\n--- Tree {i} ---") - render_tree(tree.root) + @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") + def 
test_extract_affects_container_cdx(self, mock_service): + mock_service.return_value = self.mock_proddefs_data + """Test build_product_search_result affects using quay-builder-qemu-rhcos-rhel-8.json data""" + with open("tests/testdata/quay-builder-qemu-rhcos-rhel-8.json") as file: + data = json.load(file) - # Call extract_affects and print the result - affects = extract_affects(ancestor_trees) - print(f"\nExtracted affects: {affects}") + ancestor_trees = _trees_with_cpes(data, show_versions=True) + prod_defs = ProdDefs() + result = build_product_search_result( + ancestor_trees, prod_defs, "pkg:oci/quay-builder-qemu-rhcos-rhel8" + ) - assert len(affects) == 2 - for affect in affects: - assert affect[0] in ["quay-3.12", "quay-3.13"] + assert len(result.affects) == 2 + for affect in result.affects: + assert affect.ps_update_stream in ["quay-3.12", "quay-3.13"] assert ( - affect[1] + affect.purl == "pkg:oci/quay-builder-qemu-rhcos-rhel8?repository_url=registry.access.redhat.com/quay/quay-builder-qemu-rhcos-rhel8" ) @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") def test_extract_affects_container_cdx_no_cpes(self, mock_service): mock_service.return_value = self.mock_proddefs_data - """Test extract_affects using quay-builder-qemu-rhcos-rhel-8.json data""" + """Test build_product_search_result affects (no cpes flag) using quay-builder-qemu-rhcos-rhel-8.json""" with open("tests/testdata/quay-builder-qemu-rhcos-rhel-8.json") as file: data = json.load(file) - # Build the initial trees ancestor_trees = _trees_with_cpes(data, show_versions=True) - - # Extend with product mappings to add ProductModule nodes prod_defs = ProdDefs() - prod_defs.extend_with_product_mappings(ancestor_trees) - - # Print the tree structure for debugging - for i, tree in enumerate(ancestor_trees): - print(f"\n--- Tree {i} ---") - render_tree(tree.root) - - # Call extract_affects and print the result - affects = extract_affects(ancestor_trees) - print(f"\nExtracted 
affects: {affects}") + result = build_product_search_result( + ancestor_trees, + prod_defs, + "pkg:oci/quay-builder-qemu-rhcos-rhel8", + cpes=False, + ) - assert len(affects) == 2 - for affect in affects: - assert affect[0] in ["quay-3.12", "quay-3.13"] + assert len(result.affects) == 2 + for affect in result.affects: + assert affect.ps_update_stream in ["quay-3.12", "quay-3.13"] assert ( - affect[1] + affect.purl == "pkg:oci/quay-builder-qemu-rhcos-rhel8?repository_url=registry.access.redhat.com/quay/quay-builder-qemu-rhcos-rhel8" ) @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") def test_extract_affects_maven(self, mock_service): mock_service.return_value = self.mock_proddefs_data - """Test extract_affects maven special handling""" + """Test build_product_search_result maven special handling - root maven PURL in affects""" with open("tests/testdata/maven-special-handling.json") as file: data = json.load(file) - # Build the initial trees ancestor_trees = _trees_with_cpes(data, show_versions=True) - - # Extend with product mappings to add ProductModule nodes prod_defs = ProdDefs() - prod_defs.extend_with_product_mappings(ancestor_trees) - - # Print the tree structure for debugging - for i, tree in enumerate(ancestor_trees): - print(f"\n--- Tree {i} ---") - render_tree(tree.root) - - # Call extract_affects and print the result - affects = extract_affects(ancestor_trees) - print(f"\nExtracted affects: {affects}") + # Maven root - use the root component from the tree + result = build_product_search_result( + ancestor_trees, prod_defs, "pkg:maven/io.quay/hey", cpes=False + ) - # We expect the root level maven PURL, not the generic one - assert len(affects) == 2 - for affect in affects: - assert affect[0] in ["quay-3.12", "quay-3.13"] # ps_update_stream - assert affect[1] == "pkg:maven/io.quay/hey@1.2.3.redhat-00001?type=jar" + assert len(result.affects) == 2 + for affect in result.affects: + assert affect.ps_update_stream in 
["quay-3.12", "quay-3.13"] + assert affect.purl == "pkg:maven/io.quay/hey@1.2.3.redhat-00001?type=jar" @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") def test_no_duplicates_from_product_mappings(self, mock_service): mock_service.return_value = self.mock_proddefs_data - """Test that the product mappings does not create duplicates""" + """Test that build_product_search_result produces unique affects (no duplicate stream+purl)""" with open("tests/testdata/libxml2.json") as file: data = json.load(file) - # Build the initial trees ancestor_trees = _trees_with_cpes(data, show_versions=True) - original_len = len(ancestor_trees) - - # Extend with product mappings to add ProductModule nodes prod_defs = ProdDefs() - prod_defs.extend_with_product_mappings(ancestor_trees) - - # Print the tree structure for debugging - for i, tree in enumerate(ancestor_trees): - print(f"\n--- Tree {i} ---") - render_tree(tree.root) + result = build_product_search_result( + ancestor_trees, prod_defs, "pkg:rpm/redhat/libxml2" + ) - # We expect that the number of the trees - # will not be changed by the product mappings - assert len(ancestor_trees) == original_len + # affects is a set - no duplicates by design + assert len(result.affects) > 0 + seen = set() + for affect in result.affects: + key = (affect.ps_update_stream, affect.purl) + assert key not in seen, f"Duplicate affect: {key}" + seen.add(key) @patch("trustshell.product_definitions.ProdDefs.get_product_definitions_service") def test_no_duplicates_from_unsorted_branches(self, mock_service): diff --git a/tests/testdata/go-crypto.json b/tests/testdata/go-crypto.json new file mode 100644 index 0000000..485b500 --- /dev/null +++ b/tests/testdata/go-crypto.json 
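Review bot: In `test_no_duplicates_from_product_mappings` the comment `# affects is a set - no duplicates by design` does not match the model added earlier in this patch, which annotates `ProductSearchResult.affects` as `list[Affect]`. If the builder really returns a list, the `seen` loop is the only guard against a repeated (stream, purl) pair, and the comment tells the next reader the check is redundant. Reword it along the lines of `# affects is a list; verify each (ps_update_stream, purl) pair appears once`. The removed assertion that mapping does not multiply entries has no counterpart for `result.results`; if rows are meant to be unique as well, a similar check there would keep that covered.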
@@ -0,0 +1,3470 @@ +{ + "items": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0b3af8830cd65ee4a0d51e131dd08ea6c36829e5ded8892f92aa1845d53742a8-pkg-golang-golang.org-x-crypto-v0.36.0-package-id-b8068dba1b59f282", + "purl": [ + "pkg:golang/golang.org/x/crypto@v0.36.0" + ], + "cpe": [], + "name": "golang.org/x/crypto", + "version": "v0.36.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-03073bd93ba0e3febd288eb1d87385651aafe41824fbdc37268ffd25723931a1-pkg-rpm-redhat-microshift-4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/microshift@4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/microshift@4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9?arch=src", + "pkg:rpm/redhat/microshift@4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms" + ], + "cpe": [], + "name": "microshift", + "version": "4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + 
"name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-039ad9214ee66b73cc6735ce7bc580f25b93b129850319206769dc01733cdcc3-pkg-golang-golang.org-x-crypto-v0.40.0-package-id-ceabd2ca11055905", + "purl": [ + "pkg:golang/golang.org/x/crypto@v0.40.0" + ], + "cpe": [], + "name": "golang.org/x/crypto", + "version": "v0.40.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3eba2d51899046da976d3a1017096c284d2de787c4ca26b6b9daa05e607eb94a-pkg-rpm-redhat-openshift-clients-4.20.0-202511182227.p2.g0963a01.assembly.stream.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/openshift-clients@4.20.0-202511182227.p2.g0963a01.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + 
"pkg:rpm/redhat/openshift-clients@4.20.0-202511182227.p2.g0963a01.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/openshift-clients@4.20.0-202511182227.p2.g0963a01.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/openshift-clients@4.20.0-202511182227.p2.g0963a01.assembly.stream.el9?arch=src", + "pkg:rpm/redhat/openshift-clients@4.20.0-202511182227.p2.g0963a01.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "openshift-clients", + "version": "4.20.0-202511182227.p2.g0963a01.assembly.stream.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-07265ee8b9571ebd5f8f10cda3b12e0b0fb4e33a8318c2d6d4e2d38804e4e5a8-pkg-golang-golang.org-x-crypto-v0.36.0-package-id-8e01c19f06caad6b", + "purl": [ + "pkg:golang/golang.org/x/crypto@v0.36.0" + ], + "cpe": [], + "name": "golang.org/x/crypto", + "version": "v0.36.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-03073bd93ba0e3febd288eb1d87385651aafe41824fbdc37268ffd25723931a1-pkg-rpm-redhat-microshift-4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/microshift@4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/microshift@4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9?arch=src", + "pkg:rpm/redhat/microshift@4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms" + ], + "cpe": [], + "name": "microshift", + "version": "4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": 
"019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-04f0c283a301e9d8de959ff94c75ee5a774ce386ea9c652933b1a74db5be3b5f-pkg-golang-golang.org-x-crypto-v0.36.0-package-id-1f23e4e518dca5c0", + "purl": [ + "pkg:golang/golang.org/x/crypto@v0.36.0" + ], + "cpe": [], + "name": "golang.org/x/crypto", + "version": "v0.36.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-f57d4ad6469bbbc6f325cffb77ba690f50221fd99fafadb5fcc2bef2a681340e-pkg-rpm-redhat-openshift-4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9-arch-src", + "purl": [ + 
"pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms" + ], + "cpe": [], + "name": "openshift", + "version": "4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0ba9d2e1bcc4d9856add2008e8e6b29f868c8112671f400032a6ffa5efa9c278-SPDXRef-Package-golang.org-x-crypto-scrypt-v0.42.0-706f2b3153f6091edd33a0623d4d8db8a8aed60ec564195ae1ce66ae5c74d810", + "purl": [ + "pkg:golang/golang.org/x/crypto/scrypt@v0.42.0?type=package" + ], + "cpe": [], + "name": "golang.org/x/crypto/scrypt", + "version": "v0.42.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-a08081753fb36e8538df6baf71d6a2a6829324a14d5eb34f233073b6f572eb1f-SPDXRef-component-lifecycle-agent-operator-bundle-4-20", + "purl": [ + "pkg:oci/lifecycle-agent-operator-bundle@sha256:0899f4f2dbbefd95865255fe87bf0a6ff6b974bd16bede28f365cbcf24207b1d?repository_url=registry.redhat.io/openshift4/lifecycle-agent-operator-bundle&tag=v4.20.1-44", + "pkg:oci/lifecycle-agent-operator-bundle@sha256:0899f4f2dbbefd95865255fe87bf0a6ff6b974bd16bede28f365cbcf24207b1d?repository_url=registry.redhat.io/openshift4/lifecycle-agent-operator-bundle&tag=v4.20.1", + "pkg:oci/lifecycle-agent-operator-bundle@sha256:0899f4f2dbbefd95865255fe87bf0a6ff6b974bd16bede28f365cbcf24207b1d?repository_url=registry.redhat.io/openshift4/lifecycle-agent-operator-bundle&tag=v4.20" + ], + "cpe": [], + "name": "lifecycle-agent-operator-bundle-4-20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-097c1b3c39ae3847cf093f69ae305c352d33c9873fc56531e53e643c3b28a6d5-SPDXRef-Package-golang.org-x-crypto-blowfish-v0.40.0-b8e325c81348664f1331bbb456beeb268e131766bd8292ce3537619a1993004c", + "purl": [ + "pkg:golang/golang.org/x/crypto/blowfish@v0.40.0?type=package" + ], + "cpe": [], + "name": "golang.org/x/crypto/blowfish", + "version": "v0.40.0", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-a216623e7a4cd34885a354431e7f0d8f4d9695ac6d1e857cd90853e45d147d1c-SPDXRef-image-art-images-0c180e12f75f1ead1f9c1e4aef6c609901ee6993ba50438c2e250cb11ee50464", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=c33f91c282414eaedaa7b289cbd9ee767eb22695121f0fc6cfc3aa668b129161", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=latest", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20" + ], + "cpe": [], + "name": "art-images_amd64", + "version": "ose-tests-rhel9-v4.20.0-20251028.165359-linux-x86-64", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0b6f59d0b9e432dc76cd427690ff981e255c366922476f7c02fd686056590e5f-SPDXRef-component-ose-4-20-ose-tools", + "purl": [ + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=ose-tools-container-v4.20.0-202601280915.p2.gdc61926.assembly.stream.el9", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20.0", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20.0-202601280915.p2.gdc61926.assembly.stream.el9", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20" + ], + "cpe": [], + "name": "ose-4-20-ose-tools", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "ancestor_of", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": 
"SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-f8f55841f92e242c492b8637715de1fc8e08b1bba120ad05e5b1ef2876831aa8-SPDXRef-image-art-images-286648d2eadaef1f297f0c41deebdea9557613645652bfab2bb783ab04b5fd81", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=latest", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=c33f91c282414eaedaa7b289cbd9ee767eb22695121f0fc6cfc3aa668b129161", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20", + 
"pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202510281626.p2.g0913987.assembly.stream.el9" + ], + "cpe": [], + "name": "art-images_amd64", + "version": "ose-tests-rhel9-v4.20.0-20251028.165359", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-bfa44bd0a76e25c1d7c9a6dddc0f0384af6f1a417c3edc261a4cfac943d850f9-SPDXRef-component-ose-4-20-openshift-enterprise-tests", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202601280915.p2.ge2a089f.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202601280915.p2.ge2a089f.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f" + ], + "cpe": [], + "name": "ose-4-20-openshift-enterprise-tests", + "version": "", + "published": 
"2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "variant", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-062ae647fc8d4cec4642675471f0d1da8e4ef449dbbe258db7532a5a5076d90e-SPDXRef-Package-golang.org-x-crypto-hkdf-v0.38.0-02fa88c3b3f7a06721726b6b9538334cdd68de2248f6911d71e5fb3a8a03d885", + "purl": [ + "pkg:golang/golang.org/x/crypto/hkdf@v0.38.0?type=package" + ], + "cpe": [], + "name": "golang.org/x/crypto/hkdf", + "version": "v0.38.0", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-74b05595f801657d6e6a1dc539981ad279bf81f32920afcf2120c3691ccc8c51-SPDXRef-image-art-images-fa498754ac0a6cdec23c3bb4edb95a29d549b945282ca78a20c904a53b3add11", + "purl": [ + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0-202510241956.p2.gcbd9f67.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=ose-baremetal-installer-container-v4.20.0-202510241956.p2.gcbd9f67.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=latest", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=ec52b242791219e9a670f4dfa21890893cc155dae92c9ad3aea398a94d3cd31a" + ], + "cpe": [], + "name": "art-images_s390x", + "version": "ose-baremetal-installer-rhel9-v4.20.0-20251024.201149", + "published": 
"2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-bcb2266405688cc8eb0edf185bd5a6f5e2d2e03d067c2f964cf9cb1460085635-SPDXRef-component-ose-4-20-ose-baremetal-installer", + "purl": [ + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=ose-baremetal-installer-container-v4.20.0-202601271911.p2.g1a6e473.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0-202601271911.p2.g1a6e473.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02" + ], + "cpe": [], + "name": "ose-4-20-ose-baremetal-installer", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": 
"openshift-4.20", + "product_version": "", + "relationship": "variant", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-10451d953217ed7bb508026194929dc49dc859d8dafce12fe370221eef071573-SPDXRef-Package-golang.org-x-crypto-ssh-internal-bcrypt-pbkdf-v0.38.0-a817478e264252c42703d0884974e334fb9187f7ede9d326b10cc8517f16f1f3", + "purl": [ + "pkg:golang/golang.org/x/crypto/ssh/internal/bcrypt_pbkdf@v0.38.0?type=package" + ], + "cpe": [], + "name": "golang.org/x/crypto/ssh/internal/bcrypt_pbkdf", + "version": "v0.38.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + 
"sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-74b05595f801657d6e6a1dc539981ad279bf81f32920afcf2120c3691ccc8c51-SPDXRef-image-art-images-fa498754ac0a6cdec23c3bb4edb95a29d549b945282ca78a20c904a53b3add11", + "purl": [ + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0-202510241956.p2.gcbd9f67.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=ose-baremetal-installer-container-v4.20.0-202510241956.p2.gcbd9f67.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=latest", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=ec52b242791219e9a670f4dfa21890893cc155dae92c9ad3aea398a94d3cd31a" + ], + "cpe": [], + "name": "art-images_s390x", + "version": "ose-baremetal-installer-rhel9-v4.20.0-20251024.201149", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + 
"product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-bcb2266405688cc8eb0edf185bd5a6f5e2d2e03d067c2f964cf9cb1460085635-SPDXRef-component-ose-4-20-ose-baremetal-installer", + "purl": [ + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=ose-baremetal-installer-container-v4.20.0-202601271911.p2.g1a6e473.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0-202601271911.p2.g1a6e473.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02" + ], + "cpe": [], + "name": "ose-4-20-ose-baremetal-installer", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "variant", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": 
"SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-22cf7e9bc51ccd807bd71df3184a75434489f724be1b109f8b10dabcd9294f9b-SPDXRef-Package-golang.org-x-crypto-cryptobyte-v0.36.0-556fb6965d60bc83e3bfa704988d10285d25c6ada3b358d1b8e2213d7702680b", + "purl": [ + "pkg:golang/golang.org/x/crypto/cryptobyte@v0.36.0?type=package" + ], + "cpe": [], + "name": "golang.org/x/crypto/cryptobyte", + "version": "v0.36.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": 
"SPDXRef-c300866ae32dd04f248b6bdc8808255e27c546bd4214262abe5be3ebbc788671-SPDXRef-image-art-images-cb40d5f75a7ef2985beb389916274965e2a8e9d6136d46cc31de00477a4c3bf0", + "purl": [ + "pkg:oci/ose-secrets-store-csi-mustgather-rhel9@sha256:ad6f8fc71ffd4aea2bdbce675c87e054b8c3a13feca29c950e552620f3eaa9c3?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-secrets-store-csi-mustgather-rhel9&tag=latest", + "pkg:oci/ose-secrets-store-csi-mustgather-rhel9@sha256:ad6f8fc71ffd4aea2bdbce675c87e054b8c3a13feca29c950e552620f3eaa9c3?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-secrets-store-csi-mustgather-rhel9&tag=v4.20.0-202510221121.p2.g354833a.assembly.stream.el9", + "pkg:oci/ose-secrets-store-csi-mustgather-rhel9@sha256:ad6f8fc71ffd4aea2bdbce675c87e054b8c3a13feca29c950e552620f3eaa9c3?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-secrets-store-csi-mustgather-rhel9&tag=v4.20", + "pkg:oci/ose-secrets-store-csi-mustgather-rhel9@sha256:ad6f8fc71ffd4aea2bdbce675c87e054b8c3a13feca29c950e552620f3eaa9c3?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-secrets-store-csi-mustgather-rhel9&tag=a0b23a6031d9fc57100d655487890caba47c415c419180d53c7a0a2a795d76ff", + "pkg:oci/ose-secrets-store-csi-mustgather-rhel9@sha256:ad6f8fc71ffd4aea2bdbce675c87e054b8c3a13feca29c950e552620f3eaa9c3?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-secrets-store-csi-mustgather-rhel9&tag=v4.20.0", + "pkg:oci/ose-secrets-store-csi-mustgather-rhel9@sha256:ad6f8fc71ffd4aea2bdbce675c87e054b8c3a13feca29c950e552620f3eaa9c3?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-secrets-store-csi-mustgather-rhel9&tag=ose-secrets-store-csi-mustgather-container-v4.20.0-202510221121.p2.g354833a.assembly.stream.el9" + ], + "cpe": [], + "name": "art-images_amd64", + "version": "ose-secrets-store-csi-mustgather-rhel9-v4.20.0-20251022.113738-linux-x86-64", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-01ca646cb19b9ed8c2eaaa091a8c62f829693e73e9d842f6059e69377cf986c4-SPDXRef-image-art-images-355c7081399148f9605d9ff35f5d879aaa583db98eae7ecc0f81f70a82250407", + "purl": [ + "pkg:oci/art-images@sha256:18dd8349dc6e1a2bdcb170eef0e6832daafe987dd723d3cab74ff150a21368c5?repository_url=quay.io/redhat-user-workloads/ocp-art-tenant/art-images" + ], + "cpe": [], + "name": "art-images", + "version": "ose-must-gather-rhel9-v4.20.0-20251022.113738", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "ancestor_of", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-2696ecca42bce9976dc618b693ddf145bd74fbac9f06e06519348a0c0ded9b30-SPDXRef-component-ose-4-20-openshift-enterprise-cli", + "purl": [ + "pkg:oci/ose-cli-rhel9@sha256:c9eb55a696fe3d25f8d3a1a59f72fba67df21466ca4c8a7f6fc4b99d83fba0fc?repository_url=registry.redhat.io/openshift4/ose-cli-rhel9&tag=v4.20", + "pkg:oci/ose-cli-rhel9@sha256:c9eb55a696fe3d25f8d3a1a59f72fba67df21466ca4c8a7f6fc4b99d83fba0fc?repository_url=registry.redhat.io/openshift4/ose-cli-rhel9&tag=v4.20.0-202601271911.p2.gdc61926.assembly.stream.el9", + "pkg:oci/ose-cli-rhel9@sha256:c9eb55a696fe3d25f8d3a1a59f72fba67df21466ca4c8a7f6fc4b99d83fba0fc?repository_url=registry.redhat.io/openshift4/ose-cli-rhel9&tag=c9eb55a696fe3d25f8d3a1a59f72fba67df21466ca4c8a7f6fc4b99d83fba0fc", + 
"pkg:oci/ose-cli-rhel9@sha256:c9eb55a696fe3d25f8d3a1a59f72fba67df21466ca4c8a7f6fc4b99d83fba0fc?repository_url=registry.redhat.io/openshift4/ose-cli-rhel9&tag=v4.20.0", + "pkg:oci/ose-cli-rhel9@sha256:c9eb55a696fe3d25f8d3a1a59f72fba67df21466ca4c8a7f6fc4b99d83fba0fc?repository_url=registry.redhat.io/openshift4/ose-cli-rhel9&tag=openshift-enterprise-cli-container-v4.20.0-202601271911.p2.gdc61926.assembly.stream.el9" + ], + "cpe": [], + "name": "ose-4-20-openshift-enterprise-cli", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "ancestor_of", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-24ba9b5d24fbd374cf40dcc1b31c78d09f0d7a8f8bdc93ea36e350b43162cfb1-SPDXRef-component-ose-4-20-ose-must-gather", + "purl": [ + "pkg:oci/ose-must-gather-rhel9@sha256:36753ddc7909580e81f394aa81b2fdca2eb68d8ec1070678aad8db35f791e3ea?repository_url=registry.redhat.io/openshift4/ose-must-gather-rhel9&tag=v4.20", + "pkg:oci/ose-must-gather-rhel9@sha256:36753ddc7909580e81f394aa81b2fdca2eb68d8ec1070678aad8db35f791e3ea?repository_url=registry.redhat.io/openshift4/ose-must-gather-rhel9&tag=v4.20.0", + "pkg:oci/ose-must-gather-rhel9@sha256:36753ddc7909580e81f394aa81b2fdca2eb68d8ec1070678aad8db35f791e3ea?repository_url=registry.redhat.io/openshift4/ose-must-gather-rhel9&tag=v4.20.0-202601271911.p2.gf0c6474.assembly.stream.el9", + "pkg:oci/ose-must-gather-rhel9@sha256:36753ddc7909580e81f394aa81b2fdca2eb68d8ec1070678aad8db35f791e3ea?repository_url=registry.redhat.io/openshift4/ose-must-gather-rhel9&tag=36753ddc7909580e81f394aa81b2fdca2eb68d8ec1070678aad8db35f791e3ea", + "pkg:oci/ose-must-gather-rhel9@sha256:36753ddc7909580e81f394aa81b2fdca2eb68d8ec1070678aad8db35f791e3ea?repository_url=registry.redhat.io/openshift4/ose-must-gather-rhel9&tag=ose-must-gather-container-v4.20.0-202601271911.p2.gf0c6474.assembly.stream.el9" + ], + "cpe": [], + "name": "ose-4-20-ose-must-gather", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "ancestor_of", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": 
"openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-1d819ef460b5e5f4ff3555ba9be446c47cf43aec40df7c106dee6ef24e1299c7-SPDXRef-Package-golang.org-x-crypto-md4-v0.40.0-6eb1014ad1f7805cb5fcd55a1b62550491222690b510c5eb857a89c0a8e7b0a6", + "purl": [ + "pkg:golang/golang.org/x/crypto/md4@v0.40.0?type=package" + ], + "cpe": [], + "name": "golang.org/x/crypto/md4", + "version": "v0.40.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-f8f55841f92e242c492b8637715de1fc8e08b1bba120ad05e5b1ef2876831aa8-SPDXRef-image-art-images-286648d2eadaef1f297f0c41deebdea9557613645652bfab2bb783ab04b5fd81", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=latest", + 
"pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=c33f91c282414eaedaa7b289cbd9ee767eb22695121f0fc6cfc3aa668b129161", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202510281626.p2.g0913987.assembly.stream.el9" + ], + "cpe": [], + "name": "art-images_amd64", + "version": "ose-tests-rhel9-v4.20.0-20251028.165359", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-bfa44bd0a76e25c1d7c9a6dddc0f0384af6f1a417c3edc261a4cfac943d850f9-SPDXRef-component-ose-4-20-openshift-enterprise-tests", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202601280915.p2.ge2a089f.assembly.stream.el9", + 
"pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202601280915.p2.ge2a089f.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f" + ], + "cpe": [], + "name": "ose-4-20-openshift-enterprise-tests", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "variant", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-a216623e7a4cd34885a354431e7f0d8f4d9695ac6d1e857cd90853e45d147d1c-SPDXRef-image-art-images-0c180e12f75f1ead1f9c1e4aef6c609901ee6993ba50438c2e250cb11ee50464", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=c33f91c282414eaedaa7b289cbd9ee767eb22695121f0fc6cfc3aa668b129161", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=latest", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20" + ], + "cpe": [], + "name": "art-images_amd64", + "version": "ose-tests-rhel9-v4.20.0-20251028.165359-linux-x86-64", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + 
"sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0b6f59d0b9e432dc76cd427690ff981e255c366922476f7c02fd686056590e5f-SPDXRef-component-ose-4-20-ose-tools", + "purl": [ + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=ose-tools-container-v4.20.0-202601280915.p2.gdc61926.assembly.stream.el9", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20.0", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20.0-202601280915.p2.gdc61926.assembly.stream.el9", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20" + ], + "cpe": [], + "name": "ose-4-20-ose-tools", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "ancestor_of", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-2b5292d17cfb397e4f2244a84f8d54aea4b7b1ef706a4432b25d29a7976ae646-SPDXRef-Package-golang.org-x-crypto-blowfish-v0.42.0-50f07ad4f5f091d51b9c0fb1ff44c91ae23b2a18ee126770bb5f51b218a117d0", + "purl": [ + "pkg:golang/golang.org/x/crypto/blowfish@v0.42.0?type=package" + ], + "cpe": [], + "name": "golang.org/x/crypto/blowfish", + "version": "v0.42.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-a08081753fb36e8538df6baf71d6a2a6829324a14d5eb34f233073b6f572eb1f-SPDXRef-component-lifecycle-agent-operator-bundle-4-20", + "purl": [ + "pkg:oci/lifecycle-agent-operator-bundle@sha256:0899f4f2dbbefd95865255fe87bf0a6ff6b974bd16bede28f365cbcf24207b1d?repository_url=registry.redhat.io/openshift4/lifecycle-agent-operator-bundle&tag=v4.20.1-44", + 
"pkg:oci/lifecycle-agent-operator-bundle@sha256:0899f4f2dbbefd95865255fe87bf0a6ff6b974bd16bede28f365cbcf24207b1d?repository_url=registry.redhat.io/openshift4/lifecycle-agent-operator-bundle&tag=v4.20.1", + "pkg:oci/lifecycle-agent-operator-bundle@sha256:0899f4f2dbbefd95865255fe87bf0a6ff6b974bd16bede28f365cbcf24207b1d?repository_url=registry.redhat.io/openshift4/lifecycle-agent-operator-bundle&tag=v4.20" + ], + "cpe": [], + "name": "lifecycle-agent-operator-bundle-4-20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", 
+ "node_id": "SPDXRef-24d51eff65cc9dd72e0522efc31b74ebd086fe853ee676050977e5a20767d6fb-pkg-golang-golang.org-x-crypto-v0.40.0-package-id-351c1234b3cb683c", + "purl": [ + "pkg:golang/golang.org/x/crypto@v0.40.0" + ], + "cpe": [], + "name": "golang.org/x/crypto", + "version": "v0.40.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-defd9b228abb666d35c9d38343a94fd558b5a932bd7fa26c5e267dc55ce2b7cb-pkg-golang-github.com-openshift-microshift-v4.20.0-package-id-fe74760daa21ab93", + "purl": [ + "pkg:golang/github.com/openshift/microshift@v4.20.0" + ], + "cpe": [], + "name": "github.com/openshift/microshift", + "version": "v4.20.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-13ff8fde614b5b62f0bd28f41d463aa1951181f73f4f666adbb1c7c2acbe11bc-pkg-rpm-redhat-microshift-4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9-arch-x86-64", + "purl": [ + "pkg:rpm/redhat/microshift@4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9?arch=x86_64&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-rpms" + ], + "cpe": [], + "name": "microshift", + "version": "4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": 
"openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-13ff8fde614b5b62f0bd28f41d463aa1951181f73f4f666adbb1c7c2acbe11bc-pkg-rpm-redhat-microshift-4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9-arch-x86-64", + "purl": [ + "pkg:rpm/redhat/microshift@4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9?arch=x86_64&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-rpms" + ], + "cpe": [], + "name": "microshift", + "version": "4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-03073bd93ba0e3febd288eb1d87385651aafe41824fbdc37268ffd25723931a1-pkg-rpm-redhat-microshift-4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/microshift@4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/microshift@4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9?arch=src", + "pkg:rpm/redhat/microshift@4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms" + ], + "cpe": [], + "name": "microshift", + "version": "4.20.0-202510201126.p0.g1c4675a.assembly.4.20.0.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": 
"openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-25f8f99badd704acfe054ae1becc219e9321359eb01c494f6d0b9df85c762547-SPDXRef-Package-golang.org-x-crypto-argon2-v0.40.0-02f307b42c98fe6b98272b1ac21b7263882c701a71f4bed9c2eb7f427415fa7b", + "purl": [ + "pkg:golang/golang.org/x/crypto/argon2@v0.40.0?type=package" + ], + "cpe": [], + "name": "golang.org/x/crypto/argon2", + "version": "v0.40.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + 
"node_id": "SPDXRef-f8f55841f92e242c492b8637715de1fc8e08b1bba120ad05e5b1ef2876831aa8-SPDXRef-image-art-images-286648d2eadaef1f297f0c41deebdea9557613645652bfab2bb783ab04b5fd81", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=latest", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=c33f91c282414eaedaa7b289cbd9ee767eb22695121f0fc6cfc3aa668b129161", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202510281626.p2.g0913987.assembly.stream.el9" + ], + "cpe": [], + "name": "art-images_amd64", + "version": "ose-tests-rhel9-v4.20.0-20251028.165359", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": 
"SPDXRef-bfa44bd0a76e25c1d7c9a6dddc0f0384af6f1a417c3edc261a4cfac943d850f9-SPDXRef-component-ose-4-20-openshift-enterprise-tests", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202601280915.p2.ge2a089f.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202601280915.p2.ge2a089f.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f" + ], + "cpe": [], + "name": "ose-4-20-openshift-enterprise-tests", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "variant", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-a216623e7a4cd34885a354431e7f0d8f4d9695ac6d1e857cd90853e45d147d1c-SPDXRef-image-art-images-0c180e12f75f1ead1f9c1e4aef6c609901ee6993ba50438c2e250cb11ee50464", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=c33f91c282414eaedaa7b289cbd9ee767eb22695121f0fc6cfc3aa668b129161", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=latest", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20" + ], + "cpe": [], + "name": "art-images_amd64", + "version": 
"ose-tests-rhel9-v4.20.0-20251028.165359-linux-x86-64", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0b6f59d0b9e432dc76cd427690ff981e255c366922476f7c02fd686056590e5f-SPDXRef-component-ose-4-20-ose-tools", + "purl": [ + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=ose-tools-container-v4.20.0-202601280915.p2.gdc61926.assembly.stream.el9", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20.0", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20.0-202601280915.p2.gdc61926.assembly.stream.el9", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20" + ], + "cpe": [], + "name": "ose-4-20-ose-tools", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "ancestor_of", + "ancestors": [ + { + "sbom_id": 
"019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-26a630d0505b5b64e8b42128ebf3475724219b86e36c31c5b677e9af09706959-SPDXRef-Package-golang.org-x-crypto-internal-poly1305-v0.40.0-277dae353d9e46115eafdd4e436bb6ab6930a2742a476a51a42c0836e1dc2251", + "purl": [ + "pkg:golang/golang.org/x/crypto/internal/poly1305@v0.40.0?type=package" + ], + "cpe": [], + "name": "golang.org/x/crypto/internal/poly1305", + "version": "v0.40.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": 
"SPDXRef-f8f55841f92e242c492b8637715de1fc8e08b1bba120ad05e5b1ef2876831aa8-SPDXRef-image-art-images-286648d2eadaef1f297f0c41deebdea9557613645652bfab2bb783ab04b5fd81", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=latest", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=c33f91c282414eaedaa7b289cbd9ee767eb22695121f0fc6cfc3aa668b129161", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202510281626.p2.g0913987.assembly.stream.el9" + ], + "cpe": [], + "name": "art-images_amd64", + "version": "ose-tests-rhel9-v4.20.0-20251028.165359", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": 
"SPDXRef-bfa44bd0a76e25c1d7c9a6dddc0f0384af6f1a417c3edc261a4cfac943d850f9-SPDXRef-component-ose-4-20-openshift-enterprise-tests", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202601280915.p2.ge2a089f.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202601280915.p2.ge2a089f.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f" + ], + "cpe": [], + "name": "ose-4-20-openshift-enterprise-tests", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "variant", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-a216623e7a4cd34885a354431e7f0d8f4d9695ac6d1e857cd90853e45d147d1c-SPDXRef-image-art-images-0c180e12f75f1ead1f9c1e4aef6c609901ee6993ba50438c2e250cb11ee50464", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=c33f91c282414eaedaa7b289cbd9ee767eb22695121f0fc6cfc3aa668b129161", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=latest", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20" + ], + "cpe": [], + "name": "art-images_amd64", + "version": 
"ose-tests-rhel9-v4.20.0-20251028.165359-linux-x86-64", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0b6f59d0b9e432dc76cd427690ff981e255c366922476f7c02fd686056590e5f-SPDXRef-component-ose-4-20-ose-tools", + "purl": [ + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=ose-tools-container-v4.20.0-202601280915.p2.gdc61926.assembly.stream.el9", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20.0", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20.0-202601280915.p2.gdc61926.assembly.stream.el9", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20" + ], + "cpe": [], + "name": "ose-4-20-ose-tools", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "ancestor_of", + "ancestors": [ + { + "sbom_id": 
"019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-2e11277d3fdb2c216a63fa0007895586032312e8f9e05cae0b756ebaba66916d-pkg-golang-golang.org-x-crypto-v0.36.0-package-id-903e6cccd213a82d", + "purl": [ + "pkg:golang/golang.org/x/crypto@v0.36.0" + ], + "cpe": [], + "name": "golang.org/x/crypto", + "version": "v0.36.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-f57d4ad6469bbbc6f325cffb77ba690f50221fd99fafadb5fcc2bef2a681340e-pkg-rpm-redhat-openshift-4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9-arch-src", + "purl": [ + 
"pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms" + ], + "cpe": [], + "name": "openshift", + "version": "4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-2c99f7de3c50b1a398e5164c1bb87fdbe9c5017a189709294359c72b96faa45b-SPDXRef-Package-golang.org-x-crypto-ssh-internal-bcrypt-pbkdf-v0.40.0-e9c58bb16534a207108625acdcd61cf9c259c0af9a66b0ad87d2eef20b00df8a", + "purl": [ + "pkg:golang/golang.org/x/crypto/ssh/internal/bcrypt_pbkdf@v0.40.0?type=package" + ], + "cpe": [], + "name": "golang.org/x/crypto/ssh/internal/bcrypt_pbkdf", + "version": "v0.40.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-a216623e7a4cd34885a354431e7f0d8f4d9695ac6d1e857cd90853e45d147d1c-SPDXRef-image-art-images-0c180e12f75f1ead1f9c1e4aef6c609901ee6993ba50438c2e250cb11ee50464", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=c33f91c282414eaedaa7b289cbd9ee767eb22695121f0fc6cfc3aa668b129161", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=latest", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + 
"pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20" + ], + "cpe": [], + "name": "art-images_amd64", + "version": "ose-tests-rhel9-v4.20.0-20251028.165359-linux-x86-64", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0b6f59d0b9e432dc76cd427690ff981e255c366922476f7c02fd686056590e5f-SPDXRef-component-ose-4-20-ose-tools", + "purl": [ + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=ose-tools-container-v4.20.0-202601280915.p2.gdc61926.assembly.stream.el9", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20.0", + 
"pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20.0-202601280915.p2.gdc61926.assembly.stream.el9", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20" + ], + "cpe": [], + "name": "ose-4-20-ose-tools", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "ancestor_of", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-f8f55841f92e242c492b8637715de1fc8e08b1bba120ad05e5b1ef2876831aa8-SPDXRef-image-art-images-286648d2eadaef1f297f0c41deebdea9557613645652bfab2bb783ab04b5fd81", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=latest", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=c33f91c282414eaedaa7b289cbd9ee767eb22695121f0fc6cfc3aa668b129161", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202510281626.p2.g0913987.assembly.stream.el9" + ], + "cpe": [], + "name": "art-images_amd64", + "version": "ose-tests-rhel9-v4.20.0-20251028.165359", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": 
"SPDXRef-bfa44bd0a76e25c1d7c9a6dddc0f0384af6f1a417c3edc261a4cfac943d850f9-SPDXRef-component-ose-4-20-openshift-enterprise-tests", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202601280915.p2.ge2a089f.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202601280915.p2.ge2a089f.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f" + ], + "cpe": [], + "name": "ose-4-20-openshift-enterprise-tests", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "variant", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-2e12330421f061c4920c7253dabcd656e83d88b40cd77f338b8f34ffd092aad6-pkg-golang-golang.org-x-crypto-v0.38.0-package-id-9a3b855f8018cd9e", + "purl": [ + "pkg:golang/golang.org/x/crypto@v0.38.0" + ], + "cpe": [], + "name": "golang.org/x/crypto", + "version": "v0.38.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-00703657ee410f986d740aa248406f5360cc311f945b92c456e09d4d206cafe3-pkg-golang-github.com-go-jose-go-jose-v4.0.5-package-id-2326cc7c5c665450-v4", + "purl": [ + "pkg:golang/github.com/go-jose/go-jose@v4.0.5" + ], + "cpe": [], + "name": "github.com/go-jose/go-jose/v4", + "version": "v4.0.5", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": 
"openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-90a6593355a1479380adf1fbe393f55ec59facbe12d16e07d25925d79a206b53-pkg-golang-github.com-containers-ocicrypt-v1.2.1-package-id-34a1006149853918", + "purl": [ + "pkg:golang/github.com/containers/ocicrypt@v1.2.1" + ], + "cpe": [], + "name": "github.com/containers/ocicrypt", + "version": "v1.2.1", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-54635fef042aa2d7a21b3bb7b13c7b8e15fd44cb9dbc096955d8815adb1ec6f0-pkg-golang-github.com-letsencrypt-boulder-v0.0.0-20240620165639-de9c06129bec-package-id-c6645a76cae09737", + "purl": [ + "pkg:golang/github.com/letsencrypt/boulder@v0.0.0-20240620165639-de9c06129bec" + ], + "cpe": [], + "name": "github.com/letsencrypt/boulder", + "version": "v0.0.0-20240620165639-de9c06129bec", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-95e4988fb6e6c5c8aa582a3527ee1a9272ded6e76ee1b4c8ab927fc3bbe87833-pkg-golang-github.com-sigstore-sigstore-v1.9.3-package-id-a9b1c4d0528ddf4e", + "purl": [ + "pkg:golang/github.com/sigstore/sigstore@v1.9.3" + ], + "cpe": [], + "name": "github.com/sigstore/sigstore", + "version": "v1.9.3", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-9e917e63aa0175f6ddf2315a189f035f2498417b89e2931e5062b450c50b9903-pkg-golang-github.com-containers-image-v5.35.0-package-id-41f984cec7eddb5a-v5", + "purl": [ + "pkg:golang/github.com/containers/image@v5.35.0" + ], + "cpe": [], + "name": "github.com/containers/image/v5", + "version": "v5.35.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-54635fef042aa2d7a21b3bb7b13c7b8e15fd44cb9dbc096955d8815adb1ec6f0-pkg-golang-github.com-letsencrypt-boulder-v0.0.0-20240620165639-de9c06129bec-package-id-c6645a76cae09737", + "purl": [ + "pkg:golang/github.com/letsencrypt/boulder@v0.0.0-20240620165639-de9c06129bec" + ], + "cpe": [], + "name": "github.com/letsencrypt/boulder", + "version": "v0.0.0-20240620165639-de9c06129bec", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-95e4988fb6e6c5c8aa582a3527ee1a9272ded6e76ee1b4c8ab927fc3bbe87833-pkg-golang-github.com-sigstore-sigstore-v1.9.3-package-id-a9b1c4d0528ddf4e", + "purl": [ + "pkg:golang/github.com/sigstore/sigstore@v1.9.3" + ], + "cpe": [], + "name": "github.com/sigstore/sigstore", + "version": "v1.9.3", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-9e917e63aa0175f6ddf2315a189f035f2498417b89e2931e5062b450c50b9903-pkg-golang-github.com-containers-image-v5.35.0-package-id-41f984cec7eddb5a-v5", + "purl": [ + "pkg:golang/github.com/containers/image@v5.35.0" + ], + "cpe": [], + "name": "github.com/containers/image/v5", + "version": "v5.35.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-1165c7e4978a144d1191a7ab38d2a755179274bfaf39090deeaf811b55dd5055-pkg-golang-github.com-containers-common-v0.63.0-package-id-cd3b153dd6295c30", + "purl": [ + "pkg:golang/github.com/containers/common@v0.63.0" + ], + "cpe": [], + "name": "github.com/containers/common", + "version": "v0.63.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0da7aeadc340173ae9844fb6d75a09f815433f177a39fdfc6bddb20b817375a4-pkg-golang-github.com-cri-o-cri-o-package-id-0751994bc553faba", + "purl": [ + "pkg:golang/github.com/cri-o/cri-o" + ], + "cpe": [], + "name": "github.com/cri-o/cri-o", + "version": "UNKNOWN", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. 
Possible relationship loop. Skipping further processing." + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-2e523e324aad8923c1c578365ec6f29a37536ed0c731b92b04a5332785ff5779-pkg-golang-github.com-go-git-go-git-v5.13.2-package-id-f8e61570dd9e120a-v5", + "purl": [ + "pkg:golang/github.com/go-git/go-git@v5.13.2" + ], + "cpe": [], + "name": "github.com/go-git/go-git/v5", + "version": "v5.13.2", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + 
"product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-8876db97f1ecf99ab8e487e8b1e0183e076d64626bfe9299d57a716218d9b674-pkg-golang-github.com-secure-systems-lab-go-securesystemslib-v0.9.0-package-id-8ee2d167c4ab8d5c", + "purl": [ + "pkg:golang/github.com/secure-systems-lab/go-securesystemslib@v0.9.0" + ], + "cpe": [], + "name": "github.com/secure-systems-lab/go-securesystemslib", + "version": "v0.9.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-9e917e63aa0175f6ddf2315a189f035f2498417b89e2931e5062b450c50b9903-pkg-golang-github.com-containers-image-v5.35.0-package-id-41f984cec7eddb5a-v5", + "purl": [ + "pkg:golang/github.com/containers/image@v5.35.0" + ], + "cpe": [], + "name": "github.com/containers/image/v5", + "version": "v5.35.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-95e4988fb6e6c5c8aa582a3527ee1a9272ded6e76ee1b4c8ab927fc3bbe87833-pkg-golang-github.com-sigstore-sigstore-v1.9.3-package-id-a9b1c4d0528ddf4e", + "purl": [ + "pkg:golang/github.com/sigstore/sigstore@v1.9.3" + ], + "cpe": [], + "name": "github.com/sigstore/sigstore", + "version": "v1.9.3", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + 
"This node was already visited. Possible relationship loop. Skipping further processing." + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-35490463073045e7e900637f0072d9e446fdce5f4f03a8e296038c0a1c8857da-pkg-golang-github.com-smallstep-pkcs7-v0.1.1-package-id-0bae93f0a388d625", + "purl": [ + "pkg:golang/github.com/smallstep/pkcs7@v0.1.1" + ], + "cpe": [], + "name": "github.com/smallstep/pkcs7", + "version": "v0.1.1", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-90a6593355a1479380adf1fbe393f55ec59facbe12d16e07d25925d79a206b53-pkg-golang-github.com-containers-ocicrypt-v1.2.1-package-id-34a1006149853918", + "purl": [ + "pkg:golang/github.com/containers/ocicrypt@v1.2.1" + ], + "cpe": [], + "name": "github.com/containers/ocicrypt", + "version": "v1.2.1", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6dca67cbb234273870561c873d97cfbfd4965823bcdd996f22e38f122e71e3eb-pkg-golang-github.com-skeema-knownhosts-v1.3.1-package-id-e885b1c0c290d315", + "purl": [ + "pkg:golang/github.com/skeema/knownhosts@v1.3.1" + ], + "cpe": [], + "name": "github.com/skeema/knownhosts", + "version": "v1.3.1", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-2e523e324aad8923c1c578365ec6f29a37536ed0c731b92b04a5332785ff5779-pkg-golang-github.com-go-git-go-git-v5.13.2-package-id-f8e61570dd9e120a-v5", + "purl": [ + "pkg:golang/github.com/go-git/go-git@v5.13.2" + ], + "cpe": [], + "name": "github.com/go-git/go-git/v5", + "version": "v5.13.2", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-9371cfd6da7344718a331a90919ca4b3a4bb294f6a873da978e9fa1da8a4f4ef-pkg-golang-github.com-xanzy-ssh-agent-v0.3.3-package-id-56e96dfcc1bebf9a", + "purl": [ + "pkg:golang/github.com/xanzy/ssh-agent@v0.3.3" + ], + "cpe": [], + "name": "github.com/xanzy/ssh-agent", + "version": "v0.3.3", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-2e523e324aad8923c1c578365ec6f29a37536ed0c731b92b04a5332785ff5779-pkg-golang-github.com-go-git-go-git-v5.13.2-package-id-f8e61570dd9e120a-v5", + "purl": [ + "pkg:golang/github.com/go-git/go-git@v5.13.2" + ], + "cpe": [], + "name": "github.com/go-git/go-git/v5", + "version": "v5.13.2", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-90a6593355a1479380adf1fbe393f55ec59facbe12d16e07d25925d79a206b53-pkg-golang-github.com-containers-ocicrypt-v1.2.1-package-id-34a1006149853918", + "purl": [ + "pkg:golang/github.com/containers/ocicrypt@v1.2.1" + ], + "cpe": [], + "name": "github.com/containers/ocicrypt", + "version": "v1.2.1", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-9e917e63aa0175f6ddf2315a189f035f2498417b89e2931e5062b450c50b9903-pkg-golang-github.com-containers-image-v5.35.0-package-id-41f984cec7eddb5a-v5", + "purl": [ + "pkg:golang/github.com/containers/image@v5.35.0" + ], + "cpe": [], + "name": "github.com/containers/image/v5", + "version": "v5.35.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0da7aeadc340173ae9844fb6d75a09f815433f177a39fdfc6bddb20b817375a4-pkg-golang-github.com-cri-o-cri-o-package-id-0751994bc553faba", + "purl": [ + "pkg:golang/github.com/cri-o/cri-o" + ], + "cpe": [], + "name": "github.com/cri-o/cri-o", + "version": "UNKNOWN", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-1165c7e4978a144d1191a7ab38d2a755179274bfaf39090deeaf811b55dd5055-pkg-golang-github.com-containers-common-v0.63.0-package-id-cd3b153dd6295c30", + "purl": [ + "pkg:golang/github.com/containers/common@v0.63.0" + ], + "cpe": [], + "name": "github.com/containers/common", + "version": "v0.63.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0da7aeadc340173ae9844fb6d75a09f815433f177a39fdfc6bddb20b817375a4-pkg-golang-github.com-cri-o-cri-o-package-id-0751994bc553faba", + "purl": [ + "pkg:golang/github.com/cri-o/cri-o" + ], + "cpe": [], + "name": "github.com/cri-o/cri-o", + "version": "UNKNOWN", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-5ad532720406ad7f083865cb52fafd1ae2bfdd6fc16aa4877b679ee178ff10fc-pkg-golang-github.com-containers-conmon-rs-v0.6.6-package-id-9149b20d3986c461", + "purl": [ + "pkg:golang/github.com/containers/conmon-rs@v0.6.6" + ], + "cpe": [], + "name": "github.com/containers/conmon-rs", + "version": "v0.6.6", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0da7aeadc340173ae9844fb6d75a09f815433f177a39fdfc6bddb20b817375a4-pkg-golang-github.com-cri-o-cri-o-package-id-0751994bc553faba", + "purl": [ + "pkg:golang/github.com/cri-o/cri-o" + ], + "cpe": [], + "name": "github.com/cri-o/cri-o", + "version": "UNKNOWN", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": 
"openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-2c25494c281d9c7cbdd880e47adc76ea206c98dce9e6e0292c6daa325eb8405a-pkg-golang-github.com-protonmail-go-crypto-v1.1.6-package-id-1a162bb964867ff6", + "purl": [ + "pkg:golang/github.com/protonmail/go-crypto@v1.1.6" + ], + "cpe": [], + "name": "github.com/ProtonMail/go-crypto", + "version": "v1.1.6", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 
06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-2e523e324aad8923c1c578365ec6f29a37536ed0c731b92b04a5332785ff5779-pkg-golang-github.com-go-git-go-git-v5.13.2-package-id-f8e61570dd9e120a-v5", + "purl": [ + "pkg:golang/github.com/go-git/go-git@v5.13.2" + ], + "cpe": [], + "name": "github.com/go-git/go-git/v5", + "version": "v5.13.2", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + 
"document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-62c329fb09d83d4072f0bd3b85391a5153db8f9f39042ce15bdc79e945c94ac3-pkg-golang-sigs.k8s.io-release-sdk-v0.12.2-package-id-ececdaa8b9e28464", + "purl": [ + "pkg:golang/sigs.k8s.io/release-sdk@v0.12.2" + ], + "cpe": [], + "name": "sigs.k8s.io/release-sdk", + "version": "v0.12.2", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0da7aeadc340173ae9844fb6d75a09f815433f177a39fdfc6bddb20b817375a4-pkg-golang-github.com-cri-o-cri-o-package-id-0751994bc553faba", + "purl": [ + "pkg:golang/github.com/cri-o/cri-o" + ], + "cpe": [], + "name": "github.com/cri-o/cri-o", + "version": "UNKNOWN", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3ddd78007421f2c6fd9fe8191ddc2a3893ffebf81ae8439ed3fb05e49d30d7fb-pkg-rpm-redhat-cri-o-1.33.8-3.rhaos4.20.git9658698.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/cri-o@1.33.8-3.rhaos4.20.git9658698.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "cri-o", + "version": "1.33.8-3.rhaos4.20.git9658698.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-2e03b38f24c2507c18fd7f37fc5f767dc9215d1c63ca892eb82279ae6de62e24-SPDXRef-Package-go-module-golang.org-x-crypto-3f379f90ee75218b", + "purl": [ + "pkg:golang/golang.org/x/crypto@v0.33.0" + ], + "cpe": [], + "name": "golang.org/x/crypto", + "version": "v0.33.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-74b05595f801657d6e6a1dc539981ad279bf81f32920afcf2120c3691ccc8c51-SPDXRef-image-art-images-fa498754ac0a6cdec23c3bb4edb95a29d549b945282ca78a20c904a53b3add11", + "purl": [ + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0-202510241956.p2.gcbd9f67.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=ose-baremetal-installer-container-v4.20.0-202510241956.p2.gcbd9f67.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=latest", + 
"pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=ec52b242791219e9a670f4dfa21890893cc155dae92c9ad3aea398a94d3cd31a" + ], + "cpe": [], + "name": "art-images_s390x", + "version": "ose-baremetal-installer-rhel9-v4.20.0-20251024.201149", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-bcb2266405688cc8eb0edf185bd5a6f5e2d2e03d067c2f964cf9cb1460085635-SPDXRef-component-ose-4-20-ose-baremetal-installer", + "purl": [ + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=ose-baremetal-installer-container-v4.20.0-202601271911.p2.g1a6e473.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0-202601271911.p2.g1a6e473.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0", + 
"pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02" + ], + "cpe": [], + "name": "ose-4-20-ose-baremetal-installer", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "variant", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + 
"sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-341cfb0672683075f96321be3e576ee817d47e197fc6906cc2441aa6339ad98b-pkg-golang-golang.org-x-crypto-v0.40.0-package-id-7118be10f74fae70", + "purl": [ + "pkg:golang/golang.org/x/crypto@v0.40.0" + ], + "cpe": [], + "name": "golang.org/x/crypto", + "version": "v0.40.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-eadf7b25147add9dd6c06da2e77e153c28ca231136041e58a22e80781f0f55de-pkg-golang-github.com-openshift-oc-package-id-3d92698f37cc6a53", + "purl": [ + "pkg:golang/github.com/openshift/oc" + ], + "cpe": [], + "name": "github.com/openshift/oc", + "version": "UNKNOWN", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-585e329dbc801d7104f56b7b4a6f709275c47b49839fd83f0d5422ca0bd8dcf6-pkg-rpm-redhat-openshift-clients-4.20.0-202511182227.p2.g0963a01.assembly.stream.el9-arch-aarch64", + "purl": [ + "pkg:rpm/redhat/openshift-clients@4.20.0-202511182227.p2.g0963a01.assembly.stream.el9?arch=aarch64&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-rpms" + ], + "cpe": [], + "name": "openshift-clients", + "version": "4.20.0-202511182227.p2.g0963a01.assembly.stream.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-585e329dbc801d7104f56b7b4a6f709275c47b49839fd83f0d5422ca0bd8dcf6-pkg-rpm-redhat-openshift-clients-4.20.0-202511182227.p2.g0963a01.assembly.stream.el9-arch-aarch64", + "purl": [ + "pkg:rpm/redhat/openshift-clients@4.20.0-202511182227.p2.g0963a01.assembly.stream.el9?arch=aarch64&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-rpms" + ], + "cpe": [], + "name": "openshift-clients", + "version": "4.20.0-202511182227.p2.g0963a01.assembly.stream.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3eba2d51899046da976d3a1017096c284d2de787c4ca26b6b9daa05e607eb94a-pkg-rpm-redhat-openshift-clients-4.20.0-202511182227.p2.g0963a01.assembly.stream.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/openshift-clients@4.20.0-202511182227.p2.g0963a01.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/openshift-clients@4.20.0-202511182227.p2.g0963a01.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms", + "pkg:rpm/redhat/openshift-clients@4.20.0-202511182227.p2.g0963a01.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + 
"pkg:rpm/redhat/openshift-clients@4.20.0-202511182227.p2.g0963a01.assembly.stream.el9?arch=src", + "pkg:rpm/redhat/openshift-clients@4.20.0-202511182227.p2.g0963a01.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms" + ], + "cpe": [], + "name": "openshift-clients", + "version": "4.20.0-202511182227.p2.g0963a01.assembly.stream.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": 
"SPDXRef-35fa2d579df635d1de279415ba72c6b1671f7789024b6a74681583111cfc9447-pkg-golang-golang.org-x-crypto-v0.36.0-package-id-a7c3e7b0f0b1973b", + "purl": [ + "pkg:golang/golang.org/x/crypto@v0.36.0" + ], + "cpe": [], + "name": "golang.org/x/crypto", + "version": "v0.36.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-9362fa8c127e547f6f653f56f447b69dc2781641cd3c9a3f295522c86bb1ad57-pkg-golang-k8s.io-kubernetes-v1.33.5-package-id-260e535690818d69", + "purl": [ + "pkg:golang/k8s.io/kubernetes@v1.33.5" + ], + "cpe": [], + "name": "k8s.io/kubernetes", + "version": "v1.33.5", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3374ee284b9fec886e67a0e4af856d089c5ff8fea15b6c175c9ad08fddae3324-pkg-rpm-redhat-openshift-kube-apiserver-4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9-arch-aarch64", + "purl": [ + "pkg:rpm/redhat/openshift-kube-apiserver@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=aarch64&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-rpms" + ], + "cpe": [], + "name": "openshift-kube-apiserver", + "version": "4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + 
"product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3374ee284b9fec886e67a0e4af856d089c5ff8fea15b6c175c9ad08fddae3324-pkg-rpm-redhat-openshift-kube-apiserver-4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9-arch-aarch64", + "purl": [ + "pkg:rpm/redhat/openshift-kube-apiserver@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=aarch64&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-rpms" + ], + "cpe": [], + "name": "openshift-kube-apiserver", + "version": "4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-f57d4ad6469bbbc6f325cffb77ba690f50221fd99fafadb5fcc2bef2a681340e-pkg-rpm-redhat-openshift-4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms" + ], + "cpe": [], + 
"name": "openshift", + "version": "4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-3c430db678fab8f2594a74fb92777215b40e8e20ce3a2a4a54180061a5931f2a-pkg-golang-golang.org-x-crypto-v0.36.0-package-id-f95657ee88538ea6", + "purl": [ + "pkg:golang/golang.org/x/crypto@v0.36.0" + ], + "cpe": [], + "name": "golang.org/x/crypto", + "version": "v0.36.0", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-f7c5e201265217f6bbbf029a9bd1d76e8cf549ffc267446c9f66b8d0ec55577f-pkg-golang-k8s.io-kubernetes-v1.0.2-package-id-076ec028c9f018da", + "purl": [ + "pkg:golang/k8s.io/kubernetes@v1.0.2" + ], + "cpe": [], + "name": "k8s.io/kubernetes", + "version": "v1.0.2", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "dependency", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0640af5e1972a92fc0c6ee3932e5ffb52804bb7b8237204fa9ef77e362823e53-pkg-rpm-redhat-openshift-kubelet-4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9-arch-s390x", + "purl": [ + "pkg:rpm/redhat/openshift-kubelet@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=s390x&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-rpms" + ], + "cpe": [], + "name": "openshift-kubelet", + "version": "4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." 
+ ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0640af5e1972a92fc0c6ee3932e5ffb52804bb7b8237204fa9ef77e362823e53-pkg-rpm-redhat-openshift-kubelet-4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9-arch-s390x", + "purl": [ + "pkg:rpm/redhat/openshift-kubelet@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=s390x&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-rpms" + ], + "cpe": [], + "name": "openshift-kubelet", + "version": "4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-f57d4ad6469bbbc6f325cffb77ba690f50221fd99fafadb5fcc2bef2a681340e-pkg-rpm-redhat-openshift-4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms" + ], + "cpe": [], + "name": "openshift", + "version": "4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-43e686c2cac39ae99b56c172fe8241b1f159f3facf5576f4430a6136ef29b762-SPDXRef-Package-golang.org-x-crypto-openpgp-packet-v0.40.0-ba9f29d843c6a5cc6b0d13f04661e6040bbe7c50a4bedbd411fa2a0e3ac40752", + "purl": [ + "pkg:golang/golang.org/x/crypto/openpgp/packet@v0.40.0?type=package" + ], + "cpe": [], + "name": "golang.org/x/crypto/openpgp/packet", + "version": "v0.40.0", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-f8f55841f92e242c492b8637715de1fc8e08b1bba120ad05e5b1ef2876831aa8-SPDXRef-image-art-images-286648d2eadaef1f297f0c41deebdea9557613645652bfab2bb783ab04b5fd81", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=latest", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=c33f91c282414eaedaa7b289cbd9ee767eb22695121f0fc6cfc3aa668b129161", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202510281626.p2.g0913987.assembly.stream.el9" + ], + "cpe": [], + "name": "art-images_amd64", + "version": "ose-tests-rhel9-v4.20.0-20251028.165359", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-bfa44bd0a76e25c1d7c9a6dddc0f0384af6f1a417c3edc261a4cfac943d850f9-SPDXRef-component-ose-4-20-openshift-enterprise-tests", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202601280915.p2.ge2a089f.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202601280915.p2.ge2a089f.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f?repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=ed1ac74f3744a4b7c8fc640d1309efeb3af889148f5e4d0ead735872d5bf216f" + ], + "cpe": [], + "name": "ose-4-20-openshift-enterprise-tests", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "variant", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": 
"SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "warnings": [ + "This node was already visited. Possible relationship loop. Skipping further processing." + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-a216623e7a4cd34885a354431e7f0d8f4d9695ac6d1e857cd90853e45d147d1c-SPDXRef-image-art-images-0c180e12f75f1ead1f9c1e4aef6c609901ee6993ba50438c2e250cb11ee50464", + "purl": [ + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=c33f91c282414eaedaa7b289cbd9ee767eb22695121f0fc6cfc3aa668b129161", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=latest", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + 
"pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=openshift-enterprise-tests-container-v4.20.0-202510281626.p2.g0913987.assembly.stream.el9", + "pkg:oci/ose-tests-rhel9@sha256:b1cee94d27200b9d3f432dbd0f61a9867e7ecf070d4f5bc41716275136a60912?arch=amd64&repository_url=registry.redhat.io/openshift4/ose-tests-rhel9&tag=v4.20" + ], + "cpe": [], + "name": "art-images_amd64", + "version": "ose-tests-rhel9-v4.20.0-20251028.165359-linux-x86-64", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-0b6f59d0b9e432dc76cd427690ff981e255c366922476f7c02fd686056590e5f-SPDXRef-component-ose-4-20-ose-tools", + "purl": [ + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=ose-tools-container-v4.20.0-202601280915.p2.gdc61926.assembly.stream.el9", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20.0", + "pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20.0-202601280915.p2.gdc61926.assembly.stream.el9", + 
"pkg:oci/ose-tools-rhel9@sha256:9a8b8c9dd32204f016b19f0b6f1d0b9dd9061b56e53718ab64e544477475c43e?repository_url=registry.redhat.io/openshift4/ose-tools-rhel9&tag=v4.20" + ], + "cpe": [], + "name": "ose-4-20-ose-tools", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "ancestor_of", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-42199b1e13e838b12e7201f03a73d6f3522fbc6405f60f433fe7431978f6c313-SPDXRef-Package-golang.org-x-crypto-ssh-internal-bcrypt-pbkdf-v0.42.0-3a284c80823d8fc95367cc08afbd820b85f4c4031fe2c0f2adf1342d38ec573e", + "purl": [ + 
"pkg:golang/golang.org/x/crypto/ssh/internal/bcrypt_pbkdf@v0.42.0?type=package" + ], + "cpe": [], + "name": "golang.org/x/crypto/ssh/internal/bcrypt_pbkdf", + "version": "v0.42.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-a08081753fb36e8538df6baf71d6a2a6829324a14d5eb34f233073b6f572eb1f-SPDXRef-component-lifecycle-agent-operator-bundle-4-20", + "purl": [ + "pkg:oci/lifecycle-agent-operator-bundle@sha256:0899f4f2dbbefd95865255fe87bf0a6ff6b974bd16bede28f365cbcf24207b1d?repository_url=registry.redhat.io/openshift4/lifecycle-agent-operator-bundle&tag=v4.20.1-44", + "pkg:oci/lifecycle-agent-operator-bundle@sha256:0899f4f2dbbefd95865255fe87bf0a6ff6b974bd16bede28f365cbcf24207b1d?repository_url=registry.redhat.io/openshift4/lifecycle-agent-operator-bundle&tag=v4.20.1", + "pkg:oci/lifecycle-agent-operator-bundle@sha256:0899f4f2dbbefd95865255fe87bf0a6ff6b974bd16bede28f365cbcf24207b1d?repository_url=registry.redhat.io/openshift4/lifecycle-agent-operator-bundle&tag=v4.20" + ], + "cpe": [], + "name": "lifecycle-agent-operator-bundle-4-20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + 
"version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-4074da18ce9850991bca1726101bb6bab76fab167c51208479eab337bd51639e-SPDXRef-Package-golang.org-x-crypto-ssh-agent-v0.38.0-a6630cfdc2d5773bac1cd02bc9b43301fdfe683544359b1e37a849be32e9cc02", + "purl": [ + "pkg:golang/golang.org/x/crypto/ssh/agent@v0.38.0?type=package" + ], + "cpe": [], + "name": "golang.org/x/crypto/ssh/agent", + "version": "v0.38.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-74b05595f801657d6e6a1dc539981ad279bf81f32920afcf2120c3691ccc8c51-SPDXRef-image-art-images-fa498754ac0a6cdec23c3bb4edb95a29d549b945282ca78a20c904a53b3add11", + "purl": [ + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20", + 
"pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0-202510241956.p2.gcbd9f67.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=ose-baremetal-installer-container-v4.20.0-202510241956.p2.gcbd9f67.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=latest", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:36894f68293327d88b69cdccaa2e5c36f9ab88462d31f7ade6dff35e2cc00ac8?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=ec52b242791219e9a670f4dfa21890893cc155dae92c9ad3aea398a94d3cd31a" + ], + "cpe": [], + "name": "art-images_s390x", + "version": "ose-baremetal-installer-rhel9-v4.20.0-20251024.201149", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "contains", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-bcb2266405688cc8eb0edf185bd5a6f5e2d2e03d067c2f964cf9cb1460085635-SPDXRef-component-ose-4-20-ose-baremetal-installer", + "purl": [ + 
"pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=ose-baremetal-installer-container-v4.20.0-202601271911.p2.g1a6e473.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0-202601271911.p2.g1a6e473.assembly.stream.el9", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20.0", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=v4.20", + "pkg:oci/ose-baremetal-installer-rhel9@sha256:b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02?repository_url=registry.redhat.io/openshift4/ose-baremetal-installer-rhel9&tag=b939d8a50ca46e198e329cccc8e9e96b2e9b10d30cd6ba5621cfdae80ab44d02" + ], + "cpe": [], + "name": "ose-4-20-ose-baremetal-installer", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "variant", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": 
"https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + ] + } + ] + }, + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-42a6d6c37633d8e0cc512c8317870a1c1b88ae7fd4e3170e9c557036c438665d-pkg-golang-golang.org-x-crypto-v0.36.0-package-id-1c88ca588642c769", + "purl": [ + "pkg:golang/golang.org/x/crypto@v0.36.0" + ], + "cpe": [], + "name": "golang.org/x/crypto", + "version": "v0.36.0", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-f57d4ad6469bbbc6f325cffb77ba690f50221fd99fafadb5fcc2bef2a681340e-pkg-rpm-redhat-openshift-4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9-arch-src", + "purl": [ + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-aarch64-source-rpms", + 
"pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-ppc64le-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-s390x-source-rpms", + "pkg:rpm/redhat/openshift@4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9?arch=src&repository_id=rhocp-4_DOT_20-for-rhel-9-x86_64-source-rpms" + ], + "cpe": [], + "name": "openshift", + "version": "4.20.0-202511172055.p2.g4c392f9.assembly.stream.el9", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "generates", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-6f712f436dbd9506b88bec5fc7233271fa85bd6da89be48015aad8ef77e00eab-openshift-4.20", + "purl": [], + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "package", + "ancestors": [ + { + "sbom_id": "019c8d9a-9abb-7f10-acce-69ea137226ce", + "node_id": "SPDXRef-DOCUMENT", + "purl": [], + "cpe": [], + "name": "openshift-4.20", + "version": "", + "published": "2026-02-07 06:16:45+00", + "document_id": "https://security.access.redhat.com/data/sbom/v1/spdx/openshift-4.20/2026-02-07/e262df043cb67d6a5c33f2dd1d2b0ffe9549ee3c64a09ce82e313b8bd16c2721", + "product_name": "openshift-4.20", + "product_version": "", + "relationship": "describes", + "ancestors": [] + } + ] + } + ] + } + 
] + } + ], + "total": 127 + } \ No newline at end of file diff --git a/tests/testdata/products/product-definitions.json b/tests/testdata/products/product-definitions.json index d8038d5..c16ffed 100644 --- a/tests/testdata/products/product-definitions.json +++ b/tests/testdata/products/product-definitions.json @@ -77,6 +77,13 @@ "cpe:/a:redhat:quay:3" ], "manifest": true + }, + "openshift-4.20": { + "public_description": "OpenShift 4.20", + "ps_update_streams": ["openshift-4.20"], + "active_ps_update_streams": ["openshift-4.20"], + "cpe": ["cpe:/a:redhat:openshift:4.20"], + "manifest": true } }, "ps_update_streams": { @@ -145,6 +152,14 @@ "cpe": [ "cpe:/a:redhat:quay:3.13" ] + }, + "openshift-4.20": { + "pp_label": "openshift-4.20", + "version": "4.20", + "cpe": [ + "cpe:/a:redhat:openshift:4.20:*:el8:*", + "cpe:/a:redhat:openshift:4.20:*:el9:*" + ] } } } \ No newline at end of file From 78ce1911d73089fa50960c48c64db676c9fc0fc0 Mon Sep 17 00:00:00 2001 From: jasinner Date: Tue, 24 Feb 2026 16:22:45 +1000 Subject: [PATCH 3/3] include sbom ids for easy lookup in TPA --- src/trustshell/products.py | 77 ++++++++++++++++++++----------------- src/trustshell/renderers.py | 1 + tests/test_products.py | 20 ++++++++++ 3 files changed, 63 insertions(+), 35 deletions(-) diff --git a/src/trustshell/products.py b/src/trustshell/products.py index 3c974a2..b39bc84 100644 --- a/src/trustshell/products.py +++ b/src/trustshell/products.py @@ -5,7 +5,7 @@ import sys from typing import Any, Optional -from anytree import Node, NodeMixin, PreOrderIter +from anytree import NodeMixin, PreOrderIter from anytree.walker import Walker, WalkError from packageurl import PackageURL from rich.console import Console @@ -238,7 +238,7 @@ def _format_affect_purl( def build_product_search_result( - ancestor_trees: list[Node], + ancestor_trees: list[ComponentNode], prod_defs: ProdDefs, searched_purl: str, cpes: bool = False, 
@@ -313,7 +313,7 @@ def build_product_search_result( ) -def extract_affects(ancestor_trees: list[Node]) -> set[tuple[str, str]]: +def extract_affects(ancestor_trees: list[ComponentNode]) -> set[tuple[str, str]]: """Collect all the leaf and root node tuples for OSIDB affects. Extracts (ps_update_stream, purl) tuples where: @@ -378,7 +378,7 @@ def _get_roots( latest: bool = True, show_versions: bool = False, include_rpm_containers: bool = False, -) -> list[Node]: +) -> list[ComponentNode]: """Look up base_purl ancestors in Trustify Uses purl~ query which Trustify automatically translates into optimized @@ -406,7 +406,7 @@ def _get_roots( def build_ancestor_tree( - parent: Node, ancestors: list[dict[str, Any]], show_versions: bool + parent: ComponentNode, ancestors: list[dict[str, Any]], show_versions: bool ) -> None: """ Recursive function to build an ancestor tree from a nested set of purls, or CPEs. @@ -423,15 +423,13 @@ def build_ancestor_tree( for cpe in cpes: ComponentNode(cpe, parent=parent, sbom_id=sbom_id) else: - node = ComponentNode( - base_purl.to_string(), parent=parent, sbom_id=sbom_id - ) + node = ComponentNode(base_purl.to_string(), parent=parent, sbom_id=sbom_id) if "ancestors" in component: build_ancestor_tree(node, component["ancestors"], show_versions) # else try the next ancestor -def _remove_root_return_children(root: Node) -> list[Node]: +def _remove_root_return_children(root: ComponentNode) -> list[ComponentNode]: """ Removes the root node and returns a list of its direct children. @@ -452,7 +450,7 @@ def _remove_root_return_children(root: Node) -> list[Node]: return children -def _get_branch_signature(node: Node) -> str: +def _get_branch_signature(node: ComponentNode) -> str: """ Create a unique signature for a branch structure starting from the given node. The signature includes the root component to ensure different components 
@@ -471,7 +469,7 @@ def _get_branch_signature(node: Node) -> str: # Use a list to collect branch elements in pre-order traversal elements = [f"ROOT:{root_component}"] - def traverse(current_node: Node, path: str = "") -> None: + def traverse(current_node: ComponentNode, path: str = "") -> None: # Add node name and its level in the path (skip root since it's already included) if current_node != node: node_sig = f"{path}{current_node.name}" @@ -486,7 +484,7 @@ def traverse(current_node: Node, path: str = "") -> None: return "|".join(elements) -def _has_cpe_node(node: Node) -> bool: +def _has_cpe_node(node: ComponentNode) -> bool: """ Check if the node or any of its descendants have a name starting with "cpe:/". @@ -508,7 +506,7 @@ def _has_cpe_node(node: Node) -> bool: return False -def _remove_non_cpe_branches(root: Node) -> Node: +def _remove_non_cpe_branches(root: ComponentNode) -> ComponentNode: # Inspect all the leaves for ones not starting with cpe:/ leaves_to_remove = set() leaves_to_keep = set() 
@@ -533,15 +531,19 @@ def _remove_non_cpe_branches(root: Node) -> Node: return root -def _remove_duplicate_branches(root: Node) -> Node: - """ - Removes duplicate branch structures from an Anytree tree +def _merge_branch_sbom_ids(kept: ComponentNode, removed: ComponentNode) -> None: + """Merge sbom_ids from removed branch into kept branch (same structure).""" + kept.sbom_ids.update(removed.sbom_ids) + kept_children = sorted(kept.children, key=lambda x: x.name) + removed_children = sorted(removed.children, key=lambda x: x.name) + for k, r in zip(kept_children, removed_children): + _merge_branch_sbom_ids(k, r) # type: ignore[arg-type] - Args: - root (Node): The root node of the tree - Returns: - Node: The root node of the modified tree with duplicate branches removed +def _remove_duplicate_branches(root: ComponentNode) -> ComponentNode: + """ + Removes duplicate branch structures from an Anytree tree. + Merges sbom_ids from removed branches into the kept branch. """ # Dictionary to store branches by their signatures @@ -557,9 +559,10 @@ def _remove_duplicate_branches(root: Node) -> Node: # Remove duplicate branches for signature, nodes in branches_by_signature.items(): if len(nodes) > 1: - # Keep the first occurrence of the branch + # Keep the first occurrence; merge sbom_ids from duplicates, then remove + kept = nodes[0] for node in nodes[1:]: - # Remove this duplicate branch + _merge_branch_sbom_ids(kept, node) if node.parent: node.parent = None 
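Review bot: In `_merge_branch_sbom_ids`, `zip(kept_children, removed_children)` stops at the shorter list, so if two branches with the same signature ever differ in child count, the unmatched children's sbom_ids are dropped without any error. `_get_branch_signature` is only partly visible here, so whether equal signatures guarantee equal child counts cannot be confirmed from this hunk. These ids are what a user follows back to the SBOM in TPA, so a loud failure is preferable to a silent loss: `for k, r in zip(kept_children, removed_children, strict=True):` (needs Python 3.10+) or an explicit length check before the loop. Narrowing the children to `ComponentNode` once would also remove the need for `# type: ignore[arg-type]`. The merge call added to `_remove_duplicate_branches` in the next hunk depends on this pairing being exact.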
@@ -570,18 +573,18 @@ def _trees_with_cpes( ancestor_data: dict[str, Any], show_versions: bool, include_rpm_containers: bool = False, -) -> list[Node]: +) -> list[ComponentNode]: """Builds a tree of ancestors with a target component root""" if "items" not in ancestor_data or not ancestor_data["items"]: return [] - base_node = Node("root") + base_node = ComponentNode("root") build_ancestor_tree(base_node, ancestor_data["items"], show_versions) _remove_duplicate_branches(base_node) _remove_duplicate_parent_nodes(base_node) # re-parenting the tree can introduce new duplicate branches _remove_duplicate_branches(base_node) first_children = _remove_root_return_children(base_node) - trees_with_cpes: list[Node] = [] + trees_with_cpes: list[ComponentNode] = [] for tree in first_children: # Remove this once https://issues.redhat.com/browse/TC-2659 is implemented if tree.name.startswith("pkg:rpm/") and not include_rpm_containers: @@ -598,7 +601,7 @@ def _trees_with_cpes( return trees_with_cpes -def container_in_tree(root: Node) -> bool: +def container_in_tree(root: ComponentNode) -> bool: """ Returns true if containers exist in tree descendants """ 
@@ -608,16 +611,20 @@ def container_in_tree(root: Node) -> bool: return False -def _remove_duplicate_parent_nodes(node: Node) -> None: +def _remove_duplicate_parent_nodes(node: ComponentNode) -> None: """ Removes nodes in an anytree tree that have the same name as their direct parent, and reparents their children to the remaining node. - - :param node: The node to process. + Merges sbom_ids from the removed node into the parent. """ - for descandant in node.descendants: - if descandant.name == descandant.parent.name: - new_children = list(descandant.siblings) - new_children.extend(descandant.children) - descandant.parent.children = new_children - descandant.parent = None + for descendant in node.descendants: + if descendant.name == descendant.parent.name: + # Merge sbom_ids before detaching (if both support it) + if hasattr(descendant, "sbom_ids") and hasattr( + descendant.parent, "sbom_ids" + ): + descendant.parent.sbom_ids.update(descendant.sbom_ids) + new_children = list(descendant.siblings) + new_children.extend(descendant.children) + descendant.parent.children = new_children + descendant.parent = None diff --git a/src/trustshell/renderers.py b/src/trustshell/renderers.py index a43a4bf..2358e2d 100644 --- a/src/trustshell/renderers.py +++ b/src/trustshell/renderers.py @@ -40,6 +40,7 @@ def _render_result_tree( ) -> str: """Build and return tree as string from result rows. Root is matched_component.""" root = Node(root_name) + # Group rows by dedup_key and aggregate sbom_ids groups: dict[tuple[str, ...], list[ProductResultRow]] = {} for row in rows: if cpes: diff --git a/tests/test_products.py b/tests/test_products.py index 7dc1f16..ba66111 100644 --- a/tests/test_products.py +++ b/tests/test_products.py @@ -7,6 +7,7 @@ from trustshell import build_node_purl, render_tree from trustshell.products import ( + ComponentNode, _get_branch_signature, _remove_duplicate_parent_nodes, _remove_non_cpe_branches, 
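Review bot: The `hasattr(descendant, "sbom_ids")` guard in `_remove_duplicate_parent_nodes` contradicts the new `node: ComponentNode` annotation and turns a wrong node type into a silently skipped merge. If plain anytree `Node` inputs are still expected (callers and tests are not visible in this hunk), the annotation should say so. Otherwise call `descendant.parent.sbom_ids.update(descendant.sbom_ids)` unconditionally, so a missing attribute fails instead of losing SBOM ids. The docstring dropped its `:param node:` line; it would help to restore it and state that the tree is modified in place.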
@@ -85,6 +86,25 @@ def test_trees_with_cpes_srpm(self): ] _check_node_names_at_depth(result[0], 1, expected_cpes) + def test_trees_with_cpes_sbom_ids(self): + """Verify sbom_ids are collected on nodes from API data.""" + with open("tests/testdata/openssl.json", "r") as file: + data = json.load(file) + result = _trees_with_cpes(data, show_versions=True) + assert len(result) == 1 + tree = result[0] + assert isinstance(tree, ComponentNode) + # openssl.json has sbom_id at component and product levels + for node in list(tree.descendants) + [tree]: + assert hasattr(node, "sbom_ids") + # Collect all sbom_ids from the tree (openssl has component + product levels) + all_sbom_ids = { + sid for node in list(tree.descendants) + [tree] for sid in node.sbom_ids + } + assert len(all_sbom_ids) >= 1 + # RHEL 9.2 EUS product-level sbom_id from ancestor + assert "0195d531-b2ea-7031-af29-72de8330e51f" in all_sbom_ids + def test_trees_with_cpes_binary_rpm(self): with open("tests/testdata/openssl-libs.json", "r") as file: data = json.load(file)
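Review bot: `test_trees_with_cpes_sbom_ids` checks that nodes carry `sbom_ids`, but it does not exercise the merge paths this commit adds (`_merge_branch_sbom_ids` and the merge in `_remove_duplicate_parent_nodes`). The diffstat lists these 20 lines as the only test change. A focused test would build two same-named `ComponentNode` branches with different `sbom_id` values under one root, run `_remove_duplicate_branches`, and assert that the kept branch holds both ids. `assert len(all_sbom_ids) >= 1` is implied by the membership assertion below it and can be dropped. The enclosing test class starts outside the hunk.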