From 419430dd1b30d0e10d7990e1bb4bccc27121e0d8 Mon Sep 17 00:00:00 2001
From: Wai Cheang
Date: Fri, 8 Nov 2024 03:51:11 -0500
Subject: [PATCH] fix(ISV-5128): also update sbom metadata component purl

Previously the update-component-sbom script is only updating the component purl in the list of components. But in CycloneDX, there is also a component purl in the metadata.

Signed-off-by: Wai Cheang
---
 sbom/test_update_component_sbom.py | 16 ++++++++++++++--
 sbom/update_component_sbom.py | 6 ++++++
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/sbom/test_update_component_sbom.py b/sbom/test_update_component_sbom.py
index e7ac5f4..cabdca9 100644
--- a/sbom/test_update_component_sbom.py
+++ b/sbom/test_update_component_sbom.py
@@ -27,10 +27,16 @@ def test_get_component_to_purls_map(self) -> None:
 def test_update_cyclonedx_sbom(self) -> None:
 sbom = {
+ "metadata": {
+ "component": {
+ "name": "comp1",
+ "purl": "purl1",
+ }
+ },
 "components": [
 {"name": "comp1", "purl": "purl1"},
 {"name": "comp2", "purl": "purl2"},
- ]
+ ],
 }
 mapping = {
 "comp1": ["updated_purl1"],
@@ -38,10 +44,16 @@ def test_update_cyclonedx_sbom(self) -> None:
 }
 update_cyclonedx_sbom(sbom, mapping)
 assert sbom == {
+ "metadata": {
+ "component": {
+ "name": "comp1",
+ "purl": "updated_purl1",
+ }
+ },
 "components": [
 {"name": "comp1", "purl": "updated_purl1"},
 {"name": "comp2", "purl": "updated_purl2"},
- ]
+ ],
 }
 def test_update_spdx_sbom(self) -> None:
diff --git a/sbom/update_component_sbom.py b/sbom/update_component_sbom.py
index 230062e..399df34 100755
--- a/sbom/update_component_sbom.py
+++ b/sbom/update_component_sbom.py
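Review bot: The new fixture in test_update_cyclonedx_sbom only exercises the case where `metadata.component.name` is present and is a key of the mapping, so neither the branch where the metadata component name is absent from the mapping (purl must stay untouched) nor an SBOM with no `metadata` key at all, which the new lookup in update_component_sbom.py reads unconditionally, gets covered. A second case along the lines of `sbom = {"components": [{"name": "comp1", "purl": "purl1"}]}` passed through `update_cyclonedx_sbom(sbom, mapping)` would pin whatever behaviour is intended for that input before it reaches a release pipeline. The mapping line between the two hunks and the enclosing test class are outside the shown hunks.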
@@ -42,6 +42,12 @@ def update_cyclonedx_sbom(sbom: Dict, component_to_purls_map: Dict[str, List[str
 component_to_purls_map: dictionary mapping of component names to list of purls.
 """
 LOG.info("Updating CycloneDX sbom")
+
+ component_name = sbom["metadata"]["component"]["name"]
+ if component_name in component_to_purls_map:
+ # only one purl is supported for CycloneDX
+ sbom["metadata"]["component"]["purl"] = component_to_purls_map[component_name][0]
+
 for component in sbom["components"]:
 if component["name"] in component_to_purls_map:
 # only one purl is supported for CycloneDX
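Review bot: `sbom["metadata"]["component"]["name"]` on the first added line raises KeyError for a CycloneDX document that has no `metadata` or no `metadata.component`, and as far as I recall both are optional in the CycloneDX schema, so the script now aborts on inputs that the existing loop over `components` handled before this patch. A tolerant lookup keeps the fix without the new failure mode: `metadata_component = sbom.get("metadata", {}).get("component", {})`, `if metadata_component.get("name") in component_to_purls_map:`, `metadata_component["purl"] = component_to_purls_map[metadata_component["name"]][0]`. If the intent is instead to fail closed on an SBOM lacking a top-level component, the absence should be reported through LOG before raising so the rejected document is attributable in the build logs rather than surfacing as a bare KeyError. The body of update_cyclonedx_sbom continues past the end of the hunk.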