feat: convert spdx absolute to relative

Signed-off-by: Christopher Phillips <[email protected]>

Author: spiffcs

syft/format/common/spdxhelpers/to_format_model.go

@@ -5,6 +5,7 @@ import (
 	"crypto/sha1"
 	"fmt"
 	"path"
+	"path/filepath"
 	"regexp"
 	"slices"
 	"sort"
@@ -627,13 +628,18 @@ func toFiles(s sbom.SBOM) (results []*spdx.File) {
 			comment = fmt.Sprintf("layerID: %s", coordinates.FileSystemID)
 		}
 
+		relativePath, err := convertAbsoluteToRelative(coordinates.RealPath)
+		if err != nil {
+			// TODO:
+		}
+
 		results = append(results, &spdx.File{
 			FileSPDXIdentifier: toSPDXID(coordinates),
 			FileComment:        comment,
 			// required, no attempt made to determine license information
 			LicenseConcluded: noAssertion,
 			Checksums:        toFileChecksums(digests),
-			FileName:         coordinates.RealPath,
+			FileName:         relativePath,
 			FileTypes:        toFileTypes(metadata),
 			LicenseInfoInFiles: []string{ // required in SPDX 2.2
 				helpers.NOASSERTION,
@@ -831,3 +837,21 @@ func trimPatchVersion(semver string) string {
 	}
 	return semver
 }
+
+// spdx requires that the file name field is a relative filename
+// with the root of the package archive or directory
+func convertAbsoluteToRelative(absPath string) (string, error) {
+	// Ensure the absolute path is absolute (although it should already be)
+	absPath, err := filepath.Abs(absPath)
+	if err != nil {
+		return "", fmt.Errorf("error converting absPath to absolute path: %v", err)
+	}
+
+	// Calculate the relative path from the root directory "/"
+	relPath, err := filepath.Rel("/", absPath)
+	if err != nil {
+		return "", fmt.Errorf("error calculating relative path: %v", err)
+	}
+
+	return relPath, nil
+}

syft/format/common/spdxhelpers/to_format_model_test.go

@@ -382,6 +382,51 @@ func Test_toPackageChecksums(t *testing.T) {
 	}
 }
 
+func Test_toFiles(t *testing.T) {
+	tests := []struct {
+		name string
+		in   sbom.SBOM
+		want spdx.File
+	}{
+		{
+			name: "File paths are converted to relative in final SPDX collection",
+			in: sbom.SBOM{
+				Source: source.Description{
+					Name:    "alpine",
+					Version: "sha256:d34db33f",
+					Metadata: source.ImageMetadata{
+						UserInput:      "alpine:latest",
+						ManifestDigest: "sha256:d34db33f",
+					},
+				},
+				Artifacts: sbom.Artifacts{
+					Packages: pkg.NewCollection(pkg.Package{
+						Name:    "pkg-1",
+						Version: "version-1",
+					}),
+					FileMetadata: map[file.Coordinates]file.Metadata{
+						file.Coordinates{
+							RealPath:     "/some/path",
+							FileSystemID: "",
+						}: file.Metadata{
+							Path: "/some/path",
+						},
+					},
+				},
+			},
+			want: spdx.File{
+				FileName: "some/path",
+			},
+		},
+	}
+
+	for _, test := range tests {
+		files := toFiles(test.in)
+		got := files[0]
+		assert.Equal(t, test.want.FileName, got.FileName)
+	}
+}
+
 func Test_toFileTypes(t *testing.T) {
 
 	tests := []struct {