// Package sbom implements standardized SBoM tooling that allows multiple SBoM
// formats to be generated from the same scanning information.
package sbom
import (
"fmt"
"os"
"github.com/anchore/syft/syft"
"github.com/anchore/syft/syft/cpe"
"github.com/anchore/syft/syft/pkg"
"github.com/anchore/syft/syft/pkg/cataloger"
"github.com/anchore/syft/syft/sbom"
"github.com/anchore/syft/syft/source"
"github.com/paketo-buildpacks/packit/v2/postal"
)
// UnknownCPE is a Common Platform Enumeration (CPE) in which every component of
// the name is the NA ("not applicable") logical value. It is deliberately built
// so that it matches no real CPE, which keeps a dependency with no known CPE
// from producing false-positive CPE matches during vulnerability scanning.
const (
	UnknownCPE = "cpe:2.3:-:-:-:-:-:-:-:-:-:-:-"
)
// SBOM holds the internal representation of the generated software
// bill-of-materials. This type can be combined with a FormattedReader to
// output the SBoM in a number of file formats; InFormats builds a Formatter
// for one or more media types from it.
type SBOM struct {
	// syft is the underlying syft representation of the bill of materials:
	// the catalogued packages, any detected Linux distribution, and the
	// metadata of the scanned source.
	syft sbom.SBOM
}
// NewSBOM wraps an already-built syft SBOM in this package's SBOM type so
// that it can be rendered through InFormats.
func NewSBOM(syft sbom.SBOM) SBOM {
	var wrapped SBOM
	wrapped.syft = syft
	return wrapped
}
// Generate scans the given path and returns an SBOM describing what it finds.
// The path may be a directory, which is catalogued as a directory source, or a
// single file, which is catalogued as a file source. Errors from stat-ing the
// path, opening the source, or cataloguing packages are returned unchanged.
func Generate(path string) (SBOM, error) {
	fileInfo, statErr := os.Stat(path)
	if statErr != nil {
		return SBOM{}, statErr
	}

	var (
		src     source.Source
		cleanup func()
	)
	switch {
	case fileInfo.IsDir():
		dirSrc, err := source.NewFromDirectory(path)
		if err != nil {
			return SBOM{}, err
		}
		src = dirSrc
	default:
		// File sources come with a cleanup function that must run once
		// cataloguing has finished.
		src, cleanup = source.NewFromFile(path)
		defer cleanup()
	}

	// NOTE(review): the search scope is left at source.UnknownScope; confirm
	// that an explicit scope is not required for the sources used here.
	searchCfg := cataloger.SearchConfig{Scope: source.UnknownScope}
	packages, _, distro, err := syft.CatalogPackages(&src, cataloger.Config{Search: searchCfg})
	if err != nil {
		return SBOM{}, err
	}

	artifacts := sbom.Artifacts{
		Packages:          packages,
		LinuxDistribution: distro,
	}
	return SBOM{
		syft: sbom.SBOM{
			Artifacts: artifacts,
			Source:    src.Metadata,
		},
	}, nil
}
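// GenerateFromDependency returns a populated SBOM given a postal.Dependency
// and the directory path where the dependency will be located within the
// application image.
//
// A dependency that declares no CPE is assigned UnknownCPE so that its SBOM
// entry cannot produce false-positive CPE matches. When only the deprecated
// singular CPE field is set, it is promoted into the CPEs list. A CPE string
// that fails to parse yields an error that names the offending string and the
// dependency, so the caller can tell which value was rejected.
//nolint Ignore SA1019, informed usage of deprecated package
func GenerateFromDependency(dependency postal.Dependency, path string) (SBOM, error) {
	//nolint Ignore SA1019, informed usage of deprecated package
	if dependency.CPE == "" {
		dependency.CPE = UnknownCPE
	}
	if len(dependency.CPEs) == 0 {
		//nolint Ignore SA1019, informed usage of deprecated package
		dependency.CPEs = []string{dependency.CPE}
	}

	// CPEs is guaranteed non-empty at this point, so pre-sizing never changes
	// the slice from nil to empty. The parsed value is deliberately not named
	// "cpe", which would shadow the imported cpe package inside the loop.
	cpes := make([]cpe.CPE, 0, len(dependency.CPEs))
	for _, cpeString := range dependency.CPEs {
		parsed, err := cpe.New(cpeString)
		if err != nil {
			return SBOM{}, fmt.Errorf("parsing CPE %q for dependency %q: %w", cpeString, dependency.Name, err)
		}
		cpes = append(cpes, parsed)
	}

	catalog := pkg.NewCatalog(pkg.Package{
		Name:     dependency.Name,
		Version:  dependency.Version,
		Licenses: dependency.Licenses,
		CPEs:     cpes,
		PURL:     dependency.PURL,
	})

	return SBOM{
		syft: sbom.SBOM{
			Artifacts: sbom.Artifacts{
				Packages: catalog,
			},
			// The dependency is recorded as a directory source rooted at the
			// path it will occupy in the image.
			Source: source.Metadata{
				Scheme: source.DirectoryScheme,
				Path:   path,
			},
		},
	}, nil
}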
// InFormats returns a Formatter that can write the SBOM in each of the given
// media types. It fails if a media type cannot be resolved to a syft format or
// if the resolved format reports no file extension.
func (s SBOM) InFormats(mediaTypes ...string) (Formatter, error) {
	var ids []sbom.FormatID
	for _, mediaType := range mediaTypes {
		f, err := sbomFormatByMediaType(mediaType)
		if err != nil {
			return Formatter{}, err
		}
		// A format without an extension cannot be written to a sensibly named
		// file, so it is rejected up front rather than at write time.
		if f.Extension() == "" {
			return Formatter{}, fmt.Errorf("unable to determine file extension for SBOM format '%s'", f.ID())
		}
		ids = append(ids, f.ID())
	}
	return Formatter{sbom: s, formatIDs: ids}, nil
}