bundler-sbom 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 675a0be818dcf56528e18dcbb7a40bc77a88d31f2f168f5b9c27eb0c21bcdaf6
+  data.tar.gz: c0073141244450742d51354d94ad91359d531ebe66cd7c653c2c5ed47667d5a8
+SHA512:
+  metadata.gz: 4d018b46d78d11b87723578ba1a489ad4ff940ef3296bc6f65706b5906269ebb785b64152699b408eb183705625ed7d95d251adfa340cfe82d78727b3f0ad106
+  data.tar.gz: 6a51a7389dd1d22607a6175c8046a3a375a1f7d12f484312f1ce807f63daa497173b897a4bbcf5fd4eb01aa7031798feddc83e9beeb49436dc090b6d9625870d

data/README.md

@@ -0,0 +1,37 @@
+# Bundler SBOM Plugin
+
+Generate and analyze Software Bill of Materials (SBOM) for your Ruby projects using Bundler.
+
+## Installation
+
+Install this plugin by running:
+
+```
+$ bundler plugin install bundler-sbom
+```
+
+## Usage
+
+### Generate SBOM
+
+To generate an SBOM file in SPDX format from your project's Gemfile.lock:
+
+```
+$ bundle sbom dump
+```
+
+This will create a `bom.json` file in your project directory.
+
+### Analyze License Information
+
+To view a summary of licenses used in your project's dependencies:
+
+```
+$ bundle sbom license
+```
+
+This command will show:
+- A count of packages using each license
+- A detailed list of packages grouped by license
+
+Note: The `license` command requires that you've already generated the SBOM using `bundle sbom dump`.

data/lib/bundler/cli/sbom.rb

@@ -0,0 +1,29 @@
+require "bundler/cli"
+require "bundler/sbom"
+
+module Bundler
+  class CLI::Sbom
+    def initialize(options = {})
+      @options = options
+    end
+
+    def dump
+      sbom = Bundler::Sbom::Generator.generate_sbom
+      File.write("bom.json", JSON.pretty_generate(sbom))
+      Bundler.ui.info "Generated SBOM at bom.json"
+    end
+
+    def license
+      begin
+        sbom = JSON.parse(File.read("bom.json"))
+        Bundler::Sbom::Generator.display_license_report(sbom)
+      rescue Errno::ENOENT
+        Bundler.ui.error "Error: bom.json not found. Run 'bundle sbom dump' first."
+        exit 1
+      rescue JSON::ParserError
+        Bundler.ui.error "Error: bom.json is not a valid JSON file"
+        exit 1
+      end
+    end
+  end
+end

data/lib/bundler/sbom.rb

@@ -0,0 +1,126 @@
+require "bundler"
+require "json"
+require "securerandom"
+require "rubygems"
+
+module Bundler
+  module Sbom
+    class Generator
+      def self.generate_sbom
+        lockfile_path = Bundler.default_lockfile
+        unless lockfile_path.exist?
+          abort "No Gemfile.lock found. Run `bundle install` first."
+        end
+
+        lockfile = Bundler::LockfileParser.new(lockfile_path.read)
+        document_name = File.basename(Dir.pwd)
+        spdx_id = SecureRandom.uuid
+
+        sbom = {
+          "SPDXID" => "SPDXRef-DOCUMENT",
+          "spdxVersion" => "SPDX-2.2",
+          "creationInfo" => {
+            "created" => Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
+            "creators" => ["Tool: bundle-sbom"],
+            "licenseListVersion" => "3.17"
+          },
+          "name" => document_name,
+          "dataLicense" => "CC0-1.0",
+          "documentNamespace" => "https://spdx.org/spdxdocs/#{document_name}-#{spdx_id}",
+          "packages" => []
+        }
+
+        lockfile.specs.each do |spec|
+          begin
+            gemspec = Gem::Specification.find_by_name(spec.name, spec.version)
+            licenses = []
+            if gemspec
+              if gemspec.license && !gemspec.license.empty?
+                licenses << gemspec.license
+              end
+
+              if gemspec.licenses && !gemspec.licenses.empty?
+                licenses.concat(gemspec.licenses)
+              end
+
+              licenses.uniq!
+            end
+
+            license_string = licenses.empty? ? "NOASSERTION" : licenses.join(", ")
+          rescue Gem::LoadError
+            license_string = "NOASSERTION"
+          end
+
+          package = {
+            "SPDXID" => "SPDXRef-Package-#{spec.name}",
+            "name" => spec.name,
+            "versionInfo" => spec.version.to_s,
+            "downloadLocation" => "NOASSERTION",
+            "filesAnalyzed" => false,
+            "licenseConcluded" => license_string,
+            "licenseDeclared" => license_string,
+            "supplier" => "NOASSERTION",
+            "externalRefs" => [
+              {
+                "referenceCategory" => "PACKAGE_MANAGER",
+                "referenceType" => "purl",
+                "referenceLocator" => "pkg:gem/#{spec.name}@#{spec.version}"
+              }
+            ]
+          }
+          sbom["packages"] << package
+        end
+
+        sbom
+      end
+
+      def self.analyze_licenses(sbom)
+        license_count = Hash.new(0)
+
+        sbom["packages"].each do |package|
+          license = package["licenseDeclared"]
+
+          if license.include?(",")
+            licenses = license.split(",").map(&:strip)
+            licenses.each do |lic|
+              license_count[lic] += 1
+            end
+          else
+            license_count[license] += 1
+          end
+        end
+
+        license_count
+      end
+
+      def self.display_license_report(sbom)
+        license_count = analyze_licenses(sbom)
+        sorted_licenses = license_count.sort_by { |_, count| -count }
+
+        puts "=== License Usage in SBOM ==="
+        puts "Total packages: #{sbom["packages"].size}"
+        puts
+
+        sorted_licenses.each do |license, count|
+          puts "#{license}: #{count} package(s)"
+        end
+
+        puts "\n=== Packages by License ==="
+        sorted_licenses.each do |license, _|
+          packages = sbom["packages"].select do |package|
+            if package["licenseDeclared"].include?(",")
+              package["licenseDeclared"].split(",").map(&:strip).include?(license)
+            else
+              package["licenseDeclared"] == license
+            end
+          end
+
+          puts "\n#{license} (#{packages.size} package(s)):"
+          packages.each do |package|
+            puts "  - #{package["name"]} (#{package["versionInfo"]})"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler-sbom.rb

@@ -0,0 +1,3 @@
+require "bundler/cli/sbom"
+
+Bundler::Plugin.add_command("sbom", Bundler::CLI::Sbom)

metadata

@@ -0,0 +1,72 @@
+--- !ruby/object:Gem::Specification
+name: bundler-sbom
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- SHIBATA Hiroshi
+bindir: exe
+cert_chain: []
+date: 2025-03-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Generate SPDX format SBOM from Gemfile.lock and analyze license information
+email:
+- hsbt@ruby-lang.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- README.md
+- lib/bundler-sbom.rb
+- lib/bundler/cli/sbom.rb
+- lib/bundler/sbom.rb
+homepage: https://github.com/hsbt/hsbt
+licenses:
+- MIT
+metadata: {}
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.7.0.dev
+specification_version: 4
+summary: Bundler plugin to generate and analyze SBOM
+test_files: []