RubyGems - bundler-sbom - Versions diffs - 0.1.3 → 0.1.5 - Mend

bundler-sbom 0.1.3 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/Gemfile +11 -0
data/Rakefile +6 -0
data/lib/bundler/sbom/cli.rb +31 -0
data/lib/bundler/sbom/generator.rb +118 -0
data/lib/bundler/sbom/version.rb +5 -0
data/lib/bundler/sbom.rb +3 -126
data/plugins.rb +11 -8
metadata +25 -8
data/lib/bundler/cli/sbom.rb +0 -29

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 11988f0f90e45b23bb081c4c27781e5242f387d39e658dbde782497aa5699d4b
-  data.tar.gz: f588574646c487ff5099d155f2184ebad49f05a4821706d233f33b0c7a0ff0e6
+  metadata.gz: bb32eb6e21ec3b09fe1d3d199b978c44313f119ee57bb9d3899b20ae443020c0
+  data.tar.gz: 36b4b1b637fbafa93ac463418e5e26330146cff96b7c2e76733bc7c5b4a2cfc9
 SHA512:
-  metadata.gz: 68ea6d07b959c6f441329583ddb62953cc348dacb17bf3f9da85414f69aa53fcc7cc4f2f736bc149cd7da434790baa722d19058f3f822b920370107128ea9fa4
-  data.tar.gz: e92b354809e79a8d3e91b6fe170b2ceaa9caa2d7393a70c7b537c951f983d6ac5f91d5fcc5f56ede207884559616d1e42451cb3dc2d5b9f99fc829bc769dbedf
+  metadata.gz: 39825222126b541eaf3df0b04c5b9784ce7cdc68d6fd837f642cad6e6ce5e6196a709a31154565f97efaea0ab8f1f483417daada360e331990a675880f3f75e6
+  data.tar.gz: f95ddbec1b92a9eeffd0732f31d30005e3fb36d85f3c381454977a7130e24630e32fe4d6fbfbf005f3cefaaa35d5bc264c92aa29403d64aff33050797727505b

data/Gemfile ADDED Viewed

@@ -0,0 +1,11 @@
+source "https://rubygems.org"
+gemspec
+group :development do
+  gem "rake"
+  gem "rspec"
+  gem "simplecov", require: false
+  gem "rspec-its"
+  gem "rspec-mocks"
+end

data/Rakefile ADDED Viewed

@@ -0,0 +1,6 @@
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+RSpec::Core::RakeTask.new(:spec)
+task :default => :spec

data/lib/bundler/sbom/cli.rb ADDED Viewed

@@ -0,0 +1,31 @@
+require "json"
+require "bundler/sbom/generator"
+module Bundler
+  module Sbom
+    class CLI < Thor
+      desc "dump", "Generate SBOM and save to bom.json"
+      def dump
+        sbom = Bundler::Sbom::Generator.generate_sbom
+        File.write("bom.json", JSON.pretty_generate(sbom))
+        Bundler.ui.info("Generated SBOM at bom.json")
+      end
+      desc "license", "Display license report from existing bom.json"
+      def license
+        unless File.exist?("bom.json")
+          Bundler.ui.error("Error: bom.json not found. Run 'bundle sbom dump' first.")
+          exit 1
+        end
+        begin
+          sbom = JSON.parse(File.read("bom.json"))
+          Bundler::Sbom::Generator.display_license_report(sbom)
+        rescue JSON::ParserError
+          Bundler.ui.error("Error: bom.json is not a valid JSON file")
+          exit 1
+        end
+      end
+    end
+  end
+end

data/lib/bundler/sbom/generator.rb ADDED Viewed

@@ -0,0 +1,118 @@
+require "bundler"
+require "securerandom"
+module Bundler
+  module Sbom
+    class Generator
+      def self.generate_sbom
+        lockfile_path = Bundler.default_lockfile
+        unless lockfile_path.exist?
+          abort "No Gemfile.lock found. Run `bundle install` first."
+        end
+        lockfile = Bundler::LockfileParser.new(lockfile_path.read)
+        document_name = File.basename(Dir.pwd)
+        spdx_id = SecureRandom.uuid
+        sbom = {
+          "SPDXID" => "SPDXRef-DOCUMENT",
+          "spdxVersion" => "SPDX-2.2",
+          "creationInfo" => {
+            "created" => Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
+            "creators" => ["Tool: bundle-sbom"],
+            "licenseListVersion" => "3.17"
+          },
+          "name" => document_name,
+          "dataLicense" => "CC0-1.0",
+          "documentNamespace" => "https://spdx.org/spdxdocs/#{document_name}-#{spdx_id}",
+          "packages" => []
+        }
+        lockfile.specs.each do |spec|
+          begin
+            gemspec = Gem::Specification.find_by_name(spec.name, spec.version)
+            licenses = []
+            if gemspec
+              if gemspec.license && !gemspec.license.empty?
+                licenses << gemspec.license
+              end
+              if gemspec.licenses && !gemspec.licenses.empty?
+                licenses.concat(gemspec.licenses)
+              end
+              licenses.uniq!
+            end
+            license_string = licenses.empty? ? "NOASSERTION" : licenses.join(", ")
+          rescue Gem::LoadError
+            license_string = "NOASSERTION"
+          end
+          package = {
+            "SPDXID" => "SPDXRef-Package-#{spec.name}",
+            "name" => spec.name,
+            "versionInfo" => spec.version.to_s,
+            "downloadLocation" => "NOASSERTION",
+            "filesAnalyzed" => false,
+            "licenseConcluded" => license_string,
+            "licenseDeclared" => license_string,
+            "supplier" => "NOASSERTION",
+            "externalRefs" => [
+              {
+                "referenceCategory" => "PACKAGE_MANAGER",
+                "referenceType" => "purl",
+                "referenceLocator" => "pkg:gem/#{spec.name}@#{spec.version}"
+              }
+            ]
+          }
+          sbom["packages"] << package
+        end
+        sbom
+      end
+      def self.display_license_report(sbom)
+        license_count = analyze_licenses(sbom)
+        sorted_licenses = license_count.sort_by { |_, count| -count }
+        puts "=== License Usage in SBOM ==="
+        puts "Total packages: #{sbom["packages"].size}"
+        puts
+        sorted_licenses.each do |license, count|
+          puts "#{license}: #{count} package(s)"
+        end
+        puts "\n=== Packages by License ==="
+        sorted_licenses.each do |license, _|
+          packages = sbom["packages"].select do |package|
+            if package["licenseDeclared"].include?(",")
+              package["licenseDeclared"].split(",").map(&:strip).include?(license)
+            else
+              package["licenseDeclared"] == license
+            end
+          end
+          puts "\n#{license} (#{packages.size} package(s)):"
+          packages.each do |package|
+            puts "  - #{package["name"]} (#{package["versionInfo"]})"
+          end
+        end
+      end
+      private
+      def self.analyze_licenses(sbom)
+        license_count = Hash.new(0)
+        sbom["packages"].each do |package|
+          licenses = package["licenseDeclared"].split(",").map(&:strip)
+          licenses.each do |license|
+            license_count[license] += 1
+          end
+        end
+        license_count
+      end
+    end
+  end
+end

data/lib/bundler/sbom/version.rb ADDED Viewed

@@ -0,0 +1,5 @@
+module Bundler
+  module Sbom
+    VERSION = "0.1.5"
+  end
+end

data/lib/bundler/sbom.rb CHANGED Viewed

@@ -1,126 +1,3 @@
-require "bundler"
-require "json"
-require "securerandom"
-require "rubygems"
-module Bundler
-  module Sbom
-    class Generator
-      def self.generate_sbom
-        lockfile_path = Bundler.default_lockfile
-        unless lockfile_path.exist?
-          abort "No Gemfile.lock found. Run `bundle install` first."
-        end
-        lockfile = Bundler::LockfileParser.new(lockfile_path.read)
-        document_name = File.basename(Dir.pwd)
-        spdx_id = SecureRandom.uuid
-        sbom = {
-          "SPDXID" => "SPDXRef-DOCUMENT",
-          "spdxVersion" => "SPDX-2.2",
-          "creationInfo" => {
-            "created" => Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
-            "creators" => ["Tool: bundle-sbom"],
-            "licenseListVersion" => "3.17"
-          },
-          "name" => document_name,
-          "dataLicense" => "CC0-1.0",
-          "documentNamespace" => "https://spdx.org/spdxdocs/#{document_name}-#{spdx_id}",
-          "packages" => []
-        }
-        lockfile.specs.each do |spec|
-          begin
-            gemspec = Gem::Specification.find_by_name(spec.name, spec.version)
-            licenses = []
-            if gemspec
-              if gemspec.license && !gemspec.license.empty?
-                licenses << gemspec.license
-              end
-              if gemspec.licenses && !gemspec.licenses.empty?
-                licenses.concat(gemspec.licenses)
-              end
-              licenses.uniq!
-            end
-            license_string = licenses.empty? ? "NOASSERTION" : licenses.join(", ")
-          rescue Gem::LoadError
-            license_string = "NOASSERTION"
-          end
-          package = {
-            "SPDXID" => "SPDXRef-Package-#{spec.name}",
-            "name" => spec.name,
-            "versionInfo" => spec.version.to_s,
-            "downloadLocation" => "NOASSERTION",
-            "filesAnalyzed" => false,
-            "licenseConcluded" => license_string,
-            "licenseDeclared" => license_string,
-            "supplier" => "NOASSERTION",
-            "externalRefs" => [
-              {
-                "referenceCategory" => "PACKAGE_MANAGER",
-                "referenceType" => "purl",
-                "referenceLocator" => "pkg:gem/#{spec.name}@#{spec.version}"
-              }
-            ]
-          }
-          sbom["packages"] << package
-        end
-        sbom
-      end
-      def self.analyze_licenses(sbom)
-        license_count = Hash.new(0)
-        sbom["packages"].each do |package|
-          license = package["licenseDeclared"]
-          if license.include?(",")
-            licenses = license.split(",").map(&:strip)
-            licenses.each do |lic|
-              license_count[lic] += 1
-            end
-          else
-            license_count[license] += 1
-          end
-        end
-        license_count
-      end
-      def self.display_license_report(sbom)
-        license_count = analyze_licenses(sbom)
-        sorted_licenses = license_count.sort_by { |_, count| -count }
-        puts "=== License Usage in SBOM ==="
-        puts "Total packages: #{sbom["packages"].size}"
-        puts
-        sorted_licenses.each do |license, count|
-          puts "#{license}: #{count} package(s)"
-        end
-        puts "\n=== Packages by License ==="
-        sorted_licenses.each do |license, _|
-          packages = sbom["packages"].select do |package|
-            if package["licenseDeclared"].include?(",")
-              package["licenseDeclared"].split(",").map(&:strip).include?(license)
-            else
-              package["licenseDeclared"] == license
-            end
-          end
-          puts "\n#{license} (#{packages.size} package(s)):"
-          packages.each do |package|
-            puts "  - #{package["name"]} (#{package["versionInfo"]})"
-          end
-        end
-      end
-    end
-  end
-end
+require "bundler/sbom/version"
+require "bundler/sbom/generator"
+require "bundler/sbom/cli"

data/plugins.rb CHANGED Viewed

@@ -1,11 +1,14 @@
-require "bundler/cli/sbom"
+require "bundler"
+require "bundler/sbom"
-Bundler::Plugin::API.command "sbom" do |command|
-  command.command "dump" do
-    Bundler::CLI::Sbom.new.dump
-  end
+module Bundler
+  module Sbom
+    class Plugin < ::Bundler::Plugin::API
+      command "sbom"
-  command.command "license" do
-    Bundler::CLI::Sbom.new.license
+      def exec(command_name, args)
+        ::Bundler::Sbom::CLI.start(args)
+      end
+    end
   end
-end
+end

metadata CHANGED Viewed

@@ -1,28 +1,45 @@
 --- !ruby/object:Gem::Specification
 name: bundler-sbom
 version: !ruby/object:Gem::Version
-  version: 0.1.3
+  version: 0.1.5
 platform: ruby
 authors:
 - SHIBATA Hiroshi
 bindir: exe
 cert_chain: []
 date: 2025-03-05 00:00:00.000000000 Z
-dependencies: []
-description: Generate SPDX format SBOM from Gemfile.lock and analyze license information
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '2.0'
+description: Generate CycloneDX SBOM(Software Bill of Materials) files with Bundler
 email:
 - hsbt@ruby-lang.org
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- Gemfile
 - README.md
-- lib/bundler/cli/sbom.rb
+- Rakefile
 - lib/bundler/sbom.rb
+- lib/bundler/sbom/cli.rb
+- lib/bundler/sbom/generator.rb
+- lib/bundler/sbom/version.rb
 - plugins.rb
 homepage: https://github.com/hsbt/bundler-sbom
-licenses:
-- MIT
+licenses: []
 metadata:
   homepage_uri: https://github.com/hsbt/bundler-sbom
   source_code_uri: https://github.com/hsbt/bundler-sbom
@@ -35,7 +52,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.6.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
@@ -44,5 +61,5 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 rubygems_version: 3.6.2
 specification_version: 4
-summary: Bundler plugin to generate and analyze SBOM
+summary: Generate CycloneDX SBOM(Software Bill of Materials) files with Bundler
 test_files: []

data/lib/bundler/cli/sbom.rb DELETED Viewed

@@ -1,29 +0,0 @@
-require "bundler/cli"
-require "bundler/sbom"
-module Bundler
-  class CLI::Sbom
-    def initialize(options = {})
-      @options = options
-    end
-    def dump
-      sbom = Bundler::Sbom::Generator.generate_sbom
-      File.write("bom.json", JSON.pretty_generate(sbom))
-      Bundler.ui.info "Generated SBOM at bom.json"
-    end
-    def license
-      begin
-        sbom = JSON.parse(File.read("bom.json"))
-        Bundler::Sbom::Generator.display_license_report(sbom)
-      rescue Errno::ENOENT
-        Bundler.ui.error "Error: bom.json not found. Run 'bundle sbom dump' first."
-        exit 1
-      rescue JSON::ParserError
-        Bundler.ui.error "Error: bom.json is not a valid JSON file"
-        exit 1
-      end
-    end
-  end
-end