RubyGems - bundler-sbom - Versions diffs - 0.1.7 → 0.2.0 - Mend

bundler-sbom 0.1.7 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

checksums.yaml +4 -4
data/Gemfile +1 -1
data/README.md +43 -5
data/Rakefile +1 -1
data/lib/bundler/sbom/cli.rb +17 -17
data/lib/bundler/sbom/cyclonedx.rb +40 -37
data/lib/bundler/sbom/generator.rb +2 -2
data/lib/bundler/sbom/reporter.rb +3 -3
data/lib/bundler/sbom/spdx.rb +29 -22
data/lib/bundler/sbom/version.rb +1 -1
metadata +3 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d5d7fea7d39796fd36fec03e1e5b13695fdccb0cfc6926cfb5a8631d86f94f09
-  data.tar.gz: fe3abc900c32f11af2b0c1f432c9b376042b48a9d8e69c293ccc76b7383a97b0
+  metadata.gz: f578e54cb4d73e62b18d305684a0ff770edb7cde70b31fdd8cb9eaa7b53e0885
+  data.tar.gz: 9e853789b6b01962185dde4a528f84c1e1f16f4432d4a9c5f57b16d5680e0489
 SHA512:
-  metadata.gz: 8b79df0b6ab84ce586694fffcf9b9a25e4de2586f85b0430be60f93404df699675e5890936a4ea963f528ed7526b6ffb9e9afe591ee8c8b327952981457654a0
-  data.tar.gz: dec35c52cf5cd36d1b0692a3eb6bb73431f2e07836226af366fd7a8d0c58c964c9577545bf10c01e5178333acbf75a299a63f205bbc3496c557835af5473496b
+  metadata.gz: 4bd4342d874517d03999ba5166fac776610ae3832d79eb620732de9cb7fa6e82614b61ba52a1dc89c79580d1985dad790c6f2ca4c641fd10afbc65ed32fe1b85
+  data.tar.gz: 9f30c4813af67c7882dcec7d132e8c324bc243d6f8fb19cef7a8571a9678fbbf0b92d15fd1a598f0afe6f73497faeea428bbbcd3d03838f3347380f4e44f722c

data/Gemfile CHANGED Viewed

@@ -9,4 +9,4 @@ group :development do
   gem "simplecov", require: false
   gem "rspec-its"
   gem "rspec-mocks"
-end
+end

data/README.md CHANGED Viewed

@@ -14,24 +14,62 @@ $ bundler plugin install bundler-sbom
 ### Generate SBOM
-To generate an SBOM file in SPDX format from your project's Gemfile.lock:
+To generate an SBOM file from your project's Gemfile.lock:
 ```
-$ bundle sbom dump
+$ bundle sbom dump [options]
 ```
-This will create a `bom.json` file in your project directory.
+Available options:
+- `-f, --format FORMAT`: Output format (json or xml, default: json)
+- `-s, --sbom FORMAT`: SBOM specification format (spdx or cyclonedx, default: spdx)
+Generated files will be named according to the following pattern:
+- SPDX format: `bom.json` or `bom.xml`
+- CycloneDX format: `bom-cyclonedx.json` or `bom-cyclonedx.xml`
+Examples:
+```
+$ bundle sbom dump                           # Generates SPDX format in JSON (bom.json)
+$ bundle sbom dump -f xml                    # Generates SPDX format in XML (bom.xml)
+$ bundle sbom dump -s cyclonedx             # Generates CycloneDX format in JSON (bom-cyclonedx.json)
+$ bundle sbom dump -s cyclonedx -f xml      # Generates CycloneDX format in XML (bom-cyclonedx.xml)
+```
 ### Analyze License Information
 To view a summary of licenses used in your project's dependencies:
 ```
-$ bundle sbom license
+$ bundle sbom license [options]
 ```
+Available options:
+- `-f, --file PATH`: Input SBOM file path
+- `-F, --format FORMAT`: Input format (json or xml)
+If no options are specified, the command will automatically look for SBOM files in the following order:
+1. `bom.xml` (if format is xml)
+2. `bom-cyclonedx.json`
+3. `bom-cyclonedx.xml`
+4. `bom.json`
 This command will show:
 - A count of packages using each license
 - A detailed list of packages grouped by license
-Note: The `license` command requires that you've already generated the SBOM using `bundle sbom dump`.
+Note: The `license` command requires that you've already generated the SBOM using `bundle sbom dump`.
+## Supported SBOM Formats
+### SPDX
+[SPDX (Software Package Data Exchange)](https://spdx.dev/) is a standard format for communicating software bill of material information, including components, licenses, copyrights, and security references.
+### CycloneDX
+[CycloneDX](https://cyclonedx.org/) is a lightweight SBOM specification designed for use in application security contexts and supply chain component analysis.
+## References
+- [SPDX Specification](https://spdx.github.io/spdx-spec/)
+- [CycloneDX Specification](https://cyclonedx.org/specification/overview/)
+- [About Software Bill of Materials (SBOM)](https://www.cisa.gov/sbom)

data/Rakefile CHANGED Viewed

@@ -3,4 +3,4 @@ require "rspec/core/rake_task"
 RSpec::Core::RakeTask.new(:spec)
-task :default => :spec
+task default: :spec

data/lib/bundler/sbom/cli.rb CHANGED Viewed

@@ -26,24 +26,24 @@ module Bundler
         # Generate SBOM based on specified format
         sbom = Bundler::Sbom::Generator.generate_sbom(sbom_format)
         # Determine file extension based on output format
-        ext = format == "json" ? "json" : "xml"
+        ext = (format == "json") ? "json" : "xml"
         # Determine filename prefix based on SBOM format
-        prefix = sbom_format == "spdx" ? "bom" : "bom-cyclonedx"
+        prefix = (sbom_format == "spdx") ? "bom" : "bom-cyclonedx"
         output_file = "#{prefix}.#{ext}"
         if format == "json"
           File.write(output_file, JSON.pretty_generate(sbom))
         else # xml
           xml_content = Bundler::Sbom::Generator.convert_to_xml(sbom)
           File.write(output_file, xml_content)
         end
         Bundler.ui.info("Generated #{sbom_format.upcase} SBOM at #{output_file}")
       end
       desc "license", "Display license report from SBOM file"
       method_option :file, type: :string, desc: "Input SBOM file path", aliases: "-f"
       method_option :format, type: :string, desc: "Input format: json or xml", aliases: "-F"
@@ -59,19 +59,19 @@ module Bundler
         # Determine input file based on format or find default files
         if input_file.nil?
-          if format == "xml" || (format.nil? && File.exist?("bom.xml"))
-            input_file = "bom.xml"
+          input_file = if format == "xml" || (format.nil? && File.exist?("bom.xml"))
+            "bom.xml"
           elsif File.exist?("bom-cyclonedx.json")
-            input_file = "bom-cyclonedx.json"
+            "bom-cyclonedx.json"
           elsif File.exist?("bom-cyclonedx.xml")
-            input_file = "bom-cyclonedx.xml"
+            "bom-cyclonedx.xml"
           else
-            input_file = "bom.json"
+            "bom.json"
           end
         end
         unless File.exist?(input_file)
-          file_type = File.extname(input_file) == ".xml" ? "xml" : "json"
+          file_type = (File.extname(input_file) == ".xml") ? "xml" : "json"
           sbom_type = input_file.include?("cyclonedx") ? "cyclonedx" : "spdx"
           Bundler.ui.error("Error: #{input_file} not found. Run 'bundle sbom dump --format=#{file_type} --sbom=#{sbom_type}' first.")
           exit 1
@@ -79,18 +79,18 @@ module Bundler
         begin
           content = File.read(input_file)
           sbom = if format == "xml" || (!format && File.extname(input_file) == ".xml")
             Bundler::Sbom::Generator.parse_xml(content)
           else
             JSON.parse(content)
           end
           Bundler::Sbom::Reporter.display_license_report(sbom)
         rescue JSON::ParserError
           Bundler.ui.error("Error: #{input_file} is not a valid JSON file")
           exit 1
-        rescue StandardError => e
+        rescue => e
           Bundler.ui.error("Error processing #{input_file}: #{e.message}")
           exit 1
         end
@@ -102,4 +102,4 @@ module Bundler
       end
     end
   end
-end
+end

data/lib/bundler/sbom/cyclonedx.rb CHANGED Viewed

@@ -31,7 +31,12 @@ module Bundler
           "components" => []
         }
+        # Deduplicate specs by name and version
+        seen_gems = Set.new
         lockfile.specs.each do |spec|
+          gem_key = "#{spec.name}:#{spec.version}"
+          next if seen_gems.include?(gem_key)
+          seen_gems.add(gem_key)
           begin
             gemspec = Gem::Specification.find_by_name(spec.name, spec.version)
             licenses = []
@@ -56,7 +61,7 @@ module Bundler
           }
           unless licenses.empty?
-            component["licenses"] = licenses.map { |license| { "license" => { "id" => license } } }
+            component["licenses"] = licenses.map { |license| {"license" => {"id" => license}} }
           end
           sbom["components"] << component
@@ -68,72 +73,72 @@ module Bundler
       def self.to_xml(sbom)
         doc = REXML::Document.new
         doc << REXML::XMLDecl.new("1.0", "UTF-8")
         # Root element
         root = REXML::Element.new("bom")
         root.add_namespace("http://cyclonedx.org/schema/bom/1.4")
         root.add_attributes({
           "serialNumber" => sbom["serialNumber"],
-          "version" => sbom["version"].to_s,
+          "version" => sbom["version"].to_s
         })
         doc.add_element(root)
         # Metadata
         metadata = REXML::Element.new("metadata")
         root.add_element(metadata)
         add_element(metadata, "timestamp", sbom["metadata"]["timestamp"])
         # Tools
         tools = REXML::Element.new("tools")
         metadata.add_element(tools)
         sbom["metadata"]["tools"].each do |tool_data|
           tool = REXML::Element.new("tool")
           tools.add_element(tool)
           add_element(tool, "vendor", tool_data["vendor"])
           add_element(tool, "name", tool_data["name"])
           add_element(tool, "version", tool_data["version"].to_s)
         end
         # Component (root project)
         component = REXML::Element.new("component")
         component.add_attribute("type", sbom["metadata"]["component"]["type"])
         metadata.add_element(component)
         add_element(component, "name", sbom["metadata"]["component"]["name"])
         add_element(component, "version", sbom["metadata"]["component"]["version"])
         # Components
         components = REXML::Element.new("components")
         root.add_element(components)
         sbom["components"].each do |comp_data|
           comp = REXML::Element.new("component")
           comp.add_attribute("type", comp_data["type"])
           components.add_element(comp)
           add_element(comp, "name", comp_data["name"])
           add_element(comp, "version", comp_data["version"])
           add_element(comp, "purl", comp_data["purl"])
           # Licenses
           if comp_data["licenses"] && !comp_data["licenses"].empty?
             licenses = REXML::Element.new("licenses")
             comp.add_element(licenses)
             comp_data["licenses"].each do |license_data|
               license = REXML::Element.new("license")
               licenses.add_element(license)
               if license_data["license"]["id"]
                 add_element(license, "id", license_data["license"]["id"])
               end
             end
           end
         end
         formatter = REXML::Formatters::Pretty.new(2)
         formatter.compact = true
         output = ""
@@ -143,7 +148,7 @@ module Bundler
       def self.parse_xml(doc)
         root = doc.root
         sbom = {
           "bomFormat" => "CycloneDX",
           "specVersion" => "1.4",
@@ -160,7 +165,7 @@ module Bundler
           },
           "components" => []
         }
         # Collect tools
         REXML::XPath.each(root, "metadata/tools/tool") do |tool|
           tool_data = {
@@ -170,7 +175,7 @@ module Bundler
           }
           sbom["metadata"]["tools"] << tool_data
         end
         # Collect components
         REXML::XPath.each(root, "components/component") do |comp|
           component = {
@@ -179,26 +184,26 @@ module Bundler
             "version" => get_element_text(comp, "version"),
             "purl" => get_element_text(comp, "purl")
           }
           # Collect licenses
           licenses = []
           REXML::XPath.each(comp, "licenses/license") do |license|
             license_id = get_element_text(license, "id")
-            licenses << { "license" => { "id" => license_id } } if license_id
+            licenses << {"license" => {"id" => license_id}} if license_id
           end
           component["licenses"] = licenses unless licenses.empty?
           sbom["components"] << component
         end
         # Convert CycloneDX format to SPDX-like format for compatibility with Reporter
-        converted_sbom = {
+        {
           "packages" => sbom["components"].map do |comp|
             license_string = if comp["licenses"]
-                              comp["licenses"].map { |l| l["license"]["id"] }.join(", ")
-                            else
-                              "NOASSERTION"
-                            end
+              comp["licenses"].map { |l| l["license"]["id"] }.join(", ")
+            else
+              "NOASSERTION"
+            end
             {
               "name" => comp["name"],
               "versionInfo" => comp["version"],
@@ -206,18 +211,16 @@ module Bundler
             }
           end
         }
-        converted_sbom
       end
       def self.to_report_format(sbom)
         {
           "packages" => sbom["components"].map do |comp|
             license_string = if comp["licenses"]
-                             comp["licenses"].map { |l| l["license"]["id"] }.join(", ")
-                           else
-                             "NOASSERTION"
-                           end
+              comp["licenses"].map { |l| l["license"]["id"] }.join(", ")
+            else
+              "NOASSERTION"
+            end
             {
               "name" => comp["name"],
               "versionInfo" => comp["version"],
@@ -228,17 +231,17 @@ module Bundler
       end
       private
       def self.add_element(parent, name, value)
         element = REXML::Element.new(name)
         element.text = value
         parent.add_element(element)
       end
       def self.get_element_text(element, xpath)
         result = REXML::XPath.first(element, xpath)
         result ? result.text : nil
       end
     end
   end
-end
+end

data/lib/bundler/sbom/generator.rb CHANGED Viewed

@@ -39,7 +39,7 @@ module Bundler
       def self.parse_xml(xml_content)
         doc = REXML::Document.new(xml_content)
         root = doc.root
         # Determine if it's CycloneDX or SPDX
         if root.name == "bom" && root.namespace.include?("cyclonedx.org")
           CycloneDX.parse_xml(doc)
@@ -49,4 +49,4 @@ module Bundler
       end
     end
   end
-end
+end

data/lib/bundler/sbom/reporter.rb CHANGED Viewed

@@ -8,7 +8,7 @@ module Bundler
         else
           SPDX.to_report_format(sbom)
         end
         display_report(sbom)
       end
@@ -16,7 +16,7 @@ module Bundler
       def self.sbom_format(sbom)
         return :cyclonedx if sbom["bomFormat"] == "CycloneDX"
-        return :spdx
+        :spdx
       end
       def self.display_report(sbom)
@@ -60,4 +60,4 @@ module Bundler
       end
     end
   end
-end
+end

data/lib/bundler/sbom/spdx.rb CHANGED Viewed

@@ -6,7 +6,7 @@ module Bundler
   module Sbom
     class SPDX
       def self.generate(lockfile, document_name)
-        spdx_id = SecureRandom.uuid
+        spdx_id = generate_spdx_id
         sbom = {
           "SPDXID" => "SPDXRef-DOCUMENT",
           "spdxVersion" => "SPDX-2.3",
@@ -21,7 +21,12 @@ module Bundler
           "packages" => []
         }
+        # Deduplicate specs by name and version
+        seen_gems = Set.new
         lockfile.specs.each do |spec|
+          gem_key = "#{spec.name}:#{spec.version}"
+          next if seen_gems.include?(gem_key)
+          seen_gems.add(gem_key)
           begin
             gemspec = Gem::Specification.find_by_name(spec.name, spec.version)
             licenses = []
@@ -67,39 +72,39 @@ module Bundler
       def self.to_xml(sbom)
         doc = REXML::Document.new
         doc << REXML::XMLDecl.new("1.0", "UTF-8")
         # Root element
         root = REXML::Element.new("SpdxDocument")
         root.add_namespace("https://spdx.org/spdxdocs/")
         doc.add_element(root)
         # Document info
         add_element(root, "SPDXID", sbom["SPDXID"])
         add_element(root, "spdxVersion", sbom["spdxVersion"])
         add_element(root, "name", sbom["name"])
         add_element(root, "dataLicense", sbom["dataLicense"])
         add_element(root, "documentNamespace", sbom["documentNamespace"])
         # Creation info
         creation_info = REXML::Element.new("creationInfo")
         root.add_element(creation_info)
         add_element(creation_info, "created", sbom["creationInfo"]["created"])
         add_element(creation_info, "licenseListVersion", sbom["creationInfo"]["licenseListVersion"])
         sbom["creationInfo"]["creators"].each do |creator|
           add_element(creation_info, "creator", creator)
         end
         # Describes
         sbom["documentDescribes"].each do |describes|
           add_element(root, "documentDescribes", describes)
         end
         # Packages
         sbom["packages"].each do |pkg|
           package = REXML::Element.new("package")
           root.add_element(package)
           add_element(package, "SPDXID", pkg["SPDXID"])
           add_element(package, "name", pkg["name"])
           add_element(package, "versionInfo", pkg["versionInfo"])
@@ -109,20 +114,20 @@ module Bundler
           add_element(package, "licenseDeclared", pkg["licenseDeclared"])
           add_element(package, "copyrightText", pkg["copyrightText"])
           add_element(package, "supplier", pkg["supplier"])
           # External references
           if pkg["externalRefs"]
             pkg["externalRefs"].each do |ref|
               ext_ref = REXML::Element.new("externalRef")
               package.add_element(ext_ref)
               add_element(ext_ref, "referenceCategory", ref["referenceCategory"])
               add_element(ext_ref, "referenceType", ref["referenceType"])
               add_element(ext_ref, "referenceLocator", ref["referenceLocator"])
             end
           end
         end
         formatter = REXML::Formatters::Pretty.new(2)
         formatter.compact = true
         output = ""
@@ -132,7 +137,7 @@ module Bundler
       def self.parse_xml(doc)
         root = doc.root
         sbom = {
           "SPDXID" => get_element_text(root, "SPDXID"),
           "spdxVersion" => get_element_text(root, "spdxVersion"),
@@ -147,17 +152,17 @@ module Bundler
           "packages" => [],
           "documentDescribes" => []
         }
         # Collect creators
         REXML::XPath.each(root, "creationInfo/creator") do |creator|
           sbom["creationInfo"]["creators"] << creator.text
         end
         # Collect documentDescribes
         REXML::XPath.each(root, "documentDescribes") do |describes|
           sbom["documentDescribes"] << describes.text
         end
         # Collect packages
         REXML::XPath.each(root, "package") do |pkg_element|
           package = {
@@ -172,7 +177,7 @@ module Bundler
             "supplier" => get_element_text(pkg_element, "supplier"),
             "externalRefs" => []
           }
           # Collect external references
           REXML::XPath.each(pkg_element, "externalRef") do |ref_element|
             ref = {
@@ -182,10 +187,10 @@ module Bundler
             }
             package["externalRefs"] << ref
           end
           sbom["packages"] << package
         end
         sbom
       end
@@ -203,18 +208,20 @@ module Bundler
         }
       end
-      private
+      def self.generate_spdx_id
+        SecureRandom.uuid
+      end
       def self.add_element(parent, name, value)
         element = REXML::Element.new(name)
         element.text = value
         parent.add_element(element)
       end
       def self.get_element_text(element, xpath)
         result = REXML::XPath.first(element, xpath)
         result ? result.text : nil
       end
     end
   end
-end
+end

data/lib/bundler/sbom/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 module Bundler
   module Sbom
-    VERSION = "0.1.7"
+    VERSION = "0.2.0"
   end
 end

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: bundler-sbom
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 0.2.0
 platform: ruby
 authors:
 - SHIBATA Hiroshi
 bindir: exe
 cert_chain: []
-date: 2025-03-06 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -78,7 +78,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Generate SPDX SBOM(Software Bill of Materials) files with Bundler
 test_files: []