bundler-sbom 0.1.8 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
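--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 590a4da5b45a12b7d7946aa14626eae531db3220a2441047895db77c078ccf4b
- data.tar.gz: 525d811c49ee31132eafbccc53e96d7fc4b39e92cd1dac8c704da334120584d4
+ metadata.gz: f578e54cb4d73e62b18d305684a0ff770edb7cde70b31fdd8cb9eaa7b53e0885
+ data.tar.gz: 9e853789b6b01962185dde4a528f84c1e1f16f4432d4a9c5f57b16d5680e0489
  SHA512:
- metadata.gz: a4bc5d533a846c9c0786f5fcc17d9ca6f85fe6bbd72719ff016caeebedd2a6e6b68fef6d86c59fced37a5a96a1c601eb5f6fbda00554a67b3e2cb287b1c95a37
- data.tar.gz: b7e135ea95bbdc7cb93b90864f7f0daf75cda5640f6be982813f6d156d7942bfb4d6c8da8df7f688fb1399afdf9d30d428e75bb4dfcccb4db0ff6fe905d44b9c
+ metadata.gz: 4bd4342d874517d03999ba5166fac776610ae3832d79eb620732de9cb7fa6e82614b61ba52a1dc89c79580d1985dad790c6f2ca4c641fd10afbc65ed32fe1b85
+ data.tar.gz: 9f30c4813af67c7882dcec7d132e8c324bc243d6f8fb19cef7a8571a9678fbbf0b92d15fd1a598f0afe6f73497faeea428bbbcd3d03838f3347380f4e44f722c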
@@ -28,10 +28,10 @@ module Bundler
28
28
  sbom = Bundler::Sbom::Generator.generate_sbom(sbom_format)
29
29
 
30
30
  # Determine file extension based on output format
31
- ext = format == "json" ? "json" : "xml"
31
+ ext = (format == "json") ? "json" : "xml"
32
32
 
33
33
  # Determine filename prefix based on SBOM format
34
- prefix = sbom_format == "spdx" ? "bom" : "bom-cyclonedx"
34
+ prefix = (sbom_format == "spdx") ? "bom" : "bom-cyclonedx"
35
35
  output_file = "#{prefix}.#{ext}"
36
36
 
37
37
  if format == "json"
@@ -59,19 +59,19 @@ module Bundler
59
59
 
60
60
  # Determine input file based on format or find default files
61
61
  if input_file.nil?
62
- if format == "xml" || (format.nil? && File.exist?("bom.xml"))
63
- input_file = "bom.xml"
62
+ input_file = if format == "xml" || (format.nil? && File.exist?("bom.xml"))
63
+ "bom.xml"
64
64
  elsif File.exist?("bom-cyclonedx.json")
65
- input_file = "bom-cyclonedx.json"
65
+ "bom-cyclonedx.json"
66
66
  elsif File.exist?("bom-cyclonedx.xml")
67
- input_file = "bom-cyclonedx.xml"
67
+ "bom-cyclonedx.xml"
68
68
  else
69
- input_file = "bom.json"
69
+ "bom.json"
70
70
  end
71
71
  end
72
72
 
73
73
  unless File.exist?(input_file)
74
- file_type = File.extname(input_file) == ".xml" ? "xml" : "json"
74
+ file_type = (File.extname(input_file) == ".xml") ? "xml" : "json"
75
75
  sbom_type = input_file.include?("cyclonedx") ? "cyclonedx" : "spdx"
76
76
  Bundler.ui.error("Error: #{input_file} not found. Run 'bundle sbom dump --format=#{file_type} --sbom=#{sbom_type}' first.")
77
77
  exit 1
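Review bot: The restructured `input_file = if …` at new lines 62–70 still lets an explicit `--format=json` fall through to `elsif File.exist?("bom-cyclonedx.xml")`, so when only that file is present a JSON request resolves to an XML path; the `format == "xml"` branch guards the reverse case, but nothing guards this one. If the parser further down is chosen by `format` rather than by the file's extension (not visible in this hunk), that input surfaces as a confusing parse failure in the `rescue JSON::ParserError` path. Restricting the fallback to `elsif format.nil? && File.exist?("bom-cyclonedx.xml")` keeps an explicit format authoritative. The enclosing method starts and ends outside this hunk.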
@@ -90,7 +90,7 @@ module Bundler
90
90
  rescue JSON::ParserError
91
91
  Bundler.ui.error("Error: #{input_file} is not a valid JSON file")
92
92
  exit 1
93
- rescue StandardError => e
93
+ rescue => e
94
94
  Bundler.ui.error("Error processing #{input_file}: #{e.message}")
95
95
  exit 1
96
96
  end
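Review bot: The broadened `rescue => e` at new line 93 reports only `e.message`, so the class of whatever non-JSON failure occurred (a permission error, or a REXML parse error on the XML path, for example) is lost from the output; include it, e.g. `Bundler.ui.error("Error processing #{input_file}: #{e.class}: #{e.message}")`. Dropping the explicit `StandardError` is behaviour-preserving, since a bare `rescue` catches exactly that class, but the catch-all still turns programming errors into a generic exit 1, which is worth remembering when a report silently fails. The enclosing method starts outside this hunk.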
@@ -31,7 +31,12 @@ module Bundler
31
31
  "components" => []
32
32
  }
33
33
 
34
+ # Deduplicate specs by name and version
35
+ seen_gems = Set.new
34
36
  lockfile.specs.each do |spec|
37
+ gem_key = "#{spec.name}:#{spec.version}"
38
+ next if seen_gems.include?(gem_key)
39
+ seen_gems.add(gem_key)
35
40
  begin
36
41
  gemspec = Gem::Specification.find_by_name(spec.name, spec.version)
37
42
  licenses = []
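Review bot: `Set.new` at new line 35 needs `require "set"` unless the file already requires it or the gem only supports Ruby 3.2+, where Set is autoloaded; no require is visible in this hunk, and the same applies to the identical block in the later `@@ -21,7 +21,12 @@` hunk (the SPDX generator). The three-line check-then-add at new lines 37–39 can be the single line `next unless seen_gems.add?(gem_key)`, since `Set#add?` returns nil when the element was already present. The key `"#{spec.name}:#{spec.version}"` ignores `spec.platform`, so platform-specific entries of the same gem collapse into one component — consistent with the `find_by_name(spec.name, spec.version)` call that follows, but worth stating with a comment such as `# platform variants intentionally collapse into one component`. The loop prologue is duplicated verbatim across the two generators; a shared helper that yields each unique spec would keep them in step.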
@@ -56,7 +61,7 @@ module Bundler
56
61
  }
57
62
 
58
63
  unless licenses.empty?
59
- component["licenses"] = licenses.map { |license| { "license" => { "id" => license } } }
64
+ component["licenses"] = licenses.map { |license| {"license" => {"id" => license}} }
60
65
  end
61
66
 
62
67
  sbom["components"] << component
@@ -74,7 +79,7 @@ module Bundler
74
79
  root.add_namespace("http://cyclonedx.org/schema/bom/1.4")
75
80
  root.add_attributes({
76
81
  "serialNumber" => sbom["serialNumber"],
77
- "version" => sbom["version"].to_s,
82
+ "version" => sbom["version"].to_s
78
83
  })
79
84
  doc.add_element(root)
80
85
 
@@ -184,7 +189,7 @@ module Bundler
184
189
  licenses = []
185
190
  REXML::XPath.each(comp, "licenses/license") do |license|
186
191
  license_id = get_element_text(license, "id")
187
- licenses << { "license" => { "id" => license_id } } if license_id
192
+ licenses << {"license" => {"id" => license_id}} if license_id
188
193
  end
189
194
 
190
195
  component["licenses"] = licenses unless licenses.empty?
@@ -192,12 +197,12 @@ module Bundler
192
197
  end
193
198
 
194
199
  # Convert CycloneDX format to SPDX-like format for compatibility with Reporter
195
- converted_sbom = {
200
+ {
196
201
  "packages" => sbom["components"].map do |comp|
197
202
  license_string = if comp["licenses"]
198
203
  comp["licenses"].map { |l| l["license"]["id"] }.join(", ")
199
- else
200
- "NOASSERTION"
204
+ else
205
+ "NOASSERTION"
201
206
  end
202
207
  {
203
208
  "name" => comp["name"],
@@ -206,8 +211,6 @@ module Bundler
206
211
  }
207
212
  end
208
213
  }
209
-
210
- converted_sbom
211
214
  end
212
215
 
213
216
  def self.to_report_format(sbom)
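Review bot: The hash now returned directly at new lines 200–213 appears to duplicate `self.to_report_format(sbom)`, whose definition starts at the bottom of this hunk and whose body in the next hunk builds the same `"packages"` list with the same `license_string` rule; if the two are indeed identical, the XML path could end with `to_report_format(sbom)` so the license-string logic lives in one place. The `comp["licenses"].map { |l| l["license"]["id"] }` chain raises NoMethodError on a component whose licenses entry lacks the nested `"license"` key; the XML parser in the preceding hunk only emits that shape, so it is safe for XML input, but `l.dig("license", "id")` with a `compact` would make a shared helper tolerant of other inputs. The enclosing method starts outside this hunk.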
@@ -215,8 +218,8 @@ module Bundler
215
218
  "packages" => sbom["components"].map do |comp|
216
219
  license_string = if comp["licenses"]
217
220
  comp["licenses"].map { |l| l["license"]["id"] }.join(", ")
218
- else
219
- "NOASSERTION"
221
+ else
222
+ "NOASSERTION"
220
223
  end
221
224
  {
222
225
  "name" => comp["name"],
@@ -16,7 +16,7 @@ module Bundler
16
16
 
17
17
  def self.sbom_format(sbom)
18
18
  return :cyclonedx if sbom["bomFormat"] == "CycloneDX"
19
- return :spdx
19
+ :spdx
20
20
  end
21
21
 
22
22
  def self.display_report(sbom)
@@ -21,7 +21,12 @@ module Bundler
21
21
  "packages" => []
22
22
  }
23
23
 
24
+ # Deduplicate specs by name and version
25
+ seen_gems = Set.new
24
26
  lockfile.specs.each do |spec|
27
+ gem_key = "#{spec.name}:#{spec.version}"
28
+ next if seen_gems.include?(gem_key)
29
+ seen_gems.add(gem_key)
25
30
  begin
26
31
  gemspec = Gem::Specification.find_by_name(spec.name, spec.version)
27
32
  licenses = []
@@ -1,5 +1,5 @@
1
1
  module Bundler
2
2
  module Sbom
3
- VERSION = "0.1.8"
3
+ VERSION = "0.2.0"
4
4
  end
5
5
  end
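--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: bundler-sbom
  version: !ruby/object:Gem::Version
- version: 0.1.8
+ version: 0.2.0
  platform: ruby
  authors:
  - SHIBATA Hiroshi
@@ -78,7 +78,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
  - !ruby/object:Gem::Version
  version: '0'
  requirements: []
- rubygems_version: 3.6.9
+ rubygems_version: 4.0.3
  specification_version: 4
  summary: Generate SPDX SBOM(Software Bill of Materials) files with Bundler
  test_files: []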