bundler-sbom 0.2.0 → 0.3.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f578e54cb4d73e62b18d305684a0ff770edb7cde70b31fdd8cb9eaa7b53e0885
-  data.tar.gz: 9e853789b6b01962185dde4a528f84c1e1f16f4432d4a9c5f57b16d5680e0489
+  metadata.gz: c2d31deef79ab54416961ff900632cf386f95207f35afd2c2e491d97c53d4c0e
+  data.tar.gz: 6060186d5f3394f12f9c58a2ad1aa4a01b554500f58ef606403536675e506f18
 SHA512:
-  metadata.gz: 4bd4342d874517d03999ba5166fac776610ae3832d79eb620732de9cb7fa6e82614b61ba52a1dc89c79580d1985dad790c6f2ca4c641fd10afbc65ed32fe1b85
-  data.tar.gz: 9f30c4813af67c7882dcec7d132e8c324bc243d6f8fb19cef7a8571a9678fbbf0b92d15fd1a598f0afe6f73497faeea428bbbcd3d03838f3347380f4e44f722c
+  metadata.gz: bb372a7bf2da186dcdf3a3406f236682b35b3aba690a21f3617a32cd94cebf85a4902e39a755a0e1698ff463a9f37fa8c79a425230ab6d1b68c16d1790dbb476
+  data.tar.gz: aab0fffe6b7c684d8bb07c33040f2f5897c00d9353e5809b665333a714ee6175a36a2eae4ac01d8427c5b273e3911e91fadc8580f486d4dc04db0ec9f6ec337d

data/README.md

@@ -23,6 +23,7 @@ $ bundle sbom dump [options]
 Available options:
 - `-f, --format FORMAT`: Output format (json or xml, default: json)
 - `-s, --sbom FORMAT`: SBOM specification format (spdx or cyclonedx, default: spdx)
+- `--without GROUPS`: Exclude groups (comma or colon separated, e.g., 'development:test' or 'development,test')
 
 Generated files will be named according to the following pattern:
 - SPDX format: `bom.json` or `bom.xml`
@@ -34,6 +35,8 @@ $ bundle sbom dump                           # Generates SPDX format in JSON (bo
 $ bundle sbom dump -f xml                    # Generates SPDX format in XML (bom.xml)
 $ bundle sbom dump -s cyclonedx             # Generates CycloneDX format in JSON (bom-cyclonedx.json)
 $ bundle sbom dump -s cyclonedx -f xml      # Generates CycloneDX format in XML (bom-cyclonedx.xml)
+$ bundle sbom dump --without development    # Excludes development group
+$ bundle sbom dump --without development:test  # Excludes development and test groups
 ```
 
 ### Analyze License Information

data/lib/bundler/sbom/cli.rb

@@ -8,9 +8,11 @@ module Bundler
       desc "dump", "Generate SBOM and save to file"
       method_option :format, type: :string, default: "json", desc: "Output format: json or xml", aliases: "-f"
       method_option :sbom, type: :string, default: "spdx", desc: "SBOM format: spdx or cyclonedx", aliases: "-s"
+      method_option :without, type: :string, desc: "Exclude groups (comma or colon separated, e.g., 'development:test' or 'development,test')"
       def dump
         format = options[:format].downcase
         sbom_format = options[:sbom].downcase
+        without_groups = parse_without_groups(options[:without])
 
         # Validate output format
         unless ["json", "xml"].include?(format)
@@ -25,7 +27,7 @@ module Bundler
         end
 
         # Generate SBOM based on specified format
-        sbom = Bundler::Sbom::Generator.generate_sbom(sbom_format)
+        sbom = Bundler::Sbom::Generator.generate_sbom(sbom_format, without_groups: without_groups)
 
         # Determine file extension based on output format
         ext = (format == "json") ? "json" : "xml"
@@ -100,6 +102,16 @@ module Bundler
       def self.exit_on_failure?
         true
       end
+
+      private
+
+      def parse_without_groups(without_option)
+        return [] unless without_option
+
+        # Split by comma or colon and clean up whitespace
+        groups = without_option.split(%r{[:,]}).map(&:strip).reject(&:empty?)
+        groups.map(&:to_sym)
+      end
     end
   end
 end

data/lib/bundler/sbom/cyclonedx.rb

@@ -5,7 +5,7 @@ require "rexml/document"
 module Bundler
   module Sbom
     class CycloneDX
-      def self.generate(lockfile, document_name)
+      def self.generate(gems, document_name)
         serial_number = SecureRandom.uuid
         timestamp = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
         sbom = {
@@ -33,7 +33,7 @@ module Bundler
 
         # Deduplicate specs by name and version
         seen_gems = Set.new
-        lockfile.specs.each do |spec|
+        gems.each do |spec|
           gem_key = "#{spec.name}:#{spec.version}"
           next if seen_gems.include?(gem_key)
           seen_gems.add(gem_key)

data/lib/bundler/sbom/generator.rb

@@ -10,7 +10,7 @@ module Bundler
     class GemfileLockNotFoundError < StandardError; end
 
     class Generator
-      def self.generate_sbom(format = "spdx")
+      def self.generate_sbom(format = "spdx", without_groups: [])
         lockfile_path = Bundler.default_lockfile
         if !lockfile_path || !lockfile_path.exist?
           Bundler.ui.error "No Gemfile.lock found. Run `bundle install` first."
@@ -20,11 +20,14 @@ module Bundler
         lockfile = Bundler::LockfileParser.new(lockfile_path.read)
         document_name = File.basename(Dir.pwd)
 
+        # Get gems to include based on groups
+        gems = get_gems_for_groups(lockfile, without_groups)
+
         case format.to_s.downcase
         when "cyclonedx"
-          CycloneDX.generate(lockfile, document_name)
+          CycloneDX.generate(gems, document_name)
         else # default to spdx
-          SPDX.generate(lockfile, document_name)
+          SPDX.generate(gems, document_name)
         end
       end
 
@@ -47,6 +50,44 @@ module Bundler
           SPDX.parse_xml(doc)
         end
       end
+
+      private
+
+      def self.get_gems_for_groups(lockfile, without_groups)
+        # If no groups specified, use all specs
+        if without_groups.empty?
+          return lockfile.specs
+        end
+
+        # Try to get group information from Bundler.definition if available
+        if defined?(Bundler::Definition) && Bundler.respond_to?(:definition)
+          begin
+            definition = Bundler.definition
+            all_groups = definition.groups
+            include_groups = all_groups - without_groups
+
+            # Use specs_for to get all gems (including transitive dependencies) for included groups
+            if definition.respond_to?(:specs_for)
+              definition.specs_for(include_groups)
+            else
+              # Fallback to old method if specs_for is not available
+              included_gems = Set.new
+              include_groups.each do |group|
+                definition.dependencies_for(group).each do |dep|
+                  included_gems.add(dep.name)
+                end
+              end
+              lockfile.specs.select { |spec| included_gems.include?(spec.name) }
+            end
+          rescue => e
+            # Fallback to all specs if there's any issue with Bundler.definition
+            Bundler.ui.warn("Warning: Could not determine group information: #{e.message}")
+            lockfile.specs
+          end
+        else
+          lockfile.specs
+        end
+      end
     end
   end
 end

data/lib/bundler/sbom/spdx.rb

@@ -5,7 +5,7 @@ require "rexml/document"
 module Bundler
   module Sbom
     class SPDX
-      def self.generate(lockfile, document_name)
+      def self.generate(gems, document_name)
         spdx_id = generate_spdx_id
         sbom = {
           "SPDXID" => "SPDXRef-DOCUMENT",
@@ -23,7 +23,7 @@ module Bundler
 
         # Deduplicate specs by name and version
         seen_gems = Set.new
-        lockfile.specs.each do |spec|
+        gems.each do |spec|
           gem_key = "#{spec.name}:#{spec.version}"
           next if seen_gems.include?(gem_key)
           seen_gems.add(gem_key)

data/lib/bundler/sbom/version.rb

@@ -1,5 +1,5 @@
 module Bundler
   module Sbom
-    VERSION = "0.2.0"
+    VERSION = "0.3.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler-sbom
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 0.3.0
 platform: ruby
 authors:
 - SHIBATA Hiroshi