bundler-sbom 0.3.1 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 25aca7901f1cf5074fa7d089541543e1626e61a2ed2969729fd5cd2e5308e831
-  data.tar.gz: fa38d57d57377305b21fe0deae6907ebd4bca352443c3b9ea5cc0ca068270927
+  metadata.gz: b17b7f0d6f921d10fa80cc62402f321077779f4c51b81cc22bad0720f3767576
+  data.tar.gz: edecba78478c7979ae85a48b5cdb98175a48c9506d56db8959ebddb5c398abfc
 SHA512:
-  metadata.gz: '028fb94c9fd911c34a0c73cef0c2f49e97a4a6278090cbd46595d46311181b351239f643d83a546c17eb63eaa8222b3873810310ca99504531aa02c5822a3735'
-  data.tar.gz: e91cc42c49bf6f4d62528fe4c97c9942bef964afc6f48af9e8bebb96ed588929344eb06557549019855ebfd0cda2cb2950a167091fbc49c934bc1c3f5d697cd7
+  metadata.gz: a450eb2b7aca4e994e888cee8a60d4af2738a8b619f19185f2a4504001af3f12a2ef8bb2b2b8df7254b015c31755b5c9972988e796309469607b51b3ecc848e3
+  data.tar.gz: 4b1e698caa08514bd595403948f0a2e989144780b425d3afee08f0b8b6a5e144adab155916b161c1f10aaf9f7bd73d2799d36de3fb2a40a76aad4c0be9ea4526

data/Gemfile

@@ -5,8 +5,8 @@ gemspec
 group :development do
   gem "thor"
   gem "rake"
-  gem "rspec"
+  gem "minitest"
+  gem "minitest-mock"
   gem "simplecov", require: false
-  gem "rspec-its"
-  gem "rspec-mocks"
+  gem "json_schemer"
 end

data/README.md

@@ -26,13 +26,12 @@ Available options:
 - `--without GROUPS`: Exclude groups (comma or colon separated, e.g., 'development:test' or 'development,test')
 
 Generated files will be named according to the following pattern:
-- SPDX format: `bom.json` or `bom.xml`
+- SPDX format: `bom.json`
 - CycloneDX format: `bom-cyclonedx.json` or `bom-cyclonedx.xml`
 
 Examples:
 ```
 $ bundle sbom dump                           # Generates SPDX format in JSON (bom.json)
-$ bundle sbom dump -f xml                    # Generates SPDX format in XML (bom.xml)
 $ bundle sbom dump -s cyclonedx             # Generates CycloneDX format in JSON (bom-cyclonedx.json)
 $ bundle sbom dump -s cyclonedx -f xml      # Generates CycloneDX format in XML (bom-cyclonedx.xml)
 $ bundle sbom dump --without development    # Excludes development group
@@ -52,10 +51,9 @@ Available options:
 - `-F, --format FORMAT`: Input format (json or xml)
 
 If no options are specified, the command will automatically look for SBOM files in the following order:
-1. `bom.xml` (if format is xml)
+1. `bom.json`
 2. `bom-cyclonedx.json`
 3. `bom-cyclonedx.xml`
-4. `bom.json`
 
 This command will show:
 - A count of packages using each license
@@ -65,12 +63,23 @@ Note: The `license` command requires that you've already generated the SBOM usin
 
 ## Supported SBOM Formats
 
-### SPDX
+### SPDX (v2.3)
 [SPDX (Software Package Data Exchange)](https://spdx.dev/) is a standard format for communicating software bill of material information, including components, licenses, copyrights, and security references.
 
-### CycloneDX
+- Spec version: [SPDX 2.3](https://spdx.github.io/spdx-spec/v2.3/)
+- Output formats: JSON
+- License identifiers are validated against the [SPDX License List](https://spdx.org/licenses/) via the `spdx-licenses` gem. Non-SPDX licenses are output as `LicenseRef-` identifiers, and deprecated SPDX IDs (e.g., `GPL-2.0`) are mapped to their current equivalents (e.g., `GPL-2.0-only`).
+- `DEPENDS_ON` relationships between packages are emitted from `Gemfile.lock`.
+- `creationInfo.licenseListVersion` reflects the SPDX license list version bundled with the `spdx-licenses` gem.
+
+### CycloneDX (v1.7)
 [CycloneDX](https://cyclonedx.org/) is a lightweight SBOM specification designed for use in application security contexts and supply chain component analysis.
 
+- Spec version: [CycloneDX 1.7](https://cyclonedx.org/docs/1.7/json/)
+- Output formats: JSON, XML
+- SPDX license IDs are placed in the `license.id` field, and non-SPDX licenses use the `license.name` field, per the CycloneDX specification.
+- Each component is assigned a `bom-ref` (its purl) and the full dependency graph from `Gemfile.lock` is emitted in the `dependencies` section.
+
 ## References
 
 - [SPDX Specification](https://spdx.github.io/spdx-spec/)

data/Rakefile

@@ -1,6 +1,9 @@
 require "bundler/gem_tasks"
-require "rspec/core/rake_task"
+require "rake/testtask"
 
-RSpec::Core::RakeTask.new(:spec)
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.test_files = FileList["test/**/test_*.rb"]
+end
 
-task default: :spec
+task default: :test

data/lib/bundler/sbom/cli.rb

@@ -14,33 +14,29 @@ module Bundler
         sbom_format = options[:sbom].downcase
         without_groups = parse_without_groups(options[:without])
 
-        # Validate output format
         unless ["json", "xml"].include?(format)
-          Bundler.ui.error("Error: Unsupported output format '#{format}'. Supported formats: json, xml")
-          exit 1
+          raise Thor::Error, "Error: Unsupported output format '#{format}'. Supported formats: json, xml"
         end
 
-        # Validate SBOM format
         unless ["spdx", "cyclonedx"].include?(sbom_format)
-          Bundler.ui.error("Error: Unsupported SBOM format '#{sbom_format}'. Supported formats: spdx, cyclonedx")
-          exit 1
+          raise Thor::Error, "Error: Unsupported SBOM format '#{sbom_format}'. Supported formats: spdx, cyclonedx"
         end
 
-        # Generate SBOM based on specified format
-        sbom = Bundler::Sbom::Generator.generate_sbom(sbom_format, without_groups: without_groups)
+        if sbom_format == "spdx" && format == "xml"
+          raise Thor::Error, "Error: SPDX 2.3 does not define an XML serialization. Use '--format json' or '--sbom cyclonedx --format xml'."
+        end
 
-        # Determine file extension based on output format
-        ext = (format == "json") ? "json" : "xml"
+        generator = Bundler::Sbom::Generator.new(format: sbom_format, without_groups: without_groups)
+        sbom = generator.generate
 
-        # Determine filename prefix based on SBOM format
+        ext = (format == "json") ? "json" : "xml"
         prefix = (sbom_format == "spdx") ? "bom" : "bom-cyclonedx"
         output_file = "#{prefix}.#{ext}"
 
         if format == "json"
-          File.write(output_file, JSON.pretty_generate(sbom))
-        else # xml
-          xml_content = Bundler::Sbom::Generator.convert_to_xml(sbom)
-          File.write(output_file, xml_content)
+          File.write(output_file, JSON.pretty_generate(sbom.to_hash))
+        else
+          File.write(output_file, sbom.to_xml)
         end
 
         Bundler.ui.info("Generated #{sbom_format.upcase} SBOM at #{output_file}")
@@ -53,16 +49,13 @@ module Bundler
         format = options[:format]&.downcase
         input_file = options[:file]
 
-        # Validate format if provided
         if format && !["json", "xml"].include?(format)
-          Bundler.ui.error("Error: Unsupported format '#{format}'. Supported formats: json, xml")
-          exit 1
+          raise Thor::Error, "Error: Unsupported format '#{format}'. Supported formats: json, xml"
         end
 
-        # Determine input file based on format or find default files
         if input_file.nil?
-          input_file = if format == "xml" || (format.nil? && File.exist?("bom.xml"))
-            "bom.xml"
+          input_file = if File.exist?("bom.json")
+            "bom.json"
           elsif File.exist?("bom-cyclonedx.json")
             "bom-cyclonedx.json"
           elsif File.exist?("bom-cyclonedx.xml")
@@ -75,30 +68,26 @@ module Bundler
         unless File.exist?(input_file)
           file_type = (File.extname(input_file) == ".xml") ? "xml" : "json"
           sbom_type = input_file.include?("cyclonedx") ? "cyclonedx" : "spdx"
-          Bundler.ui.error("Error: #{input_file} not found. Run 'bundle sbom dump --format=#{file_type} --sbom=#{sbom_type}' first.")
-          exit 1
+          raise Thor::Error, "Error: #{input_file} not found. Run 'bundle sbom dump --format=#{file_type} --sbom=#{sbom_type}' first."
         end
 
-        begin
-          content = File.read(input_file)
+        content = File.read(input_file)
 
-          sbom = if format == "xml" || (!format && File.extname(input_file) == ".xml")
-            Bundler::Sbom::Generator.parse_xml(content)
-          else
-            JSON.parse(content)
-          end
-
-          Bundler::Sbom::Reporter.display_license_report(sbom)
-        rescue JSON::ParserError
-          Bundler.ui.error("Error: #{input_file} is not a valid JSON file")
-          exit 1
-        rescue => e
-          Bundler.ui.error("Error processing #{input_file}: #{e.message}")
-          exit 1
+        sbom = if format == "xml" || (!format && File.extname(input_file) == ".xml")
+          Bundler::Sbom::Generator.parse_xml(content)
+        else
+          Bundler::Sbom::Generator.from_hash(JSON.parse(content))
         end
+
+        Bundler::Sbom::Reporter.new(sbom).display_license_report
+      rescue JSON::ParserError
+        raise Thor::Error, "Error: #{input_file} is not a valid JSON file"
+      rescue Thor::Error
+        raise
+      rescue => e
+        raise Thor::Error, "Error processing #{input_file}: #{e.message}"
       end
 
-      # 適切にエラーで終了することを保証するためのメソッド
       def self.exit_on_failure?
         true
       end
@@ -108,7 +97,6 @@ module Bundler
       def parse_without_groups(without_option)
         return [] unless without_option
 
-        # Split by comma or colon and clean up whitespace
         groups = without_option.split(%r{[:,]}).map(&:strip).reject(&:empty?)
         groups.map(&:to_sym)
       end

data/lib/bundler/sbom/cyclonedx.rb

@@ -1,115 +1,207 @@
 require "bundler"
 require "securerandom"
-require "rexml/document"
+require "bundler/sbom/sbom_document"
 
 module Bundler
   module Sbom
     class CycloneDX
-      def self.generate(gems, document_name)
+      include SbomDocument
+
+      SPEC_VERSION = "1.7"
+      XML_NAMESPACE = "http://cyclonedx.org/schema/bom/#{SPEC_VERSION}"
+
+      def self.generate(gem_data, document_name, direct_dependencies: [])
         serial_number = SecureRandom.uuid
         timestamp = Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+        root_ref = document_name
         sbom = {
           "bomFormat" => "CycloneDX",
-          "specVersion" => "1.4",
+          "specVersion" => SPEC_VERSION,
           "serialNumber" => "urn:uuid:#{serial_number}",
           "version" => 1,
           "metadata" => {
             "timestamp" => timestamp,
-            "tools" => [
-              {
-                "vendor" => "Bundler",
-                "name" => "bundle-sbom",
-                "version" => Bundler::Sbom::VERSION
-              }
-            ],
+            "tools" => {
+              "components" => [
+                {
+                  "type" => "application",
+                  "name" => "bundle-sbom",
+                  "version" => Bundler::Sbom::VERSION
+                }
+              ]
+            },
             "component" => {
               "type" => "application",
+              "bom-ref" => root_ref,
               "name" => document_name,
-              "version" => "0.0.0" # Default version
+              "version" => "0.0.0"
             }
           },
-          "components" => []
+          "components" => [],
+          "dependencies" => []
         }
 
-        # Deduplicate specs by name and version
-        seen_gems = Set.new
-        gems.each do |spec|
-          gem_key = "#{spec.name}:#{spec.version}"
-          next if seen_gems.include?(gem_key)
-          seen_gems.add(gem_key)
-          licenses = SpecLicenseFinder.find_licenses(spec)
+        ref_by_name = {}
+        gem_data.each do |gem|
+          ref_by_name[gem[:name]] = "pkg:gem/#{gem[:name]}@#{gem[:version]}"
+        end
 
+        gem_data.each do |gem|
+          purl = ref_by_name[gem[:name]]
           component = {
             "type" => "library",
-            "name" => spec.name,
-            "version" => spec.version.to_s,
-            "purl" => "pkg:gem/#{spec.name}@#{spec.version}"
+            "bom-ref" => purl,
+            "name" => gem[:name],
+            "version" => gem[:version],
+            "purl" => purl
+          }
+
+          unless gem[:licenses].empty?
+            component["licenses"] = gem[:licenses].map { |license| build_license_entry(license) }
+          end
+
+          sbom["components"] << component
+
+          dep_refs = (gem[:dependencies] || []).filter_map { |name| ref_by_name[name] }
+          sbom["dependencies"] << {"ref" => purl, "dependsOn" => dep_refs}
+        end
+
+        root_deps = direct_dependencies.filter_map { |name| ref_by_name[name] }
+        sbom["dependencies"].unshift({"ref" => root_ref, "dependsOn" => root_deps})
+
+        new(sbom)
+      end
+
+      def self.parse_xml(doc)
+        root = doc.root
+        spec_version = root.namespace.to_s[%r{/bom/(\d+\.\d+)}, 1] || SPEC_VERSION
+
+        sbom = {
+          "bomFormat" => "CycloneDX",
+          "specVersion" => spec_version,
+          "serialNumber" => root.attributes["serialNumber"],
+          "version" => root.attributes["version"].to_i,
+          "metadata" => {
+            "timestamp" => get_element_text(root, "metadata/timestamp"),
+            "tools" => {"components" => []},
+            "component" => {
+              "type" => REXML::XPath.first(root, "metadata/component").attributes["type"],
+              "name" => get_element_text(root, "metadata/component/name"),
+              "version" => get_element_text(root, "metadata/component/version")
+            }
+          },
+          "components" => []
+        }
+
+        REXML::XPath.each(root, "metadata/tools/components/component") do |tool|
+          sbom["metadata"]["tools"]["components"] << {
+            "type" => tool.attributes["type"],
+            "name" => get_element_text(tool, "name"),
+            "version" => get_element_text(tool, "version")
           }
+        end
 
-          unless licenses.empty?
-            component["licenses"] = licenses.map { |license| {"license" => {"id" => license}} }
+        REXML::XPath.each(root, "metadata/tools/tool") do |tool|
+          sbom["metadata"]["tools"]["components"] << {
+            "type" => "application",
+            "name" => get_element_text(tool, "name"),
+            "version" => get_element_text(tool, "version")
+          }
+        end
+
+        REXML::XPath.each(root, "components/component") do |comp|
+          component = {
+            "type" => comp.attributes["type"],
+            "bom-ref" => comp.attributes["bom-ref"],
+            "name" => get_element_text(comp, "name"),
+            "version" => get_element_text(comp, "version"),
+            "purl" => get_element_text(comp, "purl")
+          }.compact
+
+          licenses = []
+          REXML::XPath.each(comp, "licenses/license") do |license|
+            license_id = get_element_text(license, "id")
+            license_name = get_element_text(license, "name")
+            if license_id
+              licenses << {"license" => {"id" => license_id}}
+            elsif license_name
+              licenses << {"license" => {"name" => license_name}}
+            end
           end
 
+          component["licenses"] = licenses unless licenses.empty?
           sbom["components"] << component
         end
 
-        sbom
+        meta_component = REXML::XPath.first(root, "metadata/component")
+        if meta_component && meta_component.attributes["bom-ref"]
+          sbom["metadata"]["component"]["bom-ref"] = meta_component.attributes["bom-ref"]
+        end
+
+        sbom["dependencies"] = []
+        REXML::XPath.each(root, "dependencies/dependency") do |dep|
+          depends_on = REXML::XPath.each(dep, "dependency").map { |c| c.attributes["ref"] }
+          sbom["dependencies"] << {"ref" => dep.attributes["ref"], "dependsOn" => depends_on}
+        end
+
+        new(sbom)
       end
 
-      def self.to_xml(sbom)
+      def to_xml
         doc = REXML::Document.new
         doc << REXML::XMLDecl.new("1.0", "UTF-8")
 
-        # Root element
         root = REXML::Element.new("bom")
-        root.add_namespace("http://cyclonedx.org/schema/bom/1.4")
+        root.add_namespace(XML_NAMESPACE)
         root.add_attributes({
-          "serialNumber" => sbom["serialNumber"],
-          "version" => sbom["version"].to_s
+          "serialNumber" => @data["serialNumber"],
+          "version" => @data["version"].to_s
         })
         doc.add_element(root)
 
-        # Metadata
         metadata = REXML::Element.new("metadata")
         root.add_element(metadata)
 
-        add_element(metadata, "timestamp", sbom["metadata"]["timestamp"])
+        add_element(metadata, "timestamp", @data["metadata"]["timestamp"])
 
-        # Tools
         tools = REXML::Element.new("tools")
         metadata.add_element(tools)
 
-        sbom["metadata"]["tools"].each do |tool_data|
-          tool = REXML::Element.new("tool")
-          tools.add_element(tool)
+        tool_components = REXML::Element.new("components")
+        tools.add_element(tool_components)
+
+        each_tool_component do |tool_data|
+          tool = REXML::Element.new("component")
+          tool.add_attribute("type", tool_data["type"] || "application")
+          tool_components.add_element(tool)
 
-          add_element(tool, "vendor", tool_data["vendor"])
           add_element(tool, "name", tool_data["name"])
           add_element(tool, "version", tool_data["version"].to_s)
         end
 
-        # Component (root project)
         component = REXML::Element.new("component")
-        component.add_attribute("type", sbom["metadata"]["component"]["type"])
+        component.add_attribute("type", @data["metadata"]["component"]["type"])
+        if @data["metadata"]["component"]["bom-ref"]
+          component.add_attribute("bom-ref", @data["metadata"]["component"]["bom-ref"])
+        end
         metadata.add_element(component)
 
-        add_element(component, "name", sbom["metadata"]["component"]["name"])
-        add_element(component, "version", sbom["metadata"]["component"]["version"])
+        add_element(component, "name", @data["metadata"]["component"]["name"])
+        add_element(component, "version", @data["metadata"]["component"]["version"])
 
-        # Components
         components = REXML::Element.new("components")
         root.add_element(components)
 
-        sbom["components"].each do |comp_data|
+        @data["components"].each do |comp_data|
           comp = REXML::Element.new("component")
           comp.add_attribute("type", comp_data["type"])
+          comp.add_attribute("bom-ref", comp_data["bom-ref"]) if comp_data["bom-ref"]
           components.add_element(comp)
 
           add_element(comp, "name", comp_data["name"])
           add_element(comp, "version", comp_data["version"])
           add_element(comp, "purl", comp_data["purl"])
 
-          # Licenses
           if comp_data["licenses"] && !comp_data["licenses"].empty?
             licenses = REXML::Element.new("licenses")
             comp.add_element(licenses)
@@ -120,90 +212,38 @@ module Bundler
 
               if license_data["license"]["id"]
                 add_element(license, "id", license_data["license"]["id"])
+              elsif license_data["license"]["name"]
+                add_element(license, "name", license_data["license"]["name"])
               end
             end
           end
         end
 
-        formatter = REXML::Formatters::Pretty.new(2)
-        formatter.compact = true
-        output = ""
-        formatter.write(doc, output)
-        output.sub(%r{<\?xml version='1\.0' encoding='UTF-8'\?>}, '<?xml version="1.0" encoding="UTF-8"?>')
-      end
+        if @data["dependencies"] && !@data["dependencies"].empty?
+          deps_el = REXML::Element.new("dependencies")
+          root.add_element(deps_el)
 
-      def self.parse_xml(doc)
-        root = doc.root
+          @data["dependencies"].each do |dep|
+            dep_el = REXML::Element.new("dependency")
+            dep_el.add_attribute("ref", dep["ref"])
+            deps_el.add_element(dep_el)
 
-        sbom = {
-          "bomFormat" => "CycloneDX",
-          "specVersion" => "1.4",
-          "serialNumber" => root.attributes["serialNumber"],
-          "version" => root.attributes["version"].to_i,
-          "metadata" => {
-            "timestamp" => get_element_text(root, "metadata/timestamp"),
-            "tools" => [],
-            "component" => {
-              "type" => REXML::XPath.first(root, "metadata/component").attributes["type"],
-              "name" => get_element_text(root, "metadata/component/name"),
-              "version" => get_element_text(root, "metadata/component/version")
-            }
-          },
-          "components" => []
-        }
-
-        # Collect tools
-        REXML::XPath.each(root, "metadata/tools/tool") do |tool|
-          tool_data = {
-            "vendor" => get_element_text(tool, "vendor"),
-            "name" => get_element_text(tool, "name"),
-            "version" => get_element_text(tool, "version")
-          }
-          sbom["metadata"]["tools"] << tool_data
-        end
-
-        # Collect components
-        REXML::XPath.each(root, "components/component") do |comp|
-          component = {
-            "type" => comp.attributes["type"],
-            "name" => get_element_text(comp, "name"),
-            "version" => get_element_text(comp, "version"),
-            "purl" => get_element_text(comp, "purl")
-          }
-
-          # Collect licenses
-          licenses = []
-          REXML::XPath.each(comp, "licenses/license") do |license|
-            license_id = get_element_text(license, "id")
-            licenses << {"license" => {"id" => license_id}} if license_id
+            (dep["dependsOn"] || []).each do |child_ref|
+              child = REXML::Element.new("dependency")
+              child.add_attribute("ref", child_ref)
+              dep_el.add_element(child)
+            end
           end
-
-          component["licenses"] = licenses unless licenses.empty?
-          sbom["components"] << component
         end
 
-        # Convert CycloneDX format to SPDX-like format for compatibility with Reporter
-        {
-          "packages" => sbom["components"].map do |comp|
-            license_string = if comp["licenses"]
-              comp["licenses"].map { |l| l["license"]["id"] }.join(", ")
-            else
-              "NOASSERTION"
-            end
-            {
-              "name" => comp["name"],
-              "versionInfo" => comp["version"],
-              "licenseDeclared" => license_string
-            }
-          end
-        }
+        format_xml(doc)
       end
 
-      def self.to_report_format(sbom)
+      def to_report_format
         {
-          "packages" => sbom["components"].map do |comp|
+          "packages" => @data["components"].map do |comp|
             license_string = if comp["licenses"]
-              comp["licenses"].map { |l| l["license"]["id"] }.join(", ")
+              comp["licenses"].map { |l| l["license"]["id"] || l["license"]["name"] }.join(", ")
             else
               "NOASSERTION"
             end
@@ -216,18 +256,27 @@ module Bundler
         }
       end
 
-      private
-
-      def self.add_element(parent, name, value)
-        element = REXML::Element.new(name)
-        element.text = value
-        parent.add_element(element)
+      def each_tool_component(&block)
+        tools = @data.dig("metadata", "tools")
+        case tools
+        when Hash
+          (tools["components"] || []).each(&block)
+        when Array
+          tools.each(&block)
+        end
       end
 
-      def self.get_element_text(element, xpath)
-        result = REXML::XPath.first(element, xpath)
-        result ? result.text : nil
+      def self.build_license_entry(license)
+        mapped = SPDX::DEPRECATED_LICENSE_MAP[license]
+        license = mapped if mapped
+
+        if SpdxLicenses.exist?(license)
+          {"license" => {"id" => license}}
+        else
+          {"license" => {"name" => license}}
+        end
       end
+      private_class_method :build_license_entry
     end
   end
 end

data/lib/bundler/sbom/generator.rb

@@ -1,6 +1,5 @@
 require "bundler"
-require "securerandom"
-require "json"
+require "set"
 require "rexml/document"
 require "bundler/sbom/spdx"
 require "bundler/sbom/cyclonedx"
@@ -10,7 +9,12 @@ module Bundler
     class GemfileLockNotFoundError < StandardError; end
 
     class Generator
-      def self.generate_sbom(format = "spdx", without_groups: [])
+      def initialize(format: "spdx", without_groups: [])
+        @format = format.to_s.downcase
+        @without_groups = without_groups
+      end
+
+      def generate
         lockfile_path = Bundler.default_lockfile
         if !lockfile_path || !lockfile_path.exist?
           Bundler.ui.error "No Gemfile.lock found. Run `bundle install` first."
@@ -20,22 +24,15 @@ module Bundler
         lockfile = Bundler::LockfileParser.new(lockfile_path.read)
         document_name = File.basename(Dir.pwd)
 
-        # Get gems to include based on groups
-        gems = get_gems_for_groups(lockfile, without_groups)
+        gems = get_gems_for_groups(lockfile)
+        gem_data = resolve_gem_data(gems)
+        direct_dependencies = lockfile.dependencies.keys
 
-        case format.to_s.downcase
+        case @format
         when "cyclonedx"
-          CycloneDX.generate(gems, document_name)
-        else # default to spdx
-          SPDX.generate(gems, document_name)
-        end
-      end
-
-      def self.convert_to_xml(sbom)
-        if sbom["bomFormat"] == "CycloneDX"
-          CycloneDX.to_xml(sbom)
+          CycloneDX.generate(gem_data, document_name, direct_dependencies: direct_dependencies)
         else
-          SPDX.to_xml(sbom)
+          SPDX.generate(gem_data, document_name)
         end
       end
 
@@ -43,34 +40,37 @@ module Bundler
         doc = REXML::Document.new(xml_content)
         root = doc.root
 
-        # Determine if it's CycloneDX or SPDX
         if root.name == "bom" && root.namespace.include?("cyclonedx.org")
           CycloneDX.parse_xml(doc)
         else
-          SPDX.parse_xml(doc)
+          raise ArgumentError, "Unsupported XML SBOM: only CycloneDX XML can be read"
+        end
+      end
+
+      def self.from_hash(hash)
+        if hash["bomFormat"] == "CycloneDX"
+          CycloneDX.new(hash)
+        else
+          SPDX.new(hash)
         end
       end
 
       private
 
-      def self.get_gems_for_groups(lockfile, without_groups)
-        # If no groups specified, use all specs
-        if without_groups.empty?
+      def get_gems_for_groups(lockfile)
+        if @without_groups.empty?
           return lockfile.specs
         end
 
-        # Try to get group information from Bundler.definition if available
         if defined?(Bundler::Definition) && Bundler.respond_to?(:definition)
           begin
             definition = Bundler.definition
             all_groups = definition.groups
-            include_groups = all_groups - without_groups
+            include_groups = all_groups - @without_groups
 
-            # Use specs_for to get all gems (including transitive dependencies) for included groups
             if definition.respond_to?(:specs_for)
               definition.specs_for(include_groups)
             else
-              # Fallback to old method if specs_for is not available
               included_gems = Set.new
               include_groups.each do |group|
                 definition.dependencies_for(group).each do |dep|
@@ -80,7 +80,6 @@ module Bundler
               lockfile.specs.select { |spec| included_gems.include?(spec.name) }
             end
           rescue => e
-            # Fallback to all specs if there's any issue with Bundler.definition
             Bundler.ui.warn("Warning: Could not determine group information: #{e.message}")
             lockfile.specs
           end
@@ -88,6 +87,26 @@ module Bundler
           lockfile.specs
         end
       end
+
+      def resolve_gem_data(gems)
+        seen = Set.new
+        gems.filter_map do |spec|
+          gem_key = "#{spec.name}:#{spec.version}"
+          next if seen.include?(gem_key)
+          seen.add(gem_key)
+          {
+            name: spec.name,
+            version: spec.version.to_s,
+            licenses: SpecLicenseFinder.find_licenses(spec),
+            dependencies: spec_dependency_names(spec)
+          }
+        end
+      end
+
+      def spec_dependency_names(spec)
+        return [] unless spec.respond_to?(:dependencies) && spec.dependencies
+        spec.dependencies.reject { |d| d.respond_to?(:type) && d.type == :development }.map(&:name)
+      end
     end
   end
 end

data/lib/bundler/sbom/reporter.rb

@@ -1,63 +1,55 @@
 module Bundler
   module Sbom
     class Reporter
-      def self.display_license_report(sbom)
-        # フォーマットに応じて適切な形式に変換
-        sbom = if sbom_format(sbom) == :cyclonedx
-          CycloneDX.to_report_format(sbom)
-        else
-          SPDX.to_report_format(sbom)
-        end
+      def initialize(sbom)
+        @sbom = sbom
+      end
 
-        display_report(sbom)
+      def display_license_report
+        report = @sbom.to_report_format
+        display_report(report)
       end
 
       private
 
-      def self.sbom_format(sbom)
-        return :cyclonedx if sbom["bomFormat"] == "CycloneDX"
-        :spdx
-      end
-
-      def self.display_report(sbom)
-        license_count = analyze_licenses(sbom)
+      def display_report(report)
+        license_count = analyze_licenses(report)
         sorted_licenses = license_count.sort_by { |_, count| -count }
 
-        puts "=== License Usage in SBOM ==="
-        puts "Total packages: #{sbom["packages"].size}"
-        puts
+        Bundler.ui.info "=== License Usage in SBOM ==="
+        Bundler.ui.info "Total packages: #{report["packages"].size}"
+        Bundler.ui.info ""
 
         sorted_licenses.each do |license, count|
-          puts "#{license}: #{count} package(s)"
+          Bundler.ui.info "#{license}: #{count} package(s)"
         end
 
-        puts "\n=== Packages by License ==="
+        Bundler.ui.info "\n=== Packages by License ==="
         sorted_licenses.each do |license, _|
-          packages = sbom["packages"].select do |package|
-            if package["licenseDeclared"].include?(",")
-              package["licenseDeclared"].split(",").map(&:strip).include?(license)
-            else
-              package["licenseDeclared"] == license
-            end
+          packages = report["packages"].select do |package|
+            split_licenses(package["licenseDeclared"]).include?(license)
           end
 
-          puts "\n#{license} (#{packages.size} package(s)):"
+          Bundler.ui.info "\n#{license} (#{packages.size} package(s)):"
           packages.each do |package|
-            puts "  - #{package["name"]} (#{package["versionInfo"]})"
+            Bundler.ui.info "  - #{package["name"]} (#{package["versionInfo"]})"
           end
         end
       end
 
-      def self.analyze_licenses(sbom)
+      def analyze_licenses(report)
         license_count = Hash.new(0)
-        sbom["packages"].each do |package|
-          licenses = package["licenseDeclared"].split(",").map(&:strip)
-          licenses.each do |license|
+        report["packages"].each do |package|
+          split_licenses(package["licenseDeclared"]).each do |license|
             license_count[license] += 1
           end
         end
         license_count
       end
+
+      def split_licenses(license_declared)
+        license_declared.split(/ AND |, /).map(&:strip)
+      end
     end
   end
 end

data/lib/bundler/sbom/sbom_document.rb

@@ -0,0 +1,45 @@
+require "rexml/document"
+
+module Bundler
+  module Sbom
+    module SbomDocument
+      def self.included(base)
+        base.attr_reader :data
+        base.extend(ClassMethods)
+      end
+
+      def initialize(data)
+        @data = data
+      end
+
+      def to_hash
+        @data
+      end
+
+      module ClassMethods
+        private
+
+        def get_element_text(element, xpath)
+          result = REXML::XPath.first(element, xpath)
+          result ? result.text : nil
+        end
+      end
+
+      private
+
+      def add_element(parent, name, value)
+        element = REXML::Element.new(name)
+        element.text = value
+        parent.add_element(element)
+      end
+
+      def format_xml(doc)
+        formatter = REXML::Formatters::Pretty.new(2)
+        formatter.compact = true
+        output = ""
+        formatter.write(doc, output)
+        output.sub(%r{<\?xml version='1\.0' encoding='UTF-8'\?>}, '<?xml version="1.0" encoding="UTF-8"?>')
+      end
+    end
+  end
+end

data/lib/bundler/sbom/spdx.rb

@@ -1,19 +1,21 @@
 require "bundler"
 require "securerandom"
-require "rexml/document"
+require "spdx-licenses"
+require "bundler/sbom/sbom_document"
 
 module Bundler
   module Sbom
     class SPDX
-      def self.generate(gems, document_name)
-        spdx_id = generate_spdx_id
+      include SbomDocument
+
+      def self.generate(gem_data, document_name)
+        spdx_id = SecureRandom.uuid
         sbom = {
           "SPDXID" => "SPDXRef-DOCUMENT",
           "spdxVersion" => "SPDX-2.3",
           "creationInfo" => {
             "created" => Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ"),
-            "creators" => ["Tool: bundle-sbom"],
-            "licenseListVersion" => "3.20"
+            "creators" => ["Tool: bundle-sbom"]
           },
           "name" => document_name,
           "dataLicense" => "CC0-1.0",
@@ -21,20 +23,24 @@ module Bundler
           "packages" => []
         }
 
-        # Deduplicate specs by name and version
-        seen_gems = Set.new
-        gems.each do |spec|
-          gem_key = "#{spec.name}:#{spec.version}"
-          next if seen_gems.include?(gem_key)
-          seen_gems.add(gem_key)
-          licenses = SpecLicenseFinder.find_licenses(spec)
-          license_string = licenses.empty? ? "NOASSERTION" : licenses.join(", ")
+        if (list_version = license_list_version)
+          sbom["creationInfo"]["licenseListVersion"] = list_version
+        end
+
+        package_ids = {}
+        gem_data.each do |gem|
+          package_ids[gem[:name]] = "SPDXRef-Package-#{gem[:name]}"
+        end
+
+        gem_data.each do |gem|
+          spdx_licenses = gem[:licenses].map { |l| normalize_license_id(l) }
+          license_string = spdx_licenses.empty? ? "NOASSERTION" : spdx_licenses.join(" AND ")
 
           package = {
-            "SPDXID" => "SPDXRef-Package-#{spec.name}",
-            "name" => spec.name,
-            "versionInfo" => spec.version.to_s,
-            "downloadLocation" => "NOASSERTION",
+            "SPDXID" => package_ids[gem[:name]],
+            "name" => gem[:name],
+            "versionInfo" => gem[:version],
+            "downloadLocation" => "https://rubygems.org/gems/#{gem[:name]}/versions/#{gem[:version]}",
             "filesAnalyzed" => false,
             "licenseConcluded" => license_string,
             "licenseDeclared" => license_string,
@@ -42,9 +48,9 @@ module Bundler
             "supplier" => "NOASSERTION",
             "externalRefs" => [
               {
-                "referenceCategory" => "PACKAGE_MANAGER",
+                "referenceCategory" => "PACKAGE-MANAGER",
                 "referenceType" => "purl",
-                "referenceLocator" => "pkg:gem/#{spec.name}@#{spec.version}"
+                "referenceLocator" => "pkg:gem/#{gem[:name]}@#{gem[:version]}"
               }
             ]
           }
@@ -52,139 +58,66 @@ module Bundler
         end
 
         sbom["documentDescribes"] = sbom["packages"].map { |p| p["SPDXID"] }
-        sbom
-      end
-
-      def self.to_xml(sbom)
-        doc = REXML::Document.new
-        doc << REXML::XMLDecl.new("1.0", "UTF-8")
-
-        # Root element
-        root = REXML::Element.new("SpdxDocument")
-        root.add_namespace("https://spdx.org/spdxdocs/")
-        doc.add_element(root)
-
-        # Document info
-        add_element(root, "SPDXID", sbom["SPDXID"])
-        add_element(root, "spdxVersion", sbom["spdxVersion"])
-        add_element(root, "name", sbom["name"])
-        add_element(root, "dataLicense", sbom["dataLicense"])
-        add_element(root, "documentNamespace", sbom["documentNamespace"])
-
-        # Creation info
-        creation_info = REXML::Element.new("creationInfo")
-        root.add_element(creation_info)
-        add_element(creation_info, "created", sbom["creationInfo"]["created"])
-        add_element(creation_info, "licenseListVersion", sbom["creationInfo"]["licenseListVersion"])
-
-        sbom["creationInfo"]["creators"].each do |creator|
-          add_element(creation_info, "creator", creator)
-        end
 
-        # Describes
-        sbom["documentDescribes"].each do |describes|
-          add_element(root, "documentDescribes", describes)
+        sbom["relationships"] = sbom["packages"].map do |p|
+          {
+            "spdxElementId" => "SPDXRef-DOCUMENT",
+            "relatedSpdxElement" => p["SPDXID"],
+            "relationshipType" => "DESCRIBES"
+          }
         end
 
-        # Packages
-        sbom["packages"].each do |pkg|
-          package = REXML::Element.new("package")
-          root.add_element(package)
-
-          add_element(package, "SPDXID", pkg["SPDXID"])
-          add_element(package, "name", pkg["name"])
-          add_element(package, "versionInfo", pkg["versionInfo"])
-          add_element(package, "downloadLocation", pkg["downloadLocation"])
-          add_element(package, "filesAnalyzed", pkg["filesAnalyzed"].to_s)
-          add_element(package, "licenseConcluded", pkg["licenseConcluded"])
-          add_element(package, "licenseDeclared", pkg["licenseDeclared"])
-          add_element(package, "copyrightText", pkg["copyrightText"])
-          add_element(package, "supplier", pkg["supplier"])
-
-          # External references
-          if pkg["externalRefs"]
-            pkg["externalRefs"].each do |ref|
-              ext_ref = REXML::Element.new("externalRef")
-              package.add_element(ext_ref)
-
-              add_element(ext_ref, "referenceCategory", ref["referenceCategory"])
-              add_element(ext_ref, "referenceType", ref["referenceType"])
-              add_element(ext_ref, "referenceLocator", ref["referenceLocator"])
-            end
+        gem_data.each do |gem|
+          (gem[:dependencies] || []).each do |dep_name|
+            dep_id = package_ids[dep_name]
+            next unless dep_id
+            sbom["relationships"] << {
+              "spdxElementId" => package_ids[gem[:name]],
+              "relatedSpdxElement" => dep_id,
+              "relationshipType" => "DEPENDS_ON"
+            }
           end
         end
 
-        formatter = REXML::Formatters::Pretty.new(2)
-        formatter.compact = true
-        output = ""
-        formatter.write(doc, output)
-        output.sub(%r{<\?xml version='1\.0' encoding='UTF-8'\?>}, '<?xml version="1.0" encoding="UTF-8"?>')
+        new(sbom)
       end
 
-      def self.parse_xml(doc)
-        root = doc.root
-
-        sbom = {
-          "SPDXID" => get_element_text(root, "SPDXID"),
-          "spdxVersion" => get_element_text(root, "spdxVersion"),
-          "name" => get_element_text(root, "name"),
-          "dataLicense" => get_element_text(root, "dataLicense"),
-          "documentNamespace" => get_element_text(root, "documentNamespace"),
-          "creationInfo" => {
-            "created" => get_element_text(root, "creationInfo/created"),
-            "licenseListVersion" => get_element_text(root, "creationInfo/licenseListVersion"),
-            "creators" => []
-          },
-          "packages" => [],
-          "documentDescribes" => []
-        }
-
-        # Collect creators
-        REXML::XPath.each(root, "creationInfo/creator") do |creator|
-          sbom["creationInfo"]["creators"] << creator.text
+      DEPRECATED_LICENSE_MAP = {
+        "AGPL-3.0" => "AGPL-3.0-only",
+        "GPL-2.0" => "GPL-2.0-only",
+        "GPL-3.0" => "GPL-3.0-only",
+        "LGPL-2.1" => "LGPL-2.1-only",
+        "LGPL-3.0" => "LGPL-3.0-only",
+      }.freeze
+
+      def self.normalize_license_id(license_id)
+        if mapped = DEPRECATED_LICENSE_MAP[license_id]
+          return mapped
         end
 
-        # Collect documentDescribes
-        REXML::XPath.each(root, "documentDescribes") do |describes|
-          sbom["documentDescribes"] << describes.text
-        end
-
-        # Collect packages
-        REXML::XPath.each(root, "package") do |pkg_element|
-          package = {
-            "SPDXID" => get_element_text(pkg_element, "SPDXID"),
-            "name" => get_element_text(pkg_element, "name"),
-            "versionInfo" => get_element_text(pkg_element, "versionInfo"),
-            "downloadLocation" => get_element_text(pkg_element, "downloadLocation"),
-            "filesAnalyzed" => get_element_text(pkg_element, "filesAnalyzed") == "true",
-            "licenseConcluded" => get_element_text(pkg_element, "licenseConcluded"),
-            "licenseDeclared" => get_element_text(pkg_element, "licenseDeclared"),
-            "copyrightText" => get_element_text(pkg_element, "copyrightText"),
-            "supplier" => get_element_text(pkg_element, "supplier"),
-            "externalRefs" => []
-          }
+        return license_id if SpdxLicenses.exist?(license_id)
 
-          # Collect external references
-          REXML::XPath.each(pkg_element, "externalRef") do |ref_element|
-            ref = {
-              "referenceCategory" => get_element_text(ref_element, "referenceCategory"),
-              "referenceType" => get_element_text(ref_element, "referenceType"),
-              "referenceLocator" => get_element_text(ref_element, "referenceLocator")
-            }
-            package["externalRefs"] << ref
-          end
-
-          sbom["packages"] << package
+        if license_id.start_with?("LicenseRef-")
+          license_id
+        else
+          "LicenseRef-#{license_id}"
         end
-
-        sbom
       end
+      private_class_method :normalize_license_id
+
+      def self.license_list_version
+        return @license_list_version if defined?(@license_list_version)
+        gem_spec = Gem.loaded_specs["spdx-licenses"]
+        path = File.join(gem_spec.full_gem_path, "licenses.json")
+        @license_list_version = JSON.parse(File.read(path))["licenseListVersion"]
+      rescue StandardError
+        @license_list_version = nil
+      end
+      private_class_method :license_list_version
 
-      def self.to_report_format(sbom)
-        # SPDXフォーマットは既にレポート形式と互換性があるため、
-        # packagesセクションだけを抽出して返す
+      def to_report_format
         {
-          "packages" => sbom["packages"].map do |pkg|
+          "packages" => @data["packages"].map do |pkg|
             {
               "name" => pkg["name"],
               "versionInfo" => pkg["versionInfo"],
@@ -193,21 +126,6 @@ module Bundler
           end
         }
       end
-
-      def self.generate_spdx_id
-        SecureRandom.uuid
-      end
-
-      def self.add_element(parent, name, value)
-        element = REXML::Element.new(name)
-        element.text = value
-        parent.add_element(element)
-      end
-
-      def self.get_element_text(element, xpath)
-        result = REXML::XPath.first(element, xpath)
-        result ? result.text : nil
-      end
     end
   end
 end

data/lib/bundler/sbom/spec_license_finder.rb

@@ -2,24 +2,30 @@ module Bundler
   module Sbom
     module SpecLicenseFinder
       def self.find_licenses(spec)
-        gemspec = spec.__materialize__ if spec.respond_to?(:__materialize__)
+        gemspec = begin
+          mat = spec.materialize_for_installation if spec.respond_to?(:materialize_for_installation)
+          mat if mat.respond_to?(:licenses)
+        rescue Bundler::GemspecError
+          nil
+        end
+
+        begin
+          gemspec ||= spec.__materialize__ if spec.respond_to?(:__materialize__)
+        rescue Bundler::GemspecError
+          # ignore
+        end
+
         begin
           gemspec ||= Gem::Specification.find_by_name(spec.name, spec.version)
         rescue Gem::LoadError
-          # ignore
+          Bundler.ui.warn("Warning: Could not find license information for #{spec.name} (#{spec.version})")
         end
 
-        licenses = []
-        if gemspec
-          if gemspec.respond_to?(:license) && gemspec.license && !gemspec.license.empty?
-            licenses << gemspec.license
-          end
-          if gemspec.respond_to?(:licenses) && gemspec.licenses && !gemspec.licenses.empty?
-            licenses.concat(gemspec.licenses)
-          end
-          licenses.uniq!
+        if gemspec && gemspec.respond_to?(:licenses) && gemspec.licenses && !gemspec.licenses.empty?
+          gemspec.licenses
+        else
+          []
         end
-        licenses
       end
     end
   end

data/lib/bundler/sbom/version.rb

@@ -1,5 +1,5 @@
 module Bundler
   module Sbom
-    VERSION = "0.3.1"
+    VERSION = "0.4.0"
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler-sbom
 version: !ruby/object:Gem::Version
-  version: 0.3.1
+  version: 0.4.0
 platform: ruby
 authors:
 - SHIBATA Hiroshi
@@ -37,7 +37,21 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: Generate SPDX SBOM(Software Bill of Materials) files with Bundler
+- !ruby/object:Gem::Dependency
+  name: spdx-licenses
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Generate SBOM(Software Bill of Materials) files with Bundler
 email:
 - hsbt@ruby-lang.org
 executables: []
@@ -53,6 +67,7 @@ files:
 - lib/bundler/sbom/cyclonedx.rb
 - lib/bundler/sbom/generator.rb
 - lib/bundler/sbom/reporter.rb
+- lib/bundler/sbom/sbom_document.rb
 - lib/bundler/sbom/spdx.rb
 - lib/bundler/sbom/spec_license_finder.rb
 - lib/bundler/sbom/version.rb
@@ -63,7 +78,7 @@ licenses:
 metadata:
   homepage_uri: https://github.com/hsbt/bundler-sbom
   source_code_uri: https://github.com/hsbt/bundler-sbom
-  changelog_uri: https://github.com/hsbt/bundler-sbom/blob/main/CHANGELOG.md
+  changelog_uri: https://github.com/hsbt/bundler-sbom/releases
   bug_tracker_uri: https://github.com/hsbt/bundler-sbom/issues
 rdoc_options: []
 require_paths:
@@ -79,7 +94,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 4.0.10
 specification_version: 4
-summary: Generate SPDX SBOM(Software Bill of Materials) files with Bundler
+summary: Generate SBOM(Software Bill of Materials) files with Bundler
 test_files: []