bundler-sbom 0.1.7 → 0.1.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d5d7fea7d39796fd36fec03e1e5b13695fdccb0cfc6926cfb5a8631d86f94f09
-  data.tar.gz: fe3abc900c32f11af2b0c1f432c9b376042b48a9d8e69c293ccc76b7383a97b0
+  metadata.gz: 590a4da5b45a12b7d7946aa14626eae531db3220a2441047895db77c078ccf4b
+  data.tar.gz: 525d811c49ee31132eafbccc53e96d7fc4b39e92cd1dac8c704da334120584d4
 SHA512:
-  metadata.gz: 8b79df0b6ab84ce586694fffcf9b9a25e4de2586f85b0430be60f93404df699675e5890936a4ea963f528ed7526b6ffb9e9afe591ee8c8b327952981457654a0
-  data.tar.gz: dec35c52cf5cd36d1b0692a3eb6bb73431f2e07836226af366fd7a8d0c58c964c9577545bf10c01e5178333acbf75a299a63f205bbc3496c557835af5473496b
+  metadata.gz: a4bc5d533a846c9c0786f5fcc17d9ca6f85fe6bbd72719ff016caeebedd2a6e6b68fef6d86c59fced37a5a96a1c601eb5f6fbda00554a67b3e2cb287b1c95a37
+  data.tar.gz: b7e135ea95bbdc7cb93b90864f7f0daf75cda5640f6be982813f6d156d7942bfb4d6c8da8df7f688fb1399afdf9d30d428e75bb4dfcccb4db0ff6fe905d44b9c

data/Gemfile

@@ -9,4 +9,4 @@ group :development do
   gem "simplecov", require: false
   gem "rspec-its"
   gem "rspec-mocks"
-end
+end

data/README.md

@@ -14,24 +14,62 @@ $ bundler plugin install bundler-sbom
 
 ### Generate SBOM
 
-To generate an SBOM file in SPDX format from your project's Gemfile.lock:
+To generate an SBOM file from your project's Gemfile.lock:
 
 ```
-$ bundle sbom dump
+$ bundle sbom dump [options]
 ```
 
-This will create a `bom.json` file in your project directory.
+Available options:
+- `-f, --format FORMAT`: Output format (json or xml, default: json)
+- `-s, --sbom FORMAT`: SBOM specification format (spdx or cyclonedx, default: spdx)
+
+Generated files will be named according to the following pattern:
+- SPDX format: `bom.json` or `bom.xml`
+- CycloneDX format: `bom-cyclonedx.json` or `bom-cyclonedx.xml`
+
+Examples:
+```
+$ bundle sbom dump                           # Generates SPDX format in JSON (bom.json)
+$ bundle sbom dump -f xml                    # Generates SPDX format in XML (bom.xml)
+$ bundle sbom dump -s cyclonedx             # Generates CycloneDX format in JSON (bom-cyclonedx.json)
+$ bundle sbom dump -s cyclonedx -f xml      # Generates CycloneDX format in XML (bom-cyclonedx.xml)
+```
 
 ### Analyze License Information
 
 To view a summary of licenses used in your project's dependencies:
 
 ```
-$ bundle sbom license
+$ bundle sbom license [options]
 ```
 
+Available options:
+- `-f, --file PATH`: Input SBOM file path
+- `-F, --format FORMAT`: Input format (json or xml)
+
+If no options are specified, the command will automatically look for SBOM files in the following order:
+1. `bom.xml` (if format is xml)
+2. `bom-cyclonedx.json`
+3. `bom-cyclonedx.xml`
+4. `bom.json`
+
 This command will show:
 - A count of packages using each license
 - A detailed list of packages grouped by license
 
-Note: The `license` command requires that you've already generated the SBOM using `bundle sbom dump`.
+Note: The `license` command requires that you've already generated the SBOM using `bundle sbom dump`.
+
+## Supported SBOM Formats
+
+### SPDX
+[SPDX (Software Package Data Exchange)](https://spdx.dev/) is a standard format for communicating software bill of material information, including components, licenses, copyrights, and security references.
+
+### CycloneDX
+[CycloneDX](https://cyclonedx.org/) is a lightweight SBOM specification designed for use in application security contexts and supply chain component analysis.
+
+## References
+
+- [SPDX Specification](https://spdx.github.io/spdx-spec/)
+- [CycloneDX Specification](https://cyclonedx.org/specification/overview/)
+- [About Software Bill of Materials (SBOM)](https://www.cisa.gov/sbom)

data/Rakefile

@@ -3,4 +3,4 @@ require "rspec/core/rake_task"
 
 RSpec::Core::RakeTask.new(:spec)
 
-task :default => :spec
+task default: :spec

data/lib/bundler/sbom/cli.rb

@@ -26,24 +26,24 @@ module Bundler
 
         # Generate SBOM based on specified format
         sbom = Bundler::Sbom::Generator.generate_sbom(sbom_format)
-        
+
         # Determine file extension based on output format
         ext = format == "json" ? "json" : "xml"
-        
+
         # Determine filename prefix based on SBOM format
         prefix = sbom_format == "spdx" ? "bom" : "bom-cyclonedx"
         output_file = "#{prefix}.#{ext}"
-        
+
         if format == "json"
           File.write(output_file, JSON.pretty_generate(sbom))
         else # xml
           xml_content = Bundler::Sbom::Generator.convert_to_xml(sbom)
           File.write(output_file, xml_content)
         end
-        
+
         Bundler.ui.info("Generated #{sbom_format.upcase} SBOM at #{output_file}")
       end
-      
+
       desc "license", "Display license report from SBOM file"
       method_option :file, type: :string, desc: "Input SBOM file path", aliases: "-f"
       method_option :format, type: :string, desc: "Input format: json or xml", aliases: "-F"
@@ -79,13 +79,13 @@ module Bundler
 
         begin
           content = File.read(input_file)
-          
+
           sbom = if format == "xml" || (!format && File.extname(input_file) == ".xml")
             Bundler::Sbom::Generator.parse_xml(content)
           else
             JSON.parse(content)
           end
-          
+
           Bundler::Sbom::Reporter.display_license_report(sbom)
         rescue JSON::ParserError
           Bundler.ui.error("Error: #{input_file} is not a valid JSON file")
@@ -102,4 +102,4 @@ module Bundler
       end
     end
   end
-end
+end

data/lib/bundler/sbom/cyclonedx.rb

@@ -68,7 +68,7 @@ module Bundler
       def self.to_xml(sbom)
         doc = REXML::Document.new
         doc << REXML::XMLDecl.new("1.0", "UTF-8")
-        
+
         # Root element
         root = REXML::Element.new("bom")
         root.add_namespace("http://cyclonedx.org/schema/bom/1.4")
@@ -77,63 +77,63 @@ module Bundler
           "version" => sbom["version"].to_s,
         })
         doc.add_element(root)
-        
+
         # Metadata
         metadata = REXML::Element.new("metadata")
         root.add_element(metadata)
-        
+
         add_element(metadata, "timestamp", sbom["metadata"]["timestamp"])
-        
+
         # Tools
         tools = REXML::Element.new("tools")
         metadata.add_element(tools)
-        
+
         sbom["metadata"]["tools"].each do |tool_data|
           tool = REXML::Element.new("tool")
           tools.add_element(tool)
-          
+
           add_element(tool, "vendor", tool_data["vendor"])
           add_element(tool, "name", tool_data["name"])
           add_element(tool, "version", tool_data["version"].to_s)
         end
-        
+
         # Component (root project)
         component = REXML::Element.new("component")
         component.add_attribute("type", sbom["metadata"]["component"]["type"])
         metadata.add_element(component)
-        
+
         add_element(component, "name", sbom["metadata"]["component"]["name"])
         add_element(component, "version", sbom["metadata"]["component"]["version"])
-        
+
         # Components
         components = REXML::Element.new("components")
         root.add_element(components)
-        
+
         sbom["components"].each do |comp_data|
           comp = REXML::Element.new("component")
           comp.add_attribute("type", comp_data["type"])
           components.add_element(comp)
-          
+
           add_element(comp, "name", comp_data["name"])
           add_element(comp, "version", comp_data["version"])
           add_element(comp, "purl", comp_data["purl"])
-          
+
           # Licenses
           if comp_data["licenses"] && !comp_data["licenses"].empty?
             licenses = REXML::Element.new("licenses")
             comp.add_element(licenses)
-            
+
             comp_data["licenses"].each do |license_data|
               license = REXML::Element.new("license")
               licenses.add_element(license)
-              
+
               if license_data["license"]["id"]
                 add_element(license, "id", license_data["license"]["id"])
               end
             end
           end
         end
-        
+
         formatter = REXML::Formatters::Pretty.new(2)
         formatter.compact = true
         output = ""
@@ -143,7 +143,7 @@ module Bundler
 
       def self.parse_xml(doc)
         root = doc.root
-        
+
         sbom = {
           "bomFormat" => "CycloneDX",
           "specVersion" => "1.4",
@@ -160,7 +160,7 @@ module Bundler
           },
           "components" => []
         }
-        
+
         # Collect tools
         REXML::XPath.each(root, "metadata/tools/tool") do |tool|
           tool_data = {
@@ -170,7 +170,7 @@ module Bundler
           }
           sbom["metadata"]["tools"] << tool_data
         end
-        
+
         # Collect components
         REXML::XPath.each(root, "components/component") do |comp|
           component = {
@@ -179,14 +179,14 @@ module Bundler
             "version" => get_element_text(comp, "version"),
             "purl" => get_element_text(comp, "purl")
           }
-          
+
           # Collect licenses
           licenses = []
           REXML::XPath.each(comp, "licenses/license") do |license|
             license_id = get_element_text(license, "id")
             licenses << { "license" => { "id" => license_id } } if license_id
           end
-          
+
           component["licenses"] = licenses unless licenses.empty?
           sbom["components"] << component
         end
@@ -195,10 +195,10 @@ module Bundler
         converted_sbom = {
           "packages" => sbom["components"].map do |comp|
             license_string = if comp["licenses"]
-                              comp["licenses"].map { |l| l["license"]["id"] }.join(", ")
+              comp["licenses"].map { |l| l["license"]["id"] }.join(", ")
                             else
                               "NOASSERTION"
-                            end
+            end
             {
               "name" => comp["name"],
               "versionInfo" => comp["version"],
@@ -206,7 +206,7 @@ module Bundler
             }
           end
         }
-        
+
         converted_sbom
       end
 
@@ -214,10 +214,10 @@ module Bundler
         {
           "packages" => sbom["components"].map do |comp|
             license_string = if comp["licenses"]
-                             comp["licenses"].map { |l| l["license"]["id"] }.join(", ")
+              comp["licenses"].map { |l| l["license"]["id"] }.join(", ")
                            else
                              "NOASSERTION"
-                           end
+            end
             {
               "name" => comp["name"],
               "versionInfo" => comp["version"],
@@ -228,17 +228,17 @@ module Bundler
       end
 
       private
-      
+
       def self.add_element(parent, name, value)
         element = REXML::Element.new(name)
         element.text = value
         parent.add_element(element)
       end
-      
+
       def self.get_element_text(element, xpath)
         result = REXML::XPath.first(element, xpath)
         result ? result.text : nil
       end
     end
   end
-end
+end

data/lib/bundler/sbom/generator.rb

@@ -39,7 +39,7 @@ module Bundler
       def self.parse_xml(xml_content)
         doc = REXML::Document.new(xml_content)
         root = doc.root
-        
+
         # Determine if it's CycloneDX or SPDX
         if root.name == "bom" && root.namespace.include?("cyclonedx.org")
           CycloneDX.parse_xml(doc)
@@ -49,4 +49,4 @@ module Bundler
       end
     end
   end
-end
+end

data/lib/bundler/sbom/reporter.rb

@@ -8,7 +8,7 @@ module Bundler
         else
           SPDX.to_report_format(sbom)
         end
-        
+
         display_report(sbom)
       end
 
@@ -60,4 +60,4 @@ module Bundler
       end
     end
   end
-end
+end

data/lib/bundler/sbom/spdx.rb

@@ -6,7 +6,7 @@ module Bundler
   module Sbom
     class SPDX
       def self.generate(lockfile, document_name)
-        spdx_id = SecureRandom.uuid
+        spdx_id = generate_spdx_id
         sbom = {
           "SPDXID" => "SPDXRef-DOCUMENT",
           "spdxVersion" => "SPDX-2.3",
@@ -67,39 +67,39 @@ module Bundler
       def self.to_xml(sbom)
         doc = REXML::Document.new
         doc << REXML::XMLDecl.new("1.0", "UTF-8")
-        
+
         # Root element
         root = REXML::Element.new("SpdxDocument")
         root.add_namespace("https://spdx.org/spdxdocs/")
         doc.add_element(root)
-        
+
         # Document info
         add_element(root, "SPDXID", sbom["SPDXID"])
         add_element(root, "spdxVersion", sbom["spdxVersion"])
         add_element(root, "name", sbom["name"])
         add_element(root, "dataLicense", sbom["dataLicense"])
         add_element(root, "documentNamespace", sbom["documentNamespace"])
-        
+
         # Creation info
         creation_info = REXML::Element.new("creationInfo")
         root.add_element(creation_info)
         add_element(creation_info, "created", sbom["creationInfo"]["created"])
         add_element(creation_info, "licenseListVersion", sbom["creationInfo"]["licenseListVersion"])
-        
+
         sbom["creationInfo"]["creators"].each do |creator|
           add_element(creation_info, "creator", creator)
         end
-        
+
         # Describes
         sbom["documentDescribes"].each do |describes|
           add_element(root, "documentDescribes", describes)
         end
-        
+
         # Packages
         sbom["packages"].each do |pkg|
           package = REXML::Element.new("package")
           root.add_element(package)
-          
+
           add_element(package, "SPDXID", pkg["SPDXID"])
           add_element(package, "name", pkg["name"])
           add_element(package, "versionInfo", pkg["versionInfo"])
@@ -109,20 +109,20 @@ module Bundler
           add_element(package, "licenseDeclared", pkg["licenseDeclared"])
           add_element(package, "copyrightText", pkg["copyrightText"])
           add_element(package, "supplier", pkg["supplier"])
-          
+
           # External references
           if pkg["externalRefs"]
             pkg["externalRefs"].each do |ref|
               ext_ref = REXML::Element.new("externalRef")
               package.add_element(ext_ref)
-              
+
               add_element(ext_ref, "referenceCategory", ref["referenceCategory"])
               add_element(ext_ref, "referenceType", ref["referenceType"])
               add_element(ext_ref, "referenceLocator", ref["referenceLocator"])
             end
           end
         end
-        
+
         formatter = REXML::Formatters::Pretty.new(2)
         formatter.compact = true
         output = ""
@@ -132,7 +132,7 @@ module Bundler
 
       def self.parse_xml(doc)
         root = doc.root
-        
+
         sbom = {
           "SPDXID" => get_element_text(root, "SPDXID"),
           "spdxVersion" => get_element_text(root, "spdxVersion"),
@@ -147,17 +147,17 @@ module Bundler
           "packages" => [],
           "documentDescribes" => []
         }
-        
+
         # Collect creators
         REXML::XPath.each(root, "creationInfo/creator") do |creator|
           sbom["creationInfo"]["creators"] << creator.text
         end
-        
+
         # Collect documentDescribes
         REXML::XPath.each(root, "documentDescribes") do |describes|
           sbom["documentDescribes"] << describes.text
         end
-        
+
         # Collect packages
         REXML::XPath.each(root, "package") do |pkg_element|
           package = {
@@ -172,7 +172,7 @@ module Bundler
             "supplier" => get_element_text(pkg_element, "supplier"),
             "externalRefs" => []
           }
-          
+
           # Collect external references
           REXML::XPath.each(pkg_element, "externalRef") do |ref_element|
             ref = {
@@ -182,10 +182,10 @@ module Bundler
             }
             package["externalRefs"] << ref
           end
-          
+
           sbom["packages"] << package
         end
-        
+
         sbom
       end
 
@@ -203,18 +203,20 @@ module Bundler
         }
       end
 
-      private
-      
+      def self.generate_spdx_id
+        SecureRandom.uuid
+      end
+
       def self.add_element(parent, name, value)
         element = REXML::Element.new(name)
         element.text = value
         parent.add_element(element)
       end
-      
+
       def self.get_element_text(element, xpath)
         result = REXML::XPath.first(element, xpath)
         result ? result.text : nil
       end
     end
   end
-end
+end

data/lib/bundler/sbom/version.rb

@@ -1,5 +1,5 @@
 module Bundler
   module Sbom
-    VERSION = "0.1.7"
+    VERSION = "0.1.8"
   end
 end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: bundler-sbom
 version: !ruby/object:Gem::Version
-  version: 0.1.7
+  version: 0.1.8
 platform: ruby
 authors:
 - SHIBATA Hiroshi
 bindir: exe
 cert_chain: []
-date: 2025-03-06 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -78,7 +78,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.6.2
+rubygems_version: 3.6.9
 specification_version: 4
 summary: Generate SPDX SBOM(Software Bill of Materials) files with Bundler
 test_files: []