sbom 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: e5779ca3a21e46aa2032845504cda20229928dad1570d5de2a055ffe2a2dae8d
+  data.tar.gz: d57cc2a38620373ca402ca34322e0cfcb4d30bfa88b8a6791868c92f87b2393d
+SHA512:
+  metadata.gz: 221caf4d995e38991fd6c720b00e662fe90ae7709b7032a35d6592848ce669e5245591ca66866b66b29b68326d78afc213ce5292815b4e0f18cce51dcbcf651d
+  data.tar.gz: 1a4e9340fda31c7fff6dddbfc12b912220a7aee701c4e3df860c41c00e26c6c5a7999727017bb7af201a09d5e505b8fd24a67d5188eef0b3450b1efdfbfc50e7

data/.gitmodules

@@ -0,0 +1,7 @@
+[submodule "spec/cyclonedx"]
+	path = spec/cyclonedx
+	url = https://github.com/CycloneDX/specification
+[submodule "spec/spdx"]
+	path = spec/spdx
+	url = https://github.com/spdx/spdx-spec
+	branch = support/2.3.1

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2025-12-14
+
+- Initial release

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,10 @@
+# Code of Conduct
+
+"sbom" follows [The Ruby Community Conduct Guideline](https://www.ruby-lang.org/en/conduct) in all "collaborative space", which is defined as community communications channels (such as mailing lists, submitted patches, commit comments, etc.):
+
+* Participants will be tolerant of opposing views.
+* Participants must ensure that their language and actions are free of personal attacks and disparaging personal remarks.
+* When interpreting the words and actions of others, participants should always assume good intentions.
+* Behaviour which can be reasonably considered harassment will not be tolerated.
+
+If you have any concerns about behaviour within this project, please contact us at ["andrewnez@gmail.com"](mailto:"andrewnez@gmail.com").

data/README.md

@@ -0,0 +1,153 @@
+# SBOM
+
+A Ruby library for parsing, generating, and validating Software Bill of Materials in SPDX and CycloneDX formats.
+
+## Installation
+
+Add to your Gemfile:
+
+```ruby
+gem 'sbom'
+```
+
+Or install directly:
+
+```bash
+gem install sbom
+```
+
+## Usage
+
+### Parsing SBOMs
+
+```ruby
+require 'sbom'
+
+# Parse from file (auto-detects format)
+sbom = Sbom.parse_file("example.spdx.json")
+
+# Parse from string
+sbom = Sbom.parse_string(content, sbom_type: :cyclonedx)
+
+# Parsed data is returned as hashes
+sbom.packages.each do |pkg|
+  puts "#{pkg[:name]} @ #{pkg[:version]}"
+  puts "  License: #{pkg[:license_concluded]}"
+end
+
+sbom.relationships.each do |rel|
+  puts "#{rel[:source_id]} --[#{rel[:type]}]--> #{rel[:target_id]}"
+end
+```
+
+### Generating SBOMs
+
+```ruby
+# Generate SPDX JSON
+generator = Sbom::Generator.new(sbom_type: :spdx, format: :json)
+generator.generate("MyProject", { packages: packages_data })
+puts generator.output
+
+# Generate CycloneDX
+generator = Sbom::Generator.new(sbom_type: :cyclonedx)
+generator.generate("MyProject", sbom_data)
+File.write("sbom.cdx.json", generator.output)
+```
+
+### Validating SBOMs
+
+```ruby
+result = Sbom.validate_file("example.cdx.json")
+
+if result.valid?
+  puts "#{result.format}: version #{result.version}"
+else
+  puts "Invalid: #{result.errors.join(', ')}"
+end
+
+# Or raise on invalid
+Sbom::Validator.validate_file!("example.cdx.json")
+```
+
+### Building Packages
+
+The Package class provides an object interface for building package data:
+
+```ruby
+package = Sbom::Data::Package.new
+package.name = "rails"
+package.version = "7.0.0"
+package.license_concluded = "MIT"
+package.add_checksum("SHA256", "abc123...")
+
+# Generate a PURL
+package.generate_purl(type: "gem")
+# => "pkg:gem/rails@7.0.0"
+
+# Or set an existing PURL
+package.purl = "pkg:npm/%40angular/core@16.0.0"
+
+# Access parsed PURL components
+package.purl_type      # => "npm"
+package.purl_namespace # => "@angular"
+package.purl_name      # => "core"
+package.purl_version   # => "16.0.0"
+
+# Convert to hash for generation
+package.to_h
+```
+
+## CLI
+
+```bash
+# Parse and display SBOM
+sbom parse example.spdx.json
+sbom parse example.cdx.json --format json
+
+# Validate SBOM against schema
+sbom validate example.spdx.json
+
+# Convert between formats
+sbom convert example.spdx.json --type cyclonedx --output example.cdx.json
+
+# Generate new SBOM
+sbom generate --name MyProject --type spdx --format json
+
+# Document commands
+sbom document outline example.cdx.json
+sbom document info example.spdx.json
+sbom document query example.cdx.json --package rails
+sbom document query example.cdx.json --license MIT
+```
+
+## Supported Formats
+
+**SPDX** (versions 2.2, 2.3):
+- Tag-Value (.spdx)
+- JSON (.spdx.json)
+- YAML (.spdx.yaml, .spdx.yml)
+- XML (.spdx.xml)
+- RDF (.spdx.rdf)
+
+**CycloneDX** (versions 1.4, 1.5, 1.6, 1.7):
+- JSON (.cdx.json, .bom.json)
+- XML (.cdx.xml, .bom.xml)
+
+## Related Libraries
+
+- [purl](https://github.com/andrew/purl) - Package URL (PURL) parsing and generation
+- [vers](https://github.com/andrew/vers) - Version range parsing and matching
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then run `rake test` to run the tests.
+
+The project uses git submodules for the official SPDX and CycloneDX specifications:
+
+```bash
+git submodule update --init --recursive
+```
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/andrew/sbom.

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "minitest/test_task"
+
+Minitest::TestTask.create
+
+task default: :test

data/exe/sbom

@@ -0,0 +1,346 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "optparse"
+require "sbom"
+
+module Sbom
+  class CLI
+    def initialize(args)
+      @args = args
+      @options = {}
+    end
+
+    def run
+      return show_help if @args.empty?
+
+      command = @args.shift
+
+      case command
+      when "parse"
+        parse_command
+      when "generate"
+        generate_command
+      when "validate"
+        validate_command
+      when "convert"
+        convert_command
+      when "document"
+        document_command
+      when "version", "-v", "--version"
+        puts "sbom #{Sbom::VERSION}"
+      when "help", "-h", "--help"
+        show_help
+      else
+        warn "Unknown command: #{command}"
+        show_help
+        exit 1
+      end
+    end
+
+    private
+
+    def parse_command
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: sbom parse <file> [options]"
+        opts.on("-t", "--type TYPE", "SBOM type (spdx, cyclonedx, auto)") { |v| @options[:type] = v.to_sym }
+        opts.on("-f", "--format FORMAT", "Output format (json, yaml, summary)") { |v| @options[:format] = v }
+        opts.on("-h", "--help", "Show help") { puts opts; exit }
+      end
+      parser.parse!(@args)
+
+      file = @args.shift
+      abort "Error: No file specified" unless file
+
+      sbom_type = @options[:type] || :auto
+      sbom = Sbom::Parser.parse_file(file, sbom_type: sbom_type)
+
+      format = @options[:format] || "summary"
+
+      case format
+      when "json"
+        puts JSON.pretty_generate(sbom.to_h)
+      when "yaml"
+        puts sbom.to_h.to_yaml
+      else
+        print_summary(sbom)
+      end
+    rescue Sbom::ParserError => e
+      abort "Parse error: #{e.message}"
+    end
+
+    def generate_command
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: sbom generate [options]"
+        opts.on("-n", "--name NAME", "Project name") { |v| @options[:name] = v }
+        opts.on("-t", "--type TYPE", "SBOM type (spdx, cyclonedx)") { |v| @options[:type] = v.to_sym }
+        opts.on("-f", "--format FORMAT", "Output format (tag, json, yaml)") { |v| @options[:format] = v.to_sym }
+        opts.on("-o", "--output FILE", "Output file") { |v| @options[:output] = v }
+        opts.on("-h", "--help", "Show help") { puts opts; exit }
+      end
+      parser.parse!(@args)
+
+      name = @options[:name] || "SBOM"
+      sbom_type = @options[:type] || :spdx
+      format = @options[:format] || :json
+
+      generator = Sbom::Generator.new(sbom_type: sbom_type, format: format)
+
+      sbom_data = { packages: {} }
+      generator.generate(name, sbom_data)
+
+      output = generator.output
+
+      if @options[:output]
+        File.write(@options[:output], output)
+        puts "SBOM written to #{@options[:output]}"
+      else
+        puts output
+      end
+    end
+
+    def validate_command
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: sbom validate <file> [options]"
+        opts.on("-t", "--type TYPE", "SBOM type (spdx, cyclonedx, auto)") { |v| @options[:type] = v.to_sym }
+        opts.on("-h", "--help", "Show help") { puts opts; exit }
+      end
+      parser.parse!(@args)
+
+      file = @args.shift
+      abort "Error: No file specified" unless file
+
+      sbom_type = @options[:type] || :auto
+      validator = Sbom::Validator.new(sbom_type: sbom_type)
+      result = validator.validate_file(file)
+
+      if result.valid?
+        puts "#{result.format.to_s.upcase}: Valid (version #{result.version})"
+      else
+        puts "#{result.format&.to_s&.upcase || 'SBOM'}: INVALID"
+        result.errors.each { |e| puts "  - #{e}" }
+        exit 1
+      end
+    rescue Sbom::ValidatorError => e
+      abort "Validation error: #{e.message}"
+    end
+
+    def convert_command
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: sbom convert <file> [options]"
+        opts.on("-t", "--type TYPE", "Output SBOM type (spdx, cyclonedx)") { |v| @options[:type] = v.to_sym }
+        opts.on("-f", "--format FORMAT", "Output format (tag, json, yaml)") { |v| @options[:format] = v.to_sym }
+        opts.on("-o", "--output FILE", "Output file") { |v| @options[:output] = v }
+        opts.on("-h", "--help", "Show help") { puts opts; exit }
+      end
+      parser.parse!(@args)
+
+      file = @args.shift
+      abort "Error: No file specified" unless file
+
+      sbom = Sbom::Parser.parse_file(file)
+
+      output_type = @options[:type] || :spdx
+      output_format = @options[:format] || :json
+
+      generator = Sbom::Generator.new(sbom_type: output_type, format: output_format)
+      generator.generate(sbom.document&.dig(:name) || "Converted", sbom.to_h)
+
+      output = generator.output
+
+      if @options[:output]
+        File.write(@options[:output], output)
+        puts "Converted SBOM written to #{@options[:output]}"
+      else
+        puts output
+      end
+    rescue Sbom::ParserError, Sbom::GeneratorError => e
+      abort "Conversion error: #{e.message}"
+    end
+
+    def document_command
+      subcommand = @args.shift
+
+      case subcommand
+      when "outline"
+        document_outline_command
+      when "query"
+        document_query_command
+      when "info"
+        document_info_command
+      else
+        puts "Usage: sbom document <subcommand>"
+        puts ""
+        puts "Subcommands:"
+        puts "  outline    Show structure of an SBOM document"
+        puts "  query      Search for information in an SBOM"
+        puts "  info       Show document metadata"
+        exit 1
+      end
+    end
+
+    def document_outline_command
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: sbom document outline <file>"
+        opts.on("-h", "--help", "Show help") { puts opts; exit }
+      end
+      parser.parse!(@args)
+
+      file = @args.shift
+      abort "Error: No file specified" unless file
+
+      sbom = Sbom::Parser.parse_file(file)
+
+      puts "SBOM Structure"
+      puts "=============="
+      puts ""
+      puts "Type: #{sbom.sbom_type}"
+      puts "Version: #{sbom.version}"
+      puts ""
+
+      if sbom.document
+        puts "Document:"
+        puts "  Name: #{sbom.document[:name]}"
+        puts "  ID: #{sbom.document[:id]}"
+        puts ""
+      end
+
+      puts "Packages (#{sbom.packages.count}):"
+      sbom.packages.each_with_index do |pkg, i|
+        puts "  #{i + 1}. #{pkg[:name]}#{pkg[:version] ? " @ #{pkg[:version]}" : ""}"
+      end
+      puts ""
+
+      if sbom.files.any?
+        puts "Files (#{sbom.files.count}):"
+        sbom.files.each_with_index do |file_data, i|
+          puts "  #{i + 1}. #{file_data[:name]}"
+        end
+        puts ""
+      end
+
+      puts "Relationships (#{sbom.relationships.count}):"
+      sbom.relationships.each do |rel|
+        puts "  #{rel[:source]} --[#{rel[:type]}]--> #{rel[:target]}"
+      end
+    rescue Sbom::ParserError => e
+      abort "Error: #{e.message}"
+    end
+
+    def document_query_command
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: sbom document query <file> [options]"
+        opts.on("-p", "--package NAME", "Find package by name") { |v| @options[:package] = v }
+        opts.on("-l", "--license LICENSE", "Find packages with license") { |v| @options[:license] = v }
+        opts.on("--purl PURL", "Find package by PURL") { |v| @options[:purl] = v }
+        opts.on("-h", "--help", "Show help") { puts opts; exit }
+      end
+      parser.parse!(@args)
+
+      file = @args.shift
+      abort "Error: No file specified" unless file
+
+      sbom = Sbom::Parser.parse_file(file)
+
+      if @options[:package]
+        results = sbom.packages.select { |p| p[:name]&.include?(@options[:package]) }
+        puts "Packages matching '#{@options[:package]}':"
+        results.each do |pkg|
+          puts "  - #{pkg[:name]} @ #{pkg[:version]}"
+          puts "    License: #{pkg[:license_concluded] || pkg[:license_declared] || 'Unknown'}"
+        end
+      elsif @options[:license]
+        results = sbom.packages.select do |p|
+          (p[:license_concluded] || p[:license_declared])&.include?(@options[:license])
+        end
+        puts "Packages with license '#{@options[:license]}':"
+        results.each { |pkg| puts "  - #{pkg[:name]} @ #{pkg[:version]}" }
+      elsif @options[:purl]
+        results = sbom.packages.select { |p| p[:purl]&.include?(@options[:purl]) }
+        puts "Packages matching PURL '#{@options[:purl]}':"
+        results.each { |pkg| puts "  - #{pkg[:name]} @ #{pkg[:version]}" }
+      else
+        puts "Specify a query option. Use --help for options."
+      end
+    rescue Sbom::ParserError => e
+      abort "Error: #{e.message}"
+    end
+
+    def document_info_command
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: sbom document info <file>"
+        opts.on("-h", "--help", "Show help") { puts opts; exit }
+      end
+      parser.parse!(@args)
+
+      file = @args.shift
+      abort "Error: No file specified" unless file
+
+      sbom = Sbom::Parser.parse_file(file)
+
+      puts "Document Information"
+      puts "===================="
+      puts ""
+      puts "Format: #{sbom.sbom_type.to_s.upcase}"
+      puts "Version: #{sbom.version}"
+
+      if sbom.document
+        doc = sbom.document
+        puts "Name: #{doc[:name]}" if doc[:name]
+        puts "ID: #{doc[:id]}" if doc[:id]
+        puts "Namespace: #{doc[:namespace]}" if doc[:namespace]
+        puts "Created: #{doc[:created]}" if doc[:created]
+        puts "Supplier: #{doc[:metadata_supplier]}" if doc[:metadata_supplier]
+      end
+
+      puts ""
+      puts "Statistics:"
+      puts "  Packages: #{sbom.packages.count}"
+      puts "  Files: #{sbom.files.count}"
+      puts "  Relationships: #{sbom.relationships.count}"
+
+      licenses = sbom.packages.map { |p| p[:license_concluded] || p[:license_declared] }.compact.uniq
+      if licenses.any?
+        puts ""
+        puts "Licenses found:"
+        licenses.each { |lic| puts "  - #{lic}" }
+      end
+    rescue Sbom::ParserError => e
+      abort "Error: #{e.message}"
+    end
+
+    def print_summary(sbom)
+      puts "SBOM Summary"
+      puts "============"
+      puts "Type: #{sbom.sbom_type}"
+      puts "Packages: #{sbom.packages.count}"
+      puts "Files: #{sbom.files.count}"
+      puts "Relationships: #{sbom.relationships.count}"
+    end
+
+    def show_help
+      puts <<~HELP
+        sbom - Software Bill of Materials tool
+
+        Usage: sbom <command> [options]
+
+        Commands:
+          parse      Parse and display SBOM contents
+          generate   Create a new SBOM
+          validate   Validate SBOM against schema
+          convert    Convert between SBOM formats
+          document   Work with SBOM documents
+          version    Show version
+
+        Document subcommands:
+          outline    Show structure of an SBOM
+          query      Search for information in an SBOM
+          info       Show document metadata
+
+        Run 'sbom <command> --help' for more information on a command.
+      HELP
+    end
+  end
+end
+
+Sbom::CLI.new(ARGV).run