sbom 0.1.0 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e5779ca3a21e46aa2032845504cda20229928dad1570d5de2a055ffe2a2dae8d
-  data.tar.gz: d57cc2a38620373ca402ca34322e0cfcb4d30bfa88b8a6791868c92f87b2393d
+  metadata.gz: a22cb6e2f3394ccd7abb7e8a28d7282f11e4a9277cf1451dca16060d00ceb0f6
+  data.tar.gz: aaf00ea47acdb68969fb20a638a9300849fe363c1d7e8dfeb1955405d6a9d570
 SHA512:
-  metadata.gz: 221caf4d995e38991fd6c720b00e662fe90ae7709b7032a35d6592848ce669e5245591ca66866b66b29b68326d78afc213ce5292815b4e0f18cce51dcbcf651d
-  data.tar.gz: 1a4e9340fda31c7fff6dddbfc12b912220a7aee701c4e3df860c41c00e26c6c5a7999727017bb7af201a09d5e505b8fd24a67d5188eef0b3450b1efdfbfc50e7
+  metadata.gz: 8151a326269d029319b4dcb69bd61edcf6ef5745a673cda96464bb91afa2103aa5896d4c8e315951e54ac605b031582af3bd1eae0eb2d7f7b673cd4afc8999df
+  data.tar.gz: 6c47ebcbbdeef79496348fdde56280b90ac6e90bec8e52cded836d95415fa1ec0b8b2ad3874992d3bd7ca9e928114e57cabc1a72d7525e1923faf94db3273d07

data/CHANGELOG.md

@@ -1,5 +1,12 @@
 ## [Unreleased]
 
+## [0.2.0] - 2025-12-14
+
+- Add `enrich` command to CLI for enriching SBOMs with data from ecosyste.ms
+- Add `Sbom.enrich` and `Sbom.enrich_file` library methods
+- Add `Sbom::Enricher` class for enriching packages with metadata and security advisories
+- Enrichment adds: description, homepage, download location, license, repository URL, registry URL, documentation URL, supplier info, and security advisories
+
 ## [0.1.0] - 2025-12-14
 
 - Initial release

data/CONTRIBUTING.md

@@ -0,0 +1,49 @@
+# Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/andrew/sbom.
+
+## Getting Started
+
+1. Fork the repository
+2. Clone your fork and set up the development environment:
+
+```bash
+git clone https://github.com/YOUR_USERNAME/sbom.git
+cd sbom
+bin/setup
+git submodule update --init --recursive
+```
+
+3. Run the tests to make sure everything works:
+
+```bash
+bundle exec rake test
+```
+
+## Making Changes
+
+1. Create a feature branch from `main`
+2. Make your changes
+3. Add tests for any new functionality
+4. Ensure all tests pass
+5. Submit a pull request
+
+## Code Style
+
+- Follow existing code conventions
+- Keep commits focused and atomic
+- Write clear commit messages
+
+## Running Tests
+
+```bash
+bundle exec rake test
+```
+
+## Reporting Bugs
+
+When reporting bugs, please include:
+- Ruby version
+- Steps to reproduce
+- Expected vs actual behavior
+- Sample SBOM files if relevant (sanitized of any sensitive data)

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Andrew Nesbitt
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -69,6 +69,22 @@ end
 Sbom::Validator.validate_file!("example.cdx.json")
 ```
 
+### Enriching SBOMs
+
+Enrich packages with metadata from [ecosyste.ms](https://ecosyste.ms):
+
+```ruby
+# Enrich an entire SBOM
+sbom = Sbom.parse_file("example.cdx.json")
+enriched = Sbom.enrich(sbom)
+
+# Or parse and enrich in one step
+enriched = Sbom.enrich_file("example.cdx.json")
+
+```
+
+Enrichment adds: description, homepage, download location, license, repository URL, registry URL, documentation URL, supplier info, and security advisories.
+
 ### Building Packages
 
 The Package class provides an object interface for building package data:
@@ -118,6 +134,11 @@ sbom document outline example.cdx.json
 sbom document info example.spdx.json
 sbom document query example.cdx.json --package rails
 sbom document query example.cdx.json --license MIT
+
+# Enrich SBOM with ecosyste.ms data
+sbom enrich example.cdx.json
+sbom enrich example.cdx.json --output enriched.json
+cat example.cdx.json | sbom enrich -
 ```
 
 ## Supported Formats

data/SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.1.x   | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project, please report it privately by emailing andrewnez@gmail.com.
+
+Please include:
+- A description of the vulnerability
+- Steps to reproduce the issue
+- Potential impact
+- Any suggested fixes (optional)
+
+You can expect an initial response within 48 hours. We will work with you to understand and address the issue promptly.
+
+Please do not open public issues for security vulnerabilities.

data/exe/sbom

@@ -25,6 +25,8 @@ module Sbom
         validate_command
       when "convert"
         convert_command
+      when "enrich"
+        enrich_command
       when "document"
         document_command
       when "version", "-v", "--version"
@@ -158,6 +160,51 @@ module Sbom
       abort "Conversion error: #{e.message}"
     end
 
+    def enrich_command
+      parser = OptionParser.new do |opts|
+        opts.banner = "Usage: sbom enrich <file> [options]"
+        opts.on("-t", "--type TYPE", "SBOM type (spdx, cyclonedx, auto)") { |v| @options[:type] = v.to_sym }
+        opts.on("-f", "--format FORMAT", "Output format (json, yaml)") { |v| @options[:format] = v }
+        opts.on("-o", "--output FILE", "Output file") { |v| @options[:output] = v }
+        opts.on("--advisories", "Include security advisories") { @options[:advisories] = true }
+        opts.on("-h", "--help", "Show help") { puts opts; exit }
+      end
+      parser.parse!(@args)
+
+      file = @args.shift
+      abort "Error: No file specified. Use '-' for stdin." unless file
+
+      sbom = if file == "-"
+               content = $stdin.read
+               Sbom::Parser.parse_string(content, sbom_type: @options[:type] || :auto)
+             else
+               Sbom::Parser.parse_file(file, sbom_type: @options[:type] || :auto)
+             end
+
+      enricher = Sbom::Enricher.new(sbom)
+      enriched = enricher.enrich
+
+      format = @options[:format] || "json"
+      output = case format
+               when "yaml"
+                 enriched.to_h.to_yaml
+               else
+                 JSON.pretty_generate(enriched.to_h)
+               end
+
+      if @options[:output]
+        File.write(@options[:output], output)
+        warn "Enriched SBOM written to #{@options[:output]}"
+        warn "Enrichment errors: #{enricher.errors.count}" if enricher.errors.any?
+      else
+        puts output
+      end
+
+      enricher.errors.each { |e| warn "Warning: #{e[:purl]} - #{e[:error]}" } if enricher.errors.any?
+    rescue Sbom::ParserError => e
+      abort "Error: #{e.message}"
+    end
+
     def document_command
       subcommand = @args.shift
 
@@ -329,6 +376,7 @@ module Sbom
           generate   Create a new SBOM
           validate   Validate SBOM against schema
           convert    Convert between SBOM formats
+          enrich     Enrich SBOM with data from ecosyste.ms
           document   Work with SBOM documents
           version    Show version
 

data/lib/sbom/enricher.rb

@@ -0,0 +1,162 @@
+# frozen_string_literal: true
+
+module Sbom
+  class Enricher
+    attr_reader :sbom, :errors
+
+    def initialize(sbom)
+      @sbom = sbom
+      @errors = []
+    end
+
+    def enrich
+      @sbom.packages.each do |package|
+        enrich_package(package)
+      end
+      @sbom
+    end
+
+    def enrich_package(package)
+      purl_string = package[:purl] || find_purl_in_external_refs(package)
+      return unless purl_string
+
+      parsed = parse_purl(purl_string)
+      return unless parsed
+
+      lookup_data = fetch_lookup(parsed)
+      enrich_from_lookup(package, lookup_data) if lookup_data
+
+      advisories = fetch_advisories(parsed)
+      enrich_from_advisories(package, advisories) if advisories&.any?
+    rescue StandardError => e
+      @errors << { purl: purl_string, error: e.message }
+    end
+
+    def self.enrich(sbom)
+      new(sbom).enrich
+    end
+
+    def self.enrich_package(package)
+      purl_string = package[:purl] || find_purl_in_refs(package)
+      return package unless purl_string
+
+      parsed = Purl.parse(purl_string)
+      return package unless parsed
+
+      lookup_data = parsed.lookup
+      apply_lookup_enrichment(package, lookup_data) if lookup_data
+
+      advisories = parsed.advisories
+      apply_advisory_enrichment(package, advisories) if advisories&.any?
+
+      package
+    rescue StandardError
+      package
+    end
+
+    private
+
+    def find_purl_in_external_refs(package)
+      refs = package[:external_references] || []
+      refs.find { |_, type, _| type == "purl" }&.last
+    end
+
+    def self.find_purl_in_refs(package)
+      refs = package[:external_references] || []
+      refs.find { |_, type, _| type == "purl" }&.last
+    end
+
+    def parse_purl(purl_string)
+      Purl.parse(purl_string)
+    rescue Purl::InvalidPackageURL
+      @errors << { purl: purl_string, error: "Invalid PURL format" }
+      nil
+    end
+
+    def fetch_lookup(parsed_purl)
+      parsed_purl.lookup
+    rescue StandardError => e
+      @errors << { purl: parsed_purl.to_s, error: "Lookup failed: #{e.message}" }
+      nil
+    end
+
+    def fetch_advisories(parsed_purl)
+      parsed_purl.advisories
+    rescue StandardError => e
+      @errors << { purl: parsed_purl.to_s, error: "Advisories fetch failed: #{e.message}" }
+      []
+    end
+
+    def enrich_from_lookup(package, data)
+      self.class.apply_lookup_enrichment(package, data)
+    end
+
+    def enrich_from_advisories(package, advisories)
+      self.class.apply_advisory_enrichment(package, advisories)
+    end
+
+    def self.apply_lookup_enrichment(package, data)
+      pkg_data = data[:package] || {}
+      version_data = data[:version] || {}
+
+      package[:description] ||= pkg_data[:description]
+      package[:homepage] ||= pkg_data[:homepage]
+      package[:download_location] ||= version_data[:download_url]
+
+      if pkg_data[:licenses] && !package[:license_concluded]
+        package[:license_concluded] = pkg_data[:licenses]
+      end
+
+      package[:repository_url] ||= pkg_data[:repository_url]
+      package[:registry_url] ||= pkg_data[:registry_url]
+      package[:documentation_url] ||= pkg_data[:documentation_url]
+
+      if pkg_data[:maintainers]&.any? && !package[:supplier]
+        first_maintainer = pkg_data[:maintainers].first
+        package[:supplier] = first_maintainer[:login] if first_maintainer
+        package[:supplier_type] = "Organization"
+      end
+
+      if pkg_data[:keywords]&.any?
+        package[:tags] ||= []
+        package[:tags].concat(pkg_data[:keywords]).uniq!
+      end
+
+      package[:properties] ||= []
+      if pkg_data[:latest_version]
+        package[:properties] << ["ecosystems:latest_version", pkg_data[:latest_version]]
+      end
+      if pkg_data[:latest_version_published_at]
+        package[:properties] << ["ecosystems:latest_version_published_at", pkg_data[:latest_version_published_at]]
+      end
+      if pkg_data[:versions_count]
+        package[:properties] << ["ecosystems:versions_count", pkg_data[:versions_count].to_s]
+      end
+      if version_data[:published_at]
+        package[:properties] << ["ecosystems:version_published_at", version_data[:published_at]]
+      end
+
+      package
+    end
+
+    def self.apply_advisory_enrichment(package, advisories)
+      package[:advisories] ||= []
+
+      advisories.each do |advisory|
+        package[:advisories] << {
+          id: advisory[:id],
+          title: advisory[:title],
+          description: advisory[:description],
+          severity: advisory[:severity],
+          cvss_score: advisory[:cvss_score],
+          url: advisory[:url],
+          published_at: advisory[:published_at],
+          source: advisory[:source_kind],
+          references: advisory[:references]
+        }
+      end
+
+      package
+    end
+  end
+end

data/lib/sbom/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Sbom
-  VERSION = "0.1.0"
+  VERSION = "0.2.0"
 end

data/lib/sbom.rb

@@ -32,6 +32,7 @@ require_relative "sbom/generator"
 require_relative "sbom/validation_result"
 require_relative "sbom/validator"
 require_relative "sbom/output"
+require_relative "sbom/enricher"
 
 module Sbom
   class << self
@@ -50,5 +51,14 @@ module Sbom
     def validate_file(filename, sbom_type: :auto)
       Validator.validate_file(filename, sbom_type: sbom_type)
     end
+
+    def enrich(sbom)
+      Enricher.enrich(sbom)
+    end
+
+    def enrich_file(filename, sbom_type: :auto)
+      sbom = parse_file(filename, sbom_type: sbom_type)
+      Enricher.enrich(sbom)
+    end
   end
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sbom
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 0.2.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -63,8 +63,11 @@ files:
 - ".gitmodules"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
+- CONTRIBUTING.md
+- LICENSE
 - README.md
 - Rakefile
+- SECURITY.md
 - exe/sbom
 - lib/sbom.rb
 - lib/sbom/cyclonedx/generator.rb
@@ -74,6 +77,7 @@ files:
 - lib/sbom/data/package.rb
 - lib/sbom/data/relationship.rb
 - lib/sbom/data/sbom.rb
+- lib/sbom/enricher.rb
 - lib/sbom/error.rb
 - lib/sbom/generator.rb
 - lib/sbom/license/data/spdx_licenses.json