sbom 0.1.0

data/lib/sbom/cyclonedx/generator.rb

@@ -0,0 +1,307 @@
+# frozen_string_literal: true
+
+require "json"
+require "securerandom"
+require "time"
+
+module Sbom
+  module Cyclonedx
+    class Generator
+      DEFAULT_VERSION = "1.6"
+      SUPPORTED_VERSIONS = %w[1.4 1.5 1.6 1.7].freeze
+
+      LIFECYCLE_PHASES = %w[
+        design pre-build build post-build operations discovery decommission
+      ].freeze
+
+      def initialize(format: :json, application: "sbom", version: Sbom::VERSION)
+        @format = format
+        @application = application
+        @app_version = version
+        @spec_version = ENV.fetch("SBOM_CYCLONEDX_VERSION", DEFAULT_VERSION)
+        @organization = ENV["SBOM_ORGANIZATION"]
+
+        @output = {}
+        @components = []
+        @dependencies = []
+        @element_refs = {}
+      end
+
+      def generate(project_name, sbom_data)
+        return if sbom_data.nil? || (sbom_data.respond_to?(:empty?) && sbom_data.empty?)
+
+        data = sbom_data.is_a?(Hash) ? sbom_data : sbom_data.to_h
+
+        @spec_version = normalize_version(data[:version]) if data[:version]
+
+        uuid = data[:uuid] || "urn:uuid:#{SecureRandom.uuid}"
+        bom_version = data[:bom_version] || "1"
+
+        component_data = extract_component_data(data)
+        generate_document_header(project_name, component_data, uuid, bom_version)
+        generate_components(data[:packages])
+        generate_dependencies(data[:relationships])
+
+        finalize_output
+      end
+
+      def output
+        JSON.pretty_generate(@output)
+      end
+
+      def to_h
+        @output
+      end
+
+      private
+
+      def normalize_version(version)
+        return version if SUPPORTED_VERSIONS.include?(version)
+
+        match = version.to_s.match(/(\d+\.\d+)/)
+        return match[1] if match && SUPPORTED_VERSIONS.include?(match[1])
+
+        DEFAULT_VERSION
+      end
+
+      def extract_component_data(data)
+        result = {
+          type: "application",
+          supplier: @organization,
+          version: nil,
+          bom_ref: nil,
+          timestamp: nil,
+          creator: nil,
+          lifecycle: nil
+        }
+
+        return result unless data[:document]
+
+        doc = data[:document]
+        result[:type] = doc[:metadata_type] || "application"
+        result[:supplier] = doc[:metadata_supplier] || @organization
+        result[:version] = doc[:metadata_version]
+        result[:bom_ref] = doc[:bom_ref]
+        result[:lifecycle] = doc[:lifecycle]
+        result[:timestamp] = doc[:created]
+        result[:creator] = doc[:creators]&.first
+
+        result
+      end
+
+      def generate_document_header(name, component_data, uuid, bom_version)
+        timestamp = component_data[:timestamp] || Time.now.utc.strftime("%Y-%m-%dT%H:%M:%SZ")
+
+        @output = {
+          "bomFormat" => "CycloneDX",
+          "specVersion" => @spec_version,
+          "serialNumber" => uuid,
+          "version" => bom_version.to_i
+        }
+
+        metadata = {
+          "timestamp" => timestamp
+        }
+
+        if version_at_least?("1.5")
+          metadata["tools"] = {
+            "components" => [
+              {
+                "type" => "application",
+                "name" => @application,
+                "version" => @app_version
+              }
+            ]
+          }
+        else
+          metadata["tools"] = [
+            {
+              "vendor" => "sbom",
+              "name" => @application,
+              "version" => @app_version
+            }
+          ]
+        end
+
+        if component_data[:supplier]
+          metadata["supplier"] = { "name" => component_data[:supplier] }
+        end
+
+        if component_data[:lifecycle] && LIFECYCLE_PHASES.include?(component_data[:lifecycle])
+          metadata["lifecycles"] = [{ "phase" => component_data[:lifecycle] }]
+        end
+
+        metadata["component"] = {
+          "type" => component_data[:type],
+          "name" => name
+        }
+
+        metadata["component"]["version"] = component_data[:version] if component_data[:version]
+        metadata["component"]["bom-ref"] = component_data[:bom_ref] if component_data[:bom_ref]
+
+        @output["metadata"] = metadata
+      end
+
+      def generate_components(packages_data)
+        return unless packages_data
+
+        packages = packages_data.is_a?(Hash) ? packages_data.values : packages_data
+        packages.each_with_index do |pkg, index|
+          generate_component(pkg, index + 1)
+        end
+      end
+
+      def generate_component(pkg, index)
+        name = pkg[:name]
+        return unless name
+
+        bom_ref = pkg[:bom_ref] || pkg[:id] || "#{index}-#{name}"
+        @element_refs[name] = bom_ref
+
+        component = {
+          "type" => normalize_component_type(pkg[:type]),
+          "name" => name,
+          "bom-ref" => bom_ref
+        }
+
+        component["version"] = pkg[:version] if pkg[:version]
+        component["description"] = pkg[:description] if pkg[:description]
+        component["copyright"] = pkg[:copyright_text] if pkg[:copyright_text]
+
+        if pkg[:supplier] && pkg[:supplier_type]
+          component["supplier"] = { "name" => pkg[:supplier] }
+        end
+
+        if version_at_least?("1.7") && pkg[:originator]
+          component["authors"] = [{ "name" => pkg[:originator] }]
+        elsif pkg[:originator]
+          component["author"] = pkg[:originator]
+        end
+
+        if pkg[:checksums]&.any?
+          component["hashes"] = pkg[:checksums].map do |algo, value|
+            { "alg" => normalize_algorithm(algo), "content" => value }
+          end
+        end
+
+        licenses = extract_licenses(pkg)
+        component["licenses"] = licenses if licenses.any?
+
+        purl = pkg[:purl] || find_purl(pkg)
+        component["purl"] = purl if purl
+
+        if pkg[:external_references]&.any?
+          refs = pkg[:external_references].reject { |r| r[1] == "purl" }
+          if refs.any?
+            component["externalReferences"] = refs.map do |ref|
+              { "type" => ref[1], "url" => ref[2] }
+            end
+          end
+        end
+
+        if pkg[:properties]&.any?
+          component["properties"] = pkg[:properties].map do |prop|
+            { "name" => prop[0], "value" => prop[1].to_s }
+          end
+        end
+
+        @components << component
+      end
+
+      def generate_dependencies(relationships_data)
+        return unless relationships_data&.any?
+
+        deps_map = {}
+
+        relationships_data.each do |rel|
+          source = rel[:source] || @element_refs.key(rel[:source_id])
+          target = rel[:target] || @element_refs.key(rel[:target_id])
+
+          next unless source && target
+
+          source_ref = @element_refs[source] || source
+          target_ref = @element_refs[target] || target
+
+          deps_map[source_ref] ||= []
+          deps_map[source_ref] << target_ref unless deps_map[source_ref].include?(target_ref)
+        end
+
+        deps_map.each do |ref, depends_on|
+          @dependencies << {
+            "ref" => ref,
+            "dependsOn" => depends_on
+          }
+        end
+      end
+
+      def finalize_output
+        @output["components"] = @components if @components.any?
+        @output["dependencies"] = @dependencies if @dependencies.any?
+      end
+
+      def version_at_least?(version)
+        Gem::Version.new(@spec_version) >= Gem::Version.new(version)
+      end
+
+      def normalize_component_type(type)
+        return "library" unless type
+
+        normalized = type.to_s.downcase.tr("_", "-")
+
+        valid_types = %w[
+          application framework library container operating-system
+          device firmware file machine-learning-model data
+          device-driver platform cryptographic-asset
+        ]
+
+        return "cryptographic-asset" if normalized == "cryptographic-asset" && version_at_least?("1.6")
+        return "library" if normalized == "cryptographic-asset"
+
+        valid_types.include?(normalized) ? normalized : "library"
+      end
+
+      def normalize_algorithm(algo)
+        algo.to_s.gsub(/^SHA(\d)/, 'SHA-\1')
+      end
+
+      def extract_licenses(pkg)
+        licenses = []
+
+        license_id = pkg[:license_concluded] || pkg[:license_declared]
+        return licenses unless license_id
+        return licenses if %w[NOASSERTION NONE].include?(license_id.upcase)
+
+        if license_id.include?(" AND ") || license_id.include?(" OR ")
+          licenses << { "expression" => license_id }
+        else
+          license_entry = { "license" => {} }
+
+          if license_id.start_with?("LicenseRef")
+            license_entry["license"]["name"] = license_id
+          else
+            license_entry["license"]["id"] = license_id
+          end
+
+          if version_at_least?("1.6")
+            if pkg[:license_concluded]
+              license_entry["license"]["acknowledgement"] = "concluded"
+            else
+              license_entry["license"]["acknowledgement"] = "declared"
+            end
+          end
+
+          licenses << license_entry
+        end
+
+        licenses
+      end
+
+      def find_purl(pkg)
+        return nil unless pkg[:external_references]
+
+        ref = pkg[:external_references].find { |r| r[1] == "purl" }
+        ref&.last
+      end
+    end
+  end
+end

data/lib/sbom/cyclonedx/parser.rb

@@ -0,0 +1,275 @@
+# frozen_string_literal: true
+
+require "json"
+require "rexml/document"
+
+module Sbom
+  module Cyclonedx
+    class Parser
+      FORMAT_JSON = :json
+      FORMAT_XML = :xml
+
+      def initialize
+        @document = Data::Document.new
+        @packages = {}
+        @files = {}
+        @relationships = []
+        @licenses = []
+        @version = nil
+      end
+
+      def parse(content, format = nil)
+        format ||= detect_format(content)
+
+        case format
+        when FORMAT_JSON
+          parse_json(content)
+        when FORMAT_XML
+          parse_xml(content)
+        else
+          raise ParserError, "Unknown CycloneDX format"
+        end
+
+        build_sbom
+      end
+
+      private
+
+      def detect_format(content)
+        stripped = content.strip
+        return FORMAT_JSON if stripped.start_with?("{")
+        return FORMAT_XML if stripped.start_with?("<")
+
+        FORMAT_JSON
+      end
+
+      def parse_json(content)
+        data = JSON.parse(content)
+        return unless data["bomFormat"] == "CycloneDX"
+
+        @version = data["specVersion"]
+        @document.version = @version
+        @document.sbom_type = "cyclonedx"
+        @document.id = data["serialNumber"]
+
+        parse_metadata(data["metadata"]) if data["metadata"]
+        parse_components(data["components"]) if data["components"]
+        parse_dependencies(data["dependencies"]) if data["dependencies"]
+      rescue JSON::ParserError => e
+        raise ParserError, "Invalid JSON: #{e.message}"
+      end
+
+      def parse_xml(content)
+        doc = REXML::Document.new(content)
+        root = doc.root
+        return unless root && root.name == "bom"
+
+        @schema = root.namespace
+        @version = root.attributes["version"] || extract_version_from_namespace(@schema)
+        @document.version = @version
+        @document.sbom_type = "cyclonedx"
+        @document.id = root.attributes["serialNumber"]
+
+        parse_xml_metadata(root.elements["metadata"]) if root.elements["metadata"]
+        parse_xml_components(root.elements["components"]) if root.elements["components"]
+        parse_xml_dependencies(root.elements["dependencies"]) if root.elements["dependencies"]
+      rescue REXML::ParseException => e
+        raise ParserError, "Invalid XML: #{e.message}"
+      end
+
+      def parse_metadata(metadata)
+        @document.created = metadata["timestamp"]
+
+        if metadata["component"]
+          @document.name = metadata["component"]["name"]
+          @document.metadata_type = metadata["component"]["type"]
+          @document.metadata_version = metadata["component"]["version"]
+        end
+
+        if metadata["supplier"]
+          @document.metadata_supplier = metadata["supplier"]["name"]
+        end
+
+        if metadata["manufacture"]
+          @document.metadata_supplier ||= metadata["manufacture"]["name"]
+        end
+
+        Array(metadata["lifecycles"]).each do |lc|
+          @document.lifecycle = lc["phase"] if lc["phase"]
+        end
+      end
+
+      def parse_components(components, parent_ref = nil)
+        components.each do |comp|
+          parse_component(comp, parent_ref)
+        end
+      end
+
+      def parse_component(comp, parent_ref = nil)
+        package = Data::Package.new
+        package.name = comp["name"]
+        package.version = comp["version"]
+        package.id = comp["bom-ref"]
+        package.package_type = comp["type"]
+        package.description = comp["description"]
+        package.copyright_text = comp["copyright"]
+
+        if comp["supplier"]
+          package.set_supplier("Organization", comp["supplier"]["name"])
+        end
+
+        if comp["author"]
+          package.set_originator("Person", comp["author"])
+        end
+
+        Array(comp["hashes"]).each do |hash|
+          algo = hash["alg"]&.gsub("-", "")
+          package.add_checksum(algo, hash["content"]) if algo
+        end
+
+        Array(comp["licenses"]).each do |lic|
+          if lic["license"]
+            license_id = lic["license"]["id"] || lic["license"]["name"]
+            package.license_concluded = license_id
+            package.set_license_declared(license_id)
+          elsif lic["expression"]
+            package.license_concluded = lic["expression"]
+            package.set_license_declared(lic["expression"])
+          end
+        end
+
+        if comp["purl"]
+          package.purl = comp["purl"]
+        end
+
+        Array(comp["externalReferences"]).each do |ref|
+          package.add_external_reference(ref["type"], ref["type"], ref["url"])
+        end
+
+        Array(comp["properties"]).each do |prop|
+          package.add_property(prop["name"], prop["value"])
+        end
+
+        @packages[[package.name, package.version]] = package.to_h
+
+        if parent_ref
+          rel = Data::Relationship.new
+          rel.source = parent_ref
+          rel.target = package.id || package.name
+          rel.relationship_type = "DEPENDS_ON"
+          @relationships << rel.to_h
+        end
+
+        if comp["components"]
+          parse_components(comp["components"], package.id || package.name)
+        end
+      end
+
+      def parse_dependencies(dependencies)
+        dependencies.each do |dep|
+          ref = dep["ref"]
+          Array(dep["dependsOn"]).each do |depends_on|
+            rel = Data::Relationship.new
+            rel.source = ref
+            rel.target = depends_on
+            rel.relationship_type = "DEPENDS_ON"
+            @relationships << rel.to_h
+          end
+        end
+      end
+
+      def parse_xml_metadata(metadata)
+        timestamp = metadata.elements["timestamp"]
+        @document.created = timestamp.text if timestamp
+
+        component = metadata.elements["component"]
+        if component
+          @document.name = component.elements["name"]&.text
+          @document.metadata_type = component.attributes["type"]
+          @document.metadata_version = component.elements["version"]&.text
+        end
+
+        supplier = metadata.elements["supplier"]
+        @document.metadata_supplier = supplier.elements["name"]&.text if supplier
+      end
+
+      def parse_xml_components(components)
+        components.elements.each("component") do |comp|
+          parse_xml_component(comp)
+        end
+      end
+
+      def parse_xml_component(comp)
+        package = Data::Package.new
+        package.name = comp.elements["name"]&.text
+        package.version = comp.elements["version"]&.text
+        package.id = comp.attributes["bom-ref"]
+        package.package_type = comp.attributes["type"]
+        package.description = comp.elements["description"]&.text
+
+        supplier = comp.elements["supplier"]
+        if supplier
+          package.set_supplier("Organization", supplier.elements["name"]&.text)
+        end
+
+        comp.elements.each("hashes/hash") do |hash|
+          algo = hash.attributes["alg"]&.gsub("-", "")
+          package.add_checksum(algo, hash.text) if algo
+        end
+
+        comp.elements.each("licenses/license") do |lic|
+          license_id = lic.elements["id"]&.text || lic.elements["name"]&.text
+          if license_id
+            package.license_concluded = license_id
+            package.set_license_declared(license_id)
+          end
+        end
+
+        purl = comp.elements["purl"]
+        package.purl = purl.text if purl
+
+        comp.elements.each("externalReferences/reference") do |ref|
+          ref_type = ref.attributes["type"]
+          url = ref.elements["url"]&.text
+          package.add_external_reference(ref_type, ref_type, url) if url
+        end
+
+        @packages[[package.name, package.version]] = package.to_h
+
+        nested = comp.elements["components"]
+        parse_xml_components(nested) if nested
+      end
+
+      def parse_xml_dependencies(dependencies)
+        dependencies.elements.each("dependency") do |dep|
+          ref = dep.attributes["ref"]
+          dep.elements.each("dependency") do |child|
+            rel = Data::Relationship.new
+            rel.source = ref
+            rel.target = child.attributes["ref"]
+            rel.relationship_type = "DEPENDS_ON"
+            @relationships << rel.to_h
+          end
+        end
+      end
+
+      def extract_version_from_namespace(namespace)
+        return nil unless namespace
+
+        match = namespace.match(/bom[\/\-](\d+\.\d+)/)
+        match[1] if match
+      end
+
+      def build_sbom
+        sbom = Data::Sbom.new(sbom_type: :cyclonedx)
+        sbom.version = @document.version
+        sbom.add_document(@document.to_h)
+        sbom.add_packages(@packages)
+        sbom.add_files(@files)
+        sbom.add_relationships(@relationships)
+        sbom.add_licenses(@licenses)
+        sbom
+      end
+    end
+  end
+end