RubyGems - sbom - Versions diffs - 0.1.0 - Mend

sbom 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (28) hide show

checksums.yaml +7 -0
data/.gitmodules +7 -0
data/CHANGELOG.md +5 -0
data/CODE_OF_CONDUCT.md +10 -0
data/README.md +153 -0
data/Rakefile +8 -0
data/exe/sbom +346 -0
data/lib/sbom/cyclonedx/generator.rb +307 -0
data/lib/sbom/cyclonedx/parser.rb +275 -0
data/lib/sbom/data/document.rb +143 -0
data/lib/sbom/data/file.rb +169 -0
data/lib/sbom/data/package.rb +417 -0
data/lib/sbom/data/relationship.rb +43 -0
data/lib/sbom/data/sbom.rb +124 -0
data/lib/sbom/error.rb +13 -0
data/lib/sbom/generator.rb +79 -0
data/lib/sbom/license/data/spdx_licenses.json +8533 -0
data/lib/sbom/license/scanner.rb +101 -0
data/lib/sbom/output.rb +88 -0
data/lib/sbom/parser.rb +111 -0
data/lib/sbom/spdx/generator.rb +337 -0
data/lib/sbom/spdx/parser.rb +426 -0
data/lib/sbom/validation_result.rb +30 -0
data/lib/sbom/validator.rb +261 -0
data/lib/sbom/version.rb +5 -0
data/lib/sbom.rb +54 -0
data/sig/sbom.rbs +4 -0
metadata +114 -0

data/lib/sbom/validator.rb ADDED Viewed

@@ -0,0 +1,261 @@
+# frozen_string_literal: true
+require "json"
+require "pathname"
+module Sbom
+  class Validator
+    SPDX_VERSIONS = %w[2.2 2.3].freeze
+    CYCLONEDX_VERSIONS = %w[1.4 1.5 1.6 1.7].freeze
+    EXTENSION_MAP = {
+      ".spdx" => :spdx,
+      ".spdx.json" => :spdx,
+      ".spdx.yaml" => :spdx,
+      ".spdx.yml" => :spdx,
+      ".spdx.xml" => :spdx,
+      ".spdx.rdf" => :spdx,
+      ".cdx.json" => :cyclonedx,
+      ".bom.json" => :cyclonedx,
+      ".cdx.xml" => :cyclonedx,
+      ".bom.xml" => :cyclonedx
+    }.freeze
+    def initialize(sbom_type: :auto, version: nil, schema_dir: nil)
+      @sbom_type = sbom_type
+      @version = version
+      @schema_dir = schema_dir || default_schema_dir
+    end
+    def validate_file(filename)
+      raise ValidatorError, "File not found: #{filename}" unless File.exist?(filename)
+      raise ValidatorError, "Empty file: #{filename}" if File.size(filename).zero?
+      content = File.read(filename)
+      sbom_type = detect_type(filename, content)
+      validate_content(content, sbom_type)
+    end
+    def validate_file!(filename)
+      result = validate_file(filename)
+      raise ValidatorError, "Invalid SBOM: #{result.errors.join(', ')}" if result.invalid?
+      result
+    end
+    def validate_string(content, sbom_type: nil)
+      sbom_type ||= detect_type_from_content(content)
+      validate_content(content, sbom_type)
+    end
+    def validate_string!(content, sbom_type: nil)
+      result = validate_string(content, sbom_type: sbom_type)
+      raise ValidatorError, "Invalid SBOM: #{result.errors.join(', ')}" if result.invalid?
+      result
+    end
+    def self.validate_file(filename, sbom_type: :auto)
+      new(sbom_type: sbom_type).validate_file(filename)
+    end
+    def self.validate_file!(filename, sbom_type: :auto)
+      new(sbom_type: sbom_type).validate_file!(filename)
+    end
+    private
+    def default_schema_dir
+      spec_dir = File.expand_path("../../spec", __dir__)
+      return spec_dir if File.directory?(spec_dir)
+      nil
+    end
+    def detect_type(filename, content)
+      return @sbom_type unless @sbom_type == :auto
+      EXTENSION_MAP.each do |ext, type|
+        return type if filename.end_with?(ext)
+      end
+      detect_type_from_content(content)
+    end
+    def detect_type_from_content(content)
+      stripped = content.strip
+      if stripped.start_with?("{")
+        begin
+          data = JSON.parse(stripped)
+          return :cyclonedx if data["bomFormat"] == "CycloneDX"
+          return :spdx if data["spdxVersion"]
+        rescue JSON::ParserError
+          nil
+        end
+      end
+      return :spdx if stripped.include?("SPDXVersion:")
+      return :spdx if stripped.include?("<spdx:")
+      return :cyclonedx if stripped.include?("cyclonedx")
+      :unknown
+    end
+    def validate_content(content, sbom_type)
+      case sbom_type
+      when :spdx
+        validate_spdx(content)
+      when :cyclonedx
+        validate_cyclonedx(content)
+      else
+        ValidationResult.new(valid: false, errors: ["Unknown SBOM format"])
+      end
+    end
+    def validate_spdx(content)
+      stripped = content.strip
+      if stripped.start_with?("{")
+        validate_spdx_json(content)
+      elsif stripped.include?("SPDXID:")
+        validate_spdx_yaml(content)
+      else
+        validate_spdx_tag(content)
+      end
+    end
+    def validate_spdx_json(content)
+      unless json_schemer_available?
+        return ValidationResult.new(valid: true, format: :spdx, version: extract_spdx_version_json(content))
+      end
+      schema_path = spdx_schema_path
+      unless schema_path && File.exist?(schema_path)
+        return ValidationResult.new(valid: true, format: :spdx, version: extract_spdx_version_json(content))
+      end
+      begin
+        data = JSON.parse(content)
+        schema = JSONSchemer.schema(Pathname.new(schema_path))
+        errors = schema.validate(data).map { |e| e["error"] }
+        if errors.empty?
+          version = data["spdxVersion"]&.gsub("SPDX-", "")
+          ValidationResult.new(valid: true, format: :spdx, version: version)
+        else
+          ValidationResult.new(valid: false, format: :spdx, errors: errors.first(5))
+        end
+      rescue JSON::ParserError => e
+        ValidationResult.new(valid: false, format: :spdx, errors: ["JSON parse error: #{e.message}"])
+      end
+    end
+    def validate_spdx_yaml(content)
+      begin
+        data = YAML.safe_load(content)
+        version = data["spdxVersion"]&.gsub("SPDX-", "")
+        ValidationResult.new(valid: true, format: :spdx, version: version)
+      rescue Psych::SyntaxError => e
+        ValidationResult.new(valid: false, format: :spdx, errors: ["YAML parse error: #{e.message}"])
+      end
+    end
+    def validate_spdx_tag(content)
+      version = nil
+      content.each_line do |line|
+        if line.start_with?("SPDXVersion:")
+          version = line.split(":").last.strip.gsub("SPDX-", "")
+          break
+        end
+      end
+      ValidationResult.new(valid: true, format: :spdx, version: version)
+    end
+    def validate_cyclonedx(content)
+      stripped = content.strip
+      if stripped.start_with?("{")
+        validate_cyclonedx_json(content)
+      else
+        validate_cyclonedx_xml(content)
+      end
+    end
+    def validate_cyclonedx_json(content)
+      unless json_schemer_available?
+        return ValidationResult.new(valid: true, format: :cyclonedx, version: extract_cyclonedx_version_json(content))
+      end
+      versions_to_try = @version ? [@version] : CYCLONEDX_VERSIONS.reverse
+      begin
+        data = JSON.parse(content)
+      rescue JSON::ParserError => e
+        return ValidationResult.new(valid: false, format: :cyclonedx, errors: ["JSON parse error: #{e.message}"])
+      end
+      versions_to_try.each do |version|
+        schema_path = cyclonedx_schema_path(version)
+        next unless schema_path && File.exist?(schema_path)
+        schema = JSONSchemer.schema(Pathname.new(schema_path))
+        return ValidationResult.new(valid: true, format: :cyclonedx, version: version) if schema.valid?(data)
+      end
+      ValidationResult.new(valid: false, format: :cyclonedx, errors: ["Does not match any known CycloneDX schema"])
+    end
+    def validate_cyclonedx_xml(content)
+      begin
+        doc = REXML::Document.new(content)
+        root = doc.root
+        if root && root.name == "bom"
+          namespace = root.namespace
+          version = namespace&.match(/bom[\/\-](\d+\.\d+)/)&.captures&.first
+          return ValidationResult.new(valid: true, format: :cyclonedx, version: version)
+        end
+      rescue REXML::ParseException => e
+        return ValidationResult.new(valid: false, format: :cyclonedx, errors: ["XML parse error: #{e.message}"])
+      end
+      ValidationResult.new(valid: false, format: :cyclonedx, errors: ["Not a valid CycloneDX XML document"])
+    end
+    def extract_spdx_version_json(content)
+      data = JSON.parse(content)
+      data["spdxVersion"]&.gsub("SPDX-", "")
+    rescue JSON::ParserError
+      nil
+    end
+    def extract_cyclonedx_version_json(content)
+      data = JSON.parse(content)
+      data["specVersion"]
+    rescue JSON::ParserError
+      nil
+    end
+    def spdx_schema_path
+      return nil unless @schema_dir
+      File.join(@schema_dir, "spdx", "schemas", "spdx-schema.json")
+    end
+    def cyclonedx_schema_path(version)
+      return nil unless @schema_dir
+      File.join(@schema_dir, "cyclonedx", "schema", "bom-#{version}.schema.json")
+    end
+    def json_schemer_available?
+      require "json_schemer"
+      true
+    rescue LoadError
+      false
+    end
+  end
+end

data/lib/sbom/version.rb ADDED Viewed

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+module Sbom
+  VERSION = "0.1.0"
+end

data/lib/sbom.rb ADDED Viewed

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+require "json"
+require "yaml"
+require "rexml/document"
+require "purl"
+require_relative "sbom/version"
+require_relative "sbom/error"
+# Data models
+require_relative "sbom/data/document"
+require_relative "sbom/data/package"
+require_relative "sbom/data/file"
+require_relative "sbom/data/relationship"
+require_relative "sbom/data/sbom"
+# License handling
+require_relative "sbom/license/scanner"
+# SPDX implementation
+require_relative "sbom/spdx/parser"
+require_relative "sbom/spdx/generator"
+# CycloneDX implementation
+require_relative "sbom/cyclonedx/parser"
+require_relative "sbom/cyclonedx/generator"
+# Facade classes
+require_relative "sbom/parser"
+require_relative "sbom/generator"
+require_relative "sbom/validation_result"
+require_relative "sbom/validator"
+require_relative "sbom/output"
+module Sbom
+  class << self
+    def parse_file(filename, sbom_type: :auto)
+      Parser.parse_file(filename, sbom_type: sbom_type)
+    end
+    def parse_string(content, sbom_type: :auto)
+      Parser.parse_string(content, sbom_type: sbom_type)
+    end
+    def generate(project_name, sbom_data, sbom_type: :spdx, format: :json)
+      Generator.generate(project_name, sbom_data, sbom_type: sbom_type, format: format)
+    end
+    def validate_file(filename, sbom_type: :auto)
+      Validator.validate_file(filename, sbom_type: sbom_type)
+    end
+  end
+end

data/sig/sbom.rbs ADDED Viewed

@@ -0,0 +1,4 @@
+module Sbom
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata ADDED Viewed

@@ -0,0 +1,114 @@
+--- !ruby/object:Gem::Specification
+name: sbom
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Andrew Nesbitt
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: json_schemer
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: purl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.6'
+- !ruby/object:Gem::Dependency
+  name: rexml
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.2'
+description: A Ruby library for working with Software Bill of Materials in SPDX and
+  CycloneDX formats. Supports parsing, generation, validation, and format conversion.
+email:
+- andrewnez@gmail.com
+executables:
+- sbom
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitmodules"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- README.md
+- Rakefile
+- exe/sbom
+- lib/sbom.rb
+- lib/sbom/cyclonedx/generator.rb
+- lib/sbom/cyclonedx/parser.rb
+- lib/sbom/data/document.rb
+- lib/sbom/data/file.rb
+- lib/sbom/data/package.rb
+- lib/sbom/data/relationship.rb
+- lib/sbom/data/sbom.rb
+- lib/sbom/error.rb
+- lib/sbom/generator.rb
+- lib/sbom/license/data/spdx_licenses.json
+- lib/sbom/license/scanner.rb
+- lib/sbom/output.rb
+- lib/sbom/parser.rb
+- lib/sbom/spdx/generator.rb
+- lib/sbom/spdx/parser.rb
+- lib/sbom/validation_result.rb
+- lib/sbom/validator.rb
+- lib/sbom/version.rb
+- sig/sbom.rbs
+homepage: https://github.com/andrew/sbom
+licenses:
+- MIT
+metadata:
+  homepage_uri: https://github.com/andrew/sbom
+  source_code_uri: https://github.com/andrew/sbom
+  changelog_uri: https://github.com/andrew/sbom/blob/main/CHANGELOG.md
+  rubygems_mfa_required: 'true'
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 4.0.1
+specification_version: 4
+summary: Parse, generate, and validate Software Bill of Materials (SBOM)
+test_files: []