sbom 0.3.0 → 0.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.ruby-version +1 -0
- data/CHANGELOG.md +4 -0
- data/README.md +18 -0
- data/lib/sbom/cyclonedx/generator.rb +47 -0
- data/lib/sbom/version.rb +1 -1
- metadata +3 -2
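--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b296a99b1a2ba980aedaa542532fd88bdea816209af3a2be1999a6e4305d0167
+data.tar.gz: 1e9a7c1e385a4ec311baac0ea055453631d559e76ab4bab67e34cfcf3166f536
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 60e7f56853ad7c7874b3d1b073c06ccbf6a455985ce86b10fba011273d0491a798a6067e866f3d399a2317150128aa035b05dbcae9b53979652fb56e3f924f73
+data.tar.gz: 4f35f84db7c6d1dfe219e73cc7ecdefd14f701ce5fd091c504318ba7bad4c036b18dc04a17a375ecf6b0ee396a5bbf590c30d4f4d71b96812a375da54d3a84f8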
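--- /dev/null
+++ b/data/.ruby-version
@@ -0,0 +1 @@
+4.0.0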
data/CHANGELOG.md
CHANGED
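--- a/data/README.md
+++ b/data/README.md
@@ -52,6 +52,24 @@ puts generator.output
 generator = Sbom::Generator.new(sbom_type: :cyclonedx)
 generator.generate("MyProject", sbom_data)
 File.write("sbom.cdx.json", generator.output)
+
+# Generate CycloneDX with vulnerabilities
+data = {
+packages: packages_data,
+vulnerabilities: [
+{
+id: "CVE-2024-1234",
+source: { name: "OSV", url: "https://osv.dev" },
+ratings: [{ severity: "high", score: 8.1, method: "CVSSv31" }],
+description: "A critical vulnerability",
+affects: [{ ref: "pkg:npm/lodash@4.17.20" }],
+published: "2024-01-15T00:00:00Z",
+updated: "2024-01-20T12:00:00Z"
+}
+]
+}
+generator = Sbom::Generator.new(sbom_type: :cyclonedx)
+generator.generate("MyProject", data)
 ```
 
 ### Validating SBOMs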
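--- a/data/lib/sbom/cyclonedx/generator.rb
+++ b/data/lib/sbom/cyclonedx/generator.rb
@@ -24,6 +24,7 @@ module Sbom
 @output = {}
 @components = []
 @dependencies = []
+@vulnerabilities = []
 @element_refs = {}
 end
 
@@ -41,6 +42,7 @@ module Sbom
 generate_document_header(project_name, component_data, uuid, bom_version)
 generate_components(data[:packages])
 generate_dependencies(data[:relationships])
+generate_vulnerabilities(data[:vulnerabilities])
 
 finalize_output
 end
@@ -234,9 +236,54 @@ module Sbom
 end
 end
 
+def generate_vulnerabilities(vulnerabilities_data)
+return unless vulnerabilities_data&.any?
+
+vulnerabilities_data.each do |vuln|
+generate_vulnerability(vuln)
+end
+end
+
+def generate_vulnerability(vuln)
+return unless vuln[:id]
+
+vulnerability = { "id" => vuln[:id] }
+
+if vuln[:source]
+source = {}
+source["name"] = vuln[:source][:name] if vuln[:source][:name]
+source["url"] = vuln[:source][:url] if vuln[:source][:url]
+vulnerability["source"] = source if source.any?
+end
+
+if vuln[:ratings]&.any?
+vulnerability["ratings"] = vuln[:ratings].map do |rating|
+r = {}
+r["severity"] = rating[:severity] if rating[:severity]
+r["score"] = rating[:score] if rating[:score]
+r["method"] = rating[:method] if rating[:method]
+r
+end.reject(&:empty?)
+end
+
+vulnerability["description"] = vuln[:description] if vuln[:description]
+
+if vuln[:affects]&.any?
+vulnerability["affects"] = vuln[:affects].map do |affect|
+{ "ref" => affect[:ref] }
+end
+end
+
+vulnerability["published"] = vuln[:published] if vuln[:published]
+vulnerability["updated"] = vuln[:updated] if vuln[:updated]
+
+@vulnerabilities << vulnerability
+end
+
 def finalize_output
 @output["components"] = @components if @components.any?
 @output["dependencies"] = @dependencies if @dependencies.any?
+@output["vulnerabilities"] = @vulnerabilities if @vulnerabilities.any?
 end
 
 def version_at_least?(version)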
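Review bot: `generate_vulnerability` emits `{ "ref" => affect[:ref] }` for every entry of `vuln[:affects]` even when `:ref` is absent, so a malformed entry lands in the output as `{"ref" => nil}`, whereas `source` and `ratings` in the same method drop missing fields; an `affects` entry without a `ref` has nothing to point at and should be skipped, e.g. `affected = vuln[:affects].filter_map { |affect| { "ref" => affect[:ref] } if affect[:ref] }` followed by `vulnerability["affects"] = affected if affected.any?`. The `ratings` branch has a milder form of the same gap: after `reject(&:empty?)` an empty array can still be assigned. Separately, `return unless vuln[:id]` discards an id-less vulnerability with no warning, which silently removes a finding from the generated document; at minimum a comment such as `# a vulnerability without an id cannot be referenced, so it is dropped` should make that intentional, and a warning would be preferable. Whether `affect[:ref]` is expected to match a component in `@element_refs` cannot be told from these hunks; `generate` (second hunk) starts and ends outside the shown lines.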
data/lib/sbom/version.rb
CHANGED
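--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: sbom
 version: !ruby/object:Gem::Version
-version: 0.
+version: 0.4.0
 platform: ruby
 authors:
 - Andrew Nesbitt
@@ -61,6 +61,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitmodules"
+- ".ruby-version"
 - CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - CONTRIBUTING.md
@@ -113,7 +114,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-rubygems_version: 4.0.
+rubygems_version: 4.0.3
 specification_version: 4
 summary: Parse, generate, and validate Software Bill of Materials (SBOM)
 test_files: []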