capycli 2.8.0__tar.gz → 2.9.0.dev1__tar.gz

{capycli-2.8.0 → capycli-2.9.0.dev1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: capycli
-Version: 2.8.0
+Version: 2.9.0.dev1
 Summary: CaPyCli - Clearing Automation Python Command Line Interface for SW360
 Home-page: https://github.com/sw360/capycli
 License: MIT

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/__init__.py

@@ -63,6 +63,12 @@ def get_app_version() -> str:
     return version
 
 
+def get_app_signature() -> str:
+    """Get the signature of this application."""
+    version = get_app_version()
+    return f"{APP_NAME}, {version}"
+
+
 # There is nothing lower than logging.DEBUG (10) in the logging library,
 # but we want an extra level to avoid being too verbose when using -vv.
 _EXTRA_VERBOSE = 5

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/bom/bom_convert.py

@@ -163,7 +163,7 @@ class BomConvert(capycli.common.script_base.ScriptBase):
 
     def run(self, args: Any) -> None:
         """Main method()"""
-        print("\n" + capycli.APP_NAME + ", " + capycli.get_app_version() + " - Convert SBOM formats\n")
+        print("\n" + capycli.get_app_signature() + " - Convert SBOM formats\n")
 
         if args.help:
             self.display_help()

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/bom/bom_validate.py

@@ -61,7 +61,7 @@ class BomValidate(capycli.common.script_base.ScriptBase):
 
     def run(self, args: Any) -> None:
         """Main method()"""
-        print("\n" + capycli.APP_NAME + ", " + capycli.get_app_version() + " - Validate a CaPyCLI/CycloneDX SBOM\n")
+        print("\n" + capycli.get_app_signature() + " - Validate a CaPyCLI/CycloneDX SBOM\n")
 
         if args.help:
             self.display_help()

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/bom/check_bom.py

@@ -158,7 +158,7 @@ class CheckBom(capycli.common.script_base.ScriptBase):
             logging.getLogger("urllib3.connectionpool").setLevel(logging.WARNING)
 
         print_text(
-            "\n" + capycli.APP_NAME + ", " + capycli.get_app_version() +
+            "\n" + capycli.get_app_signature() +
             " - Check that all releases in the SBOM exist on target SW360 instance.\n")
 
         if args.help:

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/bom/check_bom_item_status.py

@@ -176,7 +176,7 @@ class CheckBomItemStatus(capycli.common.script_base.ScriptBase):
             logging.getLogger("urllib3.connectionpool").setLevel(logging.WARNING)
 
         print_text(
-            "\n" + capycli.APP_NAME + ", " + capycli.get_app_version()
+            "\n" + capycli.get_app_signature()
             + " - check the status of the items on SW360\n")
 
         if args.help:

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/bom/check_granularity.py

@@ -224,7 +224,7 @@ class CheckGranularity(capycli.common.script_base.ScriptBase):
             LOG = capycli.get_logger(__name__)
 
         print_text(
-            "\n" + capycli.APP_NAME + ", " + capycli.get_app_version() +
+            "\n" + capycli.get_app_signature() +
             " - Check the granularity of all releases in the SBOM.\n")
 
         if args.help:

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/bom/create_components.py

@@ -1,5 +1,5 @@
 # -------------------------------------------------------------------------------
-# Copyright (c) 2019-2024 Siemens
+# Copyright (c) 2019-2025 Siemens
 # All Rights Reserved.
 # Author: thomas.graf@siemens.com
 #
@@ -259,6 +259,10 @@ class BomCreateComponents(capycli.common.script_base.ScriptBase):
             # ensure that we have the only correct external-id name: package-url
             data["externalIds"]["package-url"] = cx_comp.purl.to_string()
 
+        # add information that this release was created by CaPyCli
+        data["additionalData"] = {}
+        data["additionalData"]["createdWith"] = capycli.get_app_signature()
+
         # use project site as fallback for source code download url
         website = CycloneDxSupport.get_ext_ref_website(cx_comp)
         repo = CycloneDxSupport.get_ext_ref_repository(cx_comp)
@@ -318,6 +322,11 @@ class BomCreateComponents(capycli.common.script_base.ScriptBase):
         if cx_comp.purl:
             purl = PurlUtils.component_purl_from_release_purl(cx_comp.purl)
             data["externalIds"] = {"package-url": purl}
+
+        # add information that this component was created by CaPyCli
+        data["additionalData"] = {}
+        data["additionalData"]["createdWith"] = capycli.get_app_signature()
+
         return data
 
     def create_release(self, cx_comp: Component, component_id: str) -> Optional[Dict[str, Any]]:
@@ -733,7 +742,7 @@ class BomCreateComponents(capycli.common.script_base.ScriptBase):
             logging.getLogger("urllib3.connectionpool").setLevel(logging.WARNING)
 
         print_text(
-            "\n" + capycli.APP_NAME + ", " + capycli.get_app_version() +
+            "\n" + capycli.get_app_signature() +
             " - Create new components and releases on SW360\n")
 
         if args.help:

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/bom/diff_bom.py

@@ -202,7 +202,7 @@ class DiffBom(capycli.common.script_base.ScriptBase):
             LOG = capycli.get_logger(__name__)
 
         print_text(
-            "\n" + capycli.APP_NAME + ", " + capycli.get_app_version() +
+            "\n" + capycli.get_app_signature() +
             " - Compare two SBOM files.\n")
 
         if args.help:

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/bom/download_sources.py

@@ -158,7 +158,7 @@ class BomDownloadSources(capycli.common.script_base.ScriptBase):
             logging.getLogger("urllib3.connectionpool").setLevel(logging.WARNING)
 
         print_text(
-            "\n" + capycli.APP_NAME + ", " + capycli.get_app_version() +
+            "\n" + capycli.get_app_signature() +
             " - Download source files from the URL specified in the SBOM\n")
 
         if args.help:

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/bom/filter_bom.py

@@ -271,7 +271,7 @@ class FilterBom(capycli.common.script_base.ScriptBase):
             global LOG
             LOG = capycli.get_logger(__name__)
 
-        print_text("\n" + capycli.APP_NAME + ", " + capycli.get_app_version() + " - Apply a filter file to a SBOM\n")
+        print_text("\n" + capycli.get_app_signature() + " - Apply a filter file to a SBOM\n")
 
         if args.help:
             print("Usage: CaPyCli bom filter [-h] [-v] -i INPUTFILE -o OUTPUTFILE -filterfile FILTERFILE")

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/bom/findsources.py

@@ -232,12 +232,14 @@ class FindSources(capycli.common.script_base.ScriptBase):
                     w_prefix = [w_prefix]
 
                 # ORDER BY tag-name-length DESC
-                by_size = sorted([(len(tag['ref']), tag) for tag in w_prefix],
+                # Note: it may happen that the GithHubSupport.github_request
+                # returns items without 'ref'
+                by_size = sorted([(len(tag.get('ref', '')), tag) for tag in w_prefix],
                                  key=lambda x: x[0])
                 w_prefix = [itm[1] for itm in reversed(by_size)]
 
                 transformed_for_get_matching_tags = [
-                    {'name': tag['ref'].replace('refs/tags/', '', 1),
+                    {'name': tag.get('ref', '').replace('refs/tags/', '', 1),
                      'zipball_url': tag['url'].replace(
                         '/git/refs/tags/', '/zipball/refs/tags/', 1),
                      } for tag in w_prefix]
@@ -692,7 +694,7 @@ class FindSources(capycli.common.script_base.ScriptBase):
             logging.getLogger("urllib3.connectionpool").setLevel(logging.WARNING)
 
         print_text(
-            "\n" + capycli.APP_NAME + ", " + capycli.get_app_version() +
+            "\n" + capycli.get_app_signature() +
             " - Go through the list of SBOM items and try to determine the source code.\n")
 
         if args.help:

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/bom/map_bom.py

@@ -14,7 +14,7 @@ import re
 import sys
 import urllib
 from enum import Enum
-from typing import Any, Dict, List, Optional, Tuple
+from typing import Any, Dict, List, Optional
 
 from cyclonedx.model import ExternalReference, ExternalReferenceType, XsUri
 from cyclonedx.model.bom import Bom
@@ -183,24 +183,22 @@ class MapBom(capycli.common.script_base.ScriptBase):
     def map_bom_item(self, component: Component, check_similar: bool, result_required: bool) -> MapResult:
         """Maps a single SBOM item to the list of SW360 releases"""
 
-        result, _, _ = self.map_bom_commons(component)
+        result = self.map_bom_commons(component)
+        result_release_ids = [r.split("/")[-1] for r in result.release_hrefs]
+        result_component_ids = [r.split("/")[-1] for r in result.component_hrefs]
 
         for release in self.releases:
             if ("Id" in release) and ("Sw360Id" not in release):
                 release["Sw360Id"] = release["Id"]
 
             # first check: unique id
-            if result.release_id == release["Sw360Id"] or self.is_id_match(release, component):
+            if release["Sw360Id"] in result_release_ids or self.is_id_match(release, component):
                 self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_ID)
                 break
 
             # second check: name AND version
-            if (component.name
-                and ("Name" in release)
-                    and release["Name"]):
-                if (
-                    (result.component_id is not None)
-                        and (result.component_id == release["ComponentId"])):
+            if (component.name and release.get("Name")):
+                if release["ComponentId"] in result_component_ids:
                     name_match = True
                 else:
                     name_match = component.name.lower() == release["Name"].lower()
@@ -276,17 +274,38 @@ class MapBom(capycli.common.script_base.ScriptBase):
 
     def map_bom_item_no_cache(self, component: Component) -> MapResult:
         """Maps a single SBOM item to SW360 via online checks (no cache!)"""
+
+        def get_release_details(href: str) -> Optional[Dict[str, Any]]:
+            """Get release data from SW360 for match result"""
+            if not self.client:
+                return None
+            real_release = self.client.get_release_by_url(href)
+            if not real_release:
+                print_red("Error accessing release " + href)
+                return None
+            release = ComponentCacheManagement.convert_release_details(self.client, real_release)
+            return release
+
         if not self.client:
             print_red("  No client!")
             sys.exit(ResultCode.RESULT_ERROR_ACCESSING_SW360)
 
-        result, release_url, component_url = self.map_bom_commons(component)
+        result = self.map_bom_commons(component)
         components = []
-        if component_url:
-            components.append(component_url)
 
-        # if there's no purl match, search for component names
-        if len(components) == 0:
+        # Handle matches of PURL cache
+        if result.release_hrefs:
+            for href in result.release_hrefs:
+                release = get_release_details(href)
+                if release:
+                    self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_ID)
+                # If we have release matches by PURL, we're done
+                return result
+
+        if result.component_hrefs:
+            components += result.component_hrefs
+        else:
+            # if there's no purl match for components, search by name
             components2 = self.client.get_component_by_name(component.name)
             if not components2:
                 return result
@@ -297,45 +316,30 @@ class MapBom(capycli.common.script_base.ScriptBase):
             ]
 
         for compref in components:
-            if release_url is not None:
-                rel_list = [{"_links": {"self": {"href": release_url}}}]
-            else:
-                comp = self.client.get_component_by_url(compref)
-                if not comp:
-                    continue
-                rel_list = comp["_embedded"].get("sw360:releases", [])
+            comp = self.client.get_component_by_url(compref)
+            if not comp:
+                continue
+            rel_list = comp["_embedded"].get("sw360:releases", [])
 
             # Sorted alternatives in descending version order
             # Please note: the release list sometimes contain just the href but no version
             try:
                 rel_list = sorted(rel_list,
                                   key=lambda x: "version" in x and ComparableVersion(
-                                      x.get("version", "")), reverse=True)  # type: ignore
+                                      x.get("version", "")), reverse=True)
             except ValueError:
                 pass  # we can live with an unsorted list
 
             for relref in rel_list:
                 href = relref["_links"]["self"]["href"]
-                real_release = self.client.get_release_by_url(href)
-                if not real_release:
-                    print_red("Error accessign release " + href)
-                    continue
 
                 # generate proper release for result
-                release = {}
-                release["Name"] = real_release["name"]
-                if self.relaxed_debian_parsing:
-                    release["Version"] = self.cut_off_debian_extras(real_release["version"])
-                else:
-                    release["Version"] = real_release["version"]
-                release["ExternalIds"] = real_release.get("externalIds", "")
-                release["Id"] = release["Sw360Id"] = self.client.get_id_from_href(href)
-                release["ComponentId"] = self.client.get_id_from_href(compref)
-
-                release = ComponentCacheManagement.convert_release_details(self.client, real_release)
+                release = get_release_details(href)
+                if not release:
+                    continue
 
                 # first check: unique id
-                if href == release_url or self.is_id_match(release, component):
+                if self.is_id_match(release, component):
                     self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_ID)
                     break
 
@@ -446,8 +450,8 @@ class MapBom(capycli.common.script_base.ScriptBase):
                 continue
 
             dataitem: Dict[str, Any] = {}
-            if item.component:
-                dataitem["BomItem"] = item.component.name + ", " + (item.component.version or "")
+            if item.input_component:
+                dataitem["BomItem"] = item.input_component.name + ", " + (item.input_component.version or "")
             dataitem["ResultCode"] = item.result
             dataitem["ResultText"] = item.map_code_to_string(item.result)
             dataitems.append(dataitem)
@@ -632,21 +636,17 @@ class MapBom(capycli.common.script_base.ScriptBase):
                     newbom.register_dependency(newbom.metadata.component, [newitem])
             elif (item.result == MapResult.NO_MATCH
                   or not self.is_good_match(item.result)):
+                # if we have no good match, add the component we're looking for as well
 
                 if (self.mode == MapMode.FOUND):
                     continue
 
-                newitem = item.component
+                newitem = item.input_component
                 if newitem:
                     CycloneDxSupport.update_or_set_property(
                         newitem,
                         CycloneDxSupport.CDX_PROP_MAPRESULT,
                         MapResult.NO_MATCH)
-                    if item.component_id is not None:
-                        CycloneDxSupport.update_or_set_property(
-                            newitem,
-                            CycloneDxSupport.CDX_PROP_COMPONENT_ID,
-                            item.component_id)
                 newbom.components.add(newitem)
 
             # Sorted alternatives in descending version order
@@ -657,7 +657,8 @@ class MapBom(capycli.common.script_base.ScriptBase):
 
             for match_item in item.releases:
                 if self.is_good_match(match_item["MapResult"]):
-                    newitem = self.update_bom_item(item.component, match_item)
+                    # For good matches, merge the input component with the match item
+                    newitem = self.update_bom_item(item.input_component, match_item)
                 else:
                     # newitem = match_item
                     newitem = self.update_bom_item(None, match_item)
@@ -680,15 +681,15 @@ class MapBom(capycli.common.script_base.ScriptBase):
 
         for item in result:
             single_result: Dict[str, Any] = {}
-            if not item.component:
+            if not item.input_component:
                 continue
 
-            for prop in item.component.properties:
+            for prop in item.input_component.properties:
                 if prop.name == CycloneDxSupport.CDX_PROP_MAPRESULT:
-                    item.component.properties.remove(prop)
+                    item.input_component.properties.remove(prop)
                     break
 
-            single_result["BomItem"] = LegacySupport.cdx_component_to_legacy(item.component)
+            single_result["BomItem"] = LegacySupport.cdx_component_to_legacy(item.input_component)
             single_result["Result"] = item.result
             single_result["Matches"] = []
             for item_match in item.releases:
@@ -716,34 +717,23 @@ class MapBom(capycli.common.script_base.ScriptBase):
             cachefile, True, token, oauth2=oauth2, url=sw360_url)
         return rel_data
 
-    def map_bom_commons(self, component: Component) -> Tuple[MapResult, Optional[str], Optional[str]]:
+    def map_bom_commons(self, component: Component) -> MapResult:
         """
         Common parts to map from a SBOM component to the SW360 component/release.
         :param bomitem: SBOM component
         :return: MapResult instance, (Optional) release url, (Optional) component url
         """
-        if not self.client:
-            print_red("  No client!")
-            sys.exit(ResultCode.RESULT_ERROR_ACCESSING_SW360)
-
         if self.relaxed_debian_parsing and component.version:
             component.version = self.cut_off_debian_extras(component.version)
 
-        result = capycli.common.map_result.MapResult(component)
+        result = MapResult(component)
 
         # search release and component by purl which is independent of the component cache.
-        if type(component.purl) is PackageURL:
-            component_href, release_href = self.external_id_svc.search_component_and_release(
-                component.purl.to_string())
-        else:
-            component_href, release_href = self.external_id_svc.search_component_and_release(
-                component.purl)  # type: ignore
-        if component_href:
-            result.component_id = self.client.get_id_from_href(component_href)
-        if release_href:
-            result.release_id = self.client.get_id_from_href(release_href)
+        if component.purl:
+            result.component_hrefs = self.external_id_svc.search_components_by_purl(component.purl)
+            result.release_hrefs = self.external_id_svc.search_releases_by_purl(component.purl)
 
-        return result, release_href, component_href
+        return result
 
     @property
     def external_id_svc(self) -> PurlService:
@@ -842,7 +832,7 @@ class MapBom(capycli.common.script_base.ScriptBase):
             logging.getLogger("urllib3.connectionpool").setLevel(logging.WARNING)
 
         print_text(
-            "\n" + capycli.APP_NAME + ", " + capycli.get_app_version() +
+            "\n" + capycli.get_app_signature() +
             " - Map a given SBOM to data on SW360\n")
 
         if args.help:

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/bom/merge_bom.py

@@ -122,7 +122,7 @@ class MergeBom(capycli.common.script_base.ScriptBase):
             LOG = capycli.get_logger(__name__)
 
         print_text(
-            "\n" + capycli.APP_NAME + ", " + capycli.get_app_version() +
+            "\n" + capycli.get_app_signature() +
             " - Merge two SBOM files.\n")
 
         if args.help:

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/bom/show_bom.py

@@ -98,7 +98,7 @@ class ShowBom(capycli.common.script_base.ScriptBase):
             global LOG
             LOG = capycli.get_logger(__name__)
 
-        print_text("\n" + capycli.APP_NAME + ", " + capycli.get_app_version() + " - Print SBOM contents to stdout\n")
+        print_text("\n" + capycli.get_app_signature() + " - Print SBOM contents to stdout\n")
 
         if args.help:
             print("usage: capycli bom show [-h] -i bomfile")

{capycli-2.8.0 → capycli-2.9.0.dev1}/capycli/common/map_result.py

@@ -46,31 +46,42 @@ class MapResult:
     NO_MATCH = "9-no-match"
 
     def __init__(self, component: Optional[Component] = None) -> None:
-        self.component: Optional[Component] = component
+        self.input_component: Optional[Component] = component
         self.result: str = MapResult.NO_MATCH
-        self._component_id: str = ""
-        self._release_id: str = ""
+        self._component_hrefs: List[str] = []
+        self._release_hrefs: List[str] = []
         self.releases: List[Any] = []
 
     @property
-    def component_id(self) -> str:
-        return self._component_id
-
-    @component_id.setter
-    def component_id(self, value: str) -> None:
-        self._component_id = value
-        if self.component:
-            CycloneDxSupport.update_or_set_property(self.component, CycloneDxSupport.CDX_PROP_COMPONENT_ID, value)
+    def component_hrefs(self) -> List[str]:
+        return self._component_hrefs
+
+    @component_hrefs.setter
+    def component_hrefs(self, value: List[str]) -> None:
+        self._component_hrefs = value
+        if not self.input_component:
+            return
+        if len(value) == 1:
+            CycloneDxSupport.update_or_set_property(self.input_component, CycloneDxSupport.CDX_PROP_COMPONENT_ID,
+                                                    value[0].split("/")[-1])
+        else:
+            CycloneDxSupport.remove_property(self.input_component,
+                                             CycloneDxSupport.CDX_PROP_COMPONENT_ID)
 
     @property
-    def release_id(self) -> str:
-        return self._release_id
-
-    @release_id.setter
-    def release_id(self, value: str) -> None:
-        self._release_id = value
-        if self.component:
-            CycloneDxSupport.update_or_set_property(self.component, CycloneDxSupport.CDX_PROP_SW360ID, value)
+    def release_hrefs(self) -> List[str]:
+        return self._release_hrefs
+
+    @release_hrefs.setter
+    def release_hrefs(self, value: List[str]) -> None:
+        self._release_hrefs = value
+        if not self.input_component:
+            return
+        if len(value) == 1:
+            CycloneDxSupport.update_or_set_property(self.input_component, CycloneDxSupport.CDX_PROP_SW360ID,
+                                                    value[0].split("/")[-1])
+        else:
+            CycloneDxSupport.remove_property(self.input_component, CycloneDxSupport.CDX_PROP_SW360ID)
 
     @classmethod
     def map_code_to_string(cls, map_code: str) -> str:
@@ -109,7 +120,7 @@ class MapResult:
                 + more
             )
 
-        if not self.component:
+        if not self.input_component:
             return (
                 self.map_code_to_string(self.result)
                 + ", (no component), "
@@ -119,9 +130,9 @@ class MapResult:
             return (
                 self.map_code_to_string(self.result)
                 + ", "
-                + str(self.component.name)
+                + str(self.input_component.name)
                 + ", "
-                + str(self.component.version or "")
+                + str(self.input_component.version or "")
                 + " "
                 + str(rel)
             )