capycli 2.9.1__tar.gz → 2.10.0.dev1__tar.gz

{capycli-2.9.1 → capycli-2.10.0.dev1}/PKG-INFO

@@ -1,30 +1,25 @@
-Metadata-Version: 2.1
+Metadata-Version: 2.4
 Name: capycli
-Version: 2.9.1
+Version: 2.10.0.dev1
 Summary: CaPyCli - Clearing Automation Python Command Line Interface for SW360
-Home-page: https://github.com/sw360/capycli
-License: MIT
+License-Expression: MIT
+License-File: License.md
 Keywords: sw360,cli, automation,license,compliance,clearing
 Author: Thomas Graf
 Author-email: thomas.graf@siemens.com
-Requires-Python: >=3.9,<4.0
+Requires-Python: >=3.11,<3.15
 Classifier: Development Status :: 5 - Production/Stable
 Classifier: Intended Audience :: Developers
-Classifier: License :: OSI Approved :: MIT License
 Classifier: Natural Language :: English
 Classifier: Operating System :: OS Independent
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.9
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3 :: Only
 Requires-Dist: beautifulsoup4 (>=4.11.1,<5.0.0)
 Requires-Dist: chardet (==5.2.0)
 Requires-Dist: cli-support (==2.0.1)
 Requires-Dist: colorama (>=0.4.3,<0.5.0)
-Requires-Dist: cyclonedx-python-lib (>=8.0.0,<9.0.0)
+Requires-Dist: cyclonedx-python-lib (>=11.4.0,<12.0.0)
 Requires-Dist: dateparser (>=1.1.8,<2.0.0)
+Requires-Dist: halo (>=0.0.31,<0.0.32)
 Requires-Dist: importlib-resources (>=5.12.0,<6.0.0)
 Requires-Dist: jsonschema (>=4.23.0,<5.0.0)
 Requires-Dist: openpyxl (>=3.0.3,<4.0.0)
@@ -34,10 +29,10 @@ Requires-Dist: requests (>=2.31.0,<3.0.0)
 Requires-Dist: requirements-parser (==0.11.0)
 Requires-Dist: semver (==3.0.2)
 Requires-Dist: sw360 (>=1.8.1,<2.0.0)
-Requires-Dist: tomli (>=2.0.2,<3.0.0)
-Requires-Dist: urllib3
+Requires-Dist: urllib3 (>=2.5.0,<3.0.0)
 Requires-Dist: validation (>=0.8.3,<0.9.0)
 Requires-Dist: wheel (>=0.38.4,<0.39.0)
+Project-URL: Homepage, https://github.com/sw360/capycli
 Project-URL: Repository, https://github.com/sw360/capycli
 Project-URL: issues, https://github.com/sw360/capycli/issues
 Description-Content-Type: text/markdown

{capycli-2.9.1 → capycli-2.10.0.dev1}/capycli/__init__.py

@@ -19,9 +19,9 @@ import importlib
 import logging
 import os
 import sys
+import tomllib
 from typing import Any
 
-import tomli
 from colorama import Fore, Style, init
 
 APP_NAME = "CaPyCli"
@@ -36,7 +36,7 @@ def _get_project_meta() -> Any:
     """Read version information from poetry configuration file."""
     try:
         with open('pyproject.toml', mode='rb') as pyproject:
-            return tomli.load(pyproject)['tool']['poetry']
+            return tomllib.load(pyproject)['tool']['poetry']
     except Exception:
         # ignore all errors
         pass
@@ -123,7 +123,7 @@ class ConsoleHandler(logging.Handler):
             else:
                 # info, debug, all other
                 # suppress all cyclonedx serialize log output
-                if record.name == "serializable":
+                if (record.name == "serializable") or record.name == "py_serializable":
                     return
                 print(msg)
         except Exception:

{capycli-2.9.1 → capycli-2.10.0.dev1}/capycli/bom/create_components.py

@@ -24,6 +24,7 @@ from sw360 import SW360Error
 
 import capycli.common.json_support
 import capycli.common.script_base
+from capycli.bom.download_sources import BomDownloadSources
 from capycli.common.capycli_bom_support import CaPyCliBom, CycloneDxSupport, SbomWriter
 from capycli.common.print import print_green, print_red, print_text, print_yellow
 from capycli.common.purl_utils import PurlUtils
@@ -162,6 +163,8 @@ class BomCreateComponents(capycli.common.script_base.ScriptBase):
                             "      File with the name '", tail, "' is already attached to release. Skip the upload!")
                     else:
                         self.upload_source_file(release_id, fullpath, filetype, comment)
+                        if not BomDownloadSources.is_good_source_file(fullpath):
+                            print_yellow("    Downloaded file seems not to be a valid source file!")
                 except Exception as ex:
                     print_red("      Error writing downloaded file: " + repr(ex))
             else:
@@ -399,7 +402,7 @@ class BomCreateComponents(capycli.common.script_base.ScriptBase):
                         bom_purl = packageurl.PackageURL.from_string(
                             data["externalIds"][repository_type])
                         sw360_purls = PurlUtils.get_purl_list_from_sw360_object(release_data)
-                        id_match = PurlUtils.contains(sw360_purls, bom_purl)
+                        id_match = PurlUtils.contains(sw360_purls, bom_purl, compare_qualifiers=True)
                     except ValueError:
                         pass
                     if not id_match:

{capycli-2.9.1 → capycli-2.10.0.dev1}/capycli/bom/download_sources.py

@@ -1,5 +1,5 @@
 # -------------------------------------------------------------------------------
-# Copyright (c) 2020-2023 Siemens
+# Copyright (c) 2020-2025 Siemens
 # All Rights Reserved.
 # Author: thomas.graf@siemens.com
 #
@@ -11,7 +11,9 @@ import logging
 import os
 import pathlib
 import re
+import shutil
 import sys
+import tempfile
 from typing import Any, Optional, Tuple
 from urllib.parse import urlparse
 
@@ -45,6 +47,16 @@ class BomDownloadSources(capycli.common.script_base.ScriptBase):
             return ""
         return fname[0].rstrip('"').lstrip('"')
 
+    @staticmethod
+    def is_good_source_file(filename: str) -> bool:
+        """
+        Checks whether this seems to be a valid/good source file.
+        The only thing we can do it to check the file extension.
+        """
+        good_extensions = [".zip", ".tar", ".gz", ".tar.gz", ".tgz", ".tar.bz2", ".tbz2", ".tar.xz", ".txz", ".7z"]
+        _, extension = os.path.splitext(filename)
+        return extension in good_extensions
+
     def download_source_file(self, url: str, source_folder: str) -> Optional[Tuple[str, str]]:
         """Download a file from a URL.
 
@@ -70,6 +82,8 @@ class BomDownloadSources(capycli.common.script_base.ScriptBase):
             path = os.path.join(source_folder, filename)
             if (response.status_code == requests.codes["ok"]):
                 open(path, "wb").write(response.content)
+                if not BomDownloadSources.is_good_source_file(path):
+                    print_yellow("    Downloaded file seems not to be a valid source file!")
                 sha1 = hashlib.sha1(response.content).hexdigest()
                 return (path, sha1)
             else:
@@ -110,14 +124,17 @@ class BomDownloadSources(capycli.common.script_base.ScriptBase):
                 new = False
                 ext_ref = CycloneDxSupport.get_ext_ref(
                     component, ExternalReferenceType.DISTRIBUTION, CaPyCliBom.SOURCE_FILE_COMMENT)
+                file_uri = path
+                if not file_uri.startswith("file://"):
+                    file_uri = "file:///" + file_uri
                 if not ext_ref:
                     ext_ref = ExternalReference(
                         type=ExternalReferenceType.DISTRIBUTION,
                         comment=CaPyCliBom.SOURCE_FILE_COMMENT,
-                        url=XsUri(path))
+                        url=XsUri(file_uri))
                     new = True
                 else:
-                    ext_ref.url = XsUri(path)
+                    ext_ref.url = XsUri(file_uri)
                 ext_ref.hashes.add(HashType(
                     alg=HashAlgorithm.SHA_1,
                     content=sha1))
@@ -170,6 +187,7 @@ class BomDownloadSources(capycli.common.script_base.ScriptBase):
             print("    -source SOURCE        source folder or additional source file")
             print("    -o OUTPUTFILE         output file to write to")
             print("    -v                    be verbose")
+            print("    -bp, --bom-package    create a single zip archive that contains the SBOM and all source files")
             return
 
         if not args.inputfile:
@@ -188,21 +206,32 @@ class BomDownloadSources(capycli.common.script_base.ScriptBase):
             sys.exit(ResultCode.RESULT_ERROR_READING_BOM)
 
         if args.verbose:
-            print_text(" " + str(len(bom.components)) + "components written to SBOM file")
+            print_text(" " + str(len(bom.components)) + "components read from SBOM file")
 
         source_folder = "./"
+        cleanup_temp_dir = False
+        if args.bom_package and not args.source:
+            temp_dir = tempfile.TemporaryDirectory(prefix="capycli_bom_pkg_")
+            source_folder = temp_dir.name
+            cleanup_temp_dir = True
         if args.source:
             source_folder = args.source
         if (not source_folder) or (not os.path.isdir(source_folder)):
             print_red("Target source code folder does not exist!")
             sys.exit(ResultCode.RESULT_COMMAND_ERROR)
 
-        print_text("Downloading source files to folder " + source_folder + " ...")
+        if args.bom_package:
+            pp = pathlib.Path(args.bom_package)
+            if pp.suffix.lower() != ".zip":
+                print_yellow("Warning: bom package file should have .zip extension")
+                args.bom_package = args.bom_package + ".zip"
+
+        print_text("\nDownloading source files to folder " + source_folder + " ...")
 
         self.download_sources(bom, source_folder)
 
         if args.outputfile:
-            print_text("Updating path information")
+            print_text("\nUpdating path information")
             self.update_local_path(bom, args.outputfile)
 
             print_text("Writing updated SBOM to " + args.outputfile)
@@ -215,4 +244,21 @@ class BomDownloadSources(capycli.common.script_base.ScriptBase):
             if args.verbose:
                 print_text(" " + str(len(bom.components)) + " components written to SBOM file")
 
+        if args.bom_package:
+            print_text("\nCreating BOM package " + args.bom_package)
+            try:
+                # add SBOM to temp folder
+                sbom_file = os.path.join(source_folder, "sbom.cdx.json")
+                self.update_local_path(bom, sbom_file)
+                SbomWriter.write_to_json(bom, sbom_file, True)
+                shutil.make_archive(
+                    base_name=args.bom_package.rstrip(".zip"),
+                    format="zip",
+                    root_dir=source_folder)
+                if cleanup_temp_dir:
+                    temp_dir.cleanup()
+            except Exception as ex:
+                print_red("Error creating BOM package: " + repr(ex))
+                sys.exit(ResultCode.RESULT_ERROR_WRITING_BOM)
+
         print("\n")

{capycli-2.9.1 → capycli-2.10.0.dev1}/capycli/bom/filter_bom.py

@@ -195,15 +195,18 @@ class FilterBom(capycli.common.script_base.ScriptBase):
                     continue
 
                 match = False
-                if "Name" in filterentry["component"]:
+                name = filterentry["component"].get("Name", "")
+                if not name:
+                    name = filterentry["component"].get("name", "")
+                if name:
                     prefix = ""
-                    if filterentry["component"]["Name"].endswith("*"):
-                        prefix = filterentry["component"]["Name"][:-1]
+                    if name.endswith("*"):
+                        prefix = name[:-1]
 
                     if prefix:
                         match = component.name.startswith(prefix)
                     else:
-                        match = component.name == filterentry["component"]["Name"]
+                        match = component.name == name
                 elif "RepositoryId" in filterentry["component"]:
                     prefix = ""
                     if filterentry["component"]["RepositoryId"].endswith("*"):

{capycli-2.9.1 → capycli-2.10.0.dev1}/capycli/bom/findsources.py

@@ -93,6 +93,48 @@ class FindSources(capycli.common.script_base.ScriptBase):
         self.sw360_url: str = os.environ.get("SW360ServerUrl", "")
         self.tag_cache = self.TagCache()
 
+    @staticmethod
+    def does_url_exist(url: str) -> bool:
+        """Check if a URL exists"""
+        try:
+            response = requests.head(url, allow_redirects=True)
+            return response.ok
+
+        except requests.ConnectionError:
+            return False
+
+    @staticmethod
+    def is_github_repo(url: str) -> bool:
+        """Check if URL is a GitHub repository URL"""
+        # do *NOT* use r"^(https?://)?(www\.)?github\.com/([a-zA-Z0-9-]+)(/[a-zA-Z0-9-]+)+/?$")
+        return "github.com" in url.lower()
+
+    def guess_source_code_url(self, github_project: str, version: str) -> str:
+        """Try to guess the source code URL from project url and version"""
+        github_project = github_project.replace(".git", "").replace("#readme", "")
+        if not github_project:
+            return ""
+
+        if not FindSources.is_github_repo(github_project):
+            # only works for GitHub repos
+            return ""
+
+        source_url = github_project + "/archive/tags/" + version + ".zip"
+        LOG.debug(f"  Guessing source code url {source_url}")
+        valid = self.is_sourcefile_accessible(source_url)
+        if valid:
+            return source_url
+
+        # try leading 'v'
+        source_url = github_project + "/archive/tags/v" + version + ".zip"
+        LOG.debug(f"  Guessing source code url {source_url}")
+        valid = self.is_sourcefile_accessible(source_url)
+        if valid:
+            return source_url
+
+        LOG.debug("  Url does not exist")
+        return ""
+
     def is_sourcefile_accessible(self, sourcefile_url: str) -> bool:
         """Check if the URL is accessible."""
         try:

{capycli-2.9.1 → capycli-2.10.0.dev1}/capycli/bom/legacy.py

@@ -1,5 +1,5 @@
 # -------------------------------------------------------------------------------
-# Copyright (c) 2023 Siemens
+# Copyright (c) 2023-2025 Siemens
 # All Rights Reserved.
 # Author: thomas.graf@siemens.com
 #
@@ -70,6 +70,10 @@ class LegacySupport():
 
     @staticmethod
     def get_purl_from_legacy(item: Dict[str, Any]) -> PackageURL:
+        if "purl" in item:
+            id = item.get("purl", "")
+            if id:
+                return PackageURL.from_string(id)
         if "RepositoryType" in item:
             if (item["RepositoryType"] == "package-url") or (item["RepositoryType"] == "purl"):
                 id = item.get("RepositoryId", "")
@@ -201,6 +205,8 @@ class LegacySupport():
 
         binaryFile = item.get("BinaryFile", "")
         if binaryFile:
+            if not binaryFile.startswith("file://"):
+                binaryFile = "file:///" + binaryFile
             ext_ref = ExternalReference(
                 type=ExternalReferenceType.DISTRIBUTION,
                 comment=CaPyCliBom.BINARY_FILE_COMMENT,

{capycli-2.9.1 → capycli-2.10.0.dev1}/capycli/bom/legacy_cx.py

@@ -1,5 +1,5 @@
 # -------------------------------------------------------------------------------
-# Copyright (c) 2023 Siemens
+# Copyright (c) 2023-2025 Siemens
 # All Rights Reserved.
 # Author: thomas.graf@siemens.com
 #
@@ -66,10 +66,13 @@ class LegacyCx(CaPyCliBom):
         # extra handling
         prop = CycloneDxSupport.get_property(component, "source-file")
         if prop:
+            file_uri = prop.value
+            if not file_uri.startswith("file://"):
+                file_uri = "file:///" + file_uri
             ext_ref = ExternalReference(
                 type=ExternalReferenceType.DISTRIBUTION,
                 comment=CaPyCliBom.SOURCE_FILE_COMMENT,
-                url=XsUri(prop.value))
+                url=XsUri(file_uri))
             prop2 = CycloneDxSupport.get_property(component, "source-file-hash")
             if prop2:
                 ext_ref.hashes.add(HashType(
@@ -80,10 +83,13 @@ class LegacyCx(CaPyCliBom):
 
         prop = CycloneDxSupport.get_property(component, "source-file-url")
         if prop:
+            file_uri = prop.value
+            if not file_uri.startswith("file://"):
+                file_uri = "file:///" + file_uri
             ext_ref = ExternalReference(
                 type=ExternalReferenceType.DISTRIBUTION,
                 comment=CaPyCliBom.SOURCE_URL_COMMENT,
-                url=XsUri(prop.value))
+                url=XsUri(file_uri))
             prop2 = CycloneDxSupport.get_property(component, "source-file-hash")
             if prop2:
                 ext_ref.hashes.add(HashType(
@@ -112,10 +118,13 @@ class LegacyCx(CaPyCliBom):
 
         prop = CycloneDxSupport.get_property(component, "binary-file")
         if prop:
+            file_uri = prop.value
+            if not file_uri.startswith("file://"):
+                file_uri = "file:///" + file_uri
             ext_ref = ExternalReference(
                 type=ExternalReferenceType.DISTRIBUTION,
                 comment=CaPyCliBom.BINARY_FILE_COMMENT,
-                url=XsUri(prop.value))
+                url=XsUri(file_uri))
             prop2 = CycloneDxSupport.get_property(component, "binary-file-hash")
             if prop2:
                 ext_ref.hashes.add(HashType(

{capycli-2.9.1 → capycli-2.10.0.dev1}/capycli/bom/map_bom.py

@@ -6,6 +6,7 @@
 # SPDX-License-Identifier: MIT
 # -------------------------------------------------------------------------------
 
+import copy
 import json
 import logging
 import os
@@ -58,6 +59,8 @@ class MapBom(capycli.common.script_base.ScriptBase):
         self.mode = MapMode.ALL
         self.purl_service: Optional[PurlService] = None
         self.no_match_by_name_only = True
+        self.full_search = False
+        self.qualifier_match = False
 
     def is_id_match(self, release: Dict[str, Any], component: Component) -> bool:
         """Determines whether this release is a match via identifier for the specified SBOM item"""
@@ -194,31 +197,22 @@ class MapBom(capycli.common.script_base.ScriptBase):
             # first check: unique id
             if release["Sw360Id"] in result_release_ids or self.is_id_match(release, component):
                 self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_ID)
-                break
-
-            # second check: name AND version
-            if (component.name and release.get("Name")):
-                if release["ComponentId"] in result_component_ids:
-                    name_match = True
+                if self.full_search:
+                    continue
                 else:
-                    name_match = component.name.lower() == release["Name"].lower()
-                version_exists = "Version" in release
-                if (name_match
-                    and version_exists and component.version
-                        and (component.version.lower() == release["Version"].lower())):
-                    self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_NAME_AND_VERSION)
                     break
-            else:
-                name_match = False
 
-            # third check unique(?) file hashes
+            # second check unique(?) file hashes
             cmp_hash = CycloneDxSupport.get_source_file_hash(component)
             if (("SourceFileHash" in release)
                     and cmp_hash
                     and release["SourceFileHash"]):
                 if (cmp_hash.lower() == release["SourceFileHash"].lower()):
                     self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_HASH)
-                    break
+                    if self.full_search:
+                        continue
+                    else:
+                        break
 
             cmp_hash = CycloneDxSupport.get_binary_file_hash(component)
             if (("BinaryFileHash" in release)
@@ -226,7 +220,28 @@ class MapBom(capycli.common.script_base.ScriptBase):
                     and release["BinaryFileHash"]):
                 if (cmp_hash.lower() == release["BinaryFileHash"].lower()):
                     self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_HASH)
-                    break
+                    if self.full_search:
+                        continue
+                    else:
+                        break
+
+            # third check: name AND version
+            if (component.name and release.get("Name")):
+                if release["ComponentId"] in result_component_ids:
+                    name_match = True
+                else:
+                    name_match = component.name.lower() == release["Name"].lower()
+                version_exists = "Version" in release
+                if (name_match
+                    and version_exists and component.version
+                        and (component.version.lower() == release["Version"].lower())):
+                    self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_NAME_AND_VERSION)
+                    if self.full_search:
+                        continue
+                    else:
+                        break
+            else:
+                name_match = False
 
             # fourth check: source filename
             cmp_src_file = CycloneDxSupport.get_ext_ref_source_file(component)
@@ -235,7 +250,10 @@ class MapBom(capycli.common.script_base.ScriptBase):
                     and release["SourceFile"]):
                 if cmp_src_file.lower() == release["SourceFile"].lower():
                     self.add_match_if_better(result, release, MapResult.MATCH_BY_FILENAME)
-                    break
+                    if self.full_search:
+                        continue
+                    else:
+                        break
 
             # fifth check: name and ANY version
             if name_match:
@@ -299,8 +317,10 @@ class MapBom(capycli.common.script_base.ScriptBase):
                 release = get_release_details(href)
                 if release:
                     self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_ID)
-                # If we have release matches by PURL, we're done
-                return result
+                    if not self.full_search:
+                        return result
+            # If we have release matches by PURL, we're done
+            return result
 
         if result.component_hrefs:
             components += result.component_hrefs
@@ -343,22 +363,17 @@ class MapBom(capycli.common.script_base.ScriptBase):
                     self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_ID)
                     break
 
-                # second check: name AND version (we don't need to check the name
-                # again as we checked it when compiling component list)
-                version_exists = "Version" in release
-                if (version_exists
-                        and ((component.version or "").lower() == release.get("Version", "").lower())):
-                    self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_NAME_AND_VERSION)
-                    break
-
-                # third check unique(?) file hashes
+                # second check unique(?) file hashes
                 cmp_hash = CycloneDxSupport.get_source_file_hash(component)
                 if (("SourceFileHash" in release)
                         and cmp_hash
                         and release["SourceFileHash"]):
                     if (cmp_hash.lower() == release["SourceFileHash"].lower()):
                         self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_HASH)
-                        break
+                        if self.full_search:
+                            continue
+                        else:
+                            break
 
                 cmp_hash = CycloneDxSupport.get_binary_file_hash(component)
                 if (("BinaryFileHash" in release)
@@ -366,6 +381,20 @@ class MapBom(capycli.common.script_base.ScriptBase):
                         and release["BinaryFileHash"]):
                     if (cmp_hash.lower() == release["BinaryFileHash"].lower()):
                         self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_HASH)
+                        if self.full_search:
+                            continue
+                        else:
+                            break
+
+                # third check: name AND version (we don't need to check the name
+                # again as we checked it when compiling component list)
+                version_exists = "Version" in release
+                if (version_exists
+                        and ((component.version or "").lower() == release.get("Version", "").lower())):
+                    self.add_match_if_better(result, release, MapResult.FULL_MATCH_BY_NAME_AND_VERSION)
+                    if self.full_search:
+                        continue
+                    else:
                         break
 
                 # fifth check: name and ANY version
@@ -506,6 +535,9 @@ class MapBom(capycli.common.script_base.ScriptBase):
                     name=match.get("Name", ""),
                     version=match.get("Version", ""))
         else:
+            # copy component so we don't overwrite the input component
+            component = copy.deepcopy(component)
+
             # always overwrite the following properties
             name = match.get("Name", "")
             if name:
@@ -730,7 +762,9 @@ class MapBom(capycli.common.script_base.ScriptBase):
         # search release and component by purl which is independent of the component cache.
         if component.purl:
             result.component_hrefs = self.external_id_svc.search_components_by_purl(component.purl)
-            result.release_hrefs = self.external_id_svc.search_releases_by_purl(component.purl)
+            r = self.external_id_svc.search_releases_by_purl(component.purl, self.qualifier_match)
+            result.release_hrefs = r["hrefs"]
+            result.release_hrefs_results = r["results"]
 
         return result
 
@@ -815,9 +849,14 @@ class MapBom(capycli.common.script_base.ScriptBase):
         print("                          all = default, write everything to resulting SBOM")
         print("                          found = resulting SBOM shows only components that were found")
         print("                          notfound = resulting SBOM shows only components that were not found")
-        print("    --dbx                 relaxed Debian version handling: *completely* ignore Debian revision,")
-        print("                          so SBOM version 3.1 will match SW360 version 3.1-3.debian")
-        print("    -all                  also report matches for name, but different version")
+        print("    --matchmode MATCHMODE matching mode, comma separated list of:")
+        print("                          full-search = report best matches, don't abort on first match (recommended)")
+        print("                          all-versions = also report matches for name, but different version")
+        print("                          qualifier-match = consider qualifiers for PURL matching")
+        print("                          ignore-debian = ignore Debian revision in version comparison, so SBOM")
+        print("                                          version 3.1 will match SW360 version 3.1-3.debian")
+        print("    -all                  deprecated, please use --matchmode all-versions")
+        print("    --dbx                 deprecated, please use --matchmode ignore-debian")
 
     def run(self, args: Any) -> None:
         """Main method()"""
@@ -849,16 +888,29 @@ class MapBom(capycli.common.script_base.ScriptBase):
         if args.verbose:
             self.verbosity = 2
 
-        if args.dbx:
+        if not args.matchmode:
+            args.matchmode = ""
+
+        if "ignore-debian" in args.matchmode or args.dbx:
+            if args.dbx:
+                print_yellow("bom map --dbx is deprecated, use --matchmode ignore-debian instead")
             print_text("Using relaxed debian version checks")
             self.relaxed_debian_parsing = True
 
         if args.mode:
             self.mode = args.mode
 
-        if args.all:
+        if "all-versions" in args.matchmode or args.all:
+            if args.all:
+                print_yellow("bom map -all is deprecated, use --matchmode all-versions instead")
             self.no_match_by_name_only = False
 
+        if "full-search" in args.matchmode:
+            self.full_search = True
+
+        if "qualifier-match" in args.matchmode:
+            self.qualifier_match = True
+
         print_text("Loading SBOM file", args.inputfile)
         try:
             sbom = CaPyCliBom.read_sbom(args.inputfile)

{capycli-2.9.1 → capycli-2.10.0.dev1}/capycli/bom/show_bom.py

@@ -14,12 +14,13 @@ import os
 import sys
 from typing import Any
 
-from cyclonedx.factory.license import DisjunctiveLicense, LicenseExpression  # type: ignore
 from cyclonedx.model import XsUri
 from cyclonedx.model.bom import Bom
 from cyclonedx.model.component import Component
+from cyclonedx.model.license import DisjunctiveLicense, LicenseExpression
 
 import capycli.common.script_base
+from capycli.bom.download_sources import BomDownloadSources
 from capycli.common.capycli_bom_support import CaPyCliBom, CycloneDxSupport
 from capycli.common.print import print_red, print_text, print_yellow
 from capycli.main.result_codes import ResultCode
@@ -63,7 +64,11 @@ class ShowBom(capycli.common.script_base.ScriptBase):
             return
 
         for bomitem in bom.components:
-            print_text("  " + bomitem.name + ", " + bomitem.version)
+            if not bomitem.version:
+                print_text("  " + bomitem.name)
+                print_yellow("  component version is missing!")
+            else:
+                print_text("  " + bomitem.name + ", " + bomitem.version)
 
             if self.verbose:
                 if bomitem.purl:
@@ -80,6 +85,9 @@ class ShowBom(capycli.common.script_base.ScriptBase):
                 download_url = CycloneDxSupport.get_ext_ref_source_url(bomitem)
                 if download_url:
                     print_text("    download URL: " + download_url.uri)
+                    if not BomDownloadSources.is_good_source_file(download_url.uri):
+                        print_yellow("    Download file seems not to be a valid source file!")
+                        self.has_error = True
                 else:
                     print_yellow("    No download URL given!")
                     self.has_error = True