csspin-python 4.1.0rc1__py3-none-any.whl → 4.1.0rc2__py3-none-any.whl

csspin_python/python_sbom.py

@@ -17,8 +17,12 @@
 
 """Module implementing the python_sbom plugin for csspin"""
 
+import email.utils
 import json
 import sys
+import sysconfig
+from importlib.metadata import metadata as _pkg_metadata
+from importlib.metadata import version as _pkg_version
 from subprocess import DEVNULL, PIPE
 from tempfile import TemporaryDirectory
 
@@ -68,8 +72,9 @@ def sbom(cfg: ConfigTree) -> None:
         third_party_deps = _collect_thirdparty_deps(
             metadata.get("requires_dist", set()), python_version=cfg.python.version
         )
-        sbom_content = _run_cyclonedx(cfg, third_party_deps, stderr)
-        _write_sbom(cfg, sbom_content, metadata.get("name"), metadata.get("version"))
+        sbom_json = json.loads(_run_cyclonedx(cfg, third_party_deps, stderr))
+        _enrich_sbom(sbom_json, metadata, third_party_deps)
+        _write_sbom(cfg, sbom_json, metadata.get("name"))
 
 
 def cleanup(cfg: ConfigTree) -> None:
@@ -159,22 +164,118 @@ def _run_cyclonedx(cfg: ConfigTree, third_party_deps: set[str], stderr: int) ->
         return backtick(interpreter_cdx, "-m", "cyclonedx_py", "environment", venv, stderr=stderr)  # type: ignore[no-any-return] # noqa: E501
 
 
-def _write_sbom(
-    cfg: ConfigTree, content: str, project_name: str, project_version: str
-) -> None:
-    """Inject project metadata into the cyclonedx JSON and write the output file."""
-    output_file = cfg.spin.project_root / f"{project_name}.python_sbom.cdx.json"
-    # cyclonedx-bom doesn't add primary component name and version when not
-    # using pyproject.toml
-    sbom_json = json.loads(content)
-    sbom_json |= {
-        "metadata": {"component": {"name": project_name, "version": project_version}}
-    }
+def _write_sbom(cfg: ConfigTree, sbom_json: dict, project_name: str) -> None:
+    """Write the CycloneDX JSON document to the output file."""
+    platform_tag = sysconfig.get_platform().replace("-", "_")
+    output_file = cfg.spin.project_root / (
+        f"{project_name}.{platform_tag}.python_sbom.cdx.json"
+    )
     with open(output_file, "w", encoding="utf-8") as f:
         json.dump(sbom_json, f, indent=2, sort_keys=True)
     info(f"Generated Python SBOM successfully ({output_file})")
 
 
+def _parse_authors(author_name: str, author_email: str) -> str:
+    """Parse RFC 2822 Author-email metadata into 'name (email)' format."""
+    if not author_email:
+        die("Project metadata has no Author-email field.")
+        return ""
+
+    entries = email.utils.getaddresses([author_email])
+
+    if len(entries) == 1 and not entries[0][0] and author_name:
+        entries = [(author_name, entries[0][1])]
+
+    for name, addr in entries:
+        if not name:
+            die(f"Author entry '{addr}' has no name; all authors require a name.")
+            return ""
+        if not addr:
+            die(f"Author entry '{name}' has no email; all authors require an email.")
+            return ""
+
+    return ", ".join(f"{name} ({addr})" for name, addr in entries)
+
+
+def _build_primary_component(metadata: dict) -> tuple[dict, str]:
+    """Build the CycloneDX primary component dict and its bom-ref from project metadata."""
+    if not (name := metadata.get("name")):
+        die("Project metadata is missing 'name'.")
+    if not (version := metadata.get("version")):
+        die("Project metadata is missing 'version'.")
+    if not (license_id := metadata.get("license")):
+        die("Project metadata is missing 'license'.")
+
+    authors = _parse_authors(
+        author_name=metadata.get("author", "").strip(),
+        author_email=metadata.get("author_email", "").strip(),
+    )
+    primary_ref = f"{name}=={version}"
+    component = {
+        "author": authors,
+        "bom-ref": primary_ref,
+        "licenses": [{"expression": license_id}],
+        "name": name,
+        "type": "application",
+        "version": version,
+    }
+    return component, primary_ref
+
+
+def _enrich_sbom(
+    sbom_json: dict,
+    metadata: dict,
+    third_party_deps: set[str],
+) -> None:
+    """Add the primary component and its dependency entry to the CycloneDX document."""
+    component, primary_ref = _build_primary_component(metadata)
+    existing_metadata = sbom_json.get("metadata", {})
+    existing_tools = existing_metadata.get("tools", {})
+    existing_tool_components = (
+        existing_tools
+        if isinstance(existing_tools, list)
+        else existing_tools.get("components", [])
+    )
+    sbom_json["metadata"] = {
+        **existing_metadata,
+        "component": component,
+        "tools": {
+            "components": existing_tool_components
+            + [
+                {
+                    "description": "Python SBOM plugin for csspin",
+                    "licenses": [
+                        {
+                            "expression": _pkg_metadata("csspin-python")[
+                                "License-Expression"
+                            ]
+                        }
+                    ],
+                    "name": "csspin-python",
+                    "supplier": {
+                        "name": "CONTACT Software GmbH",
+                        "url": [
+                            "https://www.contact-software.com/",
+                            "https://pypi.org/project/csspin-python/",
+                        ],
+                    },
+                    "type": "application",
+                    "version": _pkg_version("csspin-python"),
+                }
+            ]
+        },
+    }
+    direct_dep_names = {Requirement(dep).name.lower() for dep in third_party_deps}
+    direct_dep_refs = sorted(
+        comp["bom-ref"]
+        for comp in sbom_json.get("components", [])
+        if comp.get("name", "").lower() in direct_dep_names and "bom-ref" in comp
+    )
+    dependencies = sbom_json.get("dependencies", [])
+    dependencies.append({"dependsOn": direct_dep_refs, "ref": primary_ref})
+    sbom_json["dependencies"] = dependencies
+
+
 def _collect_thirdparty_deps(requires_dist: list, python_version: str) -> set[str]:
     """Extract 'thirdparty' dependency specifiers from project metadata."""
 

{csspin_python-4.1.0rc1.dist-info → csspin_python-4.1.0rc2.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: csspin-python
-Version: 4.1.0rc1
+Version: 4.1.0rc2
 Summary: Plugin-package for csspin providing Python related plugins
 Author-email: CONTACT Software GmbH <info@contact-software.com>
 Maintainer-email: Waleri Enns <waleri.enns@contact-software.com>, Benjamin Thomas Schwertfeger <benjaminthomas.schwertfeger@contact-software.com>, Fabian Hafer <fabian.hafer@contact-software.com>

{csspin_python-4.1.0rc1.dist-info → csspin_python-4.1.0rc2.dist-info}/RECORD

@@ -9,15 +9,17 @@ csspin_python/playwright_schema.yaml,sha256=TSeR16YHa7m7bfO59F2eMV-jXcglluTJdEpU
 csspin_python/pytest.py,sha256=N9YaU_ouQab0PFPf46HLE7Vg4JeoZW4dzVD7EevqJ1U,4573
 csspin_python/pytest_schema.yaml,sha256=tzXtdF6MvGC9v59EVRJFfLeMMHqPsXcFXy2zJtRECBI,1535
 csspin_python/python.py,sha256=yqH1eG6mqRJomu-F99cB74PFaUzbSoG_dhpUjYwr1xE,37725
-csspin_python/python_sbom.py,sha256=RpqobiJ768Q6no7uwYAqvykp1-Bj0bkvED3a3pZbEBI,6817
+csspin_python/python_sbom.py,sha256=8NVZ6uVUz7rU3VhEoXJ_wHLCdv4BIV6Zjz1ZRa9nQhc,10488
 csspin_python/python_sbom_schema.yaml,sha256=VCxY9E2AG_fS00dvIYe6Fbvz1maPjpY0zyZK1Z0wJu4,538
 csspin_python/python_schema.yaml,sha256=pgVVjByUYjxQWek7aFmjQzRwmq2ROLvHYgwGPMrT9sM,6351
 csspin_python/radon.py,sha256=uFqm6FEi5oWj-_XVaAm3s9cam0cUmr1_FwRf40K6xWs,1876
 csspin_python/radon_schema.yaml,sha256=rlRzXw5z4XbjOVznRiUxWGP4E9hx1Jm-gGw1iQiYzE0,548
 csspin_python/uv_provisioner.py,sha256=1e-_Sb39JrqNWyaUNeBX59R5tutXLJ1ZsT7urCN1U0I,6044
 csspin_python/uv_provisioner_schema.yaml,sha256=Y8ZNC2OMnhR8Us3WUXAXK9hMjqGWAKFJB2puX4X5XNQ,727
-csspin_python-4.1.0rc1.dist-info/licenses/LICENSE,sha256=4MAecetnRTQw5DlHtiikDSzKWO1xVLwzM5_DsPMYlnE,10172
-csspin_python-4.1.0rc1.dist-info/METADATA,sha256=kW0dZXu1Wwuhw4EooWroAHOZGMw5wjBso1MFJDzkJX8,5257
-csspin_python-4.1.0rc1.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
-csspin_python-4.1.0rc1.dist-info/top_level.txt,sha256=QSeglMEGbFu1z4L6MCQYwo01NgL0KojWvC4rzgMQ8gU,14
-csspin_python-4.1.0rc1.dist-info/RECORD,,
+csspin_python-4.1.0rc2.dist-info/licenses/LICENSE,sha256=4MAecetnRTQw5DlHtiikDSzKWO1xVLwzM5_DsPMYlnE,10172
+csspin_python-4.1.0rc2.dist-info/METADATA,sha256=v7TeI32ffR2KghQaNg2Yi1nXefTReG2Pr6iI3D8LKM0,5257
+csspin_python-4.1.0rc2.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+csspin_python-4.1.0rc2.dist-info/scm_file_list.json,sha256=Q47_SEZYR492yYYWq_DlPPp-64AFlvHaOz7APY0i8j0,2902
+csspin_python-4.1.0rc2.dist-info/scm_version.json,sha256=r-bmiPdloFp64jPWB2hS3VjSJvF_ljCIL5y985ukLKY,163
+csspin_python-4.1.0rc2.dist-info/top_level.txt,sha256=QSeglMEGbFu1z4L6MCQYwo01NgL0KojWvC4rzgMQ8gU,14
+csspin_python-4.1.0rc2.dist-info/RECORD,,

csspin_python-4.1.0rc2.dist-info/scm_file_list.json

@@ -0,0 +1,78 @@
+{
+  "files": [
+    "spinfile.yaml",
+    "README.rst",
+    ".pre-commit-config.yaml",
+    "CONTRIBUTING.md",
+    "requirements-dev.txt",
+    "LICENSE",
+    ".gitignore",
+    ".gitlab-ci.yml",
+    ".prettierrc.yaml",
+    "pyproject.toml",
+    ".readthedocs.yaml",
+    "doc/virtual_environment.rst",
+    "doc/development.rst",
+    "doc/relnotes.rst",
+    "doc/index.rst",
+    "doc/links.rst",
+    "doc/conf.py",
+    "doc/installation.rst",
+    "doc/plugins/playwright.rst",
+    "doc/plugins/uv_provisioner.rst",
+    "doc/plugins/debugpy.rst",
+    "doc/plugins/devpi.rst",
+    "doc/plugins/python.rst",
+    "doc/plugins/python_sbom.rst",
+    "doc/plugins/pytest.rst",
+    "doc/plugins/behave.rst",
+    "doc/plugins/radon.rst",
+    "tests/conftest.py",
+    "tests/unit/test_uv_provisioner.py",
+    "tests/unit/test_python_sbom.py",
+    "tests/unit/test_python.py",
+    "tests/integration/test_provisioning.py",
+    "tests/integration/conftest.py",
+    "tests/integration/fixtures/activation_script/test_env.ps1",
+    "tests/integration/fixtures/activation_script/test_env.sh",
+    "tests/integration/fixtures/activation_script/plugins/dummy.py",
+    "tests/integration/yamls/pytest.yaml",
+    "tests/integration/yamls/uv_provisioner_use.yaml",
+    "tests/integration/yamls/pytest_with_playwright.yaml",
+    "tests/integration/yamls/python_version.yaml",
+    "tests/integration/yamls/playwright.yaml",
+    "tests/integration/yamls/devpi.yaml",
+    "tests/integration/yamls/python_use.yaml",
+    "tests/integration/yamls/behave.yaml",
+    "tests/integration/yamls/radon.yaml",
+    "tests/integration/yamls/python_activation_scripts.yaml",
+    "tests/integration/yamls/uv_provisioner.yaml",
+    "tests/acceptance/test_aws_auth.py",
+    "tests/acceptance/python_sbom/spinfile.yaml",
+    "tests/acceptance/python_sbom/test_sbom.py",
+    "tests/acceptance/python_sbom/pyproject.toml",
+    "tests/acceptance/python_constraints/test_constraints.py",
+    "tests/acceptance/python_constraints/spinfile.yaml",
+    "tests/acceptance/python_constraints/constraints.txt",
+    "tests/acceptance/yamls/python_aws_auth.yaml",
+    "src/csspin_python/debugpy_schema.yaml",
+    "src/csspin_python/devpi_schema.yaml",
+    "src/csspin_python/uv_provisioner_schema.yaml",
+    "src/csspin_python/pytest.py",
+    "src/csspin_python/playwright_schema.yaml",
+    "src/csspin_python/behave.py",
+    "src/csspin_python/pytest_schema.yaml",
+    "src/csspin_python/uv_provisioner.py",
+    "src/csspin_python/radon.py",
+    "src/csspin_python/python_sbom_schema.yaml",
+    "src/csspin_python/python_sbom.py",
+    "src/csspin_python/devpi.py",
+    "src/csspin_python/debugpy.py",
+    "src/csspin_python/playwright.py",
+    "src/csspin_python/behave_schema.yaml",
+    "src/csspin_python/python.py",
+    "src/csspin_python/python_schema.yaml",
+    "src/csspin_python/radon_schema.yaml",
+    ".gitlab/merge_request_templates/default.md"
+  ]
+}

csspin_python-4.1.0rc2.dist-info/scm_version.json

@@ -0,0 +1,8 @@
+{
+  "tag": "4.1.0rc2",
+  "distance": 0,
+  "node": "gcaf72582381496c091ef82854c9703c0c9583259",
+  "dirty": false,
+  "branch": "HEAD",
+  "node_date": "2026-06-23"
+}