sbom4python 0.12.5__py3-none-any.whl

sbom4python/__init__.py

@@ -0,0 +1,2 @@
+# Copyright (C) 2023 Anthony Harrison
+# SPDX-License-Identifier: Apache-2.0

sbom4python/cli.py

@@ -0,0 +1,215 @@
+# Copyright (C) 2023 Anthony Harrison
+# SPDX-License-Identifier: Apache-2.0
+
+import argparse
+import sys
+import textwrap
+from collections import ChainMap
+
+from lib4sbom.generator import SBOMGenerator
+from lib4sbom.output import SBOMOutput
+from lib4sbom.sbom import SBOM
+from sbom2dot.dotgenerator import DOTGenerator
+
+from sbom4python.scanner import SBOMScanner
+from sbom4python.version import VERSION
+
+# CLI processing
+
+
+def main(argv=None):
+
+    argv = argv or sys.argv
+    app_name = "sbom4python"
+    parser = argparse.ArgumentParser(
+        prog=app_name,
+        description=textwrap.dedent(
+            """
+            SBOM4Python generates a Software Bill of Materials for the
+            specified installed Python module identifying all of the dependent
+            components which are explicity defined (typically via requirements.txt
+            file) or implicitly as a hidden dependency.
+            """
+        ),
+    )
+    input_group = parser.add_argument_group("Input")
+    input_group.add_argument(
+        "-m",
+        "--module",
+        action="store",
+        default="",
+        help="identity of python module",
+    )
+    input_group.add_argument(
+        "-r",
+        "--requirement",
+        action="store",
+        default="",
+        help="name of requirements file",
+    )
+    input_group.add_argument(
+        "--system",
+        action="store_true",
+        help="include all installed python modules within system",
+    )
+    input_group.add_argument(
+        "--exclude-license",
+        action="store_true",
+        help="suppress detecting the license of components",
+    )
+    input_group.add_argument(
+        "--include-file",
+        action="store_true",
+        default=False,
+        help="include reporting files associated with module",
+    )
+    input_group.add_argument(
+        "--include-service",
+        action="store_true",
+        default=False,
+        help="include reporting of endpoints",
+    )
+    input_group.add_argument(
+        "--use-pip",
+        action="store_true",
+        default=False,
+        help="use pip for package management",
+    )
+    input_group.add_argument(
+        "--python",
+        action="store",
+        help="use specified Python interpreter for pip",
+    )
+
+    output_group = parser.add_argument_group("Output")
+    output_group.add_argument(
+        "-d",
+        "--debug",
+        action="store_true",
+        default=False,
+        help="add debug information",
+    )
+    output_group.add_argument(
+        "--sbom",
+        action="store",
+        default="spdx",
+        choices=["spdx", "cyclonedx"],
+        help="specify type of sbom to generate (default: spdx)",
+    )
+    output_group.add_argument(
+        "--format",
+        action="store",
+        default="tag",
+        choices=["tag", "json", "yaml"],
+        help="specify format of software bill of materials (sbom) (default: tag)",
+    )
+
+    output_group.add_argument(
+        "-o",
+        "--output-file",
+        action="store",
+        default="",
+        help="output filename (default: output to stdout)",
+    )
+
+    output_group.add_argument(
+        "-g",
+        "--graph",
+        action="store",
+        default="",
+        help="filename for dependency graph",
+    )
+
+    parser.add_argument("-V", "--version", action="version", version=VERSION)
+
+    defaults = {
+        "module": "",
+        "requirement": "",
+        "include_file": False,
+        "include_service": False,
+        "exclude_license": False,
+        "use_pip": False,
+        "system": False,
+        "output_file": "",
+        "sbom": "spdx",
+        "debug": False,
+        "format": "tag",
+        "graph": "",
+        "python": "",
+    }
+
+    raw_args = parser.parse_args(argv[1:])
+    args = {key: value for key, value in vars(raw_args).items() if value}
+    args = ChainMap(args, defaults)
+
+    # Validate CLI parameters
+
+    module_name = args["module"]
+
+    # Ensure format is aligned with type of SBOM
+    bom_format = args["format"]
+    if args["sbom"] == "cyclonedx":
+        # Only JSON format valid for CycloneDX
+        if bom_format != "json":
+            bom_format = "json"
+
+    if args["debug"]:
+        print("Exclude Licences:", args["exclude_license"])
+        print("Include Files:", args["include_file"])
+        print("Include Services:", args["include_service"])
+        print("Use Pip:", args["use_pip"])
+        print("Module", module_name)
+        print("Requirements file", args["requirement"])
+        print("System", args["system"])
+        print("SBOM type:", args["sbom"])
+        print("Format:", bom_format)
+        print("Output file:", args["output_file"])
+        print("Graph file:", args["graph"])
+        print(f"Analysing {module_name}")
+
+    sbom_scan = SBOMScanner(
+        args["debug"],
+        args["include_file"],
+        args["exclude_license"],
+        include_service=args["include_service"],
+        use_pip=args["use_pip"],
+        python_path=args["python"],
+    )
+
+    if len(module_name) > 0:
+        sbom_scan.process_python_module(module_name)
+    elif args["system"]:
+        sbom_scan.process_system()
+    elif len(args["requirement"]) > 0:
+        sbom_scan.process_requirements(args["requirement"])
+    else:
+        print("[ERROR] Nothing to process")
+        return -1
+
+    # Generate SBOM file
+    python_sbom = SBOM()
+    python_sbom.add_document(sbom_scan.get_document())
+    python_sbom.add_files(sbom_scan.get_files())
+    python_sbom.add_packages(sbom_scan.get_packages())
+    python_sbom.add_relationships(sbom_scan.get_relationships())
+
+    sbom_gen = SBOMGenerator(
+        sbom_type=args["sbom"], format=bom_format, application=app_name, version=VERSION
+    )
+    sbom_gen.generate(
+        project_name=sbom_scan.get_parent(),
+        sbom_data=python_sbom.get_sbom(),
+        filename=args["output_file"],
+    )
+
+    if len(args["graph"]) > 0:
+        sbom_dot = DOTGenerator(python_sbom.get_sbom()["packages"])
+        sbom_dot.generatedot(python_sbom.get_sbom()["relationships"])
+        dot_out = SBOMOutput(args["graph"], "dot")
+        dot_out.generate_output(sbom_dot.getDOT())
+
+    return 0
+
+
+if __name__ == "__main__":
+    sys.exit(main())

sbom4python/license.py

@@ -0,0 +1,54 @@
+# Copyright (C) 2023 Anthony Harrison
+# SPDX-License-Identifier: Apache-2.0
+
+
+import json
+import os
+
+
+class LicenseScanner:
+
+    APACHE_SYNOYMNS = [
+        "Apache Software License",
+        "Apache License, Version 2.0",
+        "Apache 2.0",
+        "Apache_2.0",
+        "Apache 2",
+    ]
+    DEFAULT_LICENSE = "UNKNOWN"
+    SPDX_LICENSE_VERSION = "3.18"
+
+    def __init__(self):
+        # Load licenses
+        license_dir, filename = os.path.split(__file__)
+        license_path = os.path.join(license_dir, "license_data", "spdx_licenses.json")
+        licfile = open(license_path)
+        self.licenses = json.load(licfile)
+
+    def get_license_version(self):
+        return self.SPDX_LICENSE_VERSION
+
+    def check_synoymn(self, license, synoymns, value):
+        return value if license in synoymns else None
+
+    def find_license(self, license):
+        # Search list of licenses to find match
+
+        for lic in self.licenses["licenses"]:
+            # Comparisons ignore case of provided license text
+            if lic["licenseId"].lower() == license.lower():
+                return lic["licenseId"]
+            elif lic["name"].lower() == license.lower():
+                return lic["licenseId"]
+        license_id = self.check_synoymn(license, self.APACHE_SYNOYMNS, "Apache-2.0")
+        return license_id if license_id is not None else self.DEFAULT_LICENSE
+
+    def get_license_url(self, license_id):
+        # Assume that license_id is a valid SPDX id
+        if license_id != self.DEFAULT_LICENSE:
+            for lic in self.licenses["licenses"]:
+                # License URL is in the seeAlso field.
+                # If multiple entries, just return first one
+                if lic["licenseId"] == license_id:
+                    return lic["seeAlso"][0]
+        return None  # License not found