scanoss 1.29.0__py3-none-any.whl → 1.31.0__py3-none-any.whl

scanoss/cyclonedx.py

@@ -28,6 +28,9 @@ import os.path
 import sys
 import uuid
 
+from cyclonedx.schema import SchemaVersion
+from cyclonedx.validation.json import JsonValidator
+
 from . import __version__
 from .scanossbase import ScanossBase
 from .spdxlite import SpdxLite
@@ -296,13 +299,13 @@ class CycloneDx(ScanossBase):
         """
         vuln_id = vuln.get('ID', '') or vuln.get('id', '')
         vuln_cve = vuln.get('CVE', '') or vuln.get('cve', '')
-        
+
         # Skip CPE entries, use CVE if available
         if vuln_id.upper().startswith('CPE:') and vuln_cve:
             vuln_id = vuln_cve
-        
+
         return vuln_id, vuln_cve
-    
+
     def _create_vulnerability_entry(self, vuln_id: str, vuln: dict, vuln_cve: str, purl: str) -> dict:
         """
         Create a new vulnerability entry for CycloneDX format.
@@ -313,61 +316,56 @@ class CycloneDx(ScanossBase):
             'source': {
                 'name': 'NVD' if vuln_source == 'nvd' else 'GitHub Advisories',
                 'url': f'https://nvd.nist.gov/vuln/detail/{vuln_cve}'
-                      if vuln_source == 'nvd'
-                      else f'https://github.com/advisories/{vuln_id}'
+                if vuln_source == 'nvd'
+                else f'https://github.com/advisories/{vuln_id}',
             },
             'ratings': [{'severity': self._sev_lookup(vuln.get('severity', 'unknown').lower())}],
-            'affects': [{'ref': purl}]
+            'affects': [{'ref': purl}],
         }
-    
+
     def append_vulnerabilities(self, cdx_dict: dict, vulnerabilities_data: dict, purl: str) -> dict:
         """
         Append vulnerabilities to an existing CycloneDX dictionary
-        
+
         Args:
             cdx_dict (dict): The existing CycloneDX dictionary
             vulnerabilities_data (dict): The vulnerabilities data from get_vulnerabilities_json
             purl (str): The PURL of the component these vulnerabilities affect
-            
+
         Returns:
             dict: The updated CycloneDX dictionary with vulnerabilities appended
         """
         if not cdx_dict or not vulnerabilities_data:
             return cdx_dict
-            
+
         if 'vulnerabilities' not in cdx_dict:
             cdx_dict['vulnerabilities'] = []
-            
+
         # Extract vulnerabilities from the response
         vulns_list = vulnerabilities_data.get('purls', [])
         if not vulns_list:
             return cdx_dict
-            
+
         vuln_items = vulns_list[0].get('vulnerabilities', [])
-        
+
         for vuln in vuln_items:
             vuln_id, vuln_cve = self._normalize_vulnerability_id(vuln)
-            
+
             # Skip empty IDs or CPE-only entries
             if not vuln_id or vuln_id.upper().startswith('CPE:'):
                 continue
-            
+
             # Check if vulnerability already exists
-            existing_vuln = next(
-                (v for v in cdx_dict['vulnerabilities'] if v.get('id') == vuln_id),
-                None
-            )
-            
+            existing_vuln = next((v for v in cdx_dict['vulnerabilities'] if v.get('id') == vuln_id), None)
+
             if existing_vuln:
                 # Add this PURL to the affects list if not already present
                 if not any(ref.get('ref') == purl for ref in existing_vuln.get('affects', [])):
                     existing_vuln['affects'].append({'ref': purl})
             else:
                 # Create new vulnerability entry
-                cdx_dict['vulnerabilities'].append(
-                    self._create_vulnerability_entry(vuln_id, vuln, vuln_cve, purl)
-                )
-                    
+                cdx_dict['vulnerabilities'].append(self._create_vulnerability_entry(vuln_id, vuln, vuln_cve, purl))
+
         return cdx_dict
 
     @staticmethod
@@ -388,6 +386,25 @@ class CycloneDx(ScanossBase):
             'unknown': 'unknown',
         }.get(value, 'unknown')
 
+    def is_cyclonedx_json(self, json_string: str) -> bool:
+        """
+        Validate if the given JSON string is a valid CycloneDX JSON string
+        Args:
+            json_string (str): JSON string to validate
+        Returns:
+            bool: True if the JSON string is valid, False otherwise
+        """
+        try:
+            cdx_json_validator = JsonValidator(SchemaVersion.V1_6)
+            json_validation_errors = cdx_json_validator.validate_str(json_string)
+            if json_validation_errors:
+                self.print_stderr(f'ERROR: Problem parsing input JSON: {json_validation_errors}')
+                return False
+            return True
+        except Exception as e:
+            self.print_stderr(f'ERROR: Problem parsing input JSON: {e}')
+            return False
+
 
 #
 # End of CycloneDX Class

scanoss/data/build_date.txt

@@ -1 +1 @@
-date: 20250715073533, utime: 1752564933
+date: 20250808112827, utime: 1754652507

scanoss/export/__init__.py

@@ -0,0 +1,23 @@
+"""
+SPDX-License-Identifier: MIT
+
+  Copyright (c) 2025, SCANOSS
+
+  Permission is hereby granted, free of charge, to any person obtaining a copy
+  of this software and associated documentation files (the "Software"), to deal
+  in the Software without restriction, including without limitation the rights
+  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+  copies of the Software, and to permit persons to whom the Software is
+  furnished to do so, subject to the following conditions:
+
+  The above copyright notice and this permission notice shall be included in
+  all copies or substantial portions of the Software.
+
+  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+  THE SOFTWARE.
+"""

scanoss/export/dependency_track.py

@@ -0,0 +1,222 @@
+"""
+SPDX-License-Identifier: MIT
+
+  Copyright (c) 2025, SCANOSS
+
+  Permission is hereby granted, free of charge, to any person obtaining a copy
+  of this software and associated documentation files (the "Software"), to deal
+  in the Software without restriction, including without limitation the rights
+  to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+  copies of the Software, and to permit persons to whom the Software is
+  furnished to do so, subject to the following conditions:
+
+  The above copyright notice and this permission notice shall be included in
+  all copies or substantial portions of the Software.
+
+  THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+  IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+  FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+  AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+  LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+  OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+  THE SOFTWARE.
+"""
+
+import base64
+import json
+import traceback
+
+import requests
+
+from ..cyclonedx import CycloneDx
+from ..scanossbase import ScanossBase
+from ..services.dependency_track_service import DependencyTrackService
+from ..utils.file import validate_json_file
+
+
+def _build_payload(encoded_sbom: str, project_id, project_name, project_version) -> dict:
+    """
+    Build the API payload
+
+    Args:
+        encoded_sbom: Base64 encoded SBOM
+
+    Returns:
+        API payload dictionary
+    """
+    if project_id:
+        return {'project': project_id, 'bom': encoded_sbom}
+    else:
+        return {
+            'projectName': project_name,
+            'projectVersion': project_version,
+            'autoCreate': True,
+            'bom': encoded_sbom,
+        }
+
+
+class DependencyTrackExporter(ScanossBase):
+    """
+    Class for exporting SBOM files to Dependency Track
+    """
+    def __init__( # noqa: PLR0913
+        self,
+        url: str = None,
+        apikey: str = None,
+        output: str = None,
+        debug: bool = False,
+        trace: bool = False,
+        quiet: bool = False
+    ):
+        """
+        Initialize DependencyTrackExporter
+
+        Args:
+            url: Dependency Track URL
+            apikey: Dependency Track API Key
+            output: File to store output response data (optional)
+            debug: Enable debug output
+            trace: Enable trace output
+            quiet: Enable quiet mode
+        """
+        super().__init__(debug=debug, trace=trace, quiet=quiet)
+        self.url = url.rstrip('/')
+        self.apikey = apikey
+        self.output = output
+        self.dt_service = DependencyTrackService(self.apikey, self.url, debug=debug, trace=trace, quiet=quiet)
+
+    def _read_and_validate_sbom(self, input_file: str) -> dict:
+        """
+        Read and validate the SBOM file
+
+        Args:
+            input_file: Path to the SBOM file
+
+        Returns:
+            Parsed SBOM content as dictionary
+
+        Raises:
+            ValueError: If the file doesn't exist or is invalid or not a valid CycloneDX SBOM
+        """
+        result = validate_json_file(input_file)
+        if not result.is_valid:
+            raise ValueError(f'Invalid JSON file: {result.error}')
+
+        cdx = CycloneDx(debug=self.debug)
+        if not cdx.is_cyclonedx_json(json.dumps(result.data)):
+            raise ValueError(f'Input file is not a valid CycloneDX SBOM: {input_file}')
+        return result.data
+
+    def _encode_sbom(self, sbom_content: dict) -> str:
+        """
+        Encode SBOM content to base64
+
+        Args:
+            sbom_content: SBOM dictionary
+
+        Returns:
+            Base64 encoded string
+        """
+        if not sbom_content:
+            self.print_stderr('Warning: Empty SBOM content')
+        json_str = json.dumps(sbom_content, separators=(',', ':'))
+        encoded = base64.b64encode(json_str.encode('utf-8')).decode('utf-8')
+        return encoded
+
+    def upload_sbom_file(self, input_file, project_id, project_name, project_version, output_file):
+        """
+        Uploads an SBOM file to the specified project with an
+        optional output file and processes the file content for validation.
+
+        Args:
+            input_file (str): The path to the SBOM file to be read and uploaded.
+            project_id (str): The unique identifier of the project to which the SBOM is being uploaded.
+            project_name (str): The name of the project to which the SBOM is being uploaded.
+            project_version (str): The version of the project to which the SBOM is being uploaded.
+            output_file (str): The path to save output related to the SBOM upload process.
+
+        Returns:
+            bool: Returns True if the SBOM file was uploaded successfully, False otherwise.
+
+        Raises:
+            ValueError: Raised if there are validation issues with the SBOM content.
+        """
+        try:
+            if not self.quiet:
+                self.print_stderr(f'Reading SBOM file: {input_file}')
+            sbom_content = self._read_and_validate_sbom(input_file)
+            return self.upload_sbom_contents(sbom_content, project_id, project_name, project_version, output_file)
+        except ValueError as e:
+            self.print_stderr(f'Validation error: {e}')
+        return False
+
+    def upload_sbom_contents(self, sbom_content: dict, project_id, project_name, project_version, output_file) -> bool:
+        """
+        Uploads an SBOM to a Dependency Track server.
+
+        Parameters:
+            sbom_content (dict): The SBOM content in dictionary format to be uploaded.
+            project_id: The unique identifier for the project.
+            project_name: The name of the project in Dependency Track.
+            project_version: The version of the project in Dependency Track.
+            output_file: The path to the file where the token and UUID data
+                should be written. If not provided, the data will be written to
+                standard output.
+
+        Returns:
+            bool: True if the upload is successful; False otherwise.
+
+        Raises:
+            ValueError: If the SBOM encoding process fails.
+            requests.exceptions.RequestException: If an error occurs during the HTTP request.
+            Exception: For any other unexpected error.
+        """
+        if not project_id and not (project_name and project_version):
+            self.print_stderr('Error: Missing project id or name and version.')
+            return False
+        output = self.output
+        if output_file:
+            output = output_file
+        try:
+            self.print_debug('Encoding SBOM to base64')
+            payload = _build_payload(self._encode_sbom(sbom_content), project_id, project_name, project_version)
+            url = f'{self.url}/api/v1/bom'
+            headers = {'Content-Type': 'application/json', 'X-Api-Key': self.apikey}
+            self.print_trace(f'URL: {url}, Headers: {headers}, Payload keys: {list(payload.keys())}')
+            self.print_msg('Uploading SBOM to Dependency Track...')
+            response = requests.put(url, json=payload, headers=headers)
+            response.raise_for_status()
+            # Treat any 2xx status as success
+            if (requests.codes.ok <= response.status_code < requests.codes.multiple_choices and
+                    response.status_code != requests.codes.no_content):
+                self.print_msg('SBOM uploaded successfully')
+                try:
+                    response_data = response.json()
+                    token = ''
+                    project_uuid = project_id
+                    if 'token' in response_data:
+                        token = response_data['token']
+                    if project_name and project_version:
+                      project_data = self.dt_service.get_project_by_name_version(project_name, project_version)
+                      if project_data:
+                         project_uuid = project_data.get("uuid", project_id)
+                    token_json = json.dumps(
+                        {"token": token, "project_uuid": project_uuid},
+                        indent=2
+                    )
+                    self.print_to_file_or_stdout(token_json, output)
+                except json.JSONDecodeError:
+                    pass
+                return True
+            else:
+                self.print_stderr(f'Upload failed with status code: {response.status_code}')
+                self.print_stderr(f'Response: {response.text}')
+        except ValueError as e:
+            self.print_stderr(f'DT SBOM Upload Validation error: {e}')
+        except requests.exceptions.RequestException as e:
+            self.print_stderr(f'DT API Request error: {e}')
+        except Exception as e:
+            self.print_stderr(f'Unexpected error: {e}')
+            if self.debug:
+                traceback.print_exc()
+        return False

scanoss/file_filters.py

@@ -72,11 +72,7 @@ DEFAULT_SKIPPED_DIRS = {
     'htmlcov',
     '__pypackages__',
     'example',
-    'examples',
-    'docs',
-    'tests',
-    'doc',
-    'test',
+    'examples'
 }
 
 DEFAULT_SKIPPED_DIRS_HFH = {