Merge pull request #6 from blackducksoftware/dev-worklaptop

v1.0.7

Author: matthewb66

README.md

@@ -1,4 +1,4 @@
-# Synopsys Scan Yocto Script - bd_scan_yocto_via_sbom.py v1.0.6
+# Synopsys Scan Yocto Script - bd_scan_yocto_via_sbom.py v1.0.7
 
 # PROVISION OF THIS SCRIPT
 This script is provided under the MIT license (see LICENSE file).
@@ -127,7 +127,7 @@ There are several additional options to modify the behaviour of this utility inc
                            Package type used for installing packages (e.g. rpm,
                            deb or ipx)
      --skip_sig_scan       Do not Signature scan downloads and packages
-     --scan_all_packages   Signature scan all files (only recipes not matchedfrom
+     --scan_all_packages   Signature scan all packages (only recipes not matched from
                            OE data are scanned by default)
      --detect_jar_path DETECT_JAR_PATH
                            Synopsys Detect jar path

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "bd_scan_yocto_via_sbom"
-version = "1.0.6"
+version = "1.0.7"
 authors = [
   { name="Matthew Brady", email="[email protected]" },
 ]

yocto_import_sbom/BBClass.py

@@ -76,7 +76,7 @@ def process_bitbake_env(self, conf):
         for mline in lines:
             if re.search(
                     "^(MANIFEST_FILE|DEPLOY_DIR|MACHINE_ARCH|DL_DIR|DEPLOY_DIR_RPM|"
-                    "DEPLOY_DIR_IPK|DEPLOY_DIR_DEB|IMAGE_PKGTYPE)=",
+                    "DEPLOY_DIR_IPK|DEPLOY_DIR_DEB|IMAGE_PKGTYPE|LICENSE_DIR)=",
                     mline):
 
                 # if re.search('^TMPDIR=', mline):
@@ -98,6 +98,10 @@ def process_bitbake_env(self, conf):
                     if not conf.download_dir:
                         conf.download_dir = val
                         logging.info(f"Bitbake Env: download_dir={conf.download_dir}")
+                elif re.search('^LICENSE_DIR=', mline):
+                    if not conf.license_dir:
+                        conf.license_dir = val
+                        logging.info(f"Bitbake Env: license_dir={conf.license_dir}")
                 elif not rpm_dir and re.search('^DEPLOY_DIR_RPM=', mline):
                     rpm_dir = val
                     logging.info(f"Bitbake Env: rpm_dir={rpm_dir}")
@@ -111,7 +115,7 @@ def process_bitbake_env(self, conf):
                     conf.image_pkgtype = val
                     logging.info(f"Bitbake Env: image_pkgtype={conf.image_pkgtype}")
 
-        if conf.package_dir:
+        if not conf.package_dir:
             if conf.image_pkgtype == 'rpm' and rpm_dir:
                 conf.package_dir = rpm_dir
             elif conf.image_pkgtype == 'ipk' and ipk_dir:
@@ -123,10 +127,12 @@ def process_bitbake_env(self, conf):
             temppath = os.path.join(conf.build_dir, 'tmp', 'deploy')
             if os.path.isdir(temppath):
                 conf.deploy_dir = temppath
+
         if not conf.download_dir:
             temppath = os.path.join(conf.build_dir, 'downloads')
             if os.path.isdir(temppath):
                 conf.download_dir = temppath
+
         if not conf.package_dir and conf.deploy_dir:
             temppath = os.path.join(conf.deploy_dir, conf.image_pkgtype)
             if os.path.isdir(temppath):
@@ -219,25 +225,32 @@ def check_files(conf):
         machine = conf.machine.replace('_', '-')
 
         if not conf.license_manifest:
-            if not conf.target or not conf.machine:
-                logging.error("Manifest file not specified and it could not be determined as Target not specified or "
-                              "machine not identified from environment")
-                return False
-            else:
-                manpath = os.path.join(conf.deploy_dir, "licenses",
-                                       f"{conf.target}-{machine}-*", "license.manifest")
-                manifest = ""
-                manlist = glob.glob(manpath)
-                if len(manlist) > 0:
-                    # Get most recent file
-                    manifest = manlist[-1]
-
-                if not os.path.isfile(manifest):
-                    logging.error(f"Manifest file '{manifest}' could not be located")
+            if conf.license_dir:
+                manpath = os.path.join(conf.license_dir,
+                                       f"{conf.target}-{machine}", "license.manifest")
+                if os.path.isfile(manpath):
+                    conf.license_manifest = manpath
+
+            if not conf.license_manifest:
+                if not conf.target or not conf.machine:
+                    logging.error("Manifest file not specified and it could not be determined as Target not specified or "
+                                  "machine not identified from environment")
                     return False
                 else:
-                    logging.info(f"Located license.manifest file {manifest}")
-                    conf.license_manifest = manifest
+                    manpath = os.path.join(conf.deploy_dir, "licenses",
+                                           f"{conf.target}-{machine}-*", "license.manifest")
+                    manifest = ""
+                    manlist = glob.glob(manpath)
+                    if len(manlist) > 0:
+                        # Get most recent file
+                        manifest = manlist[-1]
+
+                    if not os.path.isfile(manifest):
+                        logging.error(f"Manifest file '{manifest}' could not be located")
+                        return False
+                    else:
+                        logging.info(f"Located license.manifest file {manifest}")
+                        conf.license_manifest = manifest
 
         imgdir = os.path.join(conf.deploy_dir, "images", machine)
         if conf.cve_check_file != "":
@@ -264,7 +277,7 @@ def get_pkg_files(conf):
         package_paths_list = glob.glob(pattern, recursive=True)
         package_files_list = []
         for path in package_paths_list:
-            package_files_list.append(os.path.basename(path))
+            package_files_list.append(path)
 
         return package_files_list
 

yocto_import_sbom/BOMClass.py

@@ -228,7 +228,7 @@ def process_cve_file(self, cve_file, reclist):
         self.CVEPatchedVulnList = patched_vulns
         return
 
-    def run_detect_sigscan(self, tdir, conf):
+    def run_detect_sigscan(self, conf, tdir):
         import shutil
 
         cmd = self.get_detect(conf)

yocto_import_sbom/ConfigClass.py

@@ -69,7 +69,7 @@ def __init__(self):
 
         parser.add_argument("--skip_sig_scan", help="Do not Signature scan downloads and packages",
                             action='store_true')
-        parser.add_argument("--scan_all_files", help="Signature scan all files (only recipes not matched"
+        parser.add_argument("--scan_all_packages", help="Signature scan all packages (only recipes not matched"
                                                      "from OE data are scanned by default)",
                             action='store_true')
         parser.add_argument("--detect_jar_path", help="OPTIONAL Synopsys Detect jar path", default="")
@@ -114,6 +114,8 @@ def __init__(self):
         self.detect_opts = args.detect_opts
         self.api_timeout = args.api_timeout
         self.sbom_custom_components = args.sbom_create_custom_components
+        self.cve_check_dir = ''
+        self.license_dir = ''
 
         terminate = False
         if args.debug:
@@ -130,7 +132,7 @@ def __init__(self):
         else:
             logging.basicConfig(level=loglevel)
 
-        logging.info("Black Duck Yocto scan via SBOM utility")
+        logging.info("Black Duck Yocto scan via SBOM utility - v1.0.7")
         logging.info("SUPPLIED ARGUMENTS:")
         for arg in vars(args):
             logging.info(f"--{arg}={getattr(args, arg)}")
@@ -229,10 +231,17 @@ def __init__(self):
             else:
                 self.package_dir = args.package_dir
 
+        if args.download_dir:
+            if not os.path.exists(args.download_dir):
+                logging.error(f"Specified package dir '{args.download_dir}' does not exist")
+                terminate = True
+            else:
+                self.download_dir = args.download_dir
+
         if args.skip_sig_scan:
             self.skip_sig_scan = True
-            if args.scan_all_files:
-                self.scan_all_packages = True
+        elif args.scan_all_packages:
+            self.scan_all_packages = True
 
         if args.detect_jar_path and not os.path.isfile(args.detect_jar_path):
             logging.error(f"Detect jar file {args.detect_jar_path} does not exist")