diff --git a/README.md b/README.md index a4bdc29..207669b 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,4 @@ -# Black Duck SCA Scan Yocto Script - bd_scan_yocto_via_sbom.py v1.0.15 +# Black Duck SCA Scan Yocto Script - bd_scan_yocto_via_sbom.py v1.0.16 # PROVISION OF THIS SCRIPT This script is provided under the MIT license (see LICENSE file). @@ -167,6 +167,7 @@ There are several additional options to modify the behaviour of this utility inc --logfile LOGFILE Logging output file --recipe_report REPFILE Output specified file with a list of recipes including those not matched in the BOM + --no_unmap Do not unmap previous code locations (scans) when running the initial scan (default is to unmap) ### MINIMUM REQUIRED OPTIONS diff --git a/pyproject.toml b/pyproject.toml index ba04657..fc42646 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta" [project] name = "bd_scan_yocto_via_sbom" -version = "1.0.15" +version = "1.0.16" authors = [ { name="Matthew Brady", email="mbrad@blackduck.com" }, ] diff --git a/yocto_import_sbom/BOMClass.py b/yocto_import_sbom/BOMClass.py index 79560f9..cedf3bc 100644 --- a/yocto_import_sbom/BOMClass.py +++ b/yocto_import_sbom/BOMClass.py @@ -4,6 +4,7 @@ import requests import time import os +import json from pathlib import Path from .ComponentListClass import ComponentList @@ -184,7 +185,12 @@ def upload_sbom(conf, bom, sbom): if response.status_code == 201: return True else: - raise Exception(f"Return code {response.status_code}") + # Try to extract meaningful error message + repjson = response.content.decode('utf8') + err = json.loads(repjson) + err_text = err['errorMessage'] + + raise Exception(f"Return code {response.status_code} - error {err_text}") except Exception as e: logging.error("Unable to POST SPDX data") diff --git a/yocto_import_sbom/ConfigClass.py b/yocto_import_sbom/ConfigClass.py index 1573b9d..81368ae 100644 --- a/yocto_import_sbom/ConfigClass.py 
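Review bot: The new error-extraction lines in `upload_sbom` (`json.loads(repjson)` and `err['errorMessage']`) can themselves raise when the server or an intermediary returns a non-JSON body or a JSON object without that key; that exception is then caught by the enclosing `except Exception as e:` and reported only as "Unable to POST SPDX data", so the HTTP status code the old message carried is lost in exactly the cases where it matters most. Parse defensively and fall back to a bounded slice of the raw body so the status code is always in the raised message and the log cannot grow unboundedly from a large error page. `upload_sbom` begins and ends outside this hunk.
```python
        else:
            # Try to extract a meaningful error message; fall back to the raw
            # (truncated) body when the response is not JSON or lacks the key,
            # so the status code is never lost from the exception.
            try:
                err_text = json.loads(response.text).get('errorMessage', response.text[:500])
            except (ValueError, AttributeError):
                err_text = response.text[:500]

            raise Exception(f"Return code {response.status_code} - error {err_text}")
        # … unchanged: except Exception as e: logging.error("Unable to POST SPDX data") …
```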
+++ b/yocto_import_sbom/ConfigClass.py @@ -4,7 +4,7 @@ import sys from .OEClass import OE -script_version = "v1.0.15" +script_version = "v1.0.16" class Config: def __init__(self): @@ -91,7 +91,7 @@ def __init__(self): parser.add_argument("--debug", help="Debug logging mode", action='store_true') parser.add_argument("--logfile", help="Logging output file", default="") parser.add_argument("--recipe_report", help="Output recipe report to file", default="") - + parser.add_argument("--no_unmap", help="Do not unmap previous scans when running new scan", action='store_true') args = parser.parse_args() @@ -129,6 +129,7 @@ def __init__(self): self.cve_check_dir = '' self.license_dir = '' self.recipe_report = '' + self.unmap = True terminate = False if args.debug: @@ -138,7 +139,7 @@ def __init__(self): if args.logfile: if os.path.exists(args.logfile): logging.error(f"Specified logfile '{args.logfile}' already exists - EXITING") - return + sys.exit(2) logging.basicConfig(encoding='utf-8', handlers=[logging.FileHandler(args.logfile), logging.StreamHandler(sys.stdout)], level=loglevel) @@ -146,15 +147,18 @@ def __init__(self): logging.basicConfig(level=loglevel) logging.info(f"Black Duck Yocto scan via SBOM utility - {script_version}") + logging.info('') + logging.info("--- PHASE 0 - CONFIG -----------------------------------------------------") + logging.info("SUPPLIED ARGUMENTS:") for arg in vars(args): logging.info(f"--{arg}={getattr(args, arg)}") - logging.info('') - logging.info("--- PHASE 0 - CONFIG -----------------------------------------------------") - bd_connect = True if args.output: + if os.path.exists(args.output): + logging.error(f"Specified SBOM output file '{args.output}' already exists - EXITING") + sys.exit(2) self.output_file = args.output bd_connect = False 
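Review bot: The new `SUPPLIED ARGUMENTS:` heading in the `-146,15` hunk sits directly above the loop that logs every parsed argument verbatim via `getattr(args, arg)`, and with `--logfile` that output is persisted to disk; if the parser (built earlier in `__init__`, outside this hunk) accepts an API token or any other secret, it is written to the log in clear. Consider masking such values before logging, e.g. `val = '********' if any(k in arg.lower() for k in ('token', 'password')) else getattr(args, arg)` and logging `val` instead. The `-138,7` hunk's switch from `return` to `sys.exit(2)` is the right fix, since returning from `__init__` left a half-configured `Config` in use; a one-line comment such as `# exit rather than return: a partially initialised Config must not be used` would make the intent explicit. `__init__` continues past the end of these hunks.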
@@ -290,6 +294,9 @@ def __init__(self): if args.detect_opts != '': self.detect_opts = args.detect_opts.replace('detect', '--detect') + if args.no_unmap: + self.unmap = False + if terminate: sys.exit(2) return diff --git a/yocto_import_sbom/SBOMClass.py b/yocto_import_sbom/SBOMClass.py index bf70ae7..2bf69b3 100644 --- a/yocto_import_sbom/SBOMClass.py +++ b/yocto_import_sbom/SBOMClass.py @@ -27,7 +27,7 @@ def __init__(self, proj, ver): ], "licenseListVersion": "3.13" }, - "name": self.quote(f"{proj}-{ver}"), + "name": self.quote(f"{proj}-{ver}-" + mytime.strftime("%Y%m%dT%H%M%S")), "documentDescribes": [ self.quote(f"SPDXRef-package-{self.package_id}") ], diff --git a/yocto_import_sbom/main.py b/yocto_import_sbom/main.py index d7a32c5..9270be9 100644 --- a/yocto_import_sbom/main.py +++ b/yocto_import_sbom/main.py @@ -19,8 +19,13 @@ def main(): logging.info("") logging.info("--- PHASE 1 - PROCESS PROJECT --------------------------------------------") bom = BOM(conf) - if conf.detect_opts != '': - if not bom.run_detect_sigscan(conf, empty_dir.name, extra_opt='--detect.tools=DETECTOR'): + + if conf.output_file == '': + extra_opt = '--detect.tools=DETECTOR' + if conf.unmap: + extra_opt += ' --detect.project.codelocation.unmap=true' + if not bom.run_detect_sigscan(conf, empty_dir.name, + extra_opt=extra_opt): logging.error("Unable to run Detect to initialise project") sys.exit(2)
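Review bot: In the SBOMClass.py hunk the document `name` now appends `mytime.strftime("%Y%m%dT%H%M%S")`, but `mytime` is not assigned anywhere in the hunk; it presumably comes from earlier in `__init__` (outside the hunk), so confirm it is set before this dict literal is built. If it is a naive local-time value, a UTC stamp (e.g. `strftime("%Y%m%dT%H%M%SZ")` on a UTC-aware datetime) would make SBOM names from different hosts sort and compare consistently. Since the timestamp makes every upload a distinct document, a short comment here would help the next reader, e.g. `# timestamp makes each upload a distinct SBOM document; see --no_unmap in main.py`.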
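Review bot: In the main.py hunk the gate changes from `conf.detect_opts != ''` to `conf.output_file == ''`, so Detect now runs on every server-connected run, and by default it also passes `--detect.project.codelocation.unmap=true`, which (per the README text in this commit) unmaps the project version's previous code locations. Because that default alters existing project state, log the decision so each run leaves an audit trail, e.g. `logging.info("Unmapping previous code locations (use --no_unmap to keep them)")` inside the `if conf.unmap:` branch. Building the option string with `+=` and a leading space relies on `run_detect_sigscan` splitting `extra_opt` on whitespace; that function is outside this hunk, so worth confirming. `main()` continues beyond the hunk.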