Merge pull request #162 from JayMandala/root-component-metadata

Component Metadata, Sbom Output Path, PURL Adjustment

Author: raboof

src/main/scala/com/github/sbt/sbom/BomExtractor.scala

@@ -5,6 +5,7 @@
 package com.github.sbt.sbom
 
 import com.github.packageurl.PackageURL
+import com.github.sbt.sbom.BomExtractor.purl
 import com.github.sbt.sbom.licenses.LicensesArchive
 import org.cyclonedx.Version
 import org.cyclonedx.model.{
@@ -22,11 +23,10 @@ import org.cyclonedx.util.BomUtils
 import sbt._
 import sbt.librarymanagement.ModuleReport
 
-import java.util
-import java.util.UUID
+import java.util.{ TreeMap => TM, UUID }
 import scala.collection.JavaConverters._
 
-import SbtUpdateReport.ModuleGraph
+import SbtUpdateReport.{ ModuleGraph, getModuleQualifier }
 
 class BomExtractor(settings: BomExtractorParams, report: UpdateReport, rootModuleID: ModuleID, log: Logger) {
   private val serialNumber: String = "urn:uuid:" + UUID.randomUUID.toString
@@ -52,9 +52,26 @@ class BomExtractor(settings: BomExtractorParams, report: UpdateReport, rootModul
       metadata.setTimestamp(null)
     }
     metadata.addTool(tool)
+    metadata.setComponent(metadataComponent)
     metadata
   }
 
+  private lazy val metadataComponent: Component = {
+    val metadataComponent = new Component()
+    val group: String = rootModuleID.organization
+    val name: String = rootModuleID.name
+    val version: String = rootModuleID.revision
+
+    metadataComponent.setGroup(group)
+    metadataComponent.setName(name)
+    metadataComponent.setBomRef(purl(group, name, version))
+    metadataComponent.setVersion(version)
+    metadataComponent.setType(toCycloneDxProjectType(settings.projectType))
+    metadataComponent.setPurl(purl(group, name, version))
+
+    metadataComponent
+  }
+
   private lazy val tool: Tool = {
     val tool = new Tool()
     // https://github.com/devops-kung-fu/bomber/blob/main/lib/loader.go#L112 searches for string CycloneDX to detect format
@@ -123,17 +140,20 @@ class BomExtractor(settings: BomExtractorParams, report: UpdateReport, rootModul
           - "info.apiURL"
           - "info.versionScheme"
        */
+
       val component = new Component()
       component.setGroup(group)
       component.setName(name)
       component.setVersion(version)
       component.setModified(false)
       component.setType(Component.Type.LIBRARY)
-      component.setPurl(purl(group, name, version))
+
+      component.setPurl(purl(group, name, version, getModuleQualifier(moduleReport, Some(log))))
       if (settings.schemaVersion.getVersion >= Version.VERSION_11.getVersion) {
         // component bom-refs must be unique
         component.setBomRef(component.getPurl)
       }
+
       component.setScope(Component.Scope.REQUIRED)
       if (settings.includeBomHashes) {
         component.setHashes(hashes(artifactPaths(moduleReport)).asJava)
@@ -214,9 +234,6 @@ class BomExtractor(settings: BomExtractorParams, report: UpdateReport, rootModul
     }
   }
 
-  private def purl(group: String, name: String, version: String): String =
-    new PackageURL(PackageURL.StandardTypes.MAVEN, group, name, version, new util.TreeMap(), null).canonicalize()
-
   private def dependencyTree: Seq[Dependency] = {
     val dependencyTree = configurationsForComponents(settings.configuration).flatMap { configuration =>
       dependencyTreeForConfiguration(configuration)
@@ -235,25 +252,56 @@ class BomExtractor(settings: BomExtractorParams, report: UpdateReport, rootModul
   }
 
   class DependencyTreeExtractor(configurationReport: ConfigurationReport) {
-    def dependencyTree: Seq[Dependency] =
+    def dependencyTree: Seq[Dependency] = {
       moduleGraph.nodes
+        .filter(_.evictedByVersion.isEmpty)
         .sortBy(_.id.idString)
         .map { node =>
-          val bomRef = purl(node.id.organization, node.id.name, node.id.version)
+          val bomRef = purl(node.id.organization, node.id.name, node.id.version, node.qualifier)
 
           val dependency = new Dependency(bomRef)
 
           val dependsOn = moduleGraph.dependencyMap.getOrElse(node.id, Nil).sortBy(_.id.idString)
           dependsOn.foreach { module =>
-            val bomRef = purl(module.id.organization, module.id.name, module.id.version)
-            dependency.addDependency(new Dependency(bomRef))
+            if (module.evictedByVersion.isEmpty) {
+              val bomRef = purl(module.id.organization, module.id.name, module.id.version, module.qualifier)
+
+              dependency.addDependency(new Dependency(bomRef))
+            }
           }
 
           dependency
         }
+    }
 
-    private def moduleGraph: ModuleGraph = SbtUpdateReport.fromConfigurationReport(configurationReport, rootModuleID)
+    private def moduleGraph: ModuleGraph =
+      SbtUpdateReport.fromConfigurationReport(configurationReport, rootModuleID, log)
   }
+
+  private def toCycloneDxProjectType(e: ProjectType): Component.Type = {
+    e match {
+      case APPLICATION            => Component.Type.APPLICATION
+      case FRAMEWORK              => Component.Type.FRAMEWORK
+      case LIBRARY                => Component.Type.LIBRARY
+      case CONTAINER              => Component.Type.CONTAINER
+      case PLATFORM               => Component.Type.PLATFORM
+      case OPERATING_SYSTEM       => Component.Type.OPERATING_SYSTEM
+      case DEVICE                 => Component.Type.DEVICE
+      case DEVICE_DRIVER          => Component.Type.DEVICE_DRIVER
+      case FIRMWARE               => Component.Type.FIRMWARE
+      case FILE                   => Component.Type.FILE
+      case MACHINE_LEARNING_MODEL => Component.Type.MACHINE_LEARNING_MODEL
+      case DATA                   => Component.Type.DATA
+      case CRYPTOGRAPHIC_ASSET    =>
+        if (settings.schemaVersion.getVersion < Version.VERSION_16.getVersion)
+          throw new UnsupportedOperationException(
+            "Current cyclonedx version does not support CRYPTOGRAPHIC_ASSET. Use 1.6 or newer"
+          )
+        else Component.Type.CRYPTOGRAPHIC_ASSET
+
+    }
+  }
+
   def logComponent(component: Component): Unit = {
     log.info(s""""
          |${component.getGroup}" % "${component.getName}" % "${component.getVersion}",
@@ -263,3 +311,16 @@ class BomExtractor(settings: BomExtractorParams, report: UpdateReport, rootModul
   }
 
 }
+
+object BomExtractor {
+  private[sbom] def purl(
+      group: String,
+      name: String,
+      version: String,
+      qualifier: Map[String, String] = Map[String, String]()
+  ): String = {
+    val convertedMap = new TM[String, String](qualifier.asJava)
+
+    new PackageURL(PackageURL.StandardTypes.MAVEN, group, name, version, convertedMap, null).canonicalize()
+  }
+}

src/main/scala/com/github/sbt/sbom/BomExtractorParams.scala

@@ -17,4 +17,6 @@ final case class BomExtractorParams(
     enableBomSha3Hashes: Boolean,
     includeBomExternalReferences: Boolean,
     includeBomDependencyTree: Boolean,
+    projectType: ProjectType,
+    bomOutputPath: sbt.File
 )

src/main/scala/com/github/sbt/sbom/BomSbtPlugin.scala

@@ -57,6 +57,12 @@ object BomSbtPlugin extends AutoPlugin {
     lazy val bomConfigurations: TaskKey[Seq[Configuration]] = taskKey[Seq[Configuration]](
       "Returns the list of configurations whose components are included in the generated bom"
     )
+    lazy val projectType: SettingKey[String] = settingKey[String](
+      "Project type specification. Project will be assigned as 'Library' by default."
+    )
+    lazy val bomOutputPath: SettingKey[String] = settingKey[String](
+      "Output path of the created BOM file. BOM File will be placed in target/ directory by default"
+    )
   }
 
   import autoImport._
@@ -90,6 +96,8 @@ object BomSbtPlugin extends AutoPlugin {
         .taskDyn(BomSbtSettings.listBomTask(Classpaths.updateTask.value, IntegrationTest))
         .value,
       bomConfigurations := Def.taskDyn(BomSbtSettings.bomConfigurationTask((configuration ?).value)).value,
+      projectType := "library",
+      bomOutputPath := "",
       packagedArtifacts += {
         Artifact(
           artifact.value.name,

src/main/scala/com/github/sbt/sbom/BomSbtSettings.scala

@@ -16,6 +16,14 @@ object BomSbtSettings {
         (currentConfiguration / bomFileName).?.value,
         bomSchemaVersion.value
       )
+
+      val outputPath = if (bomOutputPath.value.isEmpty) {
+        target.value
+      } else {
+        sbt.file(bomOutputPath.value)
+      }
+
+      val projType = ProjectType.fromString(projectType.value)
       new MakeBomTask(
         BomTaskProperties(
           report,
@@ -33,8 +41,10 @@ object BomSbtSettings {
           enableBomSha3Hashes.value,
           includeBomExternalReferences.value,
           includeBomDependencyTree.value,
+          projType,
+          outputPath
         ),
-        target.value / (currentConfiguration / bomFileName).value
+        outputPath / (currentConfiguration / bomFileName).value
       ).execute
     }
 
@@ -45,6 +55,7 @@ object BomSbtSettings {
         (currentConfiguration / bomFileName).?.value,
         bomSchemaVersion.value
       )
+      val projType = ProjectType.fromString(projectType.value)
       new ListBomTask(
         BomTaskProperties(
           report,
@@ -62,6 +73,8 @@ object BomSbtSettings {
           enableBomSha3Hashes.value,
           includeBomExternalReferences.value,
           includeBomDependencyTree.value,
+          projType,
+          sbt.file(bomOutputPath.value)
         )
       ).execute
     }

src/main/scala/com/github/sbt/sbom/BomTask.scala

@@ -29,6 +29,8 @@ final case class BomTaskProperties(
     enableBomSha3Hashes: Boolean,
     includeBomExternalReferences: Boolean,
     includeBomDependencyTree: Boolean,
+    projectType: ProjectType,
+    bomOutputPath: sbt.File
 )
 
 abstract class BomTask[T](protected val properties: BomTaskProperties) {
@@ -84,6 +86,8 @@ abstract class BomTask[T](protected val properties: BomTaskProperties) {
       enableBomSha3Hashes,
       includeBomExternalReferences,
       includeBomDependencyTree,
+      projectType,
+      bomOutputPath
     )
 
   protected def logBomInfo(params: BomExtractorParams, bom: Bom): Unit = {
@@ -124,4 +128,8 @@ abstract class BomTask[T](protected val properties: BomTaskProperties) {
   protected lazy val includeBomExternalReferences: Boolean = properties.includeBomExternalReferences
 
   protected lazy val includeBomDependencyTree: Boolean = properties.includeBomDependencyTree
+
+  protected lazy val projectType: ProjectType = properties.projectType
+
+  protected lazy val bomOutputPath: sbt.File = properties.bomOutputPath
 }

src/main/scala/com/github/sbt/sbom/ProjectType.scala

@@ -0,0 +1,47 @@
+// SPDX-FileCopyrightText: The sbt-sbom team
+//
+// SPDX-License-Identifier: MIT
+
+package com.github.sbt.sbom
+
+sealed trait ProjectType
+case object APPLICATION extends ProjectType
+case object FRAMEWORK extends ProjectType
+case object LIBRARY extends ProjectType
+case object CONTAINER extends ProjectType
+case object PLATFORM extends ProjectType
+case object OPERATING_SYSTEM extends ProjectType
+case object DEVICE extends ProjectType
+case object DEVICE_DRIVER extends ProjectType
+case object FIRMWARE extends ProjectType
+case object FILE extends ProjectType
+case object MACHINE_LEARNING_MODEL extends ProjectType
+case object DATA extends ProjectType
+case object CRYPTOGRAPHIC_ASSET extends ProjectType
+
+object ProjectType {
+  def fromString(t: String): ProjectType = {
+    val projType = t.trim().toUpperCase().replace("-", "_")
+
+    Vector(
+      APPLICATION,
+      FRAMEWORK,
+      LIBRARY,
+      CONTAINER,
+      PLATFORM,
+      OPERATING_SYSTEM,
+      DEVICE,
+      DEVICE_DRIVER,
+      FIRMWARE,
+      FILE,
+      MACHINE_LEARNING_MODEL,
+      DATA,
+      CRYPTOGRAPHIC_ASSET
+    ).find(_.toString == projType)
+      .getOrElse(
+        throw new ClassNotFoundException(
+          s"Given Project Type not found. Refer to ${ProjectType.getClass.getName} or the list of available type."
+        )
+      )
+  }
+}

src/main/scala/com/github/sbt/sbom/SbtUpdateReport.scala

@@ -5,7 +5,7 @@
 package com.github.sbt.sbom
 
 import sbt.librarymanagement.{ ConfigurationReport, ModuleID, ModuleReport }
-import sbt.{ File, OrganizationArtifactReport }
+import sbt.{ File, Logger, OrganizationArtifactReport }
 
 import scala.collection.mutable
 
@@ -24,7 +24,8 @@ object SbtUpdateReport {
       extraInfo: String = "",
       evictedByVersion: Option[String] = None,
       jarFile: Option[File] = None,
-      error: Option[String] = None
+      error: Option[String] = None,
+      qualifier: Map[String, String] = Map[String, String]()
   )
 
   private type Edge = (GraphModuleId, GraphModuleId)
@@ -62,7 +63,43 @@ object SbtUpdateReport {
       GraphModuleId(sbtId.organization, sbtId.name, sbtId.revision)
   }
 
-  def fromConfigurationReport(report: ConfigurationReport, rootInfo: ModuleID): ModuleGraph = {
+  def getModuleQualifier(moduleReport: ModuleReport, log: Option[Logger] = None): Map[String, String] = {
+    val qualifier = new mutable.HashMap[String, String]()
+
+    // Getting artifact with the same name as module name as purl qualifier
+    val moduleArtifacts = moduleReport.artifacts
+      .filter(ar => {
+        ar._1.name.equals(moduleReport.module.name)
+      })
+      .sortBy { x => (x._1.`type`, x._1.classifier, x._1.hashCode()) }
+
+    moduleArtifacts.size match {
+      case 0 => () // ignore empty found artifacts
+      case x =>
+        if (x > 1 && log.isDefined) {
+          log.foreach(
+            _.warn(
+              "Multiple artifacts with the same name as module name are detected. Taking the first artifact match as Purl qualifier."
+            )
+          )
+        }
+        if (moduleArtifacts.head._1.`type`.nonEmpty) {
+          // "jar" type will not be shown, since it's the default value of an artifact.
+          if (moduleArtifacts.head._1.`type` != "jar") {
+            qualifier.put("type", moduleArtifacts.head._1.`type`)
+          }
+        }
+        moduleArtifacts.head._1.classifier.foreach(classifier =>
+          if (classifier.nonEmpty) {
+            qualifier.put("classifier", classifier)
+          }
+        )
+    }
+
+    qualifier.toMap
+  }
+
+  def fromConfigurationReport(report: ConfigurationReport, rootInfo: ModuleID, log: Logger): ModuleGraph = {
     def moduleEdges(orgArt: OrganizationArtifactReport): Seq[(Module, Seq[Edge])] = {
       val chosenVersion = orgArt.modules.find(!_.evicted).map(_.module.revision)
       orgArt.modules.map(moduleEdge(chosenVersion))
@@ -80,11 +117,13 @@ object SbtUpdateReport {
           license = report.licenses.headOption.map(_._1),
           evictedByVersion = evictedByVersion,
           jarFile = jarFile,
-          error = report.problem
+          error = report.problem,
+          qualifier = getModuleQualifier(report)
         ),
         report.callers.map(caller => Edge(GraphModuleId(caller.caller), GraphModuleId(report.module)))
       )
     }
+
     val (nodes, edges) = report.details.flatMap(moduleEdges).unzip
     val root = Module(GraphModuleId(rootInfo))