Merge pull request #15 from jeffreysfllo24/add-json-format

coderpatros · web-flow · commit a7ba5ef9f29c · 2022-05-18T14:16:21.000+10:00
Add support for JSON bom output
diff --git a/README.md b/README.md
@@ -29,9 +29,10 @@ cyclonedx-ruby [options]
 
     `-v, --[no-]verbose` Run verbosely
     `-p, --path path` Path to Ruby project directory
+    `-f, --format` Bom output format
     `-h, --help` Show help message
 
-**Output:** bom.xml file in project directory
+**Output:** bom.xml or bom.json file in project directory
 
 #### Example
 ```bash
diff --git a/cyclonedx-ruby.gemspec b/cyclonedx-ruby.gemspec
@@ -8,7 +8,7 @@ Gem::Specification.new do |spec|
   spec.description = 'CycloneDX is a lightweight software bill-of-material (SBOM) specification designed for use in application security contexts and supply chain component analysis. This Gem generates CycloneDX BOMs from Ruby projects.'
   spec.authors     = ['Joseph Kobti', 'Steve Springett']
   spec.email       = 'josephkobti@outlook.com'
-  spec.files       = ['lib/bom_builder.rb', 'lib/bom_helpers.rb', 'lib/licenses.json']
+  spec.files       = ['lib/bom_builder.rb', 'lib/bom_helpers.rb', 'lib/licenses.json', 'lib/bom_component.rb']
   spec.homepage    = 'https://github.com/CycloneDX/cyclonedx-ruby-gem'
   spec.license     = 'Apache-2.0'
   spec.executables << 'cyclonedx-ruby'
diff --git a/lib/bom_builder.rb b/lib/bom_builder.rb
@@ -31,13 +31,16 @@
 require 'rest_client'
 require 'securerandom'
 require_relative 'bom_helpers'
+require 'active_support/core_ext/hash'
 
 class Bombuilder
+  SUPPORTED_BOM_FORMATS = %w[xml json]
+
   def self.build(path)
     original_working_directory = Dir.pwd
     setup(path)
     specs_list
-    bom = build_bom(@gems)
+    bom = build_bom(@gems, @bom_output_format)
 
     begin
       @logger.info("Changing directory to the original working directory located at #{original_working_directory}")
@@ -84,6 +87,9 @@ def self.setup(path)
       opts.on('-o', '--output bom_file_path', '(Optional) Path to output the bom.xml file to') do |bom_file_path|
         @options[:bom_file_path] = bom_file_path
       end
+      opts.on('-f', '--format bom_output_format', '(Optional) Output format for bom. Currently support xml (default) and json.') do |bom_output_format|
+        @options[:bom_output_format] = bom_output_format
+      end
       opts.on_tail('-h', '--help', 'Show help message') do
         puts opts
         exit
@@ -119,8 +125,17 @@ def self.setup(path)
       abort
     end
 
+    if @options[:bom_output_format].nil?
+      @bom_output_format = 'xml'
+    elsif SUPPORTED_BOM_FORMATS.include?(@options[:bom_output_format])
+      @bom_output_format = @options[:bom_output_format]
+    else
+      @logger.error("Unrecognized cyclonedx bom output format provided. Please choose one of #{SUPPORTED_BOM_FORMATS}")
+      abort
+    end
+
     @bom_file_path = if @options[:bom_file_path].nil?
-                       './bom.xml'
+                       "./bom.#{@bom_output_format}"
                      else
                        @options[:bom_file_path]
                      end
diff --git a/lib/bom_component.rb b/lib/bom_component.rb
@@ -0,0 +1,45 @@
+
+class BomComponent
+  DEFAULT_TYPE = "library".freeze
+  HASH_ALG = 'SHA-256'.freeze
+
+  def initialize(gem)
+    @name = gem['name']
+    @version = gem['version']
+    @description = gem['description']
+    @hash = gem['hash']
+    @purl = gem['purl']
+    @gem = gem
+  end
+
+  def hash_val
+    component_hash = {
+      "type": DEFAULT_TYPE,
+      "name": @name,
+      "version": @version,
+      "description": @description,
+      "purl": @purl,
+      "hashes": [
+          "alg": HASH_ALG,
+          "content": @hash
+      ]
+    }
+
+    if @gem['license_id']
+      component_hash[:"licenses"] = [
+        "license": {
+          "id": @gem['license_id']
+        }
+      ]
+    elsif @gem['license_name']
+      component_hash[:"licenses"] = [
+        "license": {
+          "name": @gem['license_name']
+        }
+      ]
+    end
+
+    [component_hash]
+
+  end
+end
diff --git a/lib/bom_helpers.rb b/lib/bom_helpers.rb
@@ -21,6 +21,9 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 #
 # frozen_string_literal: true
+
+require_relative 'bom_component'
+
 def purl(name, version)
   "pkg:gem/#{name}@#{version}"
 end
@@ -29,7 +32,31 @@ def random_urn_uuid
   "urn:uuid:#{SecureRandom.uuid}"
 end
 
-def build_bom(gems)
+def build_bom(gems, format)
+  if format == 'json'
+    build_json_bom(gems)
+  else
+    build_bom_xml(gems)
+  end
+end
+
+def build_json_bom(gems)
+  bom_hash = {
+    "bomFormat": "CycloneDX",
+    "specVersion": "1.1",
+    "serialNumber": random_urn_uuid,
+    "version": 1,
+    "components": []
+  }
+
+  gems.each do |gem|
+    bom_hash[:components] += BomComponent.new(gem).hash_val()
+  end
+
+  JSON.pretty_generate(bom_hash)
+end
+
+def build_bom_xml(gems)
   builder = Nokogiri::XML::Builder.new(encoding: 'UTF-8') do |xml|
     attributes = { 'xmlns' => 'http://cyclonedx.org/schema/bom/1.1', 'version' => '1', 'serialNumber' => random_urn_uuid }
     xml.bom(attributes) do
@@ -61,6 +88,7 @@ def build_bom(gems)
       end
     end
   end
+
   builder.to_xml
 end
 
