✨ --include-metadata (metadata.tools) & --enrich-components #40
Conversation
Pull Request Overview
This pull request introduces support for emitting metadata.tools information in CycloneDX BOMs when the --include-metadata flag is provided. The tools metadata identifies the producer (CycloneDX, cyclonedx-ruby, and the gem version) and is emitted for both JSON and XML formats when the selected spec version is >= 1.2.
Key changes:
- Added --include-metadata CLI flag to control metadata.tools emission
- Implemented metadata.tools generation for JSON and XML BOM formats
- Restructured test files and added RSpec configuration
- Added unit and integration tests for the new functionality
Reviewed Changes
Copilot reviewed 62 out of 82 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| spec/spec_helper.rb | Replaced Aruba-based configuration with standard RSpec setup including SimpleCov initialization |
| spec/cyclonedx/ruby_spec.rb | Added version number existence test for the gem |
| spec/cyclonedx/metadata_tools_spec.rb | New test file validating metadata.tools emission in JSON and XML BOMs |
| spec/cyclonedx/bom_helpers_spec.rb | Tests for BomHelpers.purl method with legacy method compatibility check |
| spec/cyclonedx/bom_component_spec.rb | Updated to use namespaced class name (Cyclonedx::BomComponent) |
| spec/bom_helpers_spec.rb | Deleted legacy test file |
| sig/cyclonedx/ruby.rbs | Added RBS type signature for the Ruby module with VERSION constant |
| schema/*.{json,xsd,proto} | Added CycloneDX schema files for various versions and formats |
| schema/README.md | Documentation about the CycloneDX specification and schemas |
| lib/cyclonedx_deprecated.rb | Backward compatibility layer providing deprecated global methods |
| lib/cyclonedx/ruby/version.rb | Version constant definition (VERSION = "1.2.0") |
| lib/cyclonedx/ruby.rb | Main entry point requiring dependencies and gem components |
| features/support/*.rb | Added frozen_string_literal comments |
| validation without needing internet access. | ||
| Namespace: urn:oasis:names:tc:entity:xmlns:xml:catalog | ||
| --> | ||
| <!-- to prevent unintendedn notwork access, we do not set a DTD/XSD in this XML --> |
Copilot (AI), Oct 26, 2025
Corrected spelling of 'unintended' (was 'unintendedn') and 'network' (was 'notwork').
| <!-- to prevent unintendedn notwork access, we do not set a DTD/XSD in this XML --> | |
| <!-- to prevent unintended network access, we do not set a DTD/XSD in this XML --> |
e20181d to bc50e2a
4c22698 to 3ec031f
Signed-off-by: Peter H. Boling <peter.boling@gmail.com>
Signed-off-by: Peter H. Boling <peter.boling@gmail.com>
- All generated BOMs are now automatically validated against the CycloneDX schema. If validation fails, the tool exits with an error code instead of writing an invalid BOM.
- Added --validate PATH flag in Cyclonedx::BomBuilder to validate existing BOM files without generating a new one.
- In validate-only mode (--validate <path>), project path is not required.
- Format is automatically inferred from file extension (.json or .xml) when using --validate unless --format is explicitly provided.
- Added Cyclonedx::BomHelpers.validate_bom_content(content, format, spec_version) which:
  - For JSON: uses json_schemer to validate against bom-<ver>.schema.json.
  - For XML: uses Nokogiri::XML::Schema with bom-<ver>.xsd.
  - Uses local schemas at schema/ and surfaces compact error messages; returns non-zero exit on failure.
- Added json_schemer (~> 2.2) to cyclonedx-ruby.gemspec.
- Required json_schemer in lib/cyclonedx/ruby.rb.
- Updated features/help.feature to show the --validate flag.
- Added features/validate.feature:
  - Validate generated XML BOM succeeds (automatic validation).
  - Validate generated JSON BOM succeeds (automatic validation).
  - Validate existing XML BOM succeeds with --validate flag.
  - Validate existing JSON BOM succeeds with --validate flag.
  - Validate fails for invalid XML BOM (corrupts namespace and expects exit 1).
Signed-off-by: Peter H. Boling <peter.boling@gmail.com>
lib/cyclonedx/bom_helpers.rb
Outdated
| end | ||
|
|
||
| def get_gem(name, version, logger) | ||
| url = "https://rubygems.org/api/v1/versions/#{name}.json" |
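Review bot: `name` is interpolated into the URL path without escaping, so a name containing `/`, `?` or `#` would change which resource is requested; percent-encode it first, e.g. `url = "https://rubygems.org/api/v1/versions/#{ERB::Util.url_encode(name)}.json"` (with `require "erb"`). The host is also hardcoded here; taking the base URL from a parameter with this value as the default keeps the call usable against a private gem server.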
might want to make the domain of this call configurable so that a user can query a private or third party gem server instead?
Yes!
I'll make it default to gem.coop, and allow overrides.
Switched to gem.coop in b1ab078
✨ --gem-server: Configurable Gem Server URL
Added --gem-server flag to allow users to specify a custom gem server
for fetching gem metadata instead of using the hardcoded default.
CLI changes
- Added --gem-server URL option in Cyclonedx::BomBuilder command-line parser
- Stores custom server URL in @options[:gem_server] for use during BOM generation
- When specified, passes the custom gem_server to get_gem() calls
- Defaults to gem.coop when not specified, maintaining backward compatibility
Core implementation
- Modified Cyclonedx::BomHelpers.get_gem to accept optional gem_server parameter
- Defaults to 'https://gem.coop' when nil
- Strips trailing slashes from gem_server URLs for consistency
- Constructs gem metadata API URL using provided server
- Updated get_gem call in bom_builder.rb (line 222) to pass @options[:gem_server]
Tests
Unit tests (spec/cyclonedx/bom_helpers_spec.rb):
- Validates default behavior uses gem.coop when gem_server is not provided or nil
- Verifies custom gem server URLs are used correctly
- Tests trailing slash removal from custom server URLs
- Confirms rubygems.org works as a custom server
- Maintains existing error handling tests
Cucumber tests (features/gem_server.feature):
- Validates default gem.coop behavior when --gem-server not specified
- Tests custom gem server with https://rubygems.org
- Tests custom gem server with trailing slash normalization
- Verifies help text displays the --gem-server option
Use cases
Users can now:
- Use private gem servers: --gem-server https://internal.company.com
- Use rubygems.org directly: --gem-server https://rubygems.org
- Use alternate public mirrors
- Default to gem.coop without any configuration change
- Add spec version selection end-to-end with a new --spec-version flag (default 1.7).
- Update JSON and XML outputs to honor the selected spec version.
- Update fixtures, help text, tests, and docs.
Files:
- lib/bom_helpers.rb:
  - Added SUPPORTED_SPEC_VERSIONS, cyclonedx_xml_namespace helper.
  - build_bom now accepts spec_version and routes to:
    - build_json_bom(gems, spec_version) sets specVersion to the provided version.
    - build_bom_xml(gems, spec_version) sets xmlns to http://cyclonedx.org/schema/bom/<version>
- lib/bom_builder.rb:
  - Added --spec-version with validation; default is 1.7.
  - Pass @spec_version into build_bom(@gems, @bom_output_format, @spec_version).
Signed-off-by: Peter H. Boling <peter.boling@gmail.com>
- Added --validate and --validate-file flags in Cyclonedx::BomBuilder.
- After writing the BOM, if --validate is set, validate JSON via JSON Schema and XML via XSD with local files under schema/.
- Added logic to validate an existing file with --validate --validate-file <path>, inferring format from extension unless --format is provided.
- In validate-only mode, project path isn’t required.
- Added Cyclonedx::BomHelpers.validate_bom_content(content, format, spec_version) which:
  - For JSON: uses json_schemer to validate against bom-<ver>.schema.json.
  - For XML: uses Nokogiri::XML::Schema with bom-<ver>.xsd.
  - Uses local schemas at schema/ and surfaces compact error messages; returns non-zero exit on failure.
- Added json_schemer (~> 2.2) to cyclonedx-ruby.gemspec.
- Required json_schemer in lib/cyclonedx/ruby.rb.
- Updated features/help.feature to show the new flags.
- Added features/validate.feature:
  - Validate XML BOM succeeds.
  - Validate JSON BOM succeeds.
  - Validate fails for invalid XML BOM (corrupts namespace and expects exit 1).
  - Infer format from file extension when using --validate-file and no --format provided.
Signed-off-by: Peter H. Boling <peter.boling@gmail.com>
- When provided, metadata.tools identifies this producer:
  - vendor: CycloneDX
  - name: cyclonedx-ruby
  - version: the gem’s version
- Emitted for both JSON and XML, and only when the selected spec supports metadata (>= 1.2).
- Help and README updated.
- features/metadata_tools.feature (integration)
- spec/cyclonedx/metadata_tools_spec.rb (unit, offline-safe)
Signed-off-by: Peter H. Boling <peter.boling@gmail.com>
- Updated Cyclonedx::BomBuilder to add:
- CLI: --enrich-components to opt-in enrichment.
- Pass include_enrichment to build_bom(...).
- Note: This does not alter default outputs; enrichment only applies with the flag.
- Updated Cyclonedx::BomHelpers:
- build_bom supports include_enrichment and passes it to both JSON and XML builders.
- build_json_bom adds bom-ref and publisher via BomComponent when include_enrichment: true.
- build_bom_xml adds:
- bom-ref attribute on <component> using purl.
- <publisher>first_author</publisher> if authors are present (first item split on commas/ampersands).
- Added a small _get helper to read properties from either Hash or OpenStruct-like objects.
- Updated Cyclonedx::BomComponent:
- Added optional keyword parameter include_enrichment: false to hash_val.
- When true, include:
- "bom-ref": purl (if present)
- "publisher": first author (if present)
- Made property access robust across Hash/OpenStruct.
- Ensured hashes is an array with an object { alg, content } as expected by existing specs.
- Added spec/cyclonedx/component_enrichment_spec.rb:
- Verifies JSON has bom-ref and publisher when include_enrichment: true and omits them otherwise.
- Verifies XML has bom-ref attribute and <publisher> when include_enrichment: true and omits otherwise.
Signed-off-by: Peter H. Boling <peter.boling@gmail.com>
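The two commit messages above (metadata.tools gated on spec version >= 1.2, and opt-in bom-ref/publisher enrichment) describe behaviour that is easier to see in code. The following is an added example written for this page, not the cyclonedx-ruby project's own implementation; the function names (build_json_bom, component_hash, first_publisher), the TOOL_VERSION constant and the sample gem data are assumptions.

```ruby
require "json"
require "rubygems" # for Gem::Version

TOOL_VERSION = "1.2.0" # assumed producer version; the real gem reads its own VERSION

# metadata (and therefore metadata.tools) exists only from CycloneDX 1.2 onward,
# so compare versions numerically rather than as strings ("1.10" > "1.2").
def metadata_supported?(spec_version)
  Gem::Version.new(spec_version) >= Gem::Version.new("1.2")
end

# First author, splitting the authors string on commas or ampersands.
def first_publisher(authors)
  return nil if authors.nil? || authors.strip.empty?
  authors.split(/\s*[,&]\s*/).map(&:strip).reject(&:empty?).first
end

# One component entry; bom-ref and publisher appear only when enrichment is on.
def component_hash(gem, include_enrichment: false)
  h = { "type" => "library", "name" => gem[:name], "version" => gem[:version],
        "purl" => gem[:purl] }
  if include_enrichment
    h["bom-ref"] = gem[:purl] if gem[:purl]
    pub = first_publisher(gem[:authors])
    h["publisher"] = pub if pub
  end
  h
end

def build_json_bom(gems, spec_version, include_metadata: false, include_enrichment: false)
  bom = { "bomFormat" => "CycloneDX", "specVersion" => spec_version, "version" => 1 }
  if include_metadata && metadata_supported?(spec_version)
    bom["metadata"] = { "tools" => [{ "vendor" => "CycloneDX", "name" => "cyclonedx-ruby",
                                       "version" => TOOL_VERSION }] }
  end
  bom["components"] = gems.map { |g| component_hash(g, include_enrichment: include_enrichment) }
  bom
end

# Constructed sample input (not real gem metadata).
SAMPLE_GEMS = [
  { name: "example-gem", version: "1.0.0", purl: "pkg:gem/example-gem@1.0.0",
    authors: "Alice Example, Bob Example & Carol Example" },
].freeze

if $PROGRAM_NAME == __FILE__
  puts JSON.pretty_generate(build_json_bom(SAMPLE_GEMS, "1.7", include_metadata: true, include_enrichment: true))
end
```

With spec version 1.1 the metadata block is dropped even when --include-metadata is requested, and without enrichment the component carries neither bom-ref nor publisher.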
- Fix link to renamed LICENSE => LICENSE.txt
Signed-off-by: Peter H. Boling <peter.boling@gmail.com>
Signed-off-by: Peter H. Boling <peter.boling@gmail.com>
3ec031f to b47dd03
Signed-off-by: Peter H. Boling <peter.boling@gmail.com>
Got some test failures

Replaced by #50
CLI and wiring
--include-metadata
- vendor: CycloneDX
- name: cyclonedx-ruby
- version: the gem’s version
--enrich-components
JSON and XML emission
Component shape
Tests
Signed-off-by: Peter H. Boling <peter.boling@gmail.com>