✨ --spec-version, --include-metadata, --enrich-components, --gem-server

.rubocop_todo.yml

@@ -1,6 +1,6 @@
 # This configuration was generated by
 # `rubocop --auto-gen-config`
-# on 2025-10-30 06:45:50 UTC using RuboCop version 1.81.6.
+# on 2025-12-19 21:12:16 UTC using RuboCop version 1.81.6.
 # The point is for the user to remove these configuration records
 # one by one as the offenses are removed from the code base.
 # Note that changes in the inspected code, or installation of new
@@ -20,36 +20,51 @@ Layout/ExtraSpacing:
   Exclude:
     - 'cyclonedx-ruby.gemspec'
 
-# Offense count: 4
+# Offense count: 1
+Lint/NoReturnInBeginEndBlocks:
+  Exclude:
+    - 'lib/cyclonedx/bom_helpers.rb'
+
+# Offense count: 1
+Lint/StructNewOverride:
+  Exclude:
+    - 'spec/cyclonedx/component_enrichment_spec.rb'
+
+# Offense count: 6
 # Configuration parameters: AllowedMethods, AllowedPatterns, CountRepeatedAttributes.
 Metrics/AbcSize:
-  Max: 68
+  Max: 100
 
-# Offense count: 4
+# Offense count: 12
 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns.
 # AllowedMethods: refine
 Metrics/BlockLength:
-  Max: 38
+  Max: 83
 
 # Offense count: 1
 # Configuration parameters: CountComments, CountAsOne.
 Metrics/ClassLength:
-  Max: 129
+  Max: 195
 
-# Offense count: 1
+# Offense count: 5
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 Metrics/CyclomaticComplexity:
-  Max: 9
+  Max: 20
 
-# Offense count: 7
+# Offense count: 9
 # Configuration parameters: CountComments, CountAsOne, AllowedMethods, AllowedPatterns.
 Metrics/MethodLength:
-  Max: 69
+  Max: 108
 
 # Offense count: 1
+# Configuration parameters: CountComments, CountAsOne.
+Metrics/ModuleLength:
+  Max: 175
+
+# Offense count: 5
 # Configuration parameters: AllowedMethods, AllowedPatterns.
 Metrics/PerceivedComplexity:
-  Max: 12
+  Max: 25
 
 # Offense count: 4
 # Configuration parameters: AllowedConstants.
@@ -67,7 +82,7 @@ Style/MixinUsage:
   Exclude:
     - 'lib/cyclonedx_deprecated.rb'
 
-# Offense count: 1
+# Offense count: 2
 # This cop supports unsafe autocorrection (--autocorrect-all).
 # Configuration parameters: EnforcedStyle.
 # SupportedStyles: literals, strict
@@ -95,7 +110,7 @@ Style/RedundantRegexpEscape:
     - 'features/step_definitions/json_bom_matching.rb'
     - 'features/step_definitions/xml_bom_matching.rb'
 
-# Offense count: 41
+# Offense count: 42
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle, ConsistentQuotesInMultiline.
 # SupportedStyles: single_quotes, double_quotes
@@ -114,7 +129,15 @@ Style/StringLiterals:
 Style/SymbolArray:
   EnforcedStyle: brackets
 
-# Offense count: 7
+# Offense count: 1
+# This cop supports unsafe autocorrection (--autocorrect-all).
+# Configuration parameters: AllowMethodsWithArguments, AllowedMethods, AllowedPatterns, AllowComments.
+# AllowedMethods: define_method
+Style/SymbolProc:
+  Exclude:
+    - 'lib/cyclonedx/bom_helpers.rb'
+
+# Offense count: 17
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: AllowHeredoc, AllowURI, AllowQualifiedName, URISchemes, IgnoreCopDirectives, AllowedPatterns, SplitStrings.
 # URISchemes: http, https

CODE_OF_CONDUCT.md

@@ -0,0 +1,133 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official email address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+[steve.springett@owasp.org][conduct-contact].
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations
+[conduct-contact]: mailto:steve.springett@owasp.org

Gemfile

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-source 'https://rubygems.org'
+source 'https://gem.coop/'
 
 # Specify your gem's dependencies in cyclonedx-ruby.gemspec
 gemspec

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       rest-client (~> 2.0)
 
 GEM
-  remote: https://rubygems.org/
+  remote: https://gem.coop/
   specs:
     activesupport (7.2.3)
       base64

README.md

@@ -1,6 +1,6 @@
 # CycloneDX Ruby Gem
 
-[![Gem Version](https://img.shields.io/gem/v/cyclonedx-ruby?logo=rubygems&logoColor=white)](https://rubygems.org/gems/cyclonedx-ruby)
+[![Gem Version](https://img.shields.io/gem/v/cyclonedx-ruby?logo=rubygems&logoColor=white)](https://bestgems.org/gems/cyclonedx-ruby)
 [![CT status](https://img.shields.io/github/actions/workflow/status/CycloneDX/cyclonedx-ruby-gem/ruby.yml?branch=master&logo=GitHub&logoColor=white)](https://github.com/CycloneDX/cyclonedx-ruby-gem/actions/workflows/ruby.yml?query=branch%3Amaster)
 [![License](https://img.shields.io/badge/license-Apache%202.0-brightgreen.svg)][License]  
 [![Website](https://img.shields.io/badge/https://-cyclonedx.org-blue.svg)](https://cyclonedx.org/)
@@ -33,12 +33,18 @@ cyclonedx-ruby [options]
     `-o, --output bom_file_path` Path to output the bom file
     `-f, --format bom_output_format` Output format for bom. Supported: xml (default), json
     `-s, --spec-version version` CycloneDX spec version to target (default: 1.7). Supported: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7
+    `--include-metadata` Include metadata.tools identifying cyclonedx-ruby as the producer
+    `--enrich-components` Include bom-ref and publisher fields on components (uses purl and first author)
+    `--gem-server URL` Gem server URL to fetch gem metadata (default: https://gem.coop)
     `-h, --help` Show help message
 
 **Output:** bom.xml or bom.json file in project directory
 
 - By default, outputs conform to CycloneDX spec version 1.7.
 - To generate an older spec version, use `--spec-version`.
+- To embed metadata about this tool (vendor/name/version) into the BOM, pass `--include-metadata` (supported for spec >= 1.2).
+- To enrich components with bom-ref and publisher fields, pass `--enrich-components`.
+- To specify a custom gem server for fetching gem metadata, use `--gem-server URL` (default: https://gem.coop).
 
 #### Examples
 ```bash
@@ -53,6 +59,15 @@ cyclonedx-ruby -p /path/to/ruby/project -s 1.3
 
 # JSON at CycloneDX 1.2 to a custom path
 cyclonedx-ruby -p /path/to/ruby/project -f json -s 1.2 -o bom/out.json
+
+# Include producer metadata and validate
+cyclonedx-ruby -p /path/to/ruby/project --include-metadata
+
+# Enrich components with bom-ref and publisher
+cyclonedx-ruby -p /path/to/ruby/project --enrich-components
+
+# Use a custom gem server
+cyclonedx-ruby -p /path/to/ruby/project --gem-server https://custom.gem.server
 ```
 
 
@@ -63,4 +78,4 @@ CycloneDX Ruby Gem is Copyright (c) OWASP Foundation. All Rights Reserved.
 
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE] file for the full license.
 
-[License]: https://github.com/CycloneDX/cyclonedx-ruby-gem/blob/master/LICENSE
+[License]: https://github.com/CycloneDX/cyclonedx-ruby-gem/blob/master/LICENSE.txt

exe/cyclonedx-ruby

@@ -1,6 +1,10 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
 
+$stdout.sync = true
+
+require "rubygems"
+
 if ENV.fetch('MIMIC_NEXT_MAJOR_VERSION', 'false').casecmp?('true')
   require 'cyclonedx/ruby'
   Cyclonedx::BomBuilder.build(ARGV[0])

features/fixtures/simple/Gemfile

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-source 'https://rubygems.org'
+source 'https://gem.coop/'
 
 gem 'activesupport', '7.0.4.3'
 gem 'concurrent-ruby', '1.2.2'

features/fixtures/simple/Gemfile.lock

@@ -1,5 +1,5 @@
 GEM
-  remote: https://rubygems.org/
+  remote: https://gem.coop/
   specs:
     activesupport (7.0.4.3)
       concurrent-ruby (~> 1.0, >= 1.0.2)

features/gem_server.feature

@@ -0,0 +1,40 @@
+Feature: Custom Gem Server
+
+The `cyclonedx-ruby` command should allow users to specify a custom gem server
+to fetch gem metadata from, instead of using the default gem.coop server.
+
+Scenario: Use default gem server (gem.coop)
+  Given I use a fixture named "simple"
+  And I run `cyclonedx-ruby --path .`
+  Then the output should contain:
+  """
+  5 gems were written to BOM located at ./bom.xml
+  """
+  And a file named "bom.xml" should exist
+  And the generated XML BOM file "bom.xml" matches "bom.xml.expected"
+
+Scenario: Use custom gem server
+  Given I use a fixture named "simple"
+  And I run `cyclonedx-ruby --path . --gem-server https://rubygems.org`
+  Then the output should contain:
+  """
+  5 gems were written to BOM located at ./bom.xml
+  """
+  And a file named "bom.xml" should exist
+
+Scenario: Use custom gem server with trailing slash
+  Given I use a fixture named "simple"
+  And I run `cyclonedx-ruby --path . --gem-server https://rubygems.org/`
+  Then the output should contain:
+  """
+  5 gems were written to BOM located at ./bom.xml
+  """
+  And a file named "bom.xml" should exist
+
+Scenario: Help shows gem-server option
+  Given I run `cyclonedx-ruby --help`
+  Then the output should contain:
+  """
+  --gem-server URL             Gem server URL to fetch gem metadata (default: https://gem.coop)
+  """
+

features/help.feature

@@ -13,5 +13,9 @@ Scenario: Generate help on demand
       -o, --output bom_file_path       (Optional) Path to output the bom.xml file to
       -f, --format bom_output_format   (Optional) Output format for bom. Currently support xml (default) and json.
       -s, --spec-version version       (Optional) CycloneDX spec version to target (default: 1.7). Supported: 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, 1.7
+          --include-metadata           Include metadata.tools identifying cyclonedx-ruby as the producer
+          --enrich-components          Include bom-ref and publisher fields on components (uses purl and first author)
+          --gem-server URL             Gem server URL to fetch gem metadata (default: https://gem.coop)
+          --validate                   Validate the BOM against CycloneDX schema (currently a no-op)
       -h, --help                       Show help message
   """