Add support for where filter and text wrap in license policy command (#…

…16) * Update license policy command to support multi-row output for text format Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Support common tests for report contains(values) pattern Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Fix linting errors Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Fix linting errors Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Abstract license policy test info and stub in --where flag Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Expose wrap flag on policy command Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Update help and README to document the wrap flag Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Update license policy output example to reflect new column names Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Update license policy output example to reflect new column names Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Update license policy output example to reflect new column names Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Add generic function that wraps text across report tables rows Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Simplify exhaustive policy list test Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Always Reset() global license policy config on new load Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Add initial --where filter support for license policy cmd Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Improve init. of filtered hashmap Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Support filtered policies for csv and markdown formats Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Document where flag support for policy command in README Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * lint fix Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * lint fix Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Document where flag support for policy command in README Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Document where flag support for policy command in README Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> * Document where flag support for policy command in README Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com> --------- Signed-off-by: Matt Rutkowski <mrutkows@us.ibm.com>
CycloneDX · Apr 17, 2023 · 2b232da · 2b232da
1 parent 3240de6
commit 2b232da
Show file tree

Hide file tree

Showing 18 changed files with 891 additions and 390 deletions.
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -17,6 +17,7 @@
             "databind",
             "Debugf",
             "defn",
+            "deserializers",
             "DHTML",
             "EMEA",
             "Exploitability",

diff --git a/README.md b/README.md
@@ -435,20 +435,42 @@ To view a report listing the contents of the current policy file (i.e., [`licens
 ```
 
 ```bash
-Policy        Family           SPDX ID               Name                  Annotations
-------        ------           -------               ----                  -----------
-allow         0BSD             0BSD                  BSD Zero Clause Lice  APPROVED
-allow         AFL              AFL-3.0               Academic Free Licens  APPROVED
-needs-review  AGPL             AGPL-3.0-or-later     Affero General Publi  NEEDS-APPROVAL
-needs-review  APSL             APSL-2.0              Apple Public Source   NEEDS-APPROVAL
-allow         Adobe            Adobe-2006            Adobe Systems Incorp  APPROVED
-allow         Apache           Apache-2.0            Apache License 2.0    APPROVED
+usage-policy  family                        spdx-id                       name                          annotations                       aliases                            notes
+------------  ------                        -------                       ----                          -----------                       -------                            -----
+allow         0BSD                          0BSD                          BSD Zero Clause Lice (20/23)  APPROVED                          Free Public License 1.0. (24/25)
+needs-review  ADSL                          ADSL                          Amazon Digital Servi (20/31)  NEEDS-APPROVAL
+allow         AFL                           AFL-1.1                       Academic Free Licens (20/26)  APPROVED
+needs-review  AGPL                          AGPL-1.0                      Affero General Publi (20/34)  NEEDS-APPROVAL,AGPL-WARN (24/38)
+needs-review  APSL                          APSL-1.0                      Apple Public Source  (20/27)  NEEDS-APPROVAL
+allow         Adobe                         Adobe-2006                    Adobe Systems Incorp (20/56)  APPROVED
+allow         Apache                        Apache-2.0                    Apache License 2.0            APPROVED                          Apache License, Version  (24/105)
 ...
 ```
 
 - **Note**:
   - Currently, the default `license.json` file does not contain an entry for the complete SPDX 3.2 license templates. An issue [12](https://github.com/CycloneDX/sbom-utility/issues/12) is open to add parity.
   - Annotations can be defined within the `license.json` file and one or more assigned each license entry.
+  - Column data is, by default, truncated in `txt` format views only. In these cases, the number of characters shown out of the total available will be displayed at the point of truncation (e.g., seeing `(24/26)` in a column would indicate 24 out of 26b characters were displayed).
+
+##### Wrap flag
+
+Use the `--wrap` flag to toggle the wrapping of text within columns of the license policy report (`txt` format only) output using the values `true` or `false`. The default value is `false`.
+
+###### Example: policy with where filter
+
+The following example shows filtering of  license policies using the `id` column:
+
+```bash
+./sbom-utility license policy --where id=Apache
+```
+
+```bash
+usage-policy  family  id          name                annotations  aliases                            notes
+------------  ------  --          ----                -----------  -------                            -----
+allow         Apache  Apache-1.0  Apache v1.0         APPROVED
+allow         Apache  Apache-1.1  Apache v1.1         APPROVED                                        This license has been su (24/54)
+allow         Apache  Apache-2.0  Apache License 2.0  APPROVED     Apache License, Version  (24/105)
+```
 
 ---
 
@@ -811,7 +833,7 @@ Currently, all `vulnerability list` command results are sorted by vulnerability
 ```
 
 ```bash
-id              bom-ref  source-name  source-url                                      created                   published                 updated                   rejected  description
+id              bom-ref  source-name source-url                                      created                   published                 updated                   rejected  description
 --              -------  ----------  -----------                                      -------                   ---------                 -------                   --------  -----------
 CVE-2020-25649           NVD         https://nvd.nist.gov/vuln/detail/CVE-2020-25649  2020-12-03T00:00:00.000Z  2020-12-03T00:00:00.000Z  2023-02-02T00:00:00.000Z            com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.  Affected versions of this package are vulnerable to XML External Entity (XXE) Injection.
 CVE-2022-42003           NVD         https://nvd.nist.gov/vuln/detail/CVE-2022-42003  2022-10-02T00:00:00.000Z  2022-10-02T00:00:00.000Z  2022-10-02T00:00:00.000Z            In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
@@ -825,7 +847,7 @@ CVE-2022-42004           NVD         https://nvd.nist.gov/vuln/detail/CVE-2022-4
 ```
 
 ```bash
-id              bom-ref  source-name  source-url                                      created                   published                 updated                   rejected  description
+id              bom-ref  source-name source-url                                      created                   published                 updated                   rejected  description
 --              -------  ----------  -----------                                      -------                   ---------                 -------                   --------  -----------
 CVE-2020-25649           NVD         https://nvd.nist.gov/vuln/detail/CVE-2020-25649  2020-12-03T00:00:00.000Z  2020-12-03T00:00:00.000Z  2023-02-02T00:00:00.000Z            com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.  Affected versions of this package are vulnerable to XML External Entity (XXE) Injection.
 ```

diff --git a/cmd/license.go b/cmd/license.go
@@ -94,7 +94,7 @@ func ClearGlobalLicenseData() {
 }
 
 func HashLicenseInfo(key string, licenseInfo LicenseInfo, whereFilters []WhereFilter) {
-	// Append to slice
+	// Find license usage policy by either license Id, Name or Expression
 	policy, err := FindPolicy(licenseInfo)
 
 	if err != nil {
@@ -174,8 +174,6 @@ func loadDocumentLicenses(document *schema.Sbom, whereFilters []WhereFilter) (er
 	// NOTE: DEBUG: use this to debug license policy hashmaps have appropriate # of entries
 	//licensePolicyConfig.Debug()
 
-	// TODO Support processing of []WhereFilter
-
 	// At this time, fail SPDX format SBOMs as "unsupported" (for "any" format)
 	if !document.FormatInfo.IsCycloneDx() {
 		err = schema.NewUnsupportedFormatForCommandError(

diff --git a/cmd/license_list.go b/cmd/license_list.go
@@ -36,24 +36,18 @@ import (
 // TODO: Support a new --sort <column> flag
 const (
 	FLAG_LICENSE_SUMMARY = "summary"
-	FLAG_LICENSE_EXCLUDE = "exclude"
-	FLAG_LICENSE_POLICY  = "policy" // policy-match, policy-filter, etc.
 )
 
 // License list command flag help messages
 const (
 	FLAG_LICENSE_LIST_OUTPUT_FORMAT_HELP = "format output using the specified format type"
 	FLAG_LICENSE_LIST_SUMMARY_HELP       = "summarize licenses and component references in table format (see --format flag help for supported types)"
-	FLAG_LICENSE_LIST_EXCLUDE_HELP       = "exclude policy column from summary listing"
-	FLAG_LICENSE_LIST_POLICY_HELP        = "filter license summary by usage policy (i.e., allow|deny|needs-review|UNDEFINED)"
 )
 
 // License list command informational messages
 const (
-	MSG_OUTPUT_NO_LICENSES_FOUND            = "No licenses found in BOM document"
-	MSG_OUTPUT_NO_LICENSES_ONLY_NOASSERTION = "No valid licenses found in BOM document (only licenses marked NOASSERTION)"
-	MSG_OUTPUT_NO_SCHEMAS_FOUND             = "[WARN] no schemas found in configuration (i.e., \"config.json\")"
-	MSG_OUTPUT_NO_RESOURCES_FOUND           = "[WARN] no matching resources found for query"
+	MSG_OUTPUT_NO_LICENSES_FOUND            = "no licenses found in BOM document"
+	MSG_OUTPUT_NO_LICENSES_ONLY_NOASSERTION = "no valid licenses found in BOM document (only licenses marked NOASSERTION)"
 )
 
 //"Type", "ID/Name/Expression", "Component(s)", "BOM ref.", "Document location"
@@ -111,24 +105,13 @@ func NewCommandList() *cobra.Command {
 		&utils.GlobalFlags.LicenseFlags.Summary,
 		FLAG_LICENSE_SUMMARY, "", false,
 		FLAG_LICENSE_LIST_SUMMARY_HELP)
-	command.Flags().StringVarP(
-		&utils.GlobalFlags.LicenseFlags.Policy,
-		FLAG_LICENSE_POLICY, "", "",
-		FLAG_LICENSE_LIST_POLICY_HELP)
 	command.Flags().StringP(FLAG_REPORT_WHERE, "", "", FLAG_REPORT_WHERE_HELP)
 	command.RunE = listCmdImpl
 	command.PreRunE = func(cmd *cobra.Command, args []string) (err error) {
 		if len(args) != 0 {
 			return getLogger().Errorf("Too many arguments provided: %v", args)
 		}
 
-		// Validate command line flag combinations
-		// TODO: document this flag relationship more clearly
-		bSummary := utils.GlobalFlags.LicenseFlags.Summary
-		if utils.GlobalFlags.LicenseFlags.Policy != "" && !bSummary {
-			return getLogger().Errorf("`%s` flag not valid without `%s` flag", FLAG_LICENSE_POLICY, FLAG_LICENSE_SUMMARY)
-		}
-
 		// Test for required flags (parameters)
 		err = preRunTestForInputFile(cmd, args)
 		return
@@ -500,11 +483,11 @@ func DisplayLicenseListSummaryCSV(output io.Writer) (err error) {
 			// which is automatically done by the CSV writer
 			currentRow = append(currentRow,
 				licenseInfo.Policy.UsagePolicy,
-				licenseInfo.LicenseChoiceType, //LC_TYPE_NAMES[licenseInfo.LicenseChoiceTypeValue],
+				licenseInfo.LicenseChoiceType,
 				licenseName.(string),
 				licenseInfo.ResourceName,
 				licenseInfo.BomRef,
-				licenseInfo.BomLocation, //CDX_LICENSE_LOCATION_NAMES[licenseInfo.BomLocationValue]
+				licenseInfo.BomLocation,
 			)
 
 			if errWrite := w.Write(currentRow); errWrite != nil {
@@ -555,11 +538,11 @@ func DisplayLicenseListSummaryMarkdown(output io.Writer) {
 			// Format line and write to output
 			line = append(line,
 				licenseInfo.Policy.UsagePolicy,
-				licenseInfo.LicenseChoiceType, // LC_TYPE_NAMES[licenseInfo.LicenseChoiceTypeValue],
+				licenseInfo.LicenseChoiceType,
 				licenseName.(string),
 				licenseInfo.ResourceName,
 				licenseInfo.BomRef,
-				licenseInfo.BomLocation, // CDX_LICENSE_LOCATION_NAMES[licenseInfo.BomLocationValue]
+				licenseInfo.BomLocation,
 			)
 
 			lineRow = createMarkdownRow(line)