initial commit

Marlon Pina Tojal · Marlon Pina Tojal · commit 888c20a9b1b7 · 2023-10-30T11:46:06.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,6 +4,9 @@ on:
   release:
     types: [published]
 
+permissions:
+  contents: write
+
 jobs:
   docker:
     runs-on: ubuntu-latest
@@ -20,20 +23,27 @@ jobs:
         with:
           push: true
           platforms: linux/arm64/v8,linux/amd64
-          tags: fnxpt/cyclonedx-merge:latest
+          tags: fnxpt/cyclonedx-merge:latest,fnxpt/cyclonedx-merge:${{ github.ref_name }}
   build:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        # build and publish in parallel: linux/386, linux/amd64, linux/arm64, windows/386, windows/amd64, darwin/amd64, darwin/arm64
+        goos: [linux, darwin]
+        goarch: [amd64, arm64]
     steps:
     - uses: actions/checkout@v3
-    - name: Generate build files
-      uses: thatisuday/go-cross-build@v1
+    - uses: actions/setup-go@v4
       with:
-          platforms: 'linux/amd64, linux/arm64, darwin/amd64, darwin/arm64, windows/amd64'
-          name: 'cyclonedx-merge'
-          compress: 'true'
-          dest: 'dist'
+        go-version: '^1.21.1' # The Go version to download (if necessary) and use.
+    - run: go build -o dist/cyclonedx-merge-${{ matrix.goos }}-${{ matrix.goarch }} .
+      env:
+        GOOS: ${{ matrix.goos }}
+        GOARCH: ${{ matrix.goarch }}
+
     - name: Release
       uses: fnkr/github-action-ghr@v1
       env:
-        GHR_PATH: dist/
+        GHR_COMPRESS: gz
+        GHR_PATH: dist/cyclonedx-merge-${{ matrix.goos }}-${{ matrix.goarch }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -19,3 +19,6 @@
 
 # Go workspace file
 go.work
+
+#binary
+cyclonedx-merge
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,14 @@
+FROM golang:latest AS builder
+WORKDIR /go/src/
+ENV CGO_ENABLED=0
+
+ADD . .
+
+RUN go build -ldflags="-s -w" -o release/cyclonedx-merge .
+
+FROM scratch AS runtime
+WORKDIR /
+
+COPY --from=builder /go/src/release/cyclonedx-merge .
+
+ENTRYPOINT [ "/cyclonedx-merge" ]
diff --git a/README.md b/README.md
@@ -1,2 +1,10 @@
 # cyclonedx-merge
 Tool to merge cyclonedx files
+
+# Run
+
+To perform a merge on a specific directory
+```docker run -v `pwd`/sbom/:/sbom/ fnxpt/sbommerge:latest --dir /sbom/ > output.json```
+
+## Assumptions
+
diff --git a/go.mod b/go.mod
@@ -0,0 +1,5 @@
+module cyclonedx-merge
+
+go 1.21.1
+
+require github.com/CycloneDX/cyclonedx-go v0.7.2
diff --git a/go.sum b/go.sum
@@ -0,0 +1,22 @@
+github.com/CycloneDX/cyclonedx-go v0.7.2 h1:kKQ0t1dPOlugSIYVOMiMtFqeXI2wp/f5DBIdfux8gnQ=
+github.com/CycloneDX/cyclonedx-go v0.7.2/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
+github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
+github.com/bradleyjkemp/cupaloy/v2 v2.8.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/fnxpt/cyclonedx-go v0.0.0-20231028181336-dccc3992d8ff h1:Ano0LzN28iaork+wTeuGR+A2okCGJGsBHIb2NnJrID8=
+github.com/fnxpt/cyclonedx-go v0.0.0-20231028181336-dccc3992d8ff/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
+github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/terminalstatic/go-xsd-validate v0.1.5 h1:RqpJnf6HGE2CB/lZB1A8BYguk8uRtcvYAPLCF15qguo=
+github.com/terminalstatic/go-xsd-validate v0.1.5/go.mod h1:18lsvYFofBflqCrvo1umpABZ99+GneNTw2kEEc8UPJw=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
+github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
+github.com/xeipuuv/gojsonschema v1.2.0/go.mod h1:anYRn/JVcOK2ZgGU+IjEV4nwlhoK5sQluxsYJ78Id3Y=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/main.go b/main.go
@@ -0,0 +1,277 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"io"
+	"os"
+	"slices"
+	"strings"
+	"time"
+
+	"github.com/CycloneDX/cyclonedx-go"
+)
+
+var version = "0.0.1"
+
+var nested = false
+var sbom *cyclonedx.BOM
+var outputFormat = cyclonedx.BOMFileFormatJSON
+var output = os.Stdout
+
+func main() {
+	parseArguments()
+}
+
+func showHelpMenu() {
+	fmt.Println("usage: cyclonedx-merge [options]")
+	fmt.Println("options:")
+	os.Exit(0)
+}
+
+func parseArguments() {
+	flag.CommandLine = flag.NewFlagSet("", flag.ExitOnError)
+
+	flag.Usage = func() {
+		showHelpMenu()
+		flag.PrintDefaults()
+	}
+
+	flag.BoolVar(&nested, "nested", false, "nested merge")
+	flag.Func("file", "merges file", fileMerge)
+	flag.Func("dir", "merges files in directory", dirMerge)
+	flag.Func("format", "output format - json/xml (default: json)", func(value string) error {
+		switch value {
+		case "json":
+			outputFormat = cyclonedx.BOMFileFormatJSON
+		case "xml":
+			outputFormat = cyclonedx.BOMFileFormatXML
+		default:
+			return fmt.Errorf("invalid output format")
+		}
+		return nil
+	})
+	flag.Func("output", "output file (default: stdout)", func(value string) error {
+		file, err := os.Create(value)
+
+		if err != nil {
+			fmt.Printf("unable to create file %s\n", value)
+			return err
+		}
+		output = file
+		return nil
+	})
+
+	fillSBOM()
+	flag.Parse()
+	postSBOM()
+	writeSBOM()
+}
+
+func fileMerge(value string) error {
+	// fmt.Printf("Processing file %s\n", value)
+	if _, err := os.Stat(value); os.IsNotExist(err) {
+		fmt.Printf("file %s doesn't exist\n", value)
+		return err
+	}
+
+	file, err := os.Open(value)
+
+	if err != nil {
+		fmt.Printf("unable to open file %s\n", value)
+		return err
+	}
+
+	bom, err := parseSBOM(file)
+
+	if err != nil {
+		fmt.Printf("unable to parse file %s\n", value)
+		return err
+	}
+
+	mergeSBOM(bom)
+
+	return nil
+}
+
+var topDependencies = make([]string, 0)
+
+func mergeSBOM(value *cyclonedx.BOM) {
+	var prefix string
+
+	if value.Metadata != nil {
+		if value.Metadata.Component != nil {
+			topComponents := []cyclonedx.Component{*value.Metadata.Component}
+			if nested {
+				prefix = fmt.Sprintf("%s|", value.Metadata.Component.BOMRef)
+			}
+
+			addIfNew(sbom.Components, &topComponents, "")
+			topDependencies = append(topDependencies, value.Metadata.Component.BOMRef)
+
+			if value.Metadata.Component.Components != nil {
+				addIfNew(sbom.Components, value.Metadata.Component.Components, prefix)
+			}
+		}
+	}
+
+	addIfNew(sbom.Components, value.Components, prefix)
+	// addIfNew(sbom.Services, value.Services, prefix)
+	// addIfNew(sbom.ExternalReferences, value.ExternalReferences, prefix)
+
+	addIfNewMap(value.Dependencies, prefix)
+	// addIfNew(sbom.Compositions, value.Compositions)
+	// addIfNew(sbom.Properties, value.Properties)
+	// addIfNew(sbom.Vulnerabilities, value.Vulnerabilities, prefix)
+	// addIfNew(sbom.Annotations, value.Annotations, prefix)
+}
+
+func fillSBOM() {
+
+	sbom = cyclonedx.NewBOM()
+	sbom.Metadata = &cyclonedx.Metadata{
+		Tools: &[]cyclonedx.Tool{{
+			Vendor:  "fnxpt",
+			Name:    "cyclonedx-merge",
+			Version: version,
+		}},
+		Timestamp: time.Now().String(), //TODO: RIGHT FORMAT
+		Component: &cyclonedx.Component{
+			BOMRef: "root",
+			Name:   "root",
+			Type:   cyclonedx.ComponentTypeApplication,
+		},
+	}
+
+	annotations := make([]cyclonedx.Annotation, 0)
+	components := make([]cyclonedx.Component, 0)
+	compositions := make([]cyclonedx.Composition, 0)
+	dependencies := make([]cyclonedx.Dependency, 0)
+	externalReferences := make([]cyclonedx.ExternalReference, 0)
+	properties := make([]cyclonedx.Property, 0)
+	services := make([]cyclonedx.Service, 0)
+	vulnerabilities := make([]cyclonedx.Vulnerability, 0)
+
+	sbom.Annotations = &annotations
+	sbom.Components = &components
+	sbom.Compositions = &compositions
+	sbom.Dependencies = &dependencies
+	sbom.ExternalReferences = &externalReferences
+	sbom.Properties = &properties
+	sbom.Services = &services
+	sbom.Vulnerabilities = &vulnerabilities
+
+}
+
+func postSBOM() {
+
+	for _, item := range tmp {
+		*sbom.Dependencies = append(*sbom.Dependencies, item)
+	}
+	*sbom.Dependencies = append(*sbom.Dependencies, cyclonedx.Dependency{
+		Ref:          "root",
+		Dependencies: &topDependencies,
+	})
+
+}
+func writeSBOM() {
+
+	encoder := cyclonedx.NewBOMEncoder(output, outputFormat)
+	encoder.Encode(sbom)
+}
+
+func parseSBOM(input io.Reader) (*cyclonedx.BOM, error) {
+
+	bom := &cyclonedx.BOM{}
+	decoder := cyclonedx.NewBOMDecoder(input, cyclonedx.BOMFileFormatJSON)
+	err := decoder.Decode(bom)
+
+	if err != nil {
+		return nil, err
+	}
+
+	return bom, err
+}
+
+func dirMerge(value string) error {
+	if _, err := os.Stat(value); os.IsNotExist(err) {
+		fmt.Printf("directory %s doesn't exist\n", value)
+		return err
+	}
+
+	entries, err := os.ReadDir(value)
+	if err != nil {
+		fmt.Printf("unable to read directory %s\n", value)
+		return err
+	}
+
+	for _, e := range entries {
+		if strings.HasSuffix(e.Name(), ".json") || strings.HasSuffix(e.Name(), ".xml") {
+			fileMerge(fmt.Sprintf("%s/%s", value, e.Name()))
+		}
+	}
+
+	return nil
+}
+
+var tmp = make(map[string]cyclonedx.Dependency)
+
+func addIfNewMap(input *[]cyclonedx.Dependency, prefix string) {
+	if input != nil {
+
+		for _, item := range *input {
+			key := item.Ref
+
+			if nested && prefix[:len(prefix)-1] != item.Ref {
+				key = fmt.Sprintf("%s%s", prefix, key)
+			}
+			if _, ok := tmp[key]; ok {
+				for _, dependency := range *item.Dependencies {
+					dependency = fmt.Sprintf("%s%s", prefix, dependency)
+					if !slices.Contains(*tmp[key].Dependencies, dependency) {
+						*tmp[item.Ref].Dependencies = append(*tmp[item.Ref].Dependencies, dependency)
+					}
+				}
+			} else {
+				item.Ref = key
+				//TODO: PREFIX DEPENDENCIES
+				if len(prefix) > 0 {
+					tmp[key] = cyclonedx.Dependency{
+						Ref:          key,
+						Dependencies: &[]string{},
+					}
+					if item.Dependencies != nil {
+						for _, dep := range *item.Dependencies {
+							dependency := fmt.Sprintf("%s%s", prefix, dep)
+							*tmp[key].Dependencies = append(*tmp[key].Dependencies, dependency)
+						}
+					}
+				} else {
+					tmp[key] = item
+				}
+			}
+		}
+	}
+}
+func addIfNew(items *[]cyclonedx.Component, input *[]cyclonedx.Component, prefix string) {
+	if items != nil && input != nil {
+		for _, item := range *input {
+			item.BOMRef = fmt.Sprintf("%s%s", prefix, item.BOMRef)
+			if !has(items, &item) {
+				*items = append(*items, item)
+			}
+		}
+	}
+}
+
+func has(items *[]cyclonedx.Component, input *cyclonedx.Component) bool {
+	if items != nil {
+		for _, item := range *items {
+			if item.BOMRef == input.BOMRef {
+				return true
+			}
+		}
+	}
+
+	return false
+}
