fix: use main package instead of main file as entrypoint for app comm…

…and (#78)

* use main package instead of main file as entrypoint for app command

also add more debug logging and improve existing logging messages

Signed-off-by: nscuro <[email protected]>

* fix examples dockerfile and regenerate example sboms

Signed-off-by: nscuro <[email protected]>

* update readme

Signed-off-by: nscuro <[email protected]>

* minor logging adjustments

Signed-off-by: nscuro <[email protected]>

* update changelog

Signed-off-by: nscuro <[email protected]>

Closes #75

CHANGELOG.md

@@ -21,6 +21,8 @@
 
 * Fix annotated tags not being recognized as versions ([#56](https:/CycloneDX/cyclonedx-gomod/issues/56) via [#57](https:/CycloneDX/cyclonedx-gomod/pull/57))
 * Fix normalized versions interfering with hash calculation ([#58](https:/CycloneDX/cyclonedx-gomod/issues/58) via [#60](https:/CycloneDX/cyclonedx-gomod/pull/60))
+* Fix `app` command missing dependencies when `main` package is spread across multiple files ([#75](https:/CycloneDX/cyclonedx-gomod/issues/75) via [#78](https:/CycloneDX/cyclonedx-gomod/pull/78))
+ * Also addresses [#76](https:/CycloneDX/cyclonedx-gomod/issues/76) (thanks [TheDiveO](https:/TheDiveO) for reporting!) 
 
 ### Breaking Changes
 

Dockerfile.examples

@@ -26,7 +26,7 @@ RUN apt update && \
 
 # Create generation script
 RUN echo "#!/bin/bash\n\n\
-cyclonedx-gomod app -json -output /examples/app_minikube-v1.23.1.bom.json -licenses -main cmd/minikube/main.go /home/cdx/minikube \n\
+cyclonedx-gomod app -json -output /examples/app_minikube-v1.23.1.bom.json -licenses -main cmd/minikube /home/cdx/minikube \n\
 cyclonedx-gomod mod -json -output /examples/mod_minikube-v1.23.1.bom.json -licenses /home/cdx/minikube \n\
 cyclonedx-gomod bin -json -output /examples/bin_minikube-v1.23.1.bom.json -licenses -version v1.23.1 /home/cdx/minikube-linux-amd64 \n\
 cyclonedx validate --input-file /examples/app_minikube-v1.23.1.bom.json --input-format json_v1_3 --fail-on-errors \n\

README.md

@@ -99,22 +99,22 @@ Applicable build constraints are included as properties of the main component.
 Because build constraints influence Go's module selection, an SBOM should be generated
 for each target in the build matrix.
 
-The -main flag should be used to specify the path to the application's main file.
-It must point to a go file within MODULE_PATH. The go file must have a "package main" declaration.
+The -main flag should be used to specify the path to the application's main package.
+It must point to a directory within MODULE_PATH. If not set, MODULE_PATH is assumed.
 
 By passing -files, all files that would be included in a binary will be attached
 as subcomponents of their respective module. File versions follow the v0.0.0-SHORTHASH pattern, 
 where SHORTHASH is the first 12 characters of the file's SHA1 hash.
 
 Examples:
  $ GOARCH=arm64 GOOS=linux GOFLAGS="-tags=foo,bar" cyclonedx-gomod app -output linux-arm64.bom.xml
- $ cyclonedx-gomod app -json -output acme-app.bom.json -files -licenses -main cmd/acme-app/main.go /usr/src/acme-module
+ $ cyclonedx-gomod app -json -output acme-app.bom.json -files -licenses -main cmd/acme-app /usr/src/acme-module
 
 FLAGS
  -files=false Include files
  -json=false Output in JSON
  -licenses=false Perform license detection
- -main main.go Path to the application's main file, relative to MODULE_PATH
+ -main ...  Path to the application's main package, relative to MODULE_PATH
  -noserial=false Omit serial number
  -output - Output file path (or - for STDOUT)
  -serial ... Serial number
@@ -255,7 +255,7 @@ $ docker run -it --rm \
 ```
 
 > The image is based on `golang:1.17-alpine`. 
-> Please keep in mind that the Go version may influence module selection. 
+> When using the `app` command, please keep in mind that the Go version may influence module selection. 
 > We generally recommend using a [precompiled binary](https:/CycloneDX/cyclonedx-gomod/releases) instead.
 
 ## Important Notes

e2e/cmd_app_test.go

@@ -34,7 +34,7 @@ func TestAppCmdSimple(t *testing.T) {
  SerialNumber: zeroUUID.String(),
  },
  ModuleDir: fixturePath,
- Main: "main.go",
+ Main: "",
  }
 
  runSnapshotIT(t, &appOptions.OutputOptions, func() error { return appcmd.Exec(appOptions) })
@@ -50,7 +50,7 @@ func TestAppCmdSimpleWithFiles(t *testing.T) {
  SerialNumber: zeroUUID.String(),
  },
  ModuleDir: fixturePath,
- Main: "main.go",
+ Main: "",
  IncludeFiles: true,
  }
 
@@ -67,7 +67,7 @@ func TestAppCmdSimpleMultiCommandUUID(t *testing.T) {
  SerialNumber: zeroUUID.String(),
  },
  ModuleDir: fixturePath,
- Main: "cmd/uuid/main.go",
+ Main: "cmd/uuid",
  }
 
  runSnapshotIT(t, &appOptions.OutputOptions, func() error { return appcmd.Exec(appOptions) })
@@ -83,7 +83,7 @@ func TestAppCmdSimpleMultiCommandPURL(t *testing.T) {
  SerialNumber: zeroUUID.String(),
  },
  ModuleDir: fixturePath,
- Main: "cmd/purl/main.go",
+ Main: "cmd/purl",
  }
 
  runSnapshotIT(t, &appOptions.OutputOptions, func() error { return appcmd.Exec(appOptions) })
@@ -99,7 +99,7 @@ func TestAppCmdVendored(t *testing.T) {
  SerialNumber: zeroUUID.String(),
  },
  ModuleDir: fixturePath,
- Main: "main.go",
+ Main: "",
  }
 
  runSnapshotIT(t, &appOptions.OutputOptions, func() error { return appcmd.Exec(appOptions) })
@@ -115,7 +115,7 @@ func TestAppCmdVendoredWithFiles(t *testing.T) {
  SerialNumber: zeroUUID.String(),
  },
  ModuleDir: fixturePath,
- Main: "main.go",
+ Main: "",
  IncludeFiles: true,
  }
 

examples/app_minikube-v1.23.1.bom.json

@@ -1,35 +1,35 @@
 {
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
- "serialNumber": "urn:uuid:89b6f930-138f-47a2-bae1-effe046d6545",
+ "serialNumber": "urn:uuid:9a4f199c-bff6-4fa1-a34d-4b7586617568",
  "version": 1,
  "metadata": {
- "timestamp": "2021-09-27T18:10:47Z",
+ "timestamp": "2021-09-29T18:02:11Z",
  "tools": [
  {
  "vendor": "CycloneDX",
  "name": "cyclonedx-gomod",
- "version": "v0.0.0-20210927200930-566af677a239",
+ "version": "v0.0.0-20210929195822-2add6b416eb9",
  "hashes": [
  {
  "alg": "MD5",
- "content": "a769725a7cf4d002c88e0b59a2a3c6a4"
+ "content": "b6ccbe5ff272355fed1803c4c17ff161"
  },
  {
  "alg": "SHA-1",
- "content": "b49e5f1259ce630e3b7c678de45c600a313973fb"
+ "content": "2232bdbfd4ef618303a59c9d42f81ccfd2fa4e8a"
  },
  {
  "alg": "SHA-256",
- "content": "c5493aaa2f9f288550f87243cf9953f475e967982d5f004b1ed4836843462f3a"
+ "content": "69f0bce5fd9cdae1e3bd65b6abddd5bc966d4842dd69e33e8433783ee069c23c"
  },
  {
  "alg": "SHA-384",
- "content": "fee0fd5c99ecd1c6ec8028c8496778ea932f1601605d56601f29bee6c0e1470908bd7f737aaea640c88f06f8abfa00e1"
+ "content": "a310e367777f74d68b822c78f3d6a72aa888daae18d967be614f666a7b5916c9d1c86dbda0adc91f3c92309ddb5489d4"
  },
  {
  "alg": "SHA-512",
- "content": "52897bbd73eec9ce6a96fafd596a1e43568040d9208553786f0c7d60d5bd82b8d328648b66f9e556ed26f1666eabfef75ea191fab2ebeaa4636d249a73047910"
+ "content": "8924da342ab6da849631f2f5eb875b40eb62c54a6573e37e31e5ed5ac0f1f576d6eb266038695fec6514fe8973cc980ef7d8d7fb1ea5488fe7ec98a6ed848553"
  }
  ]
  }

examples/bin_minikube-v1.23.1.bom.json

@@ -1,35 +1,35 @@
 {
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
- "serialNumber": "urn:uuid:a557bfa0-02dd-450a-b350-23a8639aeff8",
+ "serialNumber": "urn:uuid:2eadc368-815b-420c-8886-f9ad4730fdc7",
  "version": 1,
  "metadata": {
- "timestamp": "2021-09-27T18:11:30Z",
+ "timestamp": "2021-09-29T18:02:39Z",
  "tools": [
  {
  "vendor": "CycloneDX",
  "name": "cyclonedx-gomod",
- "version": "v0.0.0-20210927200930-566af677a239",
+ "version": "v0.0.0-20210929195822-2add6b416eb9",
  "hashes": [
  {
  "alg": "MD5",
- "content": "a769725a7cf4d002c88e0b59a2a3c6a4"
+ "content": "b6ccbe5ff272355fed1803c4c17ff161"
  },
  {
  "alg": "SHA-1",
- "content": "b49e5f1259ce630e3b7c678de45c600a313973fb"
+ "content": "2232bdbfd4ef618303a59c9d42f81ccfd2fa4e8a"
  },
  {
  "alg": "SHA-256",
- "content": "c5493aaa2f9f288550f87243cf9953f475e967982d5f004b1ed4836843462f3a"
+ "content": "69f0bce5fd9cdae1e3bd65b6abddd5bc966d4842dd69e33e8433783ee069c23c"
  },
  {
  "alg": "SHA-384",
- "content": "fee0fd5c99ecd1c6ec8028c8496778ea932f1601605d56601f29bee6c0e1470908bd7f737aaea640c88f06f8abfa00e1"
+ "content": "a310e367777f74d68b822c78f3d6a72aa888daae18d967be614f666a7b5916c9d1c86dbda0adc91f3c92309ddb5489d4"
  },
  {
  "alg": "SHA-512",
- "content": "52897bbd73eec9ce6a96fafd596a1e43568040d9208553786f0c7d60d5bd82b8d328648b66f9e556ed26f1666eabfef75ea191fab2ebeaa4636d249a73047910"
+ "content": "8924da342ab6da849631f2f5eb875b40eb62c54a6573e37e31e5ed5ac0f1f576d6eb266038695fec6514fe8973cc980ef7d8d7fb1ea5488fe7ec98a6ed848553"
  }
  ]
  }

examples/mod_minikube-v1.23.1.bom.json

@@ -1,35 +1,35 @@
 {
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
- "serialNumber": "urn:uuid:f100c46e-2edb-4177-a4d9-2185af3313d2",
+ "serialNumber": "urn:uuid:984105ea-edc3-439b-bc11-3659aa99950c",
  "version": 1,
  "metadata": {
- "timestamp": "2021-09-27T18:11:08Z",
+ "timestamp": "2021-09-29T18:02:27Z",
  "tools": [
  {
  "vendor": "CycloneDX",
  "name": "cyclonedx-gomod",
- "version": "v0.0.0-20210927200930-566af677a239",
+ "version": "v0.0.0-20210929195822-2add6b416eb9",
  "hashes": [
  {
  "alg": "MD5",
- "content": "a769725a7cf4d002c88e0b59a2a3c6a4"
+ "content": "b6ccbe5ff272355fed1803c4c17ff161"
  },
  {
  "alg": "SHA-1",
- "content": "b49e5f1259ce630e3b7c678de45c600a313973fb"
+ "content": "2232bdbfd4ef618303a59c9d42f81ccfd2fa4e8a"
  },
  {
  "alg": "SHA-256",
- "content": "c5493aaa2f9f288550f87243cf9953f475e967982d5f004b1ed4836843462f3a"
+ "content": "69f0bce5fd9cdae1e3bd65b6abddd5bc966d4842dd69e33e8433783ee069c23c"
  },
  {
  "alg": "SHA-384",
- "content": "fee0fd5c99ecd1c6ec8028c8496778ea932f1601605d56601f29bee6c0e1470908bd7f737aaea640c88f06f8abfa00e1"
+ "content": "a310e367777f74d68b822c78f3d6a72aa888daae18d967be614f666a7b5916c9d1c86dbda0adc91f3c92309ddb5489d4"
  },
  {
  "alg": "SHA-512",
- "content": "52897bbd73eec9ce6a96fafd596a1e43568040d9208553786f0c7d60d5bd82b8d328648b66f9e556ed26f1666eabfef75ea191fab2ebeaa4636d249a73047910"
+ "content": "8924da342ab6da849631f2f5eb875b40eb62c54a6573e37e31e5ed5ac0f1f576d6eb266038695fec6514fe8973cc980ef7d8d7fb1ea5488fe7ec98a6ed848553"
  }
  ]
  }

internal/cli/cmd/app/app.go

@@ -21,6 +21,7 @@ import (
  "context"
  "flag"
  "fmt"
+ "os"
  "path/filepath"
  "strings"
 
@@ -64,16 +65,16 @@ Applicable build constraints are included as properties of the main component.
 Because build constraints influence Go's module selection, an SBOM should be generated
 for each target in the build matrix.
 
-The -main flag should be used to specify the path to the application's main file.
-It must point to a go file within MODULE_PATH. The go file must have a "package main" declaration.
+The -main flag should be used to specify the path to the application's main package.
+It must point to a directory within MODULE_PATH. If not set, MODULE_PATH is assumed.
 
 By passing -files, all files that would be included in a binary will be attached
 as subcomponents of their respective module. File versions follow the v0.0.0-SHORTHASH pattern, 
 where SHORTHASH is the first 12 characters of the file's SHA1 hash.
 
 Examples:
  $ GOARCH=arm64 GOOS=linux GOFLAGS="-tags=foo,bar" cyclonedx-gomod app -output linux-arm64.bom.xml
- $ cyclonedx-gomod app -json -output acme-app.bom.json -files -licenses -main cmd/acme-app/main.go /usr/src/acme-module`,
+ $ cyclonedx-gomod app -json -output acme-app.bom.json -files -licenses -main cmd/acme-app /usr/src/acme-module`,
  FlagSet: fs,
  Exec: func(_ context.Context, args []string) error {
  if len(args) > 1 {
@@ -98,9 +99,9 @@ func Exec(options Options) error {
  return err
  }
 
- modules, err := gomod.GetModulesFromPackages(options.ModuleDir, options.Main)
+ modules, err := gomod.LoadModulesFromPackages(options.ModuleDir, options.Main)
  if err != nil {
- return fmt.Errorf("failed to collect modules: %w", err)
+ return fmt.Errorf("failed to load modules: %w", err)
  }
 
  // Dependencies need to be applied prior to determining the main
@@ -253,23 +254,23 @@ func parseTagsFromGoFlags(goflags string) (tags []string) {
 //
 // If the package URL is updated, the BOM reference is as well.
 // All places within the BOM that reference the main component will be updated accordingly.
-func enrichWithApplicationDetails(bom *cdx.BOM, moduleDir, mainFile string) {
- // Resolve absolute paths to moduleDir and mainFile.
+func enrichWithApplicationDetails(bom *cdx.BOM, moduleDir, mainPkgDir string) {
+ // Resolve absolute paths to moduleDir and mainPkgDir.
  // Both may contain traversals or similar elements we don't care about.
  // This procedure is done during options validation already,
  // which is why we don't check for errors here.
  moduleDirAbs, _ := filepath.Abs(moduleDir)
- mainFileAbs, _ := filepath.Abs(filepath.Join(moduleDirAbs, mainFile))
+ mainPkgDirAbs, _ := filepath.Abs(filepath.Join(moduleDirAbs, mainPkgDir))
 
- // Construct path to mainFile relative to moduleDir
- mainFileRel := strings.TrimPrefix(mainFileAbs, moduleDirAbs)
- mainFileRel = strings.TrimPrefix(mainFileRel, "/")
+ // Construct path to mainPkgDir relative to moduleDir
+ mainPkgDirRel := strings.TrimPrefix(mainPkgDirAbs, moduleDirAbs)
+ mainPkgDirRel = strings.TrimPrefix(mainPkgDirRel, string(os.PathSeparator))
 
- if mainDir, _ := filepath.Split(mainFileRel); mainDir != "" {
- mainDir = strings.TrimSuffix(mainDir, "/")
+ if mainPkgDirRel != "" {
+ mainPkgDirRel = strings.TrimSuffix(mainPkgDirRel, string(os.PathSeparator))
 
  oldPURL := bom.Metadata.Component.PackageURL
- newPURL := oldPURL + "#" + mainDir
+ newPURL := oldPURL + "#" + mainPkgDirRel
 
  log.Debug().
  Str("old", oldPURL).