feat: add license resolution support for bin command (#52)

* first proof of concept

Signed-off-by: nscuro <[email protected]>

* regenerate bin sbom example

Signed-off-by: nscuro <[email protected]>

* handle replacements

Signed-off-by: nscuro <[email protected]>

* add license header

Signed-off-by: nscuro <[email protected]>

* use chunking for filterModules as well

Signed-off-by: nscuro <[email protected]>

* tweak makefile

Signed-off-by: nscuro <[email protected]>

* deduplication and tests

Signed-off-by: nscuro <[email protected]>

* update bin command documentation

Signed-off-by: nscuro <[email protected]>

* update readme

Signed-off-by: nscuro <[email protected]>

* minor tweaks

Signed-off-by: nscuro <[email protected]>

* regenerate example sboms

mainly to trigger github actions, as it was down yesterday.

Signed-off-by: nscuro <[email protected]>

.gitignore

@@ -1,4 +1,5 @@
 # Binaries for programs and plugins
+bin/
 *.exe
 *.exe~
 *.dll

Makefile

@@ -1,7 +1,8 @@
 LDFLAGS="-s -w -X github.com/CycloneDX/cyclonedx-gomod/internal/version.Version=v0.0.0-$(shell git show -s --date=format:'%Y%m%d%H%M%S' --format=%cd HEAD)-$(shell git rev-parse HEAD | head -c 12)"
 
 build:
- go build -v -ldflags=${LDFLAGS}
+ mkdir -p ./bin
+ go build -v -ldflags=${LDFLAGS} -o ./bin/cyclonedx-gomod
 .PHONY: build
 
 install:
@@ -28,9 +29,9 @@ docker:
  docker build -t cyclonedx/cyclonedx-gomod -f Dockerfile .
 .PHONY: docker
 
-bom:
- go run main.go -licenses -std -output bom.xml
- cyclonedx validate --input-file bom.xml --input-format xml --fail-on-errors
+bom: build
+ ./bin/cyclonedx-gomod mod -licenses -std -json -output bom.json
+ cyclonedx validate --input-file bom.json --fail-on-errors
 .PHONY: bom
 
 goreleaser-dryrun:

README.md

@@ -52,6 +52,9 @@ USAGE
 
 Generate SBOM for a binary.
 
+When license resolution is enabled, all modules (including the main module) 
+will be downloaded to the module cache using "go mod download".
+
 Please note that data embedded in binaries shouldn't be trusted,
 unless there's solid evidence that the binaries haven't been modified
 since they've been built.
@@ -61,6 +64,7 @@ Example:
 
 FLAGS
  -json=false Output in JSON
+ -licenses=false Resolve module licenses
  -noserial=false Omit serial number
  -novprefix=false Omit "v" prefix from versions
  -output - Output file path (or - for STDOUT)

e2e/cmd_bin_test.go

@@ -10,8 +10,9 @@ import (
 func TestBinCmdSimple(t *testing.T) {
  binOptions := bincmd.BinOptions{
  SBOMOptions: options.SBOMOptions{
- Reproducible: true,
- SerialNumber: zeroUUID.String(),
+ Reproducible: true,
+ ResolveLicenses: true,
+ SerialNumber: zeroUUID.String(),
  },
  BinaryPath: "./testdata/bincmd/simple",
  Version: "v1.0.0",

e2e/cmd_mod_test.go

@@ -35,12 +35,12 @@ func TestModCmdSimple(t *testing.T) {
 
  modOptions := modcmd.ModOptions{
  SBOMOptions: options.SBOMOptions{
- Reproducible: true,
- SerialNumber: zeroUUID.String(),
+ Reproducible: true,
+ ResolveLicenses: true,
+ SerialNumber: zeroUUID.String(),
  },
- ComponentType: string(cdx.ComponentTypeLibrary),
- ModuleDir: fixturePath,
- ResolveLicenses: true,
+ ComponentType: string(cdx.ComponentTypeLibrary),
+ ModuleDir: fixturePath,
  }
 
  runSnapshotIT(t, &modOptions.OutputOptions, func() error { return modcmd.Exec(modOptions) })
@@ -54,12 +54,12 @@ func TestModCmdLocal(t *testing.T) {
 
  modOptions := modcmd.ModOptions{
  SBOMOptions: options.SBOMOptions{
- Reproducible: true,
- SerialNumber: zeroUUID.String(),
+ Reproducible: true,
+ ResolveLicenses: true,
+ SerialNumber: zeroUUID.String(),
  },
- ComponentType: string(cdx.ComponentTypeLibrary),
- ModuleDir: filepath.Join(fixturePath, "local"),
- ResolveLicenses: true,
+ ComponentType: string(cdx.ComponentTypeLibrary),
+ ModuleDir: filepath.Join(fixturePath, "local"),
  }
 
  runSnapshotIT(t, &modOptions.OutputOptions, func() error { return modcmd.Exec(modOptions) })
@@ -72,12 +72,12 @@ func TestModCmdNoDependencies(t *testing.T) {
 
  modOptions := modcmd.ModOptions{
  SBOMOptions: options.SBOMOptions{
- Reproducible: true,
- SerialNumber: zeroUUID.String(),
+ Reproducible: true,
+ ResolveLicenses: true,
+ SerialNumber: zeroUUID.String(),
  },
- ComponentType: string(cdx.ComponentTypeLibrary),
- ModuleDir: fixturePath,
- ResolveLicenses: true,
+ ComponentType: string(cdx.ComponentTypeLibrary),
+ ModuleDir: fixturePath,
  }
 
  runSnapshotIT(t, &modOptions.OutputOptions, func() error { return modcmd.Exec(modOptions) })
@@ -91,12 +91,12 @@ func TestModCmdVendored(t *testing.T) {
 
  modOptions := modcmd.ModOptions{
  SBOMOptions: options.SBOMOptions{
- Reproducible: true,
- SerialNumber: zeroUUID.String(),
+ Reproducible: true,
+ ResolveLicenses: true,
+ SerialNumber: zeroUUID.String(),
  },
- ComponentType: string(cdx.ComponentTypeLibrary),
- ModuleDir: fixturePath,
- ResolveLicenses: true,
+ ComponentType: string(cdx.ComponentTypeLibrary),
+ ModuleDir: fixturePath,
  }
 
  runSnapshotIT(t, &modOptions.OutputOptions, func() error { return modcmd.Exec(modOptions) })
@@ -118,12 +118,12 @@ func TestModCmdNested(t *testing.T) {
 
  modOptions := modcmd.ModOptions{
  SBOMOptions: options.SBOMOptions{
- Reproducible: true,
- SerialNumber: zeroUUID.String(),
+ Reproducible: true,
+ ResolveLicenses: true,
+ SerialNumber: zeroUUID.String(),
  },
- ComponentType: string(cdx.ComponentTypeLibrary),
- ModuleDir: filepath.Join(fixturePath, "simple"),
- ResolveLicenses: true,
+ ComponentType: string(cdx.ComponentTypeLibrary),
+ ModuleDir: filepath.Join(fixturePath, "simple"),
  }
 
  runSnapshotIT(t, &modOptions.OutputOptions, func() error { return modcmd.Exec(modOptions) })

e2e/testdata/snapshots/TestBinCmdSimple

@@ -29,6 +29,13 @@
  <url>https:/google/uuid</url>
  </reference>
  </externalReferences>
+ <evidence>
+ <licenses>
+ <license>
+ <id>BSD-3-Clause</id>
+ </license>
+ </licenses>
+ </evidence>
  </component>
  </components>
  <dependencies>