Include build constraints

[nscuro]

Once we support a "distribution mode" (for a lack of better terms; see #20 (comment) - variant 1), we need to express for which build constraints the SBOM has been generated.

Constraints could be included via properties of the main component, e.g.

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:5f05aa95-d0d9-43aa-bf11-7c9ee2ce9325" version="1">
  <metadata>
    <component>
      <name>github.com/CycloneDX/cyclonedx-gomod</name>
      <version>vX.X.X</version>
      <properties>
        <property name="cdx:gomod:buildconstraint:goos">linux</property>
        <property name="cdx:gomod:buildconstraint:goarch">amd64</property>
        <property name="cdx:gomod:buildconstraint:tags">tag1,tag2,tag3</property>
      </properties>
    </component>
  </metadata>
  <components></components>
</bom>

Or, alternatively:

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:5f05aa95-d0d9-43aa-bf11-7c9ee2ce9325" version="1">
  <metadata>
    <component>
      <name>github.com/CycloneDX/cyclonedx-gomod</name>
      <version>vX.X.X</version>
      <properties>
        <property name="cdx:gomod:buildconstraint:goos">linux</property>
        <property name="cdx:gomod:buildconstraint:goarch">amd64</property>
        <property name="cdx:gomod:buildconstraint:tag">tag1</property>
        <property name="cdx:gomod:buildconstraint:tag">tag2</property>
        <property name="cdx:gomod:buildconstraint:tag">tag3</property>
      </properties>
    </component>
  </metadata>
  <components></components>
</bom>

This requires cyclonedx-go to support v1.3 of the spec (CycloneDX/cyclonedx-go#1).

Additionally, these constraints could be added to the main component's PURL as well, via qualifiers:

pkg:golang/github.com/CycloneDX/[email protected]?goos=windows&goarch=amd64&tags=tag1,tag2,tag3

[nscuro]

Because build constraints will be controlled via environment variables, the easiest way to tackle this is by calling go env -json and filtering out values we don't care about.

Full output on my machine:

{
        "AR": "ar",
        "CC": "gcc",
        "CGO_CFLAGS": "-g -O2",
        "CGO_CPPFLAGS": "",
        "CGO_CXXFLAGS": "-g -O2",
        "CGO_ENABLED": "1",
        "CGO_FFLAGS": "-g -O2",
        "CGO_LDFLAGS": "-g -O2",
        "CXX": "g++",
        "GCCGO": "gccgo",
        "GO111MODULE": "on",
        "GOARCH": "amd64",
        "GOBIN": "",
        "GOCACHE": "/home/nscur0/.cache/go-build",
        "GOENV": "/home/nscur0/.config/go/env",
        "GOEXE": "",
        "GOEXPERIMENT": "",
        "GOFLAGS": "",
        "GOGCCFLAGS": "-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3276487465=/tmp/go-build -gno-record-gcc-switches",
        "GOHOSTARCH": "amd64",
        "GOHOSTOS": "linux",
        "GOINSECURE": "",
        "GOMOD": "/home/nscur0/development/projects/minikube/go.mod",
        "GOMODCACHE": "/home/nscur0/development/go/pkg/mod",
        "GONOPROXY": "",
        "GONOSUMDB": "",
        "GOOS": "linux",
        "GOPATH": "/home/nscur0/development/go",
        "GOPRIVATE": "",
        "GOPROXY": "https://proxy.golang.org,direct",
        "GOROOT": "/home/nscur0/.local/go",
        "GOSUMDB": "sum.golang.org",
        "GOTMPDIR": "",
        "GOTOOLDIR": "/home/nscur0/.local/go/pkg/tool/linux_amd64",
        "GOVCS": "",
        "GOVERSION": "go1.17",
        "PKG_CONFIG": "pkg-config"
}

What to include?

• CGO_ENABLED
• GOARCH
• GOOS
• GOFLAGS (if set; this is where tags are passed)
• GOVERSION