Merge pull request #77 from macblazer/69-add-evidence-element-for-the…

…-components

Add evidence element for the components

.rubocop.yml

@@ -35,7 +35,7 @@ Metrics/BlockLength:
 
 # Allow some long methods because breaking them up doesn't help anything.
 Metrics/MethodLength:
-  AllowedMethods: ['parse_options', 'add_to_bom', 'append_all_pod_dependencies']
+  AllowedMethods: ['parse_options', 'add_to_bom', 'append_all_pod_dependencies', 'xml_add_evidence']
 Metrics/AbcSize:
   AllowedMethods: ['parse_options', 'add_to_bom', 'source_for_pod']
 

CHANGELOG.md

@@ -4,9 +4,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [Unreleased]
+## [1.4.0]
+
+### Added
+- Added `evidence` element to the component output to indicate that we are doing manifest analysis to generate the bom. ([Issue #69](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/69)) [@macblazer](https://github.com/macblazer).
 
 ### Fixed
+- Added top level dependencies when the metadata/component is specified (by using the `--name`, `--version`, and `--type` parameters). ([PR #70](https://github.com/CycloneDX/cyclonedx-cocoapods/pull/70)) [@fnxpt](https://github.com/fnxpt)
 - Properly concatenate paths to Podfile and Podfile.lock (with unit tests!). ([Issue #71](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/71)) [@macblazer](https://github.com/macblazer).
 
 ## [1.3.0]

cyclonedx-cocoapods.gemspec

@@ -26,8 +26,8 @@ Gem::Specification.new do |spec|
   spec.executables   = spec.files.grep(%r{\Aexe/}) { |f| File.basename(f) }
   spec.require_paths = ['lib']
 
-  spec.add_runtime_dependency 'cocoapods', ['>= 1.10.1', '< 2.0']
-  spec.add_runtime_dependency 'nokogiri', ['>= 1.11.2', '< 2.0']
+  spec.add_dependency 'cocoapods', ['>= 1.10.1', '< 2.0']
+  spec.add_dependency 'nokogiri', ['>= 1.11.2', '< 2.0']
 
   spec.add_development_dependency 'equivalent-xml', '~> 0.6.0'
   spec.add_development_dependency 'rake', '~> 13.0'

example_bom.xml

@@ -1,15 +1,15 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1" serialNumber="urn:uuid:7d67e1d1-ebd7-4ae6-8f41-cc045d3542fb">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1" serialNumber="urn:uuid:fb0dad91-a67c-45f9-86d1-00cd0033c0de">
   <metadata>
-    <timestamp>2024-02-08T06:35:59Z</timestamp>
+    <timestamp>2024-10-15T03:43:07Z</timestamp>
     <tools>
       <tool>
         <vendor>CycloneDX</vendor>
         <name>cyclonedx-cocoapods</name>
-        <version>1.3.0</version>
+        <version>1.4.0</version>
       </tool>
     </tools>
-    <component type="application">
+    <component type="application" bom-ref="kizitonwose/[email protected]">
       <name>kizitonwose/PodsUpdater</name>
       <version>1.0.3</version>
     </component>
@@ -35,6 +35,19 @@
           <url>http://github.com/raspu/Highlightr</url>
         </reference>
       </externalReferences>
+      <evidence>
+        <identity>
+          <field>purl</field>
+          <confidence>0.6</confidence>
+          <methods>
+            <method>
+              <technique>manifest-analysis</technique>
+              <confidence>0.6</confidence>
+              <value>PodsUpdater/Podfile.lock</value>
+            </method>
+          </methods>
+        </identity>
+      </evidence>
     </component>
     <component type="library" bom-ref="pkg:cocoapods/[email protected]">
       <author>Krunoslav Zaher &lt;[email protected]&gt;</author>
@@ -56,6 +69,19 @@
           <url>https://github.com/ReactiveX/RxSwift</url>
         </reference>
       </externalReferences>
+      <evidence>
+        <identity>
+          <field>purl</field>
+          <confidence>0.6</confidence>
+          <methods>
+            <method>
+              <technique>manifest-analysis</technique>
+              <confidence>0.6</confidence>
+              <value>PodsUpdater/Podfile.lock</value>
+            </method>
+          </methods>
+        </identity>
+      </evidence>
     </component>
     <component type="library" bom-ref="pkg:cocoapods/[email protected]">
       <author>Krunoslav Zaher &lt;[email protected]&gt;</author>
@@ -79,6 +105,19 @@
           <url>https://github.com/ReactiveX/RxSwift</url>
         </reference>
       </externalReferences>
+      <evidence>
+        <identity>
+          <field>purl</field>
+          <confidence>0.6</confidence>
+          <methods>
+            <method>
+              <technique>manifest-analysis</technique>
+              <confidence>0.6</confidence>
+              <value>PodsUpdater/Podfile.lock</value>
+            </method>
+          </methods>
+        </identity>
+      </evidence>
     </component>
     <component type="library" bom-ref="pkg:cocoapods/[email protected]">
       <author>Krunoslav Zaher &lt;[email protected]&gt;</author>
@@ -110,9 +149,27 @@ git diff | grep bug | less          #  linux pipes - programs communicate by sen
           <url>https://github.com/ReactiveX/RxSwift</url>
         </reference>
       </externalReferences>
+      <evidence>
+        <identity>
+          <field>purl</field>
+          <confidence>0.6</confidence>
+          <methods>
+            <method>
+              <technique>manifest-analysis</technique>
+              <confidence>0.6</confidence>
+              <value>PodsUpdater/Podfile.lock</value>
+            </method>
+          </methods>
+        </identity>
+      </evidence>
     </component>
   </components>
   <dependencies>
+    <dependency ref="kizitonwose/[email protected]">
+      <dependency ref="pkg:cocoapods/[email protected]"/>
+      <dependency ref="pkg:cocoapods/[email protected]"/>
+      <dependency ref="pkg:cocoapods/[email protected]"/>
+    </dependency>
     <dependency ref="pkg:cocoapods/[email protected]"/>
     <dependency ref="pkg:cocoapods/[email protected]"/>
     <dependency ref="pkg:cocoapods/[email protected]">

lib/cyclonedx/cocoapods/bom_builder.rb

@@ -104,10 +104,28 @@ def xml_add_homepage(xml)
         end
       end
 
-      def add_to_bom(xml, trim_strings_length = 0)
+      # Add evidence of the purl identity.
+      # See https://github.com/CycloneDX/guides/blob/main/SBOM/en/0x60-Evidence.md for more info
+      def xml_add_evidence(xml, manifest_path)
+        xml.evidence do
+          xml.identity do
+            xml.field 'purl'
+            xml.confidence '0.6'
+            xml.methods_ do
+              xml.method_ do
+                xml.technique 'manifest-analysis'
+                xml.confidence '0.6'
+                xml.value manifest_path
+              end
+            end
+          end
+        end
+      end
+
+      def add_to_bom(xml, manifest_path, trim_strings_length = 0)
         xml.component(type: 'library', 'bom-ref': purl) do
           xml_add_author(xml, trim_strings_length)
-          xml.name name
+          xml.name_ name
           xml.version version.to_s
           xml.description { xml.cdata description } unless description.nil?
           unless checksum.nil?
@@ -126,14 +144,16 @@ def add_to_bom(xml, trim_strings_length = 0)
             xml.purl purl.slice(0, trim_strings_length)
           end
           xml_add_homepage(xml)
+
+          xml_add_evidence(xml, manifest_path)
         end
       end
 
       class License
         def add_to_bom(xml)
           xml.license do
             xml.id identifier if identifier_type == :id
-            xml.name identifier if identifier_type == :name
+            xml.name_ identifier if identifier_type == :name
             xml.text_ text unless text.nil?
             xml.url url unless url.nil?
           end
@@ -145,19 +165,21 @@ class Component
       def add_to_bom(xml)
         xml.component(type: type, 'bom-ref': bomref) do
           xml.group group unless group.nil?
-          xml.name name
+          xml.name_ name
           xml.version version
         end
       end
     end
 
+    # Turns the internal model data into an XML bom.
     class BOMBuilder
       NAMESPACE = 'http://cyclonedx.org/schema/bom/1.5'
 
-      attr_reader :component, :pods, :dependencies
+      attr_reader :component, :pods, :manifest_path, :dependencies
 
-      def initialize(pods:, component: nil, dependencies: nil)
+      def initialize(pods:, manifest_path:, component: nil, dependencies: nil)
         @pods = pods.sort_by(&:purl)
+        @manifest_path = manifest_path
         @component = component
         @dependencies = dependencies&.sort
       end
@@ -184,17 +206,17 @@ def unchecked_bom(version: 1, trim_strings_length: 0)
           xml.bom(xmlns: NAMESPACE, version: version.to_i.to_s, serialNumber: "urn:uuid:#{SecureRandom.uuid}") do
             bom_metadata(xml)
 
-            bom_components(xml, pods, trim_strings_length)
+            bom_components(xml, pods, manifest_path, trim_strings_length)
 
             bom_dependencies(xml, dependencies)
           end
         end.to_xml
       end
 
-      def bom_components(xml, pods, trim_strings_length)
+      def bom_components(xml, pods, manifest_path, trim_strings_length)
         xml.components do
           pods.each do |pod|
-            pod.add_to_bom(xml, trim_strings_length)
+            pod.add_to_bom(xml, manifest_path, trim_strings_length)
           end
         end
       end
@@ -223,7 +245,7 @@ def bom_tools(xml)
         xml.tools do
           xml.tool do
             xml.vendor 'CycloneDX'
-            xml.name 'cyclonedx-cocoapods'
+            xml.name_ 'cyclonedx-cocoapods'
             xml.version VERSION
           end
         end

lib/cyclonedx/cocoapods/cli_runner.rb

@@ -39,9 +39,9 @@ def run
         setup_logger(verbose: options[:verbose])
         @logger.debug "Running cyclonedx-cocoapods with options: #{options}"
 
-        component, pods, dependencies = analyze(options)
+        component, pods, manifest_path, dependencies = analyze(options)
 
-        build_and_write_bom(options, component, pods, dependencies)
+        build_and_write_bom(options, component, pods, manifest_path, dependencies)
       rescue StandardError => e
         @logger.error ([e.message] + e.backtrace).join($INPUT_RECORD_SEPARATOR)
         exit 1
@@ -144,11 +144,18 @@ def analyze(options)
           dependencies[component.bomref] = top_deps
         end
 
-        [component, pods, dependencies]
+        manifest_path = lockfile.defined_in_file
+        if manifest_path.absolute?
+          # Use the folder that we are building in, then the path to the manifest file
+          manifest_path = Pathname.pwd.basename + manifest_path.relative_path_from(Pathname.pwd)
+        end
+
+        [component, pods, manifest_path, dependencies]
       end
 
-      def build_and_write_bom(options, component, pods, dependencies)
-        builder = BOMBuilder.new(pods: pods, component: component, dependencies: dependencies)
+      def build_and_write_bom(options, component, pods, manifest_path, dependencies)
+        builder = BOMBuilder.new(pods: pods, manifest_path: manifest_path,
+                                 component: component, dependencies: dependencies)
         bom = builder.bom(version: options[:bom_version] || 1,
                           trim_strings_length: options[:trim_strings_length] || 0)
         write_bom_to_file(bom: bom, options: options)

lib/cyclonedx/cocoapods/version.rb

@@ -21,6 +21,6 @@
 
 module CycloneDX
   module CocoaPods
-    VERSION = '1.3.0'
+    VERSION = '1.4.0'
   end
 end