feat: SPDX SBOM Generator

in-toto · Oct 13, 2022 · ad38d7d · ad38d7d
1 parent 858cd0e
commit ad38d7d
Show file tree

Hide file tree

Showing 4 changed files with 198 additions and 2 deletions.
diff --git a/attestation/sbom/sbom.go b/attestation/sbom/sbom.go
@@ -0,0 +1,128 @@
+// Copyright 2022 The Witness Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package sbom
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path"
+
+	"github.com/spdx/spdx-sbom-generator/pkg/handler"
+	"github.com/spdx/spdx-sbom-generator/pkg/models"
+	"github.com/testifysec/go-witness/attestation"
+)
+
+const (
+	Name    = "sbom"
+	Type    = "https://witness.dev/attestations/sbom/v0.1"
+	RunType = attestation.PreRunType
+)
+
+var (
+	_ attestation.Attestor = &Attestor{}
+)
+
+type Attestor struct {
+	models.Document
+}
+
+func init() {
+	attestation.RegisterAttestation(Name, Type, RunType, func() attestation.Attestor {
+		return New()
+	})
+}
+
+func New() *Attestor {
+	return &Attestor{}
+}
+
+func (a *Attestor) Type() string {
+	return Type
+}
+
+func (a *Attestor) Name() string {
+	return Name
+}
+
+func (a *Attestor) RunType() attestation.RunType {
+	return RunType
+}
+
+func (a *Attestor) Attest(ctx *attestation.AttestationContext) error {
+	dir, err := os.MkdirTemp("", "sbom")
+	if err != nil {
+		return err
+	}
+
+	handler, err := handler.NewSPDX(handler.SPDXSettings{
+		Version:           "witness",
+		Path:              ctx.WorkingDir(),
+		License:           false,
+		Depth:             "",
+		OutputDir:         dir,
+		Schema:            "2.2",
+		Format:            models.OutputFormatJson,
+		GlobalSettingFile: "",
+	})
+
+	if err != nil {
+		return err
+	}
+
+	err = handler.Run()
+	if err != nil {
+		return err
+	}
+
+	err = handler.Complete()
+	if err != nil {
+		return err
+	}
+
+	//get files in dir
+	files, err := os.ReadDir(dir)
+	if err != nil {
+		return err
+	}
+
+	//get the first file
+	if len(files) == 0 {
+		return fmt.Errorf("SBOM file not found in temp directory")
+	}
+
+	file := files[0]
+
+	//marshal file into Document
+	name := file.Name()
+	//join path
+	f, err := os.Open(path.Join(dir, name))
+	if err != nil {
+		return err
+	}
+
+	err = json.NewDecoder(f).Decode(&a.Document)
+	if err != nil {
+		return err
+	}
+
+	//remove temp dir
+	err = os.RemoveAll(dir)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
diff --git a/attestors.go b/attestors.go
@@ -26,6 +26,7 @@ import (
 	_ "github.com/testifysec/go-witness/attestation/maven"
 	_ "github.com/testifysec/go-witness/attestation/oci"
 	_ "github.com/testifysec/go-witness/attestation/sarif"
+	_ "github.com/testifysec/go-witness/attestation/sbom"
 	_ "github.com/testifysec/go-witness/attestation/scorecard"
 	_ "github.com/testifysec/go-witness/attestation/syft"
 )
diff --git a/go.mod b/go.mod
@@ -1,15 +1,17 @@
 module github.com/testifysec/go-witness
 
-go 1.18
+go 1.19
 
 require (
 	github.com/anchore/stereoscope v0.0.0-20220708133445-777471f38c5b
 	github.com/anchore/syft v0.53.0
 	github.com/davecgh/go-spew v1.1.1
+	github.com/digitorus/pkcs7 v0.0.0-20220704143225-a9c8106cbfc6
 	github.com/digitorus/timestamp v0.0.0-20220704143351-8225fba02d52
 	github.com/go-git/go-git/v5 v5.4.2
 	github.com/open-policy-agent/opa v0.43.1
 	github.com/owenrumney/go-sarif v1.1.1
+	github.com/spdx/spdx-sbom-generator v0.0.15
 	github.com/spiffe/go-spiffe/v2 v2.1.1
 	github.com/stretchr/testify v1.8.0
 	github.com/testifysec/archivist-api v0.0.0-20221012004029-f5ceac2d8a3b
@@ -37,7 +39,7 @@ require (
 	github.com/containerd/containerd v1.6.6 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.12.0 // indirect
 	github.com/coreos/go-oidc/v3 v3.2.0 // indirect
-	github.com/digitorus/pkcs7 v0.0.0-20220704143225-a9c8106cbfc6 // indirect
+	github.com/dgryski/go-minhash v0.0.0-20170608043002-7fe510aff544 // indirect
 	github.com/docker/cli v20.10.17+incompatible // indirect
 	github.com/docker/distribution v2.8.1+incompatible // indirect
 	github.com/docker/docker v20.10.17+incompatible // indirect
@@ -46,8 +48,10 @@ require (
 	github.com/docker/go-units v0.4.0 // indirect
 	github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
 	github.com/dustin/go-humanize v1.0.0 // indirect
+	github.com/ekzhu/minhash-lsh v0.0.0-20171225071031-5c06ee8586a1 // indirect
 	github.com/facebookincubator/nvdtools v0.1.5 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.1 // indirect
+	github.com/go-enry/go-license-detector/v4 v4.2.0 // indirect
 	github.com/go-restruct/restruct v1.2.0-alpha // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
@@ -56,7 +60,9 @@ require (
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/golang-lru v0.5.4 // indirect
+	github.com/hhatto/gorst v0.0.0-20181029133204-ca9f730cac5b // indirect
 	github.com/huandu/xstrings v1.3.2 // indirect
+	github.com/jdkato/prose v1.1.0 // indirect
 	github.com/jinzhu/copier v0.3.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
@@ -74,6 +80,7 @@ require (
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 // indirect
+	github.com/montanaflynn/stats v0.0.0-20151014174947-eeaced052adb // indirect
 	github.com/nwaples/rardecode v1.1.3 // indirect
 	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
@@ -86,8 +93,10 @@ require (
 	github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0 // indirect
 	github.com/rivo/uniseg v0.3.1 // indirect
 	github.com/rogpeppe/go-internal v1.8.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e // indirect
 	github.com/segmentio/ksuid v1.0.4 // indirect
+	github.com/shogo82148/go-shuffle v0.0.0-20170808115208-59829097ff3b // indirect
 	github.com/shopspring/decimal v1.3.1 // indirect
 	github.com/sirupsen/logrus v1.9.0 // indirect
 	github.com/skratchdot/open-golang v0.0.0-20200116055534-eef842397966 // indirect
@@ -102,11 +111,14 @@ require (
 	github.com/wagoodman/go-progress v0.0.0-20220614130704-4b1c25a33c7c // indirect
 	github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
 	github.com/zclconf/go-cty v1.10.0 // indirect
+	golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6 // indirect
 	golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c // indirect
 	golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4 // indirect
 	golang.org/x/tools v0.1.12 // indirect
 	golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect
+	gonum.org/v1/gonum v0.7.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
+	gopkg.in/neurosnap/sentences.v1 v1.0.6 // indirect
 	lukechampine.com/uint128 v1.2.0 // indirect
 	modernc.org/cc/v3 v3.36.1 // indirect
 	modernc.org/ccgo/v3 v3.16.8 // indirect