fix(report): Refactor SBOM generation: split functions, improve PURL logic, set OS as root #2171

Merged
merged 12 commits into from
Apr 11, 2025

Conversation

kl-sinclair
Collaborator

@kl-sinclair kl-sinclair commented Apr 8, 2025

What did you implement:

We have refactored and improved the CycloneDX SBOM generation functionality as follows:

  • Refactoring: Split the GenerateCycloneDX function into ToCycloneDX, which converts a ScanResult to a CycloneDX BOM, and SerializeCycloneDX, which serializes the BOM into a byte array.
  • Fix: Separated and improved functions for generating Package URLs (PURLs) from packages and libraries.
  • Fix: Modified the SBOM structure so that the OS information is set as the root component.

These changes enhance the maintainability and extensibility of the codebase by modularizing the SBOM generation process and improving the handling of Package URLs.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

$ vuls report -to-localfile -format-cyclonedx-json
or
$ vuls report -to-localfile -format-cyclonedx-xml

before

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  ...
  "metadata": {
    ...
    "component": {
      "bom-ref": "xxxxxxxx",
      "type": "operating-system",
      "name": "localhost"
    }
  },
  "components": [
    {
      "bom-ref": "xxxxxxxx",
      "type": "operating-system",
      "name": "macos",
      "version": "13.7.4",
      "properties": [
        {
          "name": "future-architect:vuls:Type",
          "value": "Package"
        },
        {
          "name": "RunningKernelRelease",
          "value": "22.6.0"
        }
      ]
    },
    ...
    {
      "bom-ref": "pkg:yarn/%40babel%2Ftypes@7.26.9",
      "type": "library",
      "name": "@babel/types",
      "version": "7.26.9",
      "purl": "pkg:yarn/%40babel%2Ftypes@7.26.9"
    },
    ...
  ],
  ...
}

after

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  ...
  "metadata": {
    ...
    "component": {
      "bom-ref": "xxxxxxxx",
      "type": "operating-system",
      "name": "macos",
      "version": "13.7.4",
      "properties": [
        {
          "name": "future-architect:vuls:Type",
          "value": "macos"
        },
        {
          "name": "RunningKernelRelease",
          "value": "22.6.0"
        }
      ]
    }
  },
  "components": [
    ...
    {
      "bom-ref": "pkg:npm/%40babel/types@7.26.9",
      "type": "library",
      "name": "@babel/types",
      "version": "7.26.9",
      "purl": "pkg:npm/%40babel/types@7.26.9"
    },
    ...
  ],
  ...
}

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code by make fmt
  • Pass the test by make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES
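The two behaviours the PR description covers, the ToCycloneDX/SerializeCycloneDX split with the OS as metadata.component and the corrected PURL encoding, as an added Go example. This is not vuls' code: the ScanResult, Library, OSPackage and BOM types are simplified stand-ins for the real ones, and the family-to-purl-type table and the distro qualifier format in OSPackagePURL are assumptions. The point of the PURL fix is that downstream consumers (vulnerability matchers, SBOM diff tools) key on the exact purl string; an identifier like pkg:yarn/%40babel%2Ftypes@7.26.9 will never match an advisory entry keyed on pkg:npm/%40babel/types@7.26.9, so the affected library is silently reported as clean.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Constructed stand-ins (assumptions, not vuls' real types) holding only the
// fields this example needs.
type Library struct {
	Ecosystem string // purl type, e.g. "npm"
	Name      string // e.g. "@babel/types"
	Version   string
}

type OSPackage struct {
	Name, Version, Arch string
}

type ScanResult struct {
	Family        string // e.g. "macos", "ubuntu"
	Release       string // e.g. "13.7.4", "22.04"
	KernelRelease string
	Packages      []OSPackage
	Libraries     []Library
}

// Simplified CycloneDX 1.6 shapes (assumption), enough to reproduce the
// "after" layout from the PR description: the OS is metadata.component.
type Property struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

type Component struct {
	BOMRef     string     `json:"bom-ref"`
	Type       string     `json:"type"`
	Name       string     `json:"name"`
	Version    string     `json:"version,omitempty"`
	PURL       string     `json:"purl,omitempty"`
	Properties []Property `json:"properties,omitempty"`
}

type BOM struct {
	BOMFormat   string `json:"bomFormat"`
	SpecVersion string `json:"specVersion"`
	Metadata    struct {
		Component Component `json:"component"`
	} `json:"metadata"`
	Components []Component `json:"components"`
}

// purlEscape percent-encodes everything outside the RFC 3986 unreserved set,
// so "@" becomes "%40" and "/" becomes "%2F" (url.PathEscape leaves "@" alone).
func purlEscape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9' ||
			c == '-' || c == '_' || c == '.' || c == '~' {
			b.WriteByte(c)
		} else {
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

// LibraryPURL treats the "@scope" of a scoped npm package as the purl namespace
// and encodes it separately from the name, so "@babel/types" 7.26.9 becomes
// "pkg:npm/%40babel/types@7.26.9" as in the PR's "after" output.
func LibraryPURL(l Library) string {
	path := purlEscape(l.Name)
	if ns, name, ok := strings.Cut(l.Name, "/"); ok {
		path = purlEscape(ns) + "/" + purlEscape(name)
	}
	return fmt.Sprintf("pkg:%s/%s@%s", l.Ecosystem, path, purlEscape(l.Version))
}

// OSPackagePURL builds a deb/rpm purl with qualifiers sorted by key, e.g.
// "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.18?arch=amd64&distro=ubuntu-22.04".
// The family-to-type table and the "distro" value format are assumptions.
func OSPackagePURL(family, release string, p OSPackage) string {
	typ := map[string]string{"ubuntu": "deb", "debian": "deb"}[family]
	if typ == "" {
		typ = "rpm" // hypothetical default for the RPM-based families
	}
	q := map[string]string{"arch": p.Arch, "distro": family + "-" + release}
	keys := make([]string, 0, len(q))
	for k := range q {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+purlEscape(q[k]))
	}
	return fmt.Sprintf("pkg:%s/%s/%s@%s?%s", typ, family, purlEscape(p.Name),
		purlEscape(p.Version), strings.Join(parts, "&"))
}

// ToCycloneDX converts a scan result into a BOM whose root is the OS.
func ToCycloneDX(r ScanResult) BOM {
	bom := BOM{BOMFormat: "CycloneDX", SpecVersion: "1.6"}
	bom.Metadata.Component = Component{
		BOMRef: "os-" + r.Family, // constructed ref; the page shows an opaque id
		Type:   "operating-system", Name: r.Family, Version: r.Release,
		Properties: []Property{
			{Name: "future-architect:vuls:Type", Value: r.Family},
			{Name: "RunningKernelRelease", Value: r.KernelRelease},
		},
	}
	for _, p := range r.Packages {
		purl := OSPackagePURL(r.Family, r.Release, p)
		bom.Components = append(bom.Components, Component{BOMRef: purl, Type: "library", Name: p.Name, Version: p.Version, PURL: purl})
	}
	for _, l := range r.Libraries {
		purl := LibraryPURL(l)
		bom.Components = append(bom.Components, Component{BOMRef: purl, Type: "library", Name: l.Name, Version: l.Version, PURL: purl})
	}
	return bom
}

// SerializeCycloneDX renders the BOM as indented JSON.
func SerializeCycloneDX(b BOM) ([]byte, error) { return json.MarshalIndent(b, "", "  ") }

func main() {
	r := ScanResult{Family: "macos", Release: "13.7.4", KernelRelease: "22.6.0",
		Libraries: []Library{{Ecosystem: "npm", Name: "@babel/types", Version: "7.26.9"}}}
	out, _ := SerializeCycloneDX(ToCycloneDX(r))
	fmt.Println(string(out))
}
```

Keeping conversion and serialization separate, as the PR does, lets the XML and JSON outputs share one BOM value and lets tests assert on the struct (root component type, purl strings) without parsing output.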

@kl-sinclair kl-sinclair self-assigned this Apr 8, 2025
@kl-sinclair kl-sinclair changed the title [WIP] fix(report): enhanced PackageURL in CycloneDX [WIP] fix(report): Refactor SBOM generation: split functions, improve PURL logic, set OS as root Apr 9, 2025
@kl-sinclair kl-sinclair requested review from shino and kotakanbe April 9, 2025 09:32
@kl-sinclair kl-sinclair changed the title [WIP] fix(report): Refactor SBOM generation: split functions, improve PURL logic, set OS as root fix(report): Refactor SBOM generation: split functions, improve PURL logic, set OS as root Apr 9, 2025
@kl-sinclair kl-sinclair marked this pull request as ready for review April 9, 2025 09:33
@kl-sinclair kl-sinclair requested a review from MaineK00n April 9, 2025 09:45
kl-sinclair and others added 2 commits April 9, 2025 18:55
@kl-sinclair kl-sinclair requested a review from MaineK00n April 10, 2025 06:38
MaineK00n
MaineK00n previously approved these changes Apr 11, 2025
@MaineK00n MaineK00n merged commit f6cc8c2 into future-architect:master Apr 11, 2025
7 checks passed
@kl-sinclair kl-sinclair deleted the sbom-cdx-fix-and-refac branch April 11, 2025 03:09