[elbe-devel] [PATCH 1/1] elbepack: commands: add cyclonedx-sbom command

Tue May 7 14:10:48 CEST 2024

On Tue, May 07, 2024 at 01:56:17PM GMT, Eduard Krein wrote:
> cyclonedx-sbom is generating software-bill-of-materials in
> the OWASP cyclonedx format. This is a work-in-progress.
> 
> Signed-off-by: Eduard Krein <eduard.krein at linutronix.de>
> ---
>  elbepack/commands/cyclonedx-sbom.py | 37 +++++++++++++++++++++++++++++
>  1 file changed, 37 insertions(+)
>  create mode 100644 elbepack/commands/cyclonedx-sbom.py
> 
> diff --git a/elbepack/commands/cyclonedx-sbom.py b/elbepack/commands/cyclonedx-sbom.py
> new file mode 100644
> index 00000000..e8fce54f
> --- /dev/null
> +++ b/elbepack/commands/cyclonedx-sbom.py
> @@ -0,0 +1,37 @@
> +# ELBE - Debian Based Embedded Rootfilesystem Builder
> +
> +import datetime
> +import json
> +import os
> +from json import JSONEncoder
> +from optparse import OptionParser

For new code I'd prefer stdlib import to *not* use "from ...".

> +
> +from elbepack.elbexml import ElbeXML
> +from elbepack.uuid7 import uuid7
> +
> +
> +def run_command(argv):
> +
> +    oparser = OptionParser()
> +    oparser.add_option('-d', type='string', dest='elbe_build')

type='string' cna be omitted, it is the default.

> +    (options, args) = oparser.parse_args()

No need for these braces around the tuple unpacking.

> +
> +    xmlpath = os.path.join(options.elbe_build, 'source.xml')
> +    data = ElbeXML(xmlpath)
> +    ts = datetime.datetime.now()
> +    elbe_uuid = uuid7(ts)
> +    urn_uuid = 'urn:uuid:' + str(elbe_uuid)
> +    elbeversion = data.get_elbe_version()
> +    output = {'bomFormat': 'CycloneDX', 'specVersion': '1.4',
> +              'serialNumber': urn_uuid, 'version': 1, 'metadata':
> +              {'timestamp': ts, 'tools': [{'vendor': 'Linutronix',
> +               'name': 'Elbe', 'version': elbeversion}]}}

Please format this out.

output = {
    'bomFormat': ...,
    'specVersion': ...,
    ...
    'tools': [
       {
           'vendor': ...,
       },
    ],
}

> +
> +    json_string = json.dumps(output, indent=2, cls=DateTimeEncoder)
> +    print(json_string)

Use json.dump(output, sys.stdout), no need to have yet another copy of
this around.

> +    json_string = json.dumps(output, indent=2, cls=DateTimeEncoder)
> +
> +
> +class DateTimeEncoder(JSONEncoder):
> +    def default(self, obj):
> +        if isinstance(obj, (datetime.date, datetime.datetime)):
> +            return obj.isoformat()

Definitions should be done before they are used, please move this above
run_command().

Also this may grow other special cases in the future, so let's rename it
to something more specific like "CycloneDXEncoder".

Thanks,
Thomas