sbom: Used named bom-ref in formula object

Signed-off-by: Stewart X Addison <[email protected]>
adoptium · Dec 7, 2023 · 3709a25 · 3709a25
1 parent 61f2d76
commit 3709a25
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 46 deletions.
diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml
@@ -473,12 +473,16 @@
                 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
                   <arg value="--verbose"/>
                   <arg value="--addFormulation"/>
+                  <arg value="--formulaName"/>
+                  <arg value="MyFormula"/>
                   <arg value="--jsonFile"/>
                   <arg value="${testSBOMFile}"/>
                 </java>
                 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
                   <arg value="--verbose"/>
                   <arg value="--addFormulationComp"/>
+                  <arg value="--formulaName"/>
+                  <arg value="MyFormula"/>
                   <arg value="--name"/>
                   <arg value="CycloneDX SHAs"/>
                   <arg value="--jsonFile"/>
@@ -487,6 +491,8 @@
                 <java classpath="${classpath}" classname="temurin.sbom.TemurinGenSBOM">
                   <arg value="--verbose"/>
                   <arg value="--addFormulationCompProp"/>
+                  <arg value="--formulaName"/>
+                  <arg value="MyFormula"/>
                   <arg value="--compName"/>
                   <arg value="CycloneDX SHAs"/>
                   <arg value="--name"/>

diff --git a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java
@@ -52,6 +52,7 @@ public static void main(final String[] args) {
         String cmd = null;
         String comment = null;
         String compName = null;
+        String formulaName = null;
         String description = null;
         String fileName = null;
         String hash = null;
@@ -79,6 +80,8 @@ public static void main(final String[] args) {
                 hash = args[++i];
             } else if (args[i].equals("--compName")) {
                 compName = args[++i];
+            } else if (args[i].equals("--formulaName")) {
+                formulaName = args[++i];
             } else if (args[i].equals("--description")) {
                 description = args[++i];
             } else if (args[i].equals("--type")) {
@@ -137,16 +140,16 @@ public static void main(final String[] args) {
                 break;
 
             case "addFormulation":                                   // Adds Formulation --> name
-                bom = addFormulation(fileName);
+                bom = addFormulation(fileName, formulaName);
                 writeJSONfile(bom, fileName);
                 break;
 
             case "addFormulationComp":                               // Adds Formulation --> Component--> name
-                bom = addFormulationComp(fileName, name, type);
+                bom = addFormulationComp(fileName, formulaName, name, type);
                 writeJSONfile(bom, fileName);
                 break;
             case "addFormulationCompProp":                           // Adds Formulation --> Component -> name-value:
-                bom = addFormulationCompProp(fileName, compName, name, value);
+                bom = addFormulationCompProp(fileName, formulaName, compName, name, value);
                 writeJSONfile(bom, fileName);
                 break;
 
@@ -324,62 +327,88 @@ static Bom addComponentExternalReference(final String fileName, final String has
         return bom;
     }
 
-    static Bom addFormulation(final String fileName) {          // Method to store Formulation
+    static Bom addFormulation(final String fileName, String name) {          // Method to store Formulation
         Bom bom = readJSONfile(fileName);
         List<Formula> formulation = bom.getFormulation();
         if (formulation == null) {
           formulation = new LinkedList<Formula>();
           Formula formula  = new Formula();
+          System.err.println("SXAECW: " + name);
+          formula.setBomRef(name);
           formulation.add(formula);
           bom.setFormulation(formulation);
         }
         return bom;
     }
 
-   static Bom addFormulationComp(final String fileName, final String name, final String type/*, final String version, final String description */) {
+   static Bom addFormulationComp(final String fileName, final String formulaName, final String name, final String type/*, final String version, final String description */) {
         Bom bom = readJSONfile(fileName);
+        if ( formulaName == null ) {
+           System.out.println("addFormulationComp: formulaName is null");
+           return bom;
+        } else if ( name == null ) {
+           System.out.println("addFormulationComp: name is null");
+           return bom;
+        }
         List<Formula> formulation = bom.getFormulation();
-        // SXA TODO: Not ideal to just be pulling the first entry here
-        // But the formula is currently unnamed
-        Formula formula = formulation.get(0);
-        Component comp = new Component();
-        Component.Type compType = Component.Type.FRAMEWORK;
-        comp.setType(compType);
-        comp.setName(name);
-        List<Component> components = formula.getComponents();
-        if (components == null) {
-          components = new LinkedList<Component>();
+        // Look for the formula, and add the new component to it
+        boolean found = false;
+        for ( Formula item : formulation ) {
+          if (item.getBomRef().equals(formulaName)) {
+            found = true;
+            Component comp = new Component();
+            Component.Type compType = Component.Type.FRAMEWORK;
+            comp.setType(Component.Type.FRAMEWORK);
+            comp.setName(name);
+            List<Component> components = item.getComponents();
+            if (components == null) {
+              components = new LinkedList<Component>();
+            }
+            components.add(comp);
+            item.setComponents(components);
+          }
+        }
+        if (found == false) {
+          System.out.println("addFormulationComp could not add component as it couldn't find an entry for formula " + formulaName);
         }
-        components.add(comp);
-        formula.setComponents(components);
-        formulation.set(0, formula);
-        bom.setFormulation(formulation);
         return bom;
     }
 
-    static Bom addFormulationCompProp(final String fileName, final String componentName, final String name, final String value) {     // Method to store metadata --> Properties List --> name-values
+    static Bom addFormulationCompProp(final String fileName, final String formulaName, final String componentName, final String name, final String value) {     // Method to store metadata --> Properties List --> name-values
         Bom bom = readJSONfile(fileName);
+        boolean foundFormula=false;
+        boolean foundComponent=false;
         List<Formula> formulation = bom.getFormulation();
-        Formula formula = formulation.get(0);
-        // Similar to the last method this isn't great as we're assuming there's only one
-        // But we can't create more, and they're not named ...
-        List<Component> components = formulation.get(0).getComponents();
-        for (Component item : components) {
-
-        // What if the name wasn't found - this won't create a new one
-        // Should we skip the "already exists" case and just issue an add?
-            if (item.getName().equals(componentName)) {
-                    Property prop1 = new Property();
-                    prop1.setName(name);
-                    prop1.setValue(value);
-                    item.addProperty(prop1);
+        // Look for the formula, and add the new component to it
+        for ( Formula item : formulation ) {
+          if (item.getBomRef().equals(formulaName)) {
+            foundFormula=true;
+            // Search for the component in the formula and add new component to it
+            List<Component> components = item.getComponents();
+            if ( components == null ) {
+              System.out.println("addFormulationCompProp: Components is null - has addFormulationComp been called?");
+            } else {
+              for (Component comp : components) {
+                if (comp.getName().equals(componentName)) {
+                  foundComponent=true;
+                  Property prop1 = new Property();
+                  prop1.setName(name);
+                  prop1.setValue(value);
+                  comp.addProperty(prop1);
+                  item.setComponents(components);
+                }
+              }
             }
+          }
+        }
+        if (foundFormula == false) {
+          System.out.println("addFormulationCompProp could not add add property as it couldn't find an entry for formula " + formulaName);
+        } else if (foundComponent == false) {
+          System.out.println("addFormulationCompProp could not add add property as it couldn't find an entry for component " + componentName);
         }
-        formula.setComponents(components);
-        formulation.set(0, formula);
-        bom.setFormulation(formulation);
         return bom;
     }
+
     static String generateBomJson(final Bom bom) {
         // Use schema v15: https://cyclonedx.org/schema/bom-1.5.schema.json
         BomJsonGenerator bomGen = BomGeneratorFactory.createJson(CycloneDxSchema.Version.VERSION_15, bom);

diff --git a/sbin/build.sh b/sbin/build.sh
@@ -878,8 +878,8 @@ generateSBoM() {
   addSBOMMetadataProperty "${javaHome}" "${classpath}" "${sbomJson}" "OS architecture" "${BUILD_CONFIG[OS_ARCHITECTURE]^}"
 
   # Set default SBOM formulation
-  addSBOMFormulation "${javaHome}" "${classpath}" "${sbomJson}"
-  addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX jar SHAs"
+  addSBOMFormulation "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX"
+  addSBOMFormulationComp "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs"
 
   # Below add build tools into metadata tools
   if [ "${BUILD_CONFIG[OS_KERNEL_NAME]}" == "linux" ]; then
@@ -1065,7 +1065,7 @@ addCycloneDXVersions() {
          else
             JarSha=$(sha256sum "${CYCLONEDB_DIR}/build/jar/cyclonedx-core-java.jar" | cut -d' ' -f1)
          fi
-         addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX jar SHAs" "${JarName}" "${JarSha}"
+         addSBOMFormulationComponentProperty "${javaHome}" "${classpath}" "${sbomJson}" "CycloneDX" "CycloneDX jar SHAs" "${JarName}" "${JarSha}"
        done
    fi
 }

diff --git a/sbin/common/sbom.sh b/sbin/common/sbom.sh
@@ -50,15 +50,17 @@ addSBOMFormulation() {
   local javaHome="${1}"
   local classpath="${2}"
   local jsonFile="${3}"
-  "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addFormulation --jsonFile "${jsonFile}"
+  local formulaName="${4}"
+  "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addFormulation --formulaName "${formulaName}" --jsonFile "${jsonFile}"
 }
 
 addSBOMFormulationComp() {
   local javaHome="${1}"
   local classpath="${2}"
   local jsonFile="${3}"
-  local name="${4}"
-  "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addFormulationComp --jsonFile "${jsonFile}" --name "${name}"
+  local formulaName="${4}"
+  local name="${5}"
+  "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addFormulationComp --jsonFile "${jsonFile}" --formulaName "${formulaName}" --name "${name}"
 }  
 
 # Ref: https://cyclonedx.org/docs/1.4/json/#formulation
@@ -67,10 +69,11 @@ addSBOMFormulationComponentProperty() {
   local javaHome="${1}"
   local classpath="${2}"
   local jsonFile="${3}"
-  local compName="${4}"
-  local name="${5}"
-  local value="${6}"
-  "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addFormulationCompProp --jsonFile "${jsonFile}" --compName "${compName}" --name "${name}" --value "${value}"
+  local formulaName="${4}"
+  local compName="${5}"
+  local name="${6}"
+  local value="${7}"
+  "${javaHome}"/bin/java -cp "${classpath}" temurin.sbom.TemurinGenSBOM --addFormulationCompProp --jsonFile "${jsonFile}" --formulaName "${formulaName}" --compName "${compName}" --name "${name}" --value "${value}"
 }