fixup! output basic cyclonedx-json

33cf79e2 · Jérome Perrin · e3633073 · 33cf79e2 · 33cf79e2
Commit 33cf79e2 authored Jun 02, 2024 by Jérome Perrin
Hide whitespace changes
Inline Side-by-side

Showing with 46 additions and 12 deletions

nxdbom/__init__.py nxdbom/__init__.py +32 -11

nxdbom/nxdbom_test.py nxdbom/nxdbom_test.py +14 -1

No files found.
--- a/nxdbom/__init__.py
+++ b/nxdbom/__init__.py
@@ -36,7 +36,6 @@ import argparse
 import json
 import sys, configparser, re, codecs
 import uuid
-import warnings


 # PkgInfo represents information about a package
@@ -547,18 +546,40 @@ def fmt_bom_cyclonedx_json(bom, software_path):
        }
    }
    components = bom_json["components"] = []
-
    for _, pkginfo in sorted(bom.items()):
-        purl_type = 'pypi' if pkginfo.kind == 'egg' else 'library'
+        cpe = None
+        externalReferences = []
+        if pkginfo.url:
+            externalReferences.append(
+                {
+                    'url': pkginfo.url,
+                    'type': (
+                        'vcs'
+                        if pkginfo.kind == 'git'
+                        else 'distribution'
+                    ),
+                }
+            )
+        purl_type = 'generic'
+        if pkginfo.kind == 'egg':
+            purl_type = 'pypi'
+        elif pkginfo.kind == 'gem':
+            purl_type = 'gem'
+        else:
+            cpe = f'cpe:2.3:*:*:{pkginfo.name}:{pkginfo.version}:*:*:*:*:*:*:*'
        purl = f'pkg:{purl_type}/{pkginfo.name}@{pkginfo.version}'
-        components.append(
-            {
-                'name': pkginfo.name,
-                'purl': purl,
-                'type': 'library',
-                'version': pkginfo.version,
-            }
-        )
+        component = {
+            'name': pkginfo.name,
+            'purl': purl,
+            'type': 'library',
+            'version': pkginfo.version,
+        }
+        if cpe:
+            component['cpe'] = cpe
+        if externalReferences:
+            component['externalReferences'] = externalReferences
+        components.append(component)
+
    return bom_json



--- a/nxdbom/nxdbom_test.py
+++ b/nxdbom/nxdbom_test.py
@@ -537,14 +537,27 @@ eggs =
    assert [c['name'] for c in cyclonedx['metadata']['tools']['components']] == ['nxdbom']
    assert cyclonedx['components'] == [
         {
+             'externalReferences': [
+                 {
+                     'type': 'distribution',
+                     'url': 'https://pypi.org/project/aaa/1.2.3/',
+                 },
+             ],
             'name': 'aaa',
             'purl': 'pkg:pypi/aaa@1.2.3',
             'type': 'library',
             'version': '1.2.3',
         },
         {
+             'cpe': 'cpe:2.3:*:*:libpng:1.6.37:*:*:*:*:*:*:*',
+             'externalReferences': [
+                 {
+                     'type': 'distribution',
+                     'url': 'http://download.sourceforge.net/libpng/libpng-1.6.37.tar.xz',
+                 },
+             ],
             'name': 'libpng',
-             'purl': 'pkg:library/libpng@1.6.37',
+             'purl': 'pkg:generic/libpng@1.6.37',
             'type': 'library',
             'version': '1.6.37',
         },