From 5f20a7d993fbb7a841dbe1cd490a4b0e620a37e6 Mon Sep 17 00:00:00 2001
From: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
Date: Sun, 18 Aug 2024 18:04:37 -0500
Subject: [PATCH] Using syft

Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
---
 bom.json | 1 -
 pkg/sbom/sbom.go | 11 +++++++----
 2 files changed, 7 insertions(+), 5 deletions(-)
 delete mode 100644 bom.json

diff --git a/bom.json b/bom.json
deleted file mode 100644
index 010752e..0000000
--- a/bom.json
+++ /dev/null
@@ -1 +0,0 @@
-{"bomFormat":"CycloneDX","specVersion":"1.5","serialNumber":"urn:uuid:25d32998-8016-481a-b086-58f67f1788bc","version":1,"metadata":{"timestamp":"2024-08-16T16:50:45Z","tools":{"components":[{"group":"@cyclonedx","name":"cdxgen","version":"10.9.2","purl":"pkg:npm/%40cyclonedx/cdxgen@10.9.2","type":"application","bom-ref":"pkg:npm/@cyclonedx/cdxgen@10.9.2","author":"OWASP Foundation","publisher":"OWASP Foundation"}]},"authors":[{"name":"OWASP Foundation"}],"lifecycles":[{"phase":"build"}],"properties":[]},"components":[],"services":[],"dependencies":[]}
\ No newline at end of file
diff --git a/pkg/sbom/sbom.go b/pkg/sbom/sbom.go
index aab62e4..b95b5be 100644
--- a/pkg/sbom/sbom.go
+++ b/pkg/sbom/sbom.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 	"os/exec"
+	"strings"
 	"time"
 
 	proto "github.com/protobom/protobom/pkg/reader"
@@ -22,16 +23,18 @@ func ValidateSBOM(sbom string) error {
 // GenerateSBOMWithCycloneDX generates an SBOM using the cdxgen binary.
 func GenerateSBOMWithCycloneDX(directory, outputFile, repo string) error {
 	// Check if cdxgen is installed
-	_, err := exec.LookPath("cdxgen")
+	_, err := exec.LookPath("syft")
 	if err != nil {
-		return fmt.Errorf("cdxgen is not installed or not in PATH: %w", err)
+		return fmt.Errorf("syft is not installed or not in PATH: %w", err)
 	}
-
+	// Generate the output file name by replacing slashes with underscores and appending .json extension
+	escapedRepo := strings.ReplaceAll(repo, "/", "_")
+	outputFileName := fmt.Sprintf("%s.json", escapedRepo)
 	// Create a context with a 5-minute timeout
 	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Minute)
 	defer cancel()
-	cmd := exec.CommandContext(ctx, "cdxgen", "-r", "-o", outputFile, "--no-install-deps", "--project-name", repo, "--install-deps", "false", "--spec-version", "1.5", directory)
+	cmd := exec.CommandContext(ctx, "syft", "scan", directory, "-o", "cyclonedx-json", "--file", outputFileName)
 	fmt.Println("Executing command: for the repo", repo, cmd.String())
 	output, err := cmd.CombinedOutput()
 	if ctx.Err() == context.DeadlineExceeded {
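Review bot: The added `outputFileName` silently displaces the caller's `outputFile`: the parameter stays in the signature but is no longer read anywhere in the hunk, so the SBOM now lands in `<repo>.json` relative to the process's working directory instead of the path the caller asked for. If a per-repo name is the intent, anchor it under the caller's path, e.g. `outputFileName := filepath.Join(filepath.Dir(outputFile), escapedRepo+".json")` (needs `path/filepath`); otherwise pass `outputFile` straight to `--file` and drop `escapedRepo`. `strings.ReplaceAll(repo, "/", "_")` neutralises only `/`, and since the result becomes a filesystem path handed to an external tool, a stricter allowlist (letters, digits, `.`, `_`, `-`) or `filepath.Base` on the result would be the safer normalisation if `repo` can originate outside the program. The doc comment on the first context line and `// Check if cdxgen is installed` still name cdxgen; change the latter to `// Check if syft is installed` and reword the former to say syft (the format is still CycloneDX via `-o cyclonedx-json`). The function body continues past the end of the hunk.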