Merge pull request #107 from interlynk-io/fix/asm-dt-integration

Improve sbomasm DT integration. Generated CDX 1.6 compliant sboms.

Author: riteshnoronha

README.md

@@ -64,6 +64,20 @@ docker run -v .:/app/sboms/ ghcr.io/interlynk-io/sbomasm:v0.1.3 assemble -n "ass
 sbomasm assemble -n "mega cdx app" -v "1.0.0" -t "application" -e 1.4 -o final-product.cdx.json sbom1.json sbom2.json sbom3.json
 ```
 
+#### Dependency Track Integration 
+
+Assemble 2 projects from DT into a flat merged assembled sbom, and save the file to local disk.
+```sh
+sbomasm assemble dt -d -u "http://localhost:8081/" -k "odt_EpqhWc1Meuc50VeD0w5fuyKELt5dbCUb" -n "mega-app" -v "1.0.0
+" -t "application" -f -o merged_sbom.json  08c2777b-bc4f-4b98-be54-e3f901736d71 9d94d566-a20c-4b65-b1b8-18dc4e238a55
+```
+
+Assemble 2 projects from DT using flat merge and push the assembled sbom to another project 
+```sh 
+./build/sbomasm assemble dt -d -u "http://localhost:8081/" -k "odt_EpqhWc1Meuc50VeD0w5fuyKELt5dbCUb" -n "mega-app" -v "1.0.0
+" -t "application"  -f -o 1379d800-abb0-498b-a6e5-533318670e40  08c2777b-bc4f-4b98-be54-e3f901736d71 9d94d566-a20c-4b65-b1b8-18dc4e238a55
+```
+
 ### Edit SBOMs
 Change the name and version of the primary component.
 ```sh
@@ -160,14 +174,14 @@ for input and output formats
 ## Merge Algorithm
 The default merge algorithm is `Hierarchical` merge.
 
-| Algo  | SBOM Spec | Notes |
-|----------|----------|----------|
-| Hierarchical   | CycloneDX  | For each input SBOM, we associate the dependent components with its primary component. This primary component is then included as a dependent of the newly created primary component for the assembled SBOM. |
-| Flat  | CycloneDX   | Provides a flat list of components, duplicates are not removed. |
-| Assembly | CycloneDX | Similar to Hierarchical merge, but treats each sbom as not dependent, so no relationships are created with primary.  |
-| Hierarchical   | SPDX  | It maintains relationships among all the merged documents. Contains relationship is using to express dependencies. No duplicate components are removed.|
-| Flat  | SPDX   | It creates a flat list of all packages and files. It removes all relationships except the describes relationship|
-| Assembly | SPDX | Similar to Hierarchical, except the contains relationship is omitted |
+| Algo  | SBOM Spec| Duplicates | Notes |
+|----------|----------|------|----------|
+| Hierarchical   | CycloneDX  | Not Removed | For each input SBOM, we associate the dependent components with its primary component. This primary component is then included as a dependent of the newly created primary component for the assembled SBOM|
+| Flat  | CycloneDX   | Removed | Provides a flat list of components |
+| Assembly | CycloneDX | Removed | Similar to Hierarchical merge, but treats each sbom as not dependent, so no relationships are created with primary.  |
+| Hierarchical   | SPDX  | Not Removed | It maintains relationships among all the merged documents. Contains relationship is using to express dependencies. No duplicate components are removed.|
+| Flat  | SPDX   | Not Removed | It creates a flat list of all packages and files. It removes all relationships except the describes relationship|
+| Assembly | SPDX | Not Removed | Similar to Hierarchical, except the contains relationship is omitted |
 
 # A complete example/use-case
 Interlynk produces a variety of closed-source tools that it offers to its customers. One of its security-conscious customers recognizes the importance of being diligent about the tools running on its network and has asked Interlynk to provide SBOMs for each tool. Interlynk has complied with this request by providing individual SBOMs for each tool it ships to the customer. However, the customer soon realizes that keeping track of so many SBOMs, which they receive at regular intervals, is challenging. To address this issue, the customer automates the process by combining all the SBOMs provided by Interlynk into a single SBOM, which they can monitor more easily using their preferred tool.

cmd/dt.go

@@ -62,7 +62,6 @@ Basic Example:
 		dtParams.PopulateInputField(ctx)
 
 		assembleParams, err := extractArgsFromDTtoAssemble(dtParams)
-		fmt.Println("assemble.Input: ", assembleParams.Input)
 		if err != nil {
 			return err
 		}
@@ -165,12 +164,10 @@ func extractDtArgs(cmd *cobra.Command, args []string) (*dt.Params, error) {
 	if _, err := uuid.Parse(output); err == nil {
 		aParams.Upload = true
 		aParams.UploadProjectID = uuid.MustParse(output)
-		fmt.Printf("Upload: %v and SBOM to Project ID: %v \n", aParams.Upload, aParams.UploadProjectID)
 	} else {
 		// Assume it's a file path
 		aParams.Output = output
 		aParams.Upload = false
-		fmt.Printf("Upload: %v and SBOM to Project ID: %v \n", aParams.Upload, aParams.Output)
 	}
 
 	for _, arg := range args {

go.mod

@@ -11,7 +11,6 @@ require (
 	github.com/google/go-github/v52 v52.0.0
 	github.com/google/uuid v1.6.0
 	github.com/mitchellh/copystructure v1.2.0
-	github.com/mitchellh/hashstructure/v2 v2.0.2
 	github.com/pingcap/log v1.1.0
 	github.com/samber/lo v1.47.0
 	github.com/spdx/tools-golang v0.5.5
@@ -27,21 +26,17 @@ require (
 	github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect
 	github.com/cloudflare/circl v1.3.9 // indirect
 	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/rogpeppe/go-internal v1.12.0 // indirect
 	github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/testify v1.9.0
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.26.0 // indirect
 	golang.org/x/oauth2 v0.22.0 // indirect
 	golang.org/x/sys v0.24.0 // indirect
 	golang.org/x/text v0.17.0 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect
 )

go.sum

@@ -48,8 +48,6 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
-github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
-github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/pingcap/errors v0.11.0 h1:DCJQB8jrHbQ1VVlMFIrbj2ApScNNotVmkSNplu2yUt4=

pkg/assemble/cdx/comp_service.go

@@ -131,11 +131,6 @@ type MergeSettings struct {
 }
 
 func Merge(ms *MergeSettings) error {
-	merger := newMerge(ms)
-
-	merger.loadBoms()
-	merger.initOutBom()
-
 	if len(ms.Output.Spec) > 0 && ms.Output.Spec != "cyclonedx" {
 		return errors.New("invalid output spec")
 	}
@@ -144,13 +139,6 @@ func Merge(ms *MergeSettings) error {
 		return errors.New("invalid CycloneDX spec version")
 	}
 
-	if ms.Assemble.FlatMerge {
-		return merger.flatMerge()
-	} else if ms.Assemble.HierarchicalMerge {
-		return merger.hierarchicalMerge()
-	} else if ms.Assemble.AssemblyMerge {
-		return merger.assemblyMerge()
-	}
-
-	return merger.hierarchicalMerge()
+	merger := newMerge(ms)
+	return merger.combinedMerge()
 }