Generates cdx 1.6 compliannt sboms

Author: riteshnoronha

pkg/assemble/cdx/merge.go

@@ -59,7 +59,8 @@ func (m *merge) combinedMerge() error {
 	m.loadBoms()
 
 	log.Debugf("initialize component service")
-	cs := newComponentService(*m.settings.Ctx)
+	//cs := newComponentService(*m.settings.Ctx)
+	cs := newUniqueComponentService(*m.settings.Ctx)
 
 	// Build primary component list from each sbom
 	priCompList := buildPrimaryComponentList(m.in, cs)

pkg/assemble/cdx/uniq_comp_service.go

@@ -0,0 +1,90 @@
+// Copyright 2023 Interlynk.io
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+
+package cdx
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	cydx "github.com/CycloneDX/cyclonedx-go"
+)
+
+type uniqueComponentService struct {
+	ctx context.Context
+	//unique list of new components
+	compMap map[string]*cydx.Component
+
+	//mapping from old component id to new component id
+	idMap map[string]string
+}
+
+func newUniqueComponentService(ctx context.Context) *uniqueComponentService {
+	return &uniqueComponentService{
+		ctx:     ctx,
+		compMap: make(map[string]*cydx.Component),
+		idMap:   make(map[string]string),
+	}
+}
+
+func (s *uniqueComponentService) StoreAndCloneWithNewID(c *cydx.Component) (*cydx.Component, bool) {
+	if c == nil {
+		return nil, false
+	}
+
+	lookupKey := fmt.Sprintf("%s-%s-%s",
+		strings.ToLower(string(c.Type)),
+		strings.ToLower(c.Name),
+		strings.ToLower(c.Version))
+
+	if foundComp, ok := s.compMap[lookupKey]; ok {
+		if c.BOMRef != foundComp.BOMRef {
+			s.idMap[c.BOMRef] = foundComp.BOMRef
+		}
+		return foundComp, true
+	}
+
+	nc, err := cloneComp(c)
+	if err != nil {
+		panic(err)
+	}
+
+	newID := newBomRef()
+	nc.BOMRef = newID
+
+	s.compMap[lookupKey] = nc
+	s.idMap[c.BOMRef] = newID
+	return nc, false
+}
+
+func (s *uniqueComponentService) ResolveDepID(depID string) (string, bool) {
+	if newID, ok := s.idMap[depID]; ok {
+		return newID, true
+	}
+	return "", false
+}
+
+func (s *uniqueComponentService) ResolveDepIDs(depIDs []string) []string {
+	ids := make([]string, 0, len(depIDs))
+	for _, depID := range depIDs {
+		if newID, ok := s.idMap[depID]; ok {
+			ids = append(ids, newID)
+		}
+	}
+	return ids
+}

pkg/assemble/cdx/util.go

@@ -18,15 +18,16 @@ package cdx
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"os"
+	"reflect"
 	"time"
 
 	cydx "github.com/CycloneDX/cyclonedx-go"
 	"github.com/google/uuid"
 	"github.com/interlynk-io/sbomasm/pkg/detect"
 	"github.com/interlynk-io/sbomasm/pkg/logger"
-	"github.com/mitchellh/copystructure"
 	"github.com/samber/lo"
 	"sigs.k8s.io/release-utils/version"
 )
@@ -55,21 +56,88 @@ func newBomRef() string {
 }
 
 func cloneComp(c *cydx.Component) (*cydx.Component, error) {
-	compCopy, err := copystructure.Copy(c)
+	var newComp cydx.Component
+
+	// Marshal the original component to JSON
+	b, err := json.Marshal(c)
 	if err != nil {
 		return nil, err
 	}
 
-	return compCopy.(*cydx.Component), nil
+	// Unmarshal into a map[string]interface{} to perform cleanup
+	var tempMap map[string]interface{}
+	if err := json.Unmarshal(b, &tempMap); err != nil {
+		return nil, err
+	}
+
+	// Remove empty fields recursively
+	cleanedUpMap := removeEmptyFields(tempMap)
+
+	// Marshal the cleaned-up map back to JSON
+	cleanedUpBytes, err := json.Marshal(cleanedUpMap)
+	if err != nil {
+		return nil, err
+	}
+
+	// Unmarshal the cleaned-up JSON back into a cydx.Component struct
+	if err := json.Unmarshal(cleanedUpBytes, &newComp); err != nil {
+		return nil, err
+	}
+
+	return &newComp, nil
 }
 
 func cloneService(s *cydx.Service) (*cydx.Service, error) {
-	serviceCopy, err := copystructure.Copy(s)
+	var newService cydx.Service
+	b, err := json.Marshal(s)
 	if err != nil {
 		return nil, err
 	}
+	json.Unmarshal(b, &newService)
+	return &newService, nil
+}
 
-	return serviceCopy.(*cydx.Service), nil
+// Recursive function to remove empty fields, including empty objects and arrays
+func removeEmptyFields(data interface{}) interface{} {
+	switch v := data.(type) {
+	case map[string]interface{}:
+		// Loop through map and remove empty fields
+		for key, value := range v {
+			v[key] = removeEmptyFields(value)
+			// Remove empty maps and slices
+			if isEmptyValue(v[key]) {
+				delete(v, key)
+			}
+		}
+	case []interface{}:
+		// Process arrays
+		var newArray []interface{}
+		for _, item := range v {
+			item = removeEmptyFields(item)
+			if !isEmptyValue(item) {
+				newArray = append(newArray, item)
+			}
+		}
+		return newArray
+	}
+	return data
+}
+
+// Helper function to determine if a value is considered "empty"
+func isEmptyValue(v interface{}) bool {
+	if v == nil {
+		return true
+	}
+	val := reflect.ValueOf(v)
+	switch val.Kind() {
+	case reflect.Array, reflect.Slice, reflect.Map:
+		return val.Len() == 0
+	case reflect.Struct:
+		return reflect.DeepEqual(v, reflect.Zero(val.Type()).Interface())
+	case reflect.String:
+		return v == ""
+	}
+	return false
 }
 
 func loadBom(ctx context.Context, path string) (*cydx.BOM, error) {
@@ -117,39 +185,42 @@ func utcNowTime() string {
 	return locationTime.Format(time.RFC3339)
 }
 
-func toolInfo(name, version, desc, sName, sUrl, sEmail, sLicense string) *cydx.Component {
-	return &cydx.Component{
+func buildToolList(in []*cydx.BOM) *cydx.ToolsChoice {
+	tools := cydx.ToolsChoice{}
+
+	tools.Services = &[]cydx.Service{}
+	tools.Components = &[]cydx.Component{}
+
+	*tools.Components = append(*tools.Components, cydx.Component{
 		Type:        cydx.ComponentTypeApplication,
-		Name:        name,
-		Version:     version,
-		Description: desc,
+		Name:        "sbomasm",
+		Version:     version.GetVersionInfo().GitVersion,
+		Description: "Assembler & Editor for your sboms",
 		Supplier: &cydx.OrganizationalEntity{
-			Name:    sName,
-			URL:     &[]string{sUrl},
-			Contact: &[]cydx.OrganizationalContact{{Email: sEmail}},
+			Name:    "Interlynk",
+			URL:     &[]string{"https://interlynk.io"},
+			Contact: &[]cydx.OrganizationalContact{{Email: "support@interlynk.io"}},
 		},
 		Licenses: &cydx.Licenses{
 			{
 				License: &cydx.License{
-					ID: sLicense,
+					ID: "Apache-2.0",
 				},
 			},
 		},
-	}
-}
-
-func buildToolList(in []*cydx.BOM) *cydx.ToolsChoice {
-	tools := cydx.ToolsChoice{}
-
-	tools.Services = &[]cydx.Service{}
-	tools.Components = &[]cydx.Component{}
-
-	*tools.Components = append(*tools.Components, *toolInfo("sbomasm", version.GetVersionInfo().GitVersion, "Assembler & Editor for your sboms", "Interlynk", "https://interlynk.io", "support@interlynk.io", "Apache-2.0"))
+	})
 
 	for _, bom := range in {
 		if bom.Metadata != nil && bom.Metadata.Tools != nil {
 			for _, tool := range *bom.Metadata.Tools.Tools {
-				*tools.Components = append(*tools.Components, *toolInfo(tool.Name, tool.Version, "", tool.Vendor, "", "", ""))
+				*tools.Components = append(*tools.Components, cydx.Component{
+					Type:    cydx.ComponentTypeApplication,
+					Name:    tool.Name,
+					Version: tool.Version,
+					Supplier: &cydx.OrganizationalEntity{
+						Name: tool.Vendor,
+					},
+				})
 			}
 		}
 
@@ -168,29 +239,47 @@ func buildToolList(in []*cydx.BOM) *cydx.ToolsChoice {
 		}
 	}
 
+	uniqTools := lo.UniqBy(*tools.Components, func(c cydx.Component) string {
+		return fmt.Sprintf("%s-%s", c.Name, c.Version)
+	})
+
+	uniqServices := lo.UniqBy(*tools.Services, func(s cydx.Service) string {
+		return fmt.Sprintf("%s-%s", s.Name, s.Version)
+	})
+
+	tools.Components = &uniqTools
+	tools.Services = &uniqServices
+
 	return &tools
 }
 
-func buildComponentList(in []*cydx.BOM, cs *ComponentService) []cydx.Component {
-	return lo.Flatten(lo.Map(in, func(bom *cydx.BOM, _ int) []cydx.Component {
-		newComps := []cydx.Component{}
+func buildComponentList(in []*cydx.BOM, cs *uniqueComponentService) []cydx.Component {
+	finalList := []cydx.Component{}
+
+	for _, bom := range in {
 		for _, comp := range lo.FromPtr(bom.Components) {
-			newComps = append(newComps, *cs.StoreAndCloneWithNewID(&comp))
+			newComp, duplicate := cs.StoreAndCloneWithNewID(&comp)
+			if !duplicate {
+				finalList = append(finalList, *newComp)
+			}
 		}
-		return newComps
-	}))
+	}
+	return finalList
 }
 
-func buildPrimaryComponentList(in []*cydx.BOM, cs *ComponentService) []cydx.Component {
+func buildPrimaryComponentList(in []*cydx.BOM, cs *uniqueComponentService) []cydx.Component {
 	return lo.Map(in, func(bom *cydx.BOM, _ int) cydx.Component {
 		if bom.Metadata != nil && bom.Metadata.Component != nil {
-			return *cs.StoreAndCloneWithNewID(bom.Metadata.Component)
+			newComp, duplicate := cs.StoreAndCloneWithNewID(bom.Metadata.Component)
+			if !duplicate {
+				return *newComp
+			}
 		}
 		return cydx.Component{}
 	})
 }
 
-func buildDependencyList(in []*cydx.BOM, cs *ComponentService) []cydx.Dependency {
+func buildDependencyList(in []*cydx.BOM, cs *uniqueComponentService) []cydx.Dependency {
 	return lo.Flatten(lo.Map(in, func(bom *cydx.BOM, _ int) []cydx.Dependency {
 		newDeps := []cydx.Dependency{}
 		for _, dep := range lo.FromPtr(bom.Dependencies) {