add scoring capbility and related functionality

viveksahu26 · viveksahu26 · commit 811d2c665934 · 2025-10-03T20:05:16.000+05:30
diff --git a/pkg/scorer/v2/engine.go b/pkg/scorer/v2/engine.go
@@ -23,10 +23,11 @@ import (
 	"github.com/interlynk-io/sbomqs/pkg/sbom"
 )
 
-func ScoreSBOM(ctx context.Context, config Config, paths []string) ([]ScoreResult, error) {
+func ScoreSBOM(ctx context.Context, config Config, paths []string) ([]Result, error) {
 	log := logger.FromContext(ctx)
-	var results []ScoreResult
-	var anyProcessed bool
+
+	// var results []Result
+	// var anyProcessed bool
 
 	// Validate paths
 	validPaths := validatePaths(ctx, paths)
@@ -39,69 +40,68 @@ func ScoreSBOM(ctx context.Context, config Config, paths []string) ([]ScoreResul
 		return nil, fmt.Errorf("failed to validate SBOM configuration: %w", err)
 	}
 
-	// 3) Process each valid input
-	log.Debugf("processing %d SBOM inputs", len(validPaths))
+	results := make([]Result, 0, len(validPaths))
+	var anyProcessed bool
 
-	for _, p := range validPaths {
+	for _, path := range validPaths {
 		switch {
-		case IsURL(p):
-			log.Debugf("processing URL: %s", p)
+		case IsURL(path):
+			log.Debugf("processing URL: %s", path)
+
+			// sbomFile, sig, err := processURLInput(ctx, p, config)
+			// if err != nil {
+			// 	log.Warnf("failed to process URL %s: %v", p, err)
+			// 	continue
+			// }
+			// func() {
+			// 	defer func() {
+			// 		_ = sbomFile.Close()
+			// 		_ = os.Remove(sbomFile.Name())
+			// 	}()
+			// 	res, err := processSBOMInput(ctx, sbomFile, sig, config, p)
+			// 	if err != nil {
+			// 		log.Warnf("failed to score SBOM from URL %s: %v", p, err)
+			// 		return
+			// 	}
+			// 	results = append(results, res)
+			// 	anyProcessed = true
+			// }()
+
+		case IsDir(path):
+			// dirResults := processDirectory(ctx, p, config)
+			// if len(dirResults) > 0 {
+			// 	results = append(results, dirResults...)
+			// 	anyProcessed = true
+			// }
 
-			sbomFile, sig, err := processURLInput(ctx, p, config) // returns *os.File (temp) + signature bundle
+		default:
+			log.Debugf("processing file: %s", path)
+
+			file, err := getFileHandle(ctx, path)
 			if err != nil {
-				log.Warnf("failed to process URL %s: %v", p, err)
+				log.Warnf("failed to open file %s: %v", path, err)
 				continue
 			}
-			func() { // ensure cleanup per-iteration
-				defer func() {
-					_ = sbomFile.Close()
-					_ = os.Remove(sbomFile.Name())
-				}()
-				res, err := processSBOMInput(ctx, sbomFile, sig, config, p)
-				if err != nil {
-					log.Warnf("failed to score SBOM from URL %s: %v", p, err)
-					return
-				}
-				results = append(results, res)
-				anyProcessed = true
-			}()
-
-		case IsDir(p):
-			log.Debugf("processing directory: %s", p)
-			dirResults := processDirectory(ctx, p, config) // []ScoreResult (skip bad files internally)
-			if len(dirResults) > 0 {
-				results = append(results, dirResults...)
-				anyProcessed = true
-			}
-
-		default:
-			if _, err := os.Stat(p); err != nil {
-				log.Warnf("cannot stat path %s: %v", p, err)
-				continue
+			defer file.Close()
+
+			signature, err := getSignature(
+				ctx,
+				path,
+				config.SignatureBundle.SigValue,
+				config.SignatureBundle.PublicKey,
+			)
+			if err != nil {
+				return nil, fmt.Errorf("get signature for %q: %w", path, err)
 			}
-			log.Debugf("processing file: %s", p)
 
-			f, err := getFileHandle(ctx, p) // *os.File
+			res, err := SBOMEvaluation(ctx, file, signature, config, path)
 			if err != nil {
-				log.Warnf("failed to open file %s: %v", p, err)
-				continue
+				log.Warnf("failed to process SBOM %s: %v", path, err)
+				return nil, fmt.Errorf("process SBOM %q: %w", path, err)
 			}
-			func() {
-				defer f.Close()
-
-				sig, err := getSignature(ctx, p, config.SignatureBundle.SigValue, config.SignatureBundle.PublicKey)
-				if err != nil {
-					log.Warnf("failed to get signature for %s: %v", p, err)
-					return
-				}
-				res, err := processSBOMInput(ctx, f, sig, config, p)
-				if err != nil {
-					log.Warnf("failed to process SBOM %s: %v", p, err)
-					return
-				}
-				results = append(results, res)
-				anyProcessed = true
-			}()
+
+			results = append(results, res)
+			anyProcessed = true
 		}
 	}
 
diff --git a/pkg/scorer/v2/registry.go b/pkg/scorer/v2/registry.go
@@ -0,0 +1,45 @@
+package v2
+
+var Identification = CategorySpec{
+	Name:   "Identification",
+	Weight: 10,
+	Features: []FeatureSpec{
+		{Key: "comp_with_name", Weight: 0.40, Eval: CompWithName},
+		{Key: "comp_with_version", Weight: 0.35, Eval: CompWithVersion},
+		{Key: "comp_with_ids", Weight: 0.25, Eval: CompWithUniqIDs},
+	},
+}
+
+var Provenance = CategorySpec{
+	Name:   "Provenance",
+	Weight: 12,
+	Features: []FeatureSpec{
+		{Key: "sbom_creation_timestamp", Weight: 0.20, Eval: SBOMCreationTime},
+		{Key: "sbom_authors", Weight: 0.20, Eval: SBOMAuthors},
+		{Key: "sbom_tool_version", Weight: 0.20, Eval: SBOMToolVersion},
+		{Key: "sbom_supplier", Weight: 0.15, Eval: SBOMSupplier},
+		{Key: "sbom_namespace", Weight: 0.15, Eval: SBOMNamespace},
+		{Key: "sbom_lifecycle", Weight: 0.10, Eval: SBOMLifecycle},
+	},
+}
+
+var Integrity = CategorySpec{
+	Name:   "Integrity",
+	Weight: 15,
+	Features: []FeatureSpec{
+		{Key: "sbom_signature", Weight: 0.10, Eval: SBOMDDocSignature},
+		{Key: "comp_with_hash", Weight: 0.10, Eval: CompWithChecksum},
+	},
+}
+
+var Completeness = CategorySpec{
+	Name:   "Completeness",
+	Weight: 12,
+	Features: []FeatureSpec{
+		{Key: "sbom_signature", Weight: 0.10, Eval: SBOMDDocSignature},
+		{Key: "comp_with_dependencies", Weight: 0.25, Eval: CompWithDependencies},
+		{Key: "comp_with_declared_completeness", Weight: 0.15, Eval: CompWithDeclaredCompleteness},
+		{Key: "primary_component", Weight: 0.15, Eval: PrimaryComponent},
+		{Key: "comp_with_declared_completeness", Weight: 0.15, Eval: CompWithDeclaredCompleteness},
+	},
+}
diff --git a/pkg/scorer/v2/result.go b/pkg/scorer/v2/result.go
@@ -43,3 +43,16 @@ type ScoreResult struct {
 	Overall    float64
 	Categories []CategoryResult
 }
+
+// Result represents result of an SBOM
+type Result struct {
+	Spec           string
+	SpecVersion    string
+	FileFormat     string
+	Filename       string
+	NumComponents  int
+	CreationTime   string
+	InterlynkScore float64
+	Grade          string
+	Categories     []CategoryResult
+}
diff --git a/pkg/scorer/v2/spec.go b/pkg/scorer/v2/spec.go
@@ -20,14 +20,14 @@ import "github.com/interlynk-io/sbomqs/pkg/sbom"
 // It returns a raw 0..10 score, a description, and whether to ignore (N/A).
 type FeatureFunc func(doc sbom.Document) FeatureScore
 
-// Feature contains Key, Weight and corresponding evaluating funtion.
+// FeatureSpec represents properties of a feature.
 type FeatureSpec struct {
-	Key    string
-	Weight float64
-	Eval   FeatureFunc
+	Key      string
+	Weight   float64
+	Evaluate FeatureFunc
 }
 
-// Category contains Name, Weight and collection of features.
+// CategorySpec represent properties of a category.
 type CategorySpec struct {
 	Name     string
 	Weight   float64
@@ -36,13 +36,23 @@ type CategorySpec struct {
 
 type Config struct {
 	// Categories to score (e.g., "provenance", "completeness")
-	Categories []CategorySpec
+	Categories []string
 
 	// Features to score (e.g., "components", "dependencies")
-	Features []FeatureSpec
+	Features []string
 
 	// Optional path to a config file for filters
 	ConfigFile string
 
 	SignatureBundle sbom.Signature
 }
+
+// extractMeta pulls the data to show in the final output.
+type interlynkMeta struct {
+	Filename      string
+	NumComponents int
+	CreationTime  string
+	Spec          string
+	SpecVersion   string
+	FileFormat    string
+}
diff --git a/pkg/scorer/v2/utils.go b/pkg/scorer/v2/utils.go
@@ -15,13 +15,16 @@
 package v2
 
 import (
+	"context"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"os"
 	"regexp"
 	"strings"
+
+	"github.com/interlynk-io/sbomqs/pkg/logger"
 )
 
 func IsDir(path string) bool {
@@ -93,3 +96,35 @@ func DownloadURL(url string) ([]byte, error) {
 
 	return data, err
 }
+
+func RemoveEmptyStrings(input []string) []string {
+	var output []string
+	for _, s := range input {
+		if trimmed := strings.TrimSpace(s); trimmed != "" {
+			output = append(output, trimmed)
+		}
+	}
+	return output
+}
+
+func normalizeAndValidateCategories(ctx context.Context, categories []string) ([]string, error) {
+	log := logger.FromContext(ctx)
+	var normalized []string
+
+	for _, c := range categories {
+
+		// normalize using alias
+		if alias, ok := CategoryAliases[c]; ok {
+			c = alias
+		}
+
+		// validate if it's a supported category
+		if !SupportedCategories[c] {
+			log.Warnf("unsupported category: %s", c)
+			continue
+		}
+		normalized = append(normalized, c)
+	}
+
+	return normalized, nil
+}
diff --git a/pkg/scorer/v2/validate.go b/pkg/scorer/v2/validate.go
