Merge remote-tracking branch 'origin/master'

# Conflicts:
#	cyclonedx-ruby.gemspec
#	lib/bom_builder.rb
#	lib/bom_helpers.rb

Author: stevespringett

.github/workflows/ruby.yml

@@ -1,6 +1,6 @@
 name: Ruby CI
 
-on: [push]
+on: [push, pull_request]
 
 jobs:
   build:

.gitignore

@@ -0,0 +1 @@
+.idea

Gemfile

@@ -1,4 +1,4 @@
 source 'https://rubygems.org'
 
 # Specify your gem's dependencies in cyclonedx-ruby.gemspec
-gemspec
+gemspec

README.md

@@ -2,6 +2,7 @@
 [![Gem Version](https://badge.fury.io/rb/cyclonedx-ruby.svg)](https://badge.fury.io/rb/cyclonedx-ruby)
 [![License](https://img.shields.io/badge/license-Apache%202.0-brightgreen.svg)][License]
 [![Website](https://img.shields.io/badge/https://-cyclonedx.org-blue.svg)](https://cyclonedx.org/)
+[![Slack Invite](https://img.shields.io/badge/Slack-Join-blue?logo=slack&labelColor=393939)](https://cyclonedx.org/slack/invite)
 [![Group Discussion](https://img.shields.io/badge/discussion-groups.io-blue.svg)](https://groups.io/g/CycloneDX)
 [![Twitter](https://img.shields.io/twitter/url/http/shields.io.svg?style=social&label=Follow)](https://twitter.com/CycloneDX_Spec)
 

bin/cyclonedx-ruby

@@ -1,4 +1,5 @@
 #!/usr/bin/env ruby
+# frozen_string_literal: true
 
 require 'bom_builder'
-Bombuilder.build(ARGV[0])
+Bombuilder.build(ARGV[0])

cyclonedx-ruby.gemspec

@@ -1,19 +1,21 @@
+# frozen_string_literal: true
+
 Gem::Specification.new do |spec|
-  spec.name        = "cyclonedx-ruby"
-  spec.version     = "1.1.0"
-  spec.date        = "2019-07-12"
-  spec.summary     = "CycloneDX Software Bill of Material (SBOM) generation utility"
-  spec.description = "CycloneDX is a lightweight software bill-of-material (SBOM) specification designed for use in application security contexts and supply chain component analysis. This Gem generates CycloneDX BOMs from Ruby projects."
-  spec.authors     = ["Joseph Kobti", "Steve Springett"]
-  spec.email       = "josephkobti@outlook.com"
-  spec.files       = ["lib/bom_builder.rb", "lib/bom_helpers.rb", "lib/licenses.json"]
-  spec.homepage    = "https://github.com/CycloneDX/cyclonedx-ruby-gem"
-  spec.license     = "Apache-2.0"
-  spec.executables << "cyclonedx-ruby"
+  spec.name        = 'cyclonedx-ruby'
+  spec.version     = '1.1.0'
+  spec.date        = '2019-07-12'
+  spec.summary     = 'CycloneDX software bill-of-material (SBoM) generation utility'
+  spec.description = 'CycloneDX is a lightweight software bill-of-material (SBOM) specification designed for use in application security contexts and supply chain component analysis. This Gem generates CycloneDX BOMs from Ruby projects.'
+  spec.authors     = ['Joseph Kobti', 'Steve Springett']
+  spec.email       = 'josephkobti@outlook.com'
+  spec.files       = ['lib/bom_builder.rb', 'lib/bom_helpers.rb', 'lib/licenses.json']
+  spec.homepage    = 'https://github.com/CycloneDX/cyclonedx-ruby-gem'
+  spec.license     = 'Apache-2.0'
+  spec.executables << 'cyclonedx-ruby'
   spec.add_dependency('json', '~> 2.2')
   spec.add_dependency('nokogiri', '~> 1.8')
   spec.add_dependency('ostruct', '~> 0.1')
   spec.add_dependency('rest-client', '~> 2.0')
   spec.add_development_dependency 'rake', '~> 12'
   spec.add_development_dependency 'rspec', '~> 3.7'
-end
+end

lib/bom_builder.rb

@@ -1,34 +1,15 @@
-# This file is part of CycloneDX Ruby Gem.
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# Copyright (c) OWASP Foundation. All Rights Reserved.
-require "bundler"
-require "fileutils"
-require "json"
-require "logger"
-require "nokogiri"
-require "optparse"
-require "ostruct"
-require "rest_client"
+# frozen_string_literal: true
+
+require 'bundler'
+require 'fileutils'
+require 'json'
+require 'logger'
+require 'nokogiri'
+require 'optparse'
+require 'ostruct'
+require 'rest_client'
 require 'securerandom'
-require_relative "bom_helpers"
+require_relative 'bom_helpers'
 
 class Bombuilder
   def self.build(path)
@@ -40,29 +21,29 @@ def self.build(path)
     begin
       @logger.info("Changing directory to the original working directory located at #{original_working_directory}")
       Dir.chdir original_working_directory
-    rescue => e
+    rescue StandardError => e
       @logger.error("Unable to change directory the original working directory located at #{original_working_directory}. #{e.message}: #{e.backtrace.join('\n')}")
       abort
     end
 
     bom_directory = File.dirname(@bom_file_path)
     begin
       FileUtils.mkdir_p(bom_directory) unless File.directory?(bom_directory)
-    rescue => e
+    rescue StandardError => e
       @logger.error("Unable to create the directory to hold the BOM output at #{@bom_directory}. #{e.message}: #{e.backtrace.join('\n')}")
       abort
     end
 
     begin
       @logger.info("Writing BOM to #{@bom_file_path}...")
-      File.open(@bom_file_path, "w") {|file| file.write(bom)}
+      File.open(@bom_file_path, 'w') { |file| file.write(bom) }
 
       if @options[:verbose]
         @logger.info("#{@gems.size} gems were written to BOM located at #{@bom_file_path}")
       else
         puts "#{@gems.size} gems were written to BOM located at #{@bom_file_path}"
       end
-    rescue => e
+    rescue StandardError => e
       @logger.error("Unable to write BOM to #{@bom_file_path}. #{e.message}: #{e.backtrace.join('\n')}")
       abort
     end
@@ -71,96 +52,96 @@ def self.build(path)
   def self.setup(path)
     @options = {}
     OptionParser.new do |opts|
-      opts.banner = "Usage: cyclonedx-ruby [options]"
-    
-      opts.on("-v", "--[no-]verbose", "Run verbosely") do |v|
+      opts.banner = 'Usage: cyclonedx-ruby [options]'
+
+      opts.on('-v', '--[no-]verbose', 'Run verbosely') do |v|
         @options[:verbose] = v
       end
-      opts.on("-p", "--path path", "(Required) Path to Ruby project directory") do |path|
+      opts.on('-p', '--path path', '(Required) Path to Ruby project directory') do |path|
         @options[:path] = path
       end
-      opts.on("-o", "--output bom_file_path", "(Optional) Path to output the bom.xml file to") do |bom_file_path|
+      opts.on('-o', '--output bom_file_path', '(Optional) Path to output the bom.xml file to') do |bom_file_path|
         @options[:bom_file_path] = bom_file_path
       end
-      opts.on_tail("-h", "--help", "Show help message") do
+      opts.on_tail('-h', '--help', 'Show help message') do
         puts opts
         exit
       end
     end.parse!
 
-    @logger = Logger.new(STDOUT)
-    if @options[:verbose]
-      @logger.level = Logger::INFO
-    else
-      @logger.level = Logger::ERROR
-    end
+    @logger = Logger.new($stdout)
+    @logger.level = if @options[:verbose]
+                      Logger::INFO
+                    else
+                      Logger::ERROR
+                    end
 
     @gems = []
     licenses_file = File.read "#{__dir__}/licenses.json"
     @licenses_list = JSON.parse(licenses_file)
 
     if @options[:path].nil?
-      @logger.error("missing path to project directory")
+      @logger.error('missing path to project directory')
       abort
     end
 
-    if !File.directory?(@options[:path])
+    unless File.directory?(@options[:path])
       @logger.error("path provided is not a valid directory. path provided was: #{@options[:path]}")
       abort
     end
 
     begin
       @logger.info("Changing directory to Ruby project directory located at #{@options[:path]}")
       Dir.chdir @options[:path]
-    rescue => e
+    rescue StandardError => e
       @logger.error("Unable to change directory to Ruby project directory located at #{@options[:path]}. #{e.message}: #{e.backtrace.join('\n')}")
       abort
     end
 
-    if @options[:bom_file_path].nil?
-      @bom_file_path = "./bom.xml"
-    else
-      @bom_file_path = @options[:bom_file_path]
-    end
+    @bom_file_path = if @options[:bom_file_path].nil?
+                       './bom.xml'
+                     else
+                       @options[:bom_file_path]
+                     end
 
     @logger.info("BOM will be written to #{@bom_file_path}")
 
     begin
-      gemfile_path = @options[:path] + "/" + "Gemfile.lock"
+      gemfile_path = "#{@options[:path]}/Gemfile.lock"
       @logger.info("Parsing specs from #{gemfile_path}...")
       gemfile_contents = File.read(gemfile_path)
       @specs = Bundler::LockfileParser.new(gemfile_contents).specs
-      @logger.info("Specs successfully parsed!")
-    rescue => e
+      @logger.info('Specs successfully parsed!')
+    rescue StandardError => e
       @logger.error("Unable to parse specs from #{gemfile_path}. #{e.message}: #{e.backtrace.join('\n')}")
       abort
     end
   end
-  
+
   def self.specs_list
     count = 0
     @specs.each do |dependency|
       object = OpenStruct.new
-      object.name = dependency.name 
-      object.version = dependency.version 
+      object.name = dependency.name
+      object.version = dependency.version
       object.purl = purl(object.name, object.version)
       gem = get_gem(object.name, object.version)
       next if gem.nil?
-      
-      if gem["licenses"] and gem["licenses"].length > 0
-        if @licenses_list.include? gem["licenses"].first
-          object.license_id = gem["licenses"].first
+
+      if gem['licenses']&.length&.positive?
+        if @licenses_list.include? gem['licenses'].first
+          object.license_id = gem['licenses'].first
         else
-          object.license_name = gem["licenses"].first
+          object.license_name = gem['licenses'].first
         end
       end
 
-      object.author = gem["authors"]
-      object.description = gem["summary"] 
-      object.hash = gem["sha"]
+      object.author = gem['authors']
+      object.description = gem['summary']
+      object.hash = gem['sha']
       @gems.push(object)
       count += 1
       @logger.info("#{object.name}:#{object.version} gem added")
     end
-  end 
+  end
 end

lib/bom_helpers.rb

@@ -1,75 +1,57 @@
-# This file is part of CycloneDX Ruby Gem.
-#
-# Licensed to the Apache Software Foundation (ASF) under one
-# or more contributor license agreements.  See the NOTICE file
-# distributed with this work for additional information
-# regarding copyright ownership.  The ASF licenses this file
-# to you under the Apache License, Version 2.0 (the
-# "License"); you may not use this file except in compliance
-# with the License.  You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing,
-# software distributed under the License is distributed on an
-# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-# KIND, either express or implied.  See the License for the
-# specific language governing permissions and limitations
-# under the License.
-#
-# SPDX-License-Identifier: Apache-2.0
-# Copyright (c) OWASP Foundation. All Rights Reserved.
+# frozen_string_literal: true
+
 def purl(name, version)
-    purl = "pkg:gem/" + name + "@" + version.to_s
+  "pkg:gem/#{name}@#{version}"
 end
 
-def random_urn_uuid()
-  random_urn_uuid = "urn:uuid:" + SecureRandom.uuid
+def random_urn_uuid
+  "urn:uuid:#{SecureRandom.uuid}"
 end
 
 def build_bom(gems)
-  builder = Nokogiri::XML::Builder.new(:encoding => "UTF-8") do |xml|
-    attributes = {"xmlns" => "http://cyclonedx.org/schema/bom/1.1", "version" => "1", "serialNumber" => random_urn_uuid}
+  builder = Nokogiri::XML::Builder.new(encoding: 'UTF-8') do |xml|
+    attributes = { 'xmlns' => 'http://cyclonedx.org/schema/bom/1.1', 'version' => '1', 'serialNumber' => random_urn_uuid }
     xml.bom(attributes) do
-      xml.components {
+      xml.components do
         gems.each do |gem|
-          xml.component("type" => "library") {
-            xml.name gem["name"]
-            xml.version gem["version"]
-            xml.description gem["description"]
-            xml.hashes{
-              xml.hash_ gem["hash"], :alg => "SHA-256"
-            }
-            if gem["license_id"]
-              xml.licenses {
-                xml.license{
-                  xml.id gem["license_id"]
-                }
-              } 
-            elsif gem["license_name"]
-              xml.licenses {
-                xml.license{
-                  xml.name gem["license_name"]
-                }
-              }
+          xml.component('type' => 'library') do
+            xml.name gem['name']
+            xml.version gem['version']
+            xml.description gem['description']
+            xml.hashes  do
+              xml.hash_ gem['hash'], alg: 'SHA-256'
+            end
+            if gem['license_id']
+              xml.licenses do
+                xml.license do
+                  xml.id gem['license_id']
+                end
+              end
+            elsif gem['license_name']
+              xml.licenses do
+                xml.license do
+                  xml.name gem['license_name']
+                end
+              end
             end
-            xml.purl gem["purl"]
-          }
+            xml.purl gem['purl']
+          end
         end
-      }
+      end
     end
-  end 
+  end
   builder.to_xml
-end 
+end
 
 def get_gem(name, version)
   url = "https://rubygems.org/api/v1/versions/#{name}.json"
   begin
+    RestClient.proxy = ENV['http_proxy']
     response = RestClient.get(url)
     body = JSON.parse(response.body)
-    body.select {|item| item["number"] == version.to_s}.first
-  rescue 
+    body.select { |item| item['number'] == version.to_s }.first
+  rescue StandardError
     @logger.warn("#{name} couldn't be fetched")
-    return nil
+    nil
   end
-end 
+end