dfetch/script/create_sbom.py at b1c6eaec680bce30875e9b8b9f2c4557de6eea94 · dfetch-org/dfetch · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
#!/usr/bin/env python3
"""Generate an sbom of the tool."""

import argparse
import contextlib
import logging
import subprocess  # nosec
import sys
import tempfile
import venv
from pathlib import Path

logging.basicConfig(level=logging.INFO)

PROJECT_DIR = Path(__file__).parent.parent.resolve()

DEPS = f"{PROJECT_DIR}[sbom]"

PLATFORM_MAPPING = {
    "darwin": "osx",
    "win": "win",
}
PLATFORM_NAME = next(
    (
        name
        for prefix, name in PLATFORM_MAPPING.items()
        if sys.platform.startswith(prefix)
    ),
    "nix",
)


@contextlib.contextmanager
def temporary_venv():
    """Create a temporary virtual environment and clean it up on exit."""
    with tempfile.TemporaryDirectory(prefix="venv_sbom_") as tmpdir:
        venv_dir = Path(tmpdir)
        logging.info(f"Creating temporary virtual environment at {venv_dir}")
        venv.create(venv_dir, with_pip=True, upgrade_deps=True)

        if sys.platform.startswith("win"):
            python_bin = venv_dir / "Scripts" / "python.exe"
        else:
            python_bin = venv_dir / "bin" / "python"

        yield str(python_bin)


def parse_args() -> argparse.Namespace:
    """Parse and return command-line arguments."""
    parser = argparse.ArgumentParser(description="Generate a CycloneDX SBOM for dfetch.")
    parser.add_argument(
        "--py",
        action="store_true",
        help="Generate SBOM for the Python distribution instead of the platform binary.",
    )
    parser.add_argument(
        "--output-dir",
        type=Path,
        default=None,
        metavar="DIR",
        help="Directory to write the SBOM into (default: dist/ for --py, build/dfetch-package/ otherwise).",
    )
    return parser.parse_args()


args = parse_args()

if args.py:
    suffix = "py"
    output_dir = args.output_dir or PROJECT_DIR / "dist"
else:
    suffix = PLATFORM_NAME
    output_dir = args.output_dir or PROJECT_DIR / "build" / "dfetch-package"

with temporary_venv() as python:
    subprocess.check_call([python, "-m", "pip", "install", DEPS])  # nosec

    version = (
        subprocess.run(  # nosec
            [
                python,
                "-c",
                "from importlib.metadata import version; print(version('dfetch'))",
            ],
            check=True,
            capture_output=True,
        )
        .stdout.decode("UTF-8")
        .strip()
    )

    output_file = output_dir / f"dfetch-{version}-{suffix}.cdx.json"
    output_file.parent.mkdir(parents=True, exist_ok=True)
    subprocess.check_call(  # nosec
        [python, "-m", "cyclonedx_py", "environment", "-o", str(output_file)]
    )

logging.info(f"SBOM generated at {output_file}")