Add more info to sbom

Author: spoorcc

dfetch/commands/report.py

@@ -64,9 +64,9 @@ def __call__(self, args: argparse.Namespace) -> None:
         """Generate the report."""
         manifest, path = dfetch.manifest.manifest.get_manifest()
 
-        reporter = REPORTERS[args.type]()
-
         with dfetch.util.util.in_directory(os.path.dirname(path)):
+            reporter = REPORTERS[args.type](path)
+
             for project in manifest.selected_projects(args.projects):
                 determined_licenses = self._determine_licenses(project)
                 version = self._determine_version(project)

dfetch/reporting/reporter.py

@@ -1,7 +1,9 @@
 """Abstract reporting interface."""
 
+import io
+import re
 from abc import ABC, abstractmethod
-from typing import List
+from typing import List, Tuple
 
 from dfetch.manifest.project import ProjectEntry
 from dfetch.util.license import License
@@ -12,6 +14,16 @@ class Reporter(ABC):
 
     name: str = "abstract"
 
+    def __init__(self, manifest_path: str) -> None:
+        """Create the reporter.
+
+        Args:
+            manifest_path (str): The path to the manifest.
+        """
+        self._manifest_path = manifest_path
+        with open(self._manifest_path, "r", encoding="utf-8") as manifest:
+            self._manifest_buffer = io.StringIO(manifest.read())
+
     @abstractmethod
     def add_project(
         self,
@@ -21,6 +33,23 @@ def add_project(
     ) -> None:
         """Add a project to the report."""
 
+    def find_name_in_manifest(self, name: str) -> Tuple[int, int, int]:
+        """Find the location of a project name in the manifest."""
+        self._manifest_buffer.seek(0)
+        for line_nr, line in enumerate(self._manifest_buffer, start=1):
+            match = re.search(rf"^\s+-\s*name:\s*(?P<name>{name})\s", line)
+
+            if match:
+                return (
+                    line_nr,
+                    int(match.start("name")) + 1,
+                    int(match.end("name")),
+                )
+        raise RuntimeError(
+            "An entry from the manifest was provided,"
+            " that doesn't exist in the manifest!"
+        )
+
     @abstractmethod
     def dump_to_file(self, outfile: str) -> bool:
         """Do nothing."""

dfetch/reporting/sbom_reporter.py

@@ -32,6 +32,7 @@
 )
 from cyclonedx.model.contact import OrganizationalEntity
 from cyclonedx.model.license import DisjunctiveLicense as CycloneDxLicense
+from cyclonedx.model.license import LicenseAcknowledgement
 from cyclonedx.output import make_outputter
 from cyclonedx.schema import OutputFormat, SchemaVersion
 
@@ -55,7 +56,9 @@ class SbomReporter(Reporter):
         name="dfetch",
         version=dfetch.__version__,
         bom_ref=f"dfetch-{dfetch.__version__}",
-        licenses=[CycloneDxLicense(name="MIT License", id="MIT")],
+        licenses=[
+            CycloneDxLicense(id="MIT", acknowledgement=LicenseAcknowledgement.DECLARED)
+        ],
         external_references=[
             ExternalReference(
                 type=ExternalReferenceType.VCS,
@@ -96,8 +99,9 @@ class SbomReporter(Reporter):
 
     name = "SBoM"
 
-    def __init__(self) -> None:
+    def __init__(self, manifest_path: str) -> None:
         """Start the report."""
+        super().__init__(manifest_path)
         self._bom = Bom()
         self._bom.metadata.tools.components.add(self.dfetch_tool)
         self._bom.metadata.tools.components.add(cdx_lib_component())
@@ -113,13 +117,20 @@ def add_project(
             project.remote_url, version=version, subpath=project.source or None
         )
 
+        name = project.name if purl.type == "generic" else purl.name
+
+        line_nr, start, _ = self.find_name_in_manifest(project.name)
+
         component = Component(
-            name=project.name,
+            name=name,
             version=version,
+            bom_ref=f"{project.name}-{version}",
             type=ComponentType.LIBRARY,
             purl=purl,
             evidence=ComponentEvidence(
-                occurrences=[Occurrence(location="dfetch.yaml")],
+                occurrences=[
+                    Occurrence(location=self._manifest_path, line=line_nr, offset=start)
+                ],
                 identity=[
                     Identity(
                         field=IdentityField.NAME,
@@ -131,7 +142,7 @@ def add_project(
                                 value="Name as used for project in dfetch.yaml",
                             )
                         ],
-                        concluded_value=project.name,
+                        concluded_value=name,
                     ),
                     Identity(
                         field=IdentityField.VERSION,
@@ -152,7 +163,8 @@ def add_project(
                             Method(
                                 technique=AnalysisTechnique.MANIFEST_ANALYSIS,
                                 confidence=Decimal.from_float(0.4),
-                                value="Determined from the VCS url as used for project in dfetch.yaml",
+                                value=f"Determined from {project.remote_url} as used"
+                                f" for the project {project.name} in dfetch.yaml",
                             )
                         ],
                         concluded_value=purl.to_string(),
@@ -189,11 +201,17 @@ def add_project(
                 )
 
         for lic in licenses:
-            cdx_license = CycloneDxLicense(name=lic.name, id=lic.spdx_id)
+
+            # License wants either an SPDX id or a name, prefer SPDX id when available
+            cdx_license = (
+                CycloneDxLicense(id=lic.spdx_id)
+                if lic.spdx_id
+                else CycloneDxLicense(name=lic.name)
+            )
 
             component.licenses.add(cdx_license)
             if component.evidence:
-                component.evidence.licenses.add(cdx_license.bom_ref)
+                component.evidence.licenses.add(cdx_license)
 
         self._bom.components.add(component)