Support exporting SBOM in spdx format (#24)

* Support the output of SBOM list in spdx format

Co-authored-by: huyongfeng <[email protected]>

Author: itxiaohu001

.github/README.md

@@ -4,7 +4,6 @@
 	<img alt="logo" src="../logo.svg">
 </p>
 <h1 align="center" style="margin: 30px 0 30px; font-weight: bold;">OpenSCA-Cli</h1>
-
 <p align="center">
 	<a href="https://github.com/XmirrorSecurity/OpenSCA-cli/blob/master/LICENSE"><img src="https://img.shields.io/github/license/XmirrorSecurity/OpenSCA-cli?style=flat-square"></a>
 	<a href="https://github.com/XmirrorSecurity/OpenSCA-cli/releases"><img src="https://img.shields.io/github/v/release/XmirrorSecurity/OpenSCA-cli?style=flat-square"></a>
@@ -77,18 +76,18 @@ opensca-cli -db db.json -path ${project_path}
 
 **You can either configure the parameters in configuration files or input the parameters in the command-line. When the two conflict with each other, the input parameters will be prioritized.**
 
-| PARAMETER  | TYPE     | DESCRIPTION                                                                                                                                                                                                                                                                | SAMPLE                            |
-| ---------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------- |
-| `config`   | `string` | Set the configuration file path, when the program runs, the parameter of the configuration file will be used as the startup parameters. If the configuration parameter conflicts with the command-line input parameter, the latter will be taken.                          | `-config config.json`             |
-| `path`     | `string` | Set the file or directory path to be detected.                                                                                                                                                                                                                             | `-path ./foo`                     |
-| `url`      | `string` | Check the vulnerabilities from the cloud vulnerability database, set the address of the cloud service. It needs to be used with the `token` parameter.                                                                                                                     | `-url https://opensca.xmirror.cn` |
-| `token`    | `string` | Cloud service verification. You have to apply for it on the cloud service platform and use it with the `url` parameter.                                                                                                                                                    | `-token xxxxxxx`                  |
-| `cache`    | `bool`   | This option is recommended. It can cache the downloaded files, for example, the `.pom` file, and save your time when detecting the same component next time. The downloaded files are saved in `.cache` under the same directory as opensca-cli.                           | `-cache`                          |
-| `vuln`     | `bool`   | Show the vulnerabilities info only. Using this parameter, the component hierarchical architecture will **NOT** be included in the result.                                                                                                                                  | `-vuln`                           |
-| `out`      | `string` | Set the output file. The result defaults to json format.                                                                                                                                                                                                                   | `-out output.json`                |
+| PARAMETER  | TYPE     | DESCRIPTION                                                  | SAMPLE                            |
+| ---------- | -------- | ------------------------------------------------------------ | --------------------------------- |
+| `config`   | `string` | Set the configuration file path, when the program runs, the parameter of the configuration file will be used as the startup parameters. If the configuration parameter conflicts with the command-line input parameter, the latter will be taken. | `-config config.json`             |
+| `path`     | `string` | Set the file or directory path to be detected.               | `-path ./foo`                     |
+| `url`      | `string` | Check the vulnerabilities from the cloud vulnerability database, set the address of the cloud service. It needs to be used with the `token` parameter. | `-url https://opensca.xmirror.cn` |
+| `token`    | `string` | Cloud service verification. You have to apply for it on the cloud service platform and use it with the `url` parameter. | `-token xxxxxxx`                  |
+| `cache`    | `bool`   | This option is recommended. It can cache the downloaded files, for example, the `.pom` file, and save your time when detecting the same component next time. The downloaded files are saved in `.cache` under the same directory as opensca-cli. | `-cache`                          |
+| `vuln`     | `bool`   | Show the vulnerabilities info only. Using this parameter, the component hierarchical architecture will **NOT** be included in the result. | `-vuln`                           |
+| `out`      | `string` | Set the output file. The result defaults to json format.Support the output of SBOM list in spdx format. | `-out output.json`                |
 | `db`       | `string` | Set the local vulnerability database file. It helps when you prefer to use your own vulnerability database. The format of the vulnerability database is shown below. If the cloud and local vulnerability databases are both set, the result of detection will merge both. | `-db db.json`                     |
-| `progress` | `bool`   | Show the progress bar.                                                                                                                                                                                                                                                     | `-progress`                       |
-| `dedup`    | `bool`   | Same result deduplication                                                                                                                                                                                                                                                  | `-dedup`                          |
+| `progress` | `bool`   | Show the progress bar.                                       | `-progress`                       |
+| `dedup`    | `bool`   | Same result deduplication                                    | `-dedup`                          |
 
 ------
 

README.md

@@ -2,7 +2,6 @@
 	<img alt="logo" src="./logo.svg">
 </p>
 <h1 align="center" style="margin: 30px 0 30px; font-weight: bold;">OpenSCA-Cli</h1>
-
 <p align="center">
 	<a href="https://github.com/XmirrorSecurity/OpenSCA-cli/blob/master/LICENSE"><img src="https://img.shields.io/github/license/XmirrorSecurity/OpenSCA-cli?style=flat-square"></a>
 	<a href="https://github.com/XmirrorSecurity/OpenSCA-cli/releases"><img src="https://img.shields.io/github/v/release/XmirrorSecurity/OpenSCA-cli?style=flat-square"></a>
@@ -84,7 +83,7 @@ opensca-cli -db db.json -path ${project_path}
 | `token`    | `string` | 云服务验证 `token`，需要在云服务平台申请，与 `url` 参数一起使用                                                                                   | `-token xxxxxxx`                  |
 | `cache`    | `bool`   | 建议开启，缓存下载的文件(例如 `.pom` 文件)，重复检测相同组件时会节省时间，下载的文件会保存到工具所在目录的.cache 目录下                           | `-cache`                          |
 | `vuln`     | `bool`   | 结果仅保留有漏洞信息的组件，使用该参数将不会保留组件层级结构                                                                                      | `-vuln`                           |
-| `out`      | `string` | 将检测结果保存到指定文件，根据后缀生成不同格式的文件，默认为 `json` 格式                                                                          | `-out output.json`                |
+| `out`      | `string` | 将检测结果保存到指定文件，根据后缀生成不同格式的文件，默认为 `json` 格式；；支持以`spdx`格式展示`sbom`清单只需更换相应输出文件后缀即可                                     | `-out output.json`                |
 | `db`       | `string` | 指定本地漏洞库文件，希望使用自己漏洞库时可用，漏洞库文件为 `json` 格式，具体格式会在之后给出;若同时使用云端漏洞库与本地漏洞库，漏洞查询结果取并集 | `-db db.json`                     |
 | `progress` | `bool`   | 显示进度条                                                                                                                                        | `-progress`                       |
 | `dedup`    | `bool`   | 相同组件去重                                                                                                                                      | `-dedup`                          |

analyzer/engine/archive.go

@@ -28,7 +28,8 @@ import (
 // checkFile 检测是否为可检测的文件
 func (e Engine) checkFile(filename string) bool {
 	for _, analyzer := range e.Analyzers {
-		if analyzer.CheckFile(filename) {
+		if analyzer.CheckFile(filename) ||
+			filter.CheckLicense(filename) {
 			return true
 		}
 	}

analyzer/engine/parse.go

@@ -7,16 +7,25 @@ package engine
 
 import (
 	"path"
+	"regexp"
 	"strings"
 	"util/filter"
 	"util/model"
 )
 
+// copyright匹配优先级
+const (
+	low = iota
+	mid
+	high
+)
+
 // parseDependency 解析依赖
 func (e Engine) parseDependency(dirRoot *model.DirTree, depRoot *model.DepTree) *model.DepTree {
 	if depRoot == nil {
 		depRoot = model.NewDepTree(nil)
 	}
+	var copyrightMess = make(map[string]string)
 	for _, analyzer := range e.Analyzers {
 		// 遍历目录树获取要检测的文件
 		files := []*model.FileInfo{}
@@ -30,11 +39,22 @@ func (e Engine) parseDependency(dirRoot *model.DirTree, depRoot *model.DepTree)
 			for _, f := range n.Files {
 				if analyzer.CheckFile(f.Name) {
 					files = append(files, f)
+				} else if filter.CheckLicense(f.Name) {
+					if _, ok := copyrightMess[path.Dir(f.Name)]; !ok {
+						// 记录解析到的copyrigh信息
+						copyrightMess[path.Dir(f.Name)] = parseCopyright(f)
+					}
 				}
 			}
 		}
 		// 从文件中解析依赖树
 		for _, d := range analyzer.ParseFiles(files) {
+			p := path.Dir(d.Path)
+			if _, ok := copyrightMess[p]; ok {
+				// 将copyright信息加入与其同一文件目录的依赖节点中
+				d.CopyrightText = copyrightMess[p]
+				delete(copyrightMess, p)
+			}
 			depRoot.Children = append(depRoot.Children, d)
 			d.Parent = depRoot
 			if d.Name != "" && !strings.ContainsAny(d.Vendor+d.Name, "${}") && d.Version.Ok() {
@@ -99,3 +119,47 @@ func (e Engine) parseDependency(dirRoot *model.DirTree, depRoot *model.DepTree)
 	}
 	return depRoot
 }
+
+// 从文件中提取copyright信息
+func parseCopyright(f *model.FileInfo) string {
+	matchLevel := map[int]string{}
+	ct := string(f.Data)
+	if len(ct) == 0 {
+		return ""
+	}
+	pras := strings.Split(ct, "\n\n")
+	re := regexp.MustCompile(`^\d{4}$|^\d{4}-\d{4}$|^\(c\)$`)
+	for _, pra := range pras {
+		if !strings.Contains(strings.ToLower(pra), "copyright") {
+			continue
+		}
+		lines := strings.Split(pra, "\n")
+		line := strings.TrimSpace(lines[0])
+		if len(lines) == 0 {
+			continue
+		}
+		tks := strings.Fields(line)
+		if len(tks) == 0 {
+			continue
+		}
+		if strings.EqualFold("copyright", tks[0]) {
+			if re.MatchString(tks[1]) {
+				matchLevel[high] = line
+			}
+			matchLevel[mid] = line
+		}
+		for _, l := range lines {
+			if strings.HasPrefix(strings.TrimSpace(strings.ToLower(l)), "copyright") {
+				matchLevel[low] = strings.TrimSpace(l)
+				break
+			}
+		}
+
+	}
+	for i := high; i >= low; i-- {
+		if matchLevel[i] != "" {
+			return matchLevel[i]
+		}
+	}
+	return ""
+}

analyzer/golang/gomod.go

@@ -20,6 +20,7 @@ func parseGomod(dep *model.DepTree, file *model.FileInfo) {
 		sub := model.NewDepTree(dep)
 		sub.Name = strings.Trim(match[1], `'"`)
 		sub.Version = model.NewVersion(match[2])
+		sub.HomePage = "https://" + sub.Name
 	}
 }
 
@@ -40,6 +41,7 @@ func parseGosum(dep *model.DepTree, file *model.FileInfo) {
 		sub := model.NewDepTree(dep)
 		sub.Name = strings.Trim(match[1], `'"`)
 		sub.Version = model.NewVersion(match[2])
+		sub.HomePage = sub.Name
 		exist[sub.Name] = struct{}{}
 	}
 }

analyzer/javascript/package_json.go

@@ -22,11 +22,13 @@ import (
 
 // package.json 文件结构
 type PkgJson struct {
-	Name    string            `json:"name"`
-	Version string            `json:"version"`
-	License string            `json:"license"`
-	DevDeps map[string]string `json:"devDependencies"`
-	Deps    map[string]string `json:"dependencies"`
+	Name       string            `json:"name"`
+	Version    string            `json:"version"`
+	License    string            `json:"license"`
+	DevDeps    map[string]string `json:"devDependencies"`
+	Deps       map[string]string `json:"dependencies"`
+	HomePage   string            `json:"homepage"`
+	Repository map[string]string `json:"repository,omitempty"`
 }
 
 // npm下载文件结构
@@ -41,13 +43,15 @@ func parsePackage(root *model.DepTree, file *model.FileInfo, simulation bool) (d
 	pkg := PkgJson{}
 	if err := json.Unmarshal(file.Data, &pkg); err != nil {
 		logs.Error(err)
-		return
 	}
 	if pkg.Name != "" {
 		root.Name = pkg.Name
 	}
-	root.Version = model.NewVersion(pkg.Version)
+	if pkg.Version != "" {
+		root.Version = model.NewVersion(pkg.Version)
+	}
 	root.AddLicense(pkg.License)
+	root.HomePage = pkg.HomePage
 	// 依赖列表map[name]version
 	depMap := map[string]string{}
 	for name, version := range pkg.DevDeps {
@@ -81,7 +85,7 @@ func parsePackage(root *model.DepTree, file *model.FileInfo, simulation bool) (d
 	}
 	for !q.Empty() {
 		node := q.Pop().(*model.DepTree)
-		for _, sub := range npmSimulation(node) {
+		for _, sub := range npmSimulation(node, exist) {
 			if _, ok := exist[sub.Name]; !ok {
 				bar.Npm.Add(1)
 				exist[sub.Name] = struct{}{}
@@ -93,7 +97,7 @@ func parsePackage(root *model.DepTree, file *model.FileInfo, simulation bool) (d
 }
 
 // npmSimulation 模拟npm获取详细依赖信息
-func npmSimulation(dep *model.DepTree) (subDeps []*model.DepTree) {
+func npmSimulation(dep *model.DepTree, exist map[string]struct{}) (subDeps []*model.DepTree) {
 	subDeps = []*model.DepTree{}
 	dep.Language = language.JavaScript
 	// 获取依赖数据
@@ -149,6 +153,9 @@ func npmSimulation(dep *model.DepTree) (subDeps []*model.DepTree) {
 	}
 	sort.Strings(names)
 	for _, name := range names {
+		if _, ok := exist[name]; ok {
+			continue
+		}
 		sub := model.NewDepTree(dep)
 		sub.Name = name
 		sub.Version = model.NewVersion(info.Deps[name])

analyzer/javascript/package_lock.go

@@ -45,7 +45,7 @@ func parsePackageLock(root *model.DepTree, file *model.FileInfo, direct []string
 	}{}
 	if err := json.Unmarshal(file.Data, &lock); err != nil {
 		logs.Error(err)
-		return
+		//return
 	}
 	if lock.Name != "" {
 		root.Name = lock.Name

analyzer/php/composer.go

@@ -26,6 +26,8 @@ type Composer struct {
 	License    string            `json:"license"`
 	Require    map[string]string `json:"require"`
 	RequireDev map[string]string `json:"require-dev"`
+	HomePage   string            `json:"homepage"`
+	Support    map[string]string `json:"support"`
 }
 
 type ComposerRepo struct {
@@ -47,6 +49,8 @@ func parseComposer(root *model.DepTree, file *model.FileInfo, simulation bool) (
 	if composer.Name != "" {
 		root.Name = composer.Name
 	}
+	root.HomePage = composer.HomePage
+	root.DownloadLocation = composer.Support["source"]
 	// add license
 	if composer.License != "" {
 		root.AddLicense(composer.License)
@@ -84,7 +88,7 @@ func parseComposer(root *model.DepTree, file *model.FileInfo, simulation bool) (
 	}
 	for !q.Empty() {
 		node := q.Pop().(*model.DepTree)
-		for _, sub := range composerSimulation(node) {
+		for _, sub := range composerSimulation(node, exist) {
 			if _, ok := exist[sub.Name]; !ok {
 				bar.Composer.Add(1)
 				exist[sub.Name] = struct{}{}
@@ -96,7 +100,7 @@ func parseComposer(root *model.DepTree, file *model.FileInfo, simulation bool) (
 }
 
 // composerSimulation composer simulation
-func composerSimulation(dep *model.DepTree) (subDeps []*model.DepTree) {
+func composerSimulation(dep *model.DepTree, exist map[string]struct{}) (subDeps []*model.DepTree) {
 	subDeps = []*model.DepTree{}
 	dep.Language = language.Php
 	data := cache.LoadCache(dep.Dependency)
@@ -148,6 +152,9 @@ func composerSimulation(dep *model.DepTree) (subDeps []*model.DepTree) {
 							if strings.EqualFold(name, "php") {
 								continue
 							}
+							if _, ok := exist[name]; ok {
+								continue
+							}
 							sub := model.NewDepTree(dep)
 							sub.Name = name
 							sub.Version = model.NewVersion(requires[name])

analyzer/php/composer_lock.go

@@ -8,16 +8,19 @@ package php
 import (
 	"encoding/json"
 	"sort"
+	"strings"
 	"util/logs"
 	"util/model"
 )
 
 // composer.lock
 type ComposerLock struct {
 	Pkgs []struct {
-		Name    string            `json:"name"`
-		Version string            `json:"version"`
-		Require map[string]string `json:"require"`
+		Name     string            `json:"name"`
+		Version  string            `json:"version"`
+		Require  map[string]string `json:"require"`
+		HomePage string            `json:"homepage"`
+		Source   map[string]string `json:"source"`
 	} `json:"packages"`
 }
 
@@ -26,7 +29,7 @@ func parseComposerLock(root *model.DepTree, file *model.FileInfo, direct []strin
 	lock := ComposerLock{}
 	if err := json.Unmarshal(file.Data, &lock); err != nil {
 		logs.Error(err)
-		return
+		//return
 	}
 	// 记录尚无Parent的依赖
 	depMap := map[string]*model.DepTree{}
@@ -37,6 +40,8 @@ func parseComposerLock(root *model.DepTree, file *model.FileInfo, direct []strin
 		dep.Name = cps.Name
 		dep.Version = model.NewVersion(cps.Version)
 		dep.Expand = cps.Require
+		dep.HomePage = cps.HomePage
+		dep.DownloadLocation = strings.ReplaceAll(cps.Source["url"], ".git", "")
 		depMap[cps.Name] = dep
 		directMap[cps.Name] = dep
 	}

analyzer/python/pipfile.go

@@ -2,6 +2,7 @@ package python
 
 import (
 	"encoding/json"
+	"strings"
 	"util/logs"
 	"util/model"
 
@@ -20,12 +21,12 @@ func parsePipfile(root *model.DepTree, file *model.FileInfo) {
 	for name, version := range pip.Packages {
 		dep := model.NewDepTree(root)
 		dep.Name = name
-		dep.Version = model.NewVersion(version)
+		dep.Version = model.NewVersion(formatVer(version))
 	}
 	for name, version := range pip.DevPackages {
 		dep := model.NewDepTree(root)
 		dep.Name = name
-		dep.Version = model.NewVersion(version)
+		dep.Version = model.NewVersion(formatVer(version))
 	}
 }
 
@@ -49,8 +50,17 @@ func parsePipfileLock(root *model.DepTree, file *model.FileInfo) {
 		if v != "" {
 			dep := model.NewDepTree(root)
 			dep.Name = n
-			dep.Version = model.NewVersion(v)
+			dep.Version = model.NewVersion(formatVer(v))
 		}
 	}
 	return
 }
+
+// 后续使用其他办法确定版本号
+func formatVer(v string) string {
+	res := strings.ReplaceAll(v, "==", "")
+	res = strings.ReplaceAll(res, "~=", "")
+	res = strings.ReplaceAll(res, ">=", "")
+	res = strings.ReplaceAll(res, "<=", "")
+	return res
+}

analyzer/python/setup.go

@@ -56,15 +56,15 @@ func parseSetup(root *model.DepTree, file *model.FileInfo) {
 			logs.Warn(err)
 		}
 		root.Name = dep.Name
-		root.Version = model.NewVersion(dep.Version)
+		root.Version = model.NewVersion(formatVer(dep.Version))
 		root.Licenses = append(root.Licenses, dep.License)
 		for _, pkg := range [][]string{dep.Packages, dep.InstallRequires, dep.Requires} {
 			for _, p := range pkg {
 				index := strings.IndexAny(p, "=<>")
 				sub := model.NewDepTree(root)
 				if index > -1 {
 					sub.Name = p[:index]
-					sub.Version = model.NewVersion(p[index:])
+					sub.Version = model.NewVersion(formatVer(p[index:]))
 				} else {
 					sub.Name = p
 				}