sbom export scan refactoring

Author: corneliusludmann

README.md

@@ -342,6 +342,49 @@ sbom:
 
 When enabled, Leeway automatically generates SBOMs for each package during the build process in multiple formats (CycloneDX, SPDX, and Syft JSON) using [Syft](https://github.com/anchore/syft). These SBOMs are included in the package's build artifacts.
 
+### SBOM Commands
+
+Leeway provides two commands for working with SBOMs:
+
+#### sbom export
+
+The `sbom export` command allows you to export the SBOM of a previously built package:
+
+```bash
+# Export SBOM in CycloneDX format (default) to stdout
+leeway sbom export some/component:package
+
+# Export SBOM in a specific format to a file
+leeway sbom export --format spdx --output sbom.spdx.json some/component:package
+
+# Export SBOMs for a package and all its dependencies to a directory
+leeway sbom export --with-dependencies --output-dir sboms/ some/component:package
+```
+
+Options:
+- `--format`: SBOM format to export (cyclonedx, spdx, syft). Default is cyclonedx.
+- `--output, -o`: Output file (defaults to stdout).
+- `--with-dependencies`: Export SBOMs for the package and all its dependencies.
+- `--output-dir`: Output directory for exporting multiple SBOMs (required with --with-dependencies).
+
+#### sbom scan
+
+The `sbom scan` command scans a package's SBOM for vulnerabilities and exports the results:
+
+```bash
+# Scan a package for vulnerabilities
+leeway sbom scan --output-dir vuln-reports/ some/component:package
+
+# Scan a package and all its dependencies for vulnerabilities
+leeway sbom scan --with-dependencies --output-dir vuln-reports/ some/component:package
+```
+
+Options:
+- `--output-dir`: Directory to export scan results (required).
+- `--with-dependencies`: Scan the package and all its dependencies.
+
+This command uses existing SBOM files from previously built packages and requires SBOM generation and vulnerability scanning to be enabled in the workspace settings.
+
 ### Vulnerability Scanning
 
 When `scanVulnerabilities` is enabled, Leeway scans the generated SBOMs for vulnerabilities using [Grype](https://github.com/anchore/grype). The scan results are written to the build directory in multiple formats:

cmd/sbom-export.go

@@ -9,7 +9,6 @@ import (
 	"github.com/gitpod-io/leeway/pkg/leeway"
 	log "github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
-	"slices"
 )
 
 // sbomExportCmd represents the sbom export command
@@ -48,9 +47,8 @@ to the specified output directory.`,
 		withDependencies, _ := cmd.Flags().GetBool("with-dependencies")
 		outputDir, _ := cmd.Flags().GetString("output-dir")
 
-		// Validate format
-		validFormats := []string{"cyclonedx", "spdx", "syft"}
-		formatValid := slices.Contains(validFormats, format)
+		// Validate format using the utility function
+		formatValid, validFormats := leeway.ValidateSBOMFormat(format)
 		if !formatValid {
 			log.Fatalf("Unsupported format: %s. Supported formats are: %s", format, strings.Join(validFormats, ", "))
 		}
@@ -73,7 +71,7 @@ to the specified output directory.`,
 			}
 
 			// Get all dependencies
-			deps := getAllDependencies(pkg)
+			deps := pkg.GetTransitiveDependencies()
 			log.Infof("Exporting SBOMs for %s and %d dependencies to %s", pkg.FullName(), len(deps), outputDir)
 
 			// Add the package itself to the list
@@ -91,21 +89,10 @@ to the specified output directory.`,
 
 				// Create safe filename for the package
 				safeFilename := strings.ReplaceAll(p.FullName(), "/", "_")
-				outputPath := filepath.Join(outputDir, safeFilename+getFormatExtension(format))
-
-				// Extract and output the SBOM
-				err := leeway.AccessSBOMInCachedArchive(pFN, format, func(sbomReader io.Reader) error {
-					// Create the output file
-					file, err := os.Create(outputPath)
-					if err != nil {
-						return err
-					}
-					defer file.Close()
+				outputPath := filepath.Join(outputDir, safeFilename+leeway.GetSBOMFormatExtension(format))
 
-					// Copy the SBOM content to the file
-					_, err = io.Copy(file, sbomReader)
-					return err
-				})
+				// Extract and output the SBOM using the WriteFileHandler
+				err := leeway.AccessSBOMInCachedArchive(pFN, format, leeway.WriteFileHandler(outputPath))
 
 				if err != nil {
 					if err == leeway.ErrNoSBOMFile {
@@ -165,47 +152,6 @@ to the specified output directory.`,
 	},
 }
 
-// Helper function to get all dependencies of a package
-func getAllDependencies(pkg *leeway.Package) []*leeway.Package {
-	// Use a map to avoid duplicates
-	depsMap := make(map[string]*leeway.Package)
-	
-	// Recursively collect dependencies
-	var collectDeps func(p *leeway.Package)
-	collectDeps = func(p *leeway.Package) {
-		for _, dep := range p.GetDependencies() {
-			if _, exists := depsMap[dep.FullName()]; !exists {
-				depsMap[dep.FullName()] = dep
-				collectDeps(dep)
-			}
-		}
-	}
-	
-	collectDeps(pkg)
-	
-	// Convert map to slice
-	deps := make([]*leeway.Package, 0, len(depsMap))
-	for _, dep := range depsMap {
-		deps = append(deps, dep)
-	}
-	
-	return deps
-}
-
-// Helper function to get file extension for the format
-func getFormatExtension(format string) string {
-	switch format {
-	case "cyclonedx":
-		return ".cdx.json"
-	case "spdx":
-		return ".spdx.json"
-	case "syft":
-		return ".json"
-	default:
-		return ".json"
-	}
-}
-
 func init() {
 	sbomExportCmd.Flags().String("format", "cyclonedx", "SBOM format to export (cyclonedx, spdx, syft)")
 	sbomExportCmd.Flags().StringP("output", "o", "", "Output file (defaults to stdout)")

cmd/sbom-scan.go

@@ -32,11 +32,6 @@ When used with --with-dependencies, it scans the package and all its dependencie
 			log.Fatal("SBOM scanning requires sbom.enabled=true in workspace settings")
 		}
 
-		// Check if vulnerability scanning is enabled
-		if !pkg.C.W.SBOM.ScanVulnerabilities {
-			log.Fatal("SBOM scanning requires sbom.scanVulnerabilities=true in workspace settings")
-		}
-
 		// Get build options and cache
 		_, cache := getBuildOpts(cmd)
 
@@ -71,6 +66,7 @@ When used with --with-dependencies, it scans the package and all its dependencie
 		reporter := leeway.NewConsoleReporter()
 
 		// Use the ScanPackageSBOM function to scan the package
+		// This function will use GetAllPackageDependencies internally when withDependencies is true
 		if err := leeway.ScanPackageSBOM(pkg, reporter, cache, outputDir, withDependencies); err != nil {
 			log.WithError(err).Fatalf("Failed to scan package %s for vulnerabilities", pkg.FullName())
 		}

pkg/leeway/sbom.go

@@ -374,11 +374,11 @@ func ScanPackageSBOM(p *Package, reporter Reporter, localCache cache.LocalCache,
 			LocalCache: localCache,
 		},
 	}
-	
+
 	// If we need to scan dependencies as well
 	if withDependencies {
-		// Get all dependencies
-		deps := getAllDependencies(p)
+		// Get all dependencies using the Package's GetTransitiveDependencies method
+		deps := p.GetTransitiveDependencies()
 		log.Infof("Scanning %s and %d dependencies for vulnerabilities", p.FullName(), len(deps))
 
 		// Add the package itself to the list
@@ -387,7 +387,7 @@ func ScanPackageSBOM(p *Package, reporter Reporter, localCache cache.LocalCache,
 		// Call the existing function with all packages and the custom output directory
 		return ScanAllPackagesForVulnerabilities(ctx, packagesToScan, outputDir)
 	}
-	
+
 	// Just scan the single package
 	return ScanAllPackagesForVulnerabilities(ctx, []*Package{p}, outputDir)
 }
@@ -418,7 +418,7 @@ func ScanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 		if len(customOutputDir) > 0 && customOutputDir[0] != "" {
 			// Use custom output directory if provided
 			outputDir = customOutputDir[0]
-			
+
 			// Create the output directory if it doesn't exist
 			if err := os.MkdirAll(outputDir, 0755); err != nil {
 				errMsg := fmt.Sprintf("failed to create output directory %s: %s", outputDir, err)
@@ -429,7 +429,7 @@ func ScanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 			// Use default timestamp-based directory structure
 			reportLocation := GetVulnerabilityReportLocation(p, timestamp)
 			outputDir = reportLocation.PackageDir
-			
+
 			// Create the directory for this package's vulnerability reports
 			if err := os.MkdirAll(outputDir, 0755); err != nil {
 				errMsg := fmt.Sprintf("failed to create vulnerability reports directory for package %s: %s", p.FullName(), err)
@@ -466,26 +466,9 @@ func ScanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 			}
 		}()
 
-		// Extract the SBOM file directly from the package archive
+		// Extract the SBOM file directly from the package archive using WriteFileHandler
 		// For vulnerability scanning, we use the CycloneDX format
-		err = AccessSBOMInCachedArchive(location, "cyclonedx", func(sbomReader io.Reader) error {
-			// Copy the SBOM content to the temporary file
-			sbomFile, err := os.OpenFile(tempFileName, os.O_WRONLY, 0644)
-			if err != nil {
-				return xerrors.Errorf("failed to open temporary file for writing: %w", err)
-			}
-			defer func() {
-				if err := sbomFile.Close(); err != nil {
-					buildctx.Reporter.PackageBuildLog(p, false, []byte("failed to close SBOM file: "+err.Error()+"\n"))
-				}
-			}()
-
-			_, err = io.Copy(sbomFile, sbomReader)
-			if err != nil {
-				return xerrors.Errorf("failed to write SBOM content to temporary file: %w", err)
-			}
-			return nil
-		})
+		err = AccessSBOMInCachedArchive(location, "cyclonedx", WriteFileHandler(tempFileName))
 
 		if err != nil {
 			if err == ErrNoSBOMFile {
@@ -721,33 +704,55 @@ func loadVulnerabilityDB(p *Package, buildctx *buildContext) (vulnerability.Prov
 	return provider, status, nil
 }
 
-// Helper function to get all dependencies of a package
-func getAllDependencies(pkg *Package) []*Package {
-	// Use a map to avoid duplicates
-	depsMap := make(map[string]*Package)
-	
-	// Recursively collect dependencies
-	var collectDeps func(p *Package)
-	collectDeps = func(p *Package) {
-		for _, dep := range p.GetDependencies() {
-			if _, exists := depsMap[dep.FullName()]; !exists {
-				depsMap[dep.FullName()] = dep
-				collectDeps(dep)
+// WriteFileHandler returns a handler function for AccessSBOMInCachedArchive that writes to a file
+func WriteFileHandler(outputPath string) func(io.Reader) error {
+	return func(r io.Reader) error {
+		// Create directories if needed
+		if dir := filepath.Dir(outputPath); dir != "" {
+			if err := os.MkdirAll(dir, 0755); err != nil {
+				return fmt.Errorf("cannot create output directory %s: %w", dir, err)
 			}
 		}
+		
+		// Create and write to file
+		file, err := os.Create(outputPath)
+		if err != nil {
+			return fmt.Errorf("cannot create output file %s: %w", outputPath, err)
+		}
+		defer file.Close()
+		
+		_, err = io.Copy(file, r)
+		return err
 	}
-	
-	collectDeps(pkg)
-	
-	// Convert map to slice
-	deps := make([]*Package, 0, len(depsMap))
-	for _, dep := range depsMap {
-		deps = append(deps, dep)
+}
+
+// ValidateSBOMFormat checks if the provided format is supported
+func ValidateSBOMFormat(format string) (bool, []string) {
+	validFormats := []string{"cyclonedx", "spdx", "syft"}
+	for _, f := range validFormats {
+		if format == f {
+			return true, validFormats
+		}
 	}
-	
-	return deps
+	return false, validFormats
 }
 
+// GetSBOMFormatExtension returns the file extension for the given SBOM format
+func GetSBOMFormatExtension(format string) string {
+	switch format {
+	case "cyclonedx":
+		return ".cdx.json"
+	case "spdx":
+		return ".spdx.json"
+	case "syft":
+		return ".json"
+	default:
+		return ".json"
+	}
+}
+
+// ErrNoSBOMFile is returned when no SBOM file is found in a cached archive
+
 // ErrNoSBOMFile is returned when no SBOM file is found in a cached archive
 var ErrNoSBOMFile = fmt.Errorf("no SBOM file found")