feat: additional SBOM generation options (fixes #16)

anthonyharrison · Jul 28, 2024 · fd507f9 · fd507f9
1 parent 26acd02
commit fd507f9
Show file tree

Hide file tree

Showing 2 changed files with 67 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -26,8 +26,9 @@ up for testing using different versions of Python.
 ## Usage
 
 ```
-usage: distro2sbom [-h] [--distro {rpm,deb,windows,auto}] [-i INPUT_FILE] [-n NAME] [-r RELEASE] [-p PACKAGE] [-s] [--root ROOT] [--distro-namespace DISTRO_NAMESPACE] [-d] [--sbom {spdx,cyclonedx}]
-                   [--format {tag,json,yaml}] [-o OUTPUT_FILE] [-V]
+usage: distro2sbom [-h] [--distro {rpm,deb,windows,auto}] [-i INPUT_FILE] [-n NAME] [-r RELEASE] [-p PACKAGE] [-s] [--root ROOT] [--distro-namespace DISTRO_NAMESPACE]
+                   [--product-type {application,framework,library,container,operating-system,device,firmware,file}] [--product-name PRODUCT_NAME] [--product-version PRODUCT_VERSION]
+                   [--product-author PRODUCT_AUTHOR] [-d] [--sbom {spdx,cyclonedx}] [--format {tag,json,yaml}] [-o OUTPUT_FILE] [-V]
 
 Distro2Sbom generates a Software Bill of Materials for the specified package or distribution.
 
@@ -50,6 +51,16 @@ Input:
   --distro-namespace DISTRO_NAMESPACE
                         namespace for distribution
 
+Product:
+  --product-type {application,framework,library,container,operating-system,device,firmware,file}
+                        type of product (default: application)
+  --product-name PRODUCT_NAME
+                        name of product
+  --product-version PRODUCT_VERSION
+                        version of product
+  --product-author PRODUCT_AUTHOR
+                        author of product
+
 Output:
   -d, --debug           add debug information
   --sbom {spdx,cyclonedx}
@@ -58,7 +69,6 @@ Output:
                         specify format of software bill of materials (sbom) (default: tag)
   -o OUTPUT_FILE, --output-file OUTPUT_FILE
                         output filename (default: output to stdout)
-
 ```
 						
 ## Operation
@@ -134,6 +144,9 @@ The `--disto-namespace` option is used to specify a namespace to be included in
 
 At least one of the `--input-file`, `--package` or `--system` options must be specified. If multiple options are specified, the `--input-file` option followed by the `--system` option will be assumed.
 
+The `--product-type`, `--product-name`, `--product-version` and `--product-author` options allow the specification of the top level
+component within the SBOM. These option only apply to CycloneDX SBOMs.
+
 The `--sbom` option is used to specify the format of the generated SBOM (the default is SPDX). The `--format` option
 can be used to specify the formatting of the SBOM (the default is Tag Value format for a SPDX SBOM). JSON format is supported for both
 SPDX and CycloneDX SBOMs.

diff --git a/distro2sbom/cli.py b/distro2sbom/cli.py
@@ -8,6 +8,7 @@
 from collections import ChainMap
 from pathlib import Path
 
+from lib4sbom.data.document import SBOMDocument
 from lib4sbom.generator import SBOMGenerator
 from lib4sbom.sbom import SBOM
 
@@ -105,6 +106,39 @@ def main(argv=None):
         help="namespace for distribution",
     )
 
+    product_group = parser.add_argument_group("Product")
+    product_group.add_argument(
+        "--product-type",
+        action="store",
+        default="application",
+        choices=[
+            "application",
+            "framework",
+            "library",
+            "container",
+            "operating-system",
+            "device",
+            "firmware",
+            "file",
+        ],
+        help="type of product (default: application)",
+    )
+    product_group.add_argument(
+        "--product-name",
+        action="store",
+        help="name of product",
+    )
+    product_group.add_argument(
+        "--product-version",
+        action="store",
+        help="version of product",
+    )
+    product_group.add_argument(
+        "--product-author",
+        action="store",
+        help="author of product",
+    )
+
     output_group = parser.add_argument_group("Output")
     output_group.add_argument(
         "-d",
@@ -151,6 +185,10 @@ def main(argv=None):
         "system": False,
         "root": "",
         "distro_namespace": "",
+        "product_type": "application",
+        "product_name": "",
+        "product_version": "",
+        "product_author": "",
     }
 
     raw_args = parser.parse_args(argv[1:])
@@ -190,6 +228,10 @@ def main(argv=None):
         print("SBOM type:", args["sbom"])
         print("Format:", bom_format)
         print("Output file:", args["output_file"])
+        print("Product Type", args["product_type"])
+        print("Product Name", args["product_name"])
+        print("Product Version", args["product_version"])
+        print("Product Author", args["product_author"])
 
     if args["distro"] == "auto":
         # determine distro type based on availability of key application
@@ -244,6 +286,15 @@ def main(argv=None):
     if len(sbom_build.get_packages()) > 0:
         # Generate SBOM file
         distro_sbom = SBOM()
+        sbom_doc = SBOMDocument()
+        sbom_doc.set_metadata_type(args["product_type"])
+        if args["product_name"] != "":
+            sbom_doc.set_name(args["product_name"])
+        if args["product_version"] != "":
+            sbom_doc.set_metadata_version(args["product_version"])
+        if args["product_author"] != "":
+            sbom_doc.set_metadata_supplier(args["product_author"])
+        distro_sbom.add_document(sbom_doc.get_document())
         distro_sbom.add_packages(sbom_build.get_packages())
         distro_sbom.add_relationships(sbom_build.get_relationships())