feat: add option to include packages in application sbom (#92)

* add option to include packages in application sbom

Signed-off-by: nscuro <[email protected]>

* use pkg import paths for their component names

Signed-off-by: nscuro <[email protected]>

* add changelog

Signed-off-by: nscuro <[email protected]>

* sort packages by import path

Signed-off-by: nscuro <[email protected]>

* regenerate example sboms

Signed-off-by: nscuro <[email protected]>

* handle stdlib packages #84

Signed-off-by: nscuro <[email protected]>

* fix goroot determination

Signed-off-by: nscuro <[email protected]>

* update changelog

Signed-off-by: nscuro <[email protected]>

* update changelog

Signed-off-by: nscuro <[email protected]>

* don't strip `go` prefix from go version

Signed-off-by: nscuro <[email protected]>

* don't try to load stdlib module for `bin`

Signed-off-by: nscuro <[email protected]>

* update help string for `app`

Signed-off-by: nscuro <[email protected]>

* regenerate example sboms

Signed-off-by: nscuro <[email protected]>

* use import path for package PURLs

this is also to better represent stdlib packages, see package-url/purl-spec#113

Signed-off-by: nscuro <[email protected]>

* add purl `type` qualifier for modules

to better distinguish modules from packages

Signed-off-by: nscuro <[email protected]>

* add test

Signed-off-by: nscuro <[email protected]>

* update changelog

Signed-off-by: nscuro <[email protected]>

* regenerate example sboms

Signed-off-by: nscuro <[email protected]>

* update changelog

Signed-off-by: nscuro <[email protected]>

* include stdlib and packages in our own sbom

Signed-off-by: nscuro <[email protected]>

Closes #85
Closes #84

.goreleaser.yml

@@ -28,7 +28,7 @@ builds:
     mod_timestamp: "{{ .CommitTimestamp }}"
     hooks:
       post:
-        - cmd: ./bin/cyclonedx-gomod app -licenses -json -output "{{ .ProjectName }}_{{ .Version }}_{{ .Target }}.bom.json"
+        - cmd: ./bin/cyclonedx-gomod app -licenses -packages -std -json -output "{{ .ProjectName }}_{{ .Version }}_{{ .Target }}.bom.json"
           env:
             - GOARCH={{ .Arch }}
             - GOOS={{ .Os }}

CHANGELOG.md

@@ -1,5 +1,36 @@
 # Changelog
 
+## v1.1.0 (unreleased)
+
+### Enhancements
+
+* Add option to assert detected licenses ([#96](https://github.com/CycloneDX/cyclonedx-gomod/pull/97) via [#97](https://github.com/CycloneDX/cyclonedx-gomod/pull/97))
+  * This will move licenses from `evidence/licenses` to `licenses`, which helps with SBOM ingestion in some cases
+* `app`: Add option to include packages in application SBOM ([#85](https://github.com/CycloneDX/cyclonedx-gomod/issues/85) via [#92](https://github.com/CycloneDX/cyclonedx-gomod/pull/92))
+* `app`: The `-packages` and `-files` options are now also applied to the standard library component (when `-std` is used) ([#84](https://github.com/CycloneDX/cyclonedx-gomod/issues/84) via [#92](https://github.com/CycloneDX/cyclonedx-gomod/pull/92))
+  * Thanks [TheDiveO](https://github.com/TheDiveO) for reporting!
+* Package URLs now include a `type` qualifier to better differentiate between modules and packages (via [`1c4b136`](https://github.com/CycloneDX/cyclonedx-gomod/pull/92/commits/1c4b1366ac23e6a4387f1e6d4b35b67930184aed))
+
+### Breaking Changes
+
+* `app`: `-files` can now only be used in conjunction with `-packages`
+* `app`: Files are now represented as subcomponents of packages
+
+### Miscellaneous
+
+* The `go` prefix is no longer stripped from Go versions
+  * e.g. the standard library module will now appear as `pkg:golang/[email protected]` instead of `pkg:golang/[email protected]`
+
+### Dependency Updates
+
+* Update `github.com/rs/zerolog` from `v1.25.0` to `v1.26.0`
+
+### Building and Packaging
+
+* Bump `golang` container base images from `1.17.2` to `1.17.3` (via [#95](https://github.com/CycloneDX/cyclonedx-gomod/pull/95))
+* Reference container base images by their SHA digest ([#89](https://github.com/CycloneDX/cyclonedx-gomod/issues/89) via [#90](https://github.com/CycloneDX/cyclonedx-gomod/pull/90))
+* Introduce multi-platform container image builds ([#87](https://github.com/CycloneDX/cyclonedx-gomod/issues/87) via [#90](https://github.com/CycloneDX/cyclonedx-gomod/pull/90))
+
 ## v1.0.0
 
 ### Enhancements

Dockerfile.examples

@@ -27,9 +27,13 @@ RUN apt update && \
 # Create generation script
 RUN echo "#!/bin/bash\n\n\
 cyclonedx-gomod app -json -output /examples/app_minikube-v1.23.1.bom.json -licenses -main cmd/minikube /home/cdx/minikube \n\
+cyclonedx-gomod app -json -output /examples/app_minikube-v1.23.1_with-packages.bom.json -licenses -packages -main cmd/minikube /home/cdx/minikube \n\
+cyclonedx-gomod app -json -output /examples/app_minikube-v1.23.1_with-files.bom.json -licenses -packages -files -main cmd/minikube /home/cdx/minikube \n\
 cyclonedx-gomod mod -json -output /examples/mod_minikube-v1.23.1.bom.json -licenses /home/cdx/minikube \n\
 cyclonedx-gomod bin -json -output /examples/bin_minikube-v1.23.1.bom.json -licenses -version v1.23.1 /home/cdx/minikube-linux-amd64 \n\
 cyclonedx validate --input-file /examples/app_minikube-v1.23.1.bom.json --input-format json_v1_3 --fail-on-errors \n\
+cyclonedx validate --input-file /examples/app_minikube-v1.23.1_with-packages.bom.json --input-format json_v1_3 --fail-on-errors \n\
+cyclonedx validate --input-file /examples/app_minikube-v1.23.1_with-files.bom.json --input-format json_v1_3 --fail-on-errors \n\
 cyclonedx validate --input-file /examples/mod_minikube-v1.23.1.bom.json --input-format json_v1_3 --fail-on-errors \n\
 cyclonedx validate --input-file /examples/bin_minikube-v1.23.1.bom.json --input-format json_v1_3 --fail-on-errors \n\
 " > /home/cdx/generate-examples.sh

README.md

@@ -102,9 +102,13 @@ for each target in the build matrix.
 The -main flag should be used to specify the path to the application's main package.
 It must point to a directory within MODULE_PATH. If not set, MODULE_PATH is assumed.
 
+In order to not only include modules, but also the packages within them,
+the -packages flag can be used. Packages are represented as subcomponents of modules.
+
 By passing -files, all files that would be included in a binary will be attached
-as subcomponents of their respective module. File versions follow the v0.0.0-SHORTHASH pattern, 
+as subcomponents of their respective package. File versions follow the v0.0.0-SHORTHASH pattern, 
 where SHORTHASH is the first 12 characters of the file's SHA1 hash.
+Because files are subcomponents of packages, -files can only be used in conjunction with -packages.
 
 Examples:
   $ GOARCH=arm64 GOOS=linux GOFLAGS="-tags=foo,bar" cyclonedx-gomod app -output linux-arm64.bom.xml
@@ -118,8 +122,10 @@ FLAGS
   -main ...               Path to the application's main package, relative to MODULE_PATH
   -noserial=false         Omit serial number
   -output -               Output file path (or - for STDOUT)
+  -packages=false         Include packages
   -serial ...             Serial number
   -std=false              Include Go standard library as component and dependency of the module
+  -verbose=false          Enable verbose output
 ```
 
 #### `bin`

e2e/cmd_app_test.go

@@ -66,9 +66,27 @@ func TestAppCmdSimpleWithFiles(t *testing.T) {
 			ResolveLicenses: true,
 			SerialNumber:    zeroUUID.String(),
 		},
-		ModuleDir:    fixturePath,
-		Main:         "",
-		IncludeFiles: true,
+		ModuleDir:       fixturePath,
+		Main:            "",
+		IncludeFiles:    true,
+		IncludePackages: true,
+	}
+
+	runSnapshotIT(t, &appOptions.OutputOptions, func() error { return appcmd.Exec(appOptions) })
+}
+
+func TestAppCmdSimpleWithPackages(t *testing.T) {
+	fixturePath := extractFixture(t, "./testdata/modcmd/simple.tar.gz")
+
+	appOptions := appcmd.Options{
+		SBOMOptions: options.SBOMOptions{
+			Reproducible:    true,
+			ResolveLicenses: true,
+			SerialNumber:    zeroUUID.String(),
+		},
+		ModuleDir:       fixturePath,
+		Main:            "",
+		IncludePackages: true,
 	}
 
 	runSnapshotIT(t, &appOptions.OutputOptions, func() error { return appcmd.Exec(appOptions) })
@@ -131,9 +149,27 @@ func TestAppCmdVendoredWithFiles(t *testing.T) {
 			ResolveLicenses: true,
 			SerialNumber:    zeroUUID.String(),
 		},
-		ModuleDir:    fixturePath,
-		Main:         "",
-		IncludeFiles: true,
+		ModuleDir:       fixturePath,
+		Main:            "",
+		IncludeFiles:    true,
+		IncludePackages: true,
+	}
+
+	runSnapshotIT(t, &appOptions.OutputOptions, func() error { return appcmd.Exec(appOptions) })
+}
+
+func TestAppCmdVendoredWithPackages(t *testing.T) {
+	fixturePath := extractFixture(t, "./testdata/modcmd/vendored.tar.gz")
+
+	appOptions := appcmd.Options{
+		SBOMOptions: options.SBOMOptions{
+			Reproducible:    true,
+			ResolveLicenses: true,
+			SerialNumber:    zeroUUID.String(),
+		},
+		ModuleDir:       fixturePath,
+		Main:            "",
+		IncludePackages: true,
 	}
 
 	runSnapshotIT(t, &appOptions.OutputOptions, func() error { return appcmd.Exec(appOptions) })

e2e/testdata/snapshots/TestAppCmdSimple

@@ -1,21 +1,21 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:00000000-0000-0000-0000-000000000000" version="1">
   <metadata>
-    <component bom-ref="pkg:golang/[email protected]" type="application">
+    <component bom-ref="pkg:golang/[email protected]?type=module" type="application">
       <name>testmod-simple</name>
       <version>v0.0.0-20210716183230-c7ea7c975ab8</version>
-      <purl>pkg:golang/[email protected]</purl>
+      <purl>pkg:golang/[email protected]?type=module</purl>
     </component>
   </metadata>
   <components>
-    <component bom-ref="pkg:golang/github.com/google/[email protected]" type="library">
+    <component bom-ref="pkg:golang/github.com/google/[email protected]?type=module" type="library">
       <name>github.com/google/uuid</name>
       <version>v1.2.0</version>
       <scope>required</scope>
       <hashes>
         <hash alg="SHA-256">a8962d5e72515a6a5eee6ff75e5ca1aec2eb11446a1d1336931ce8c57ab2503b</hash>
       </hashes>
-      <purl>pkg:golang/github.com/google/[email protected]</purl>
+      <purl>pkg:golang/github.com/google/[email protected]?type=module</purl>
       <externalReferences>
         <reference type="vcs">
           <url>https://github.com/google/uuid</url>
@@ -31,9 +31,9 @@
     </component>
   </components>
   <dependencies>
-    <dependency ref="pkg:golang/[email protected]">
-      <dependency ref="pkg:golang/github.com/google/[email protected]"></dependency>
+    <dependency ref="pkg:golang/[email protected]?type=module">
+      <dependency ref="pkg:golang/github.com/google/[email protected]?type=module"></dependency>
     </dependency>
-    <dependency ref="pkg:golang/github.com/google/[email protected]"></dependency>
+    <dependency ref="pkg:golang/github.com/google/[email protected]?type=module"></dependency>
   </dependencies>
 </bom>

e2e/testdata/snapshots/TestAppCmdSimpleAssertLicenses

@@ -1,14 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:00000000-0000-0000-0000-000000000000" version="1">
   <metadata>
-    <component bom-ref="pkg:golang/[email protected]" type="application">
+    <component bom-ref="pkg:golang/[email protected]?type=module" type="application">
       <name>testmod-simple</name>
       <version>v0.0.0-20210716183230-c7ea7c975ab8</version>
-      <purl>pkg:golang/[email protected]</purl>
+      <purl>pkg:golang/[email protected]?type=module</purl>
     </component>
   </metadata>
   <components>
-    <component bom-ref="pkg:golang/github.com/google/[email protected]" type="library">
+    <component bom-ref="pkg:golang/github.com/google/[email protected]?type=module" type="library">
       <name>github.com/google/uuid</name>
       <version>v1.2.0</version>
       <scope>required</scope>
@@ -20,7 +20,7 @@
           <id>BSD-3-Clause</id>
         </license>
       </licenses>
-      <purl>pkg:golang/github.com/google/[email protected]</purl>
+      <purl>pkg:golang/github.com/google/[email protected]?type=module</purl>
       <externalReferences>
         <reference type="vcs">
           <url>https://github.com/google/uuid</url>
@@ -29,9 +29,9 @@
     </component>
   </components>
   <dependencies>
-    <dependency ref="pkg:golang/[email protected]">
-      <dependency ref="pkg:golang/github.com/google/[email protected]"></dependency>
+    <dependency ref="pkg:golang/[email protected]?type=module">
+      <dependency ref="pkg:golang/github.com/google/[email protected]?type=module"></dependency>
     </dependency>
-    <dependency ref="pkg:golang/github.com/google/[email protected]"></dependency>
+    <dependency ref="pkg:golang/github.com/google/[email protected]?type=module"></dependency>
   </dependencies>
 </bom>

e2e/testdata/snapshots/TestAppCmdSimpleMultiCommandPURL

@@ -1,21 +1,21 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:00000000-0000-0000-0000-000000000000" version="1">
   <metadata>
-    <component bom-ref="pkg:golang/[email protected]#cmd/purl" type="application">
+    <component bom-ref="pkg:golang/[email protected]?type=module#cmd/purl" type="application">
       <name>testmod-simple</name>
       <version>v0.0.0-20210901192510-dc2d14d2351d</version>
-      <purl>pkg:golang/[email protected]#cmd/purl</purl>
+      <purl>pkg:golang/[email protected]?type=module#cmd/purl</purl>
     </component>
   </metadata>
   <components>
-    <component bom-ref="pkg:golang/github.com/package-url/[email protected]" type="library">
+    <component bom-ref="pkg:golang/github.com/package-url/[email protected]?type=module" type="library">
       <name>github.com/package-url/packageurl-go</name>
       <version>v0.1.0</version>
       <scope>required</scope>
       <hashes>
         <hash alg="SHA-256">79f58173df0efdd059460d69c36c620f3a2f9e532309af4d3e77da88176e87c2</hash>
       </hashes>
-      <purl>pkg:golang/github.com/package-url/[email protected]</purl>
+      <purl>pkg:golang/github.com/package-url/[email protected]?type=module</purl>
       <externalReferences>
         <reference type="vcs">
           <url>https://github.com/package-url/packageurl-go</url>
@@ -24,9 +24,9 @@
     </component>
   </components>
   <dependencies>
-    <dependency ref="pkg:golang/[email protected]#cmd/purl">
-      <dependency ref="pkg:golang/github.com/package-url/[email protected]"></dependency>
+    <dependency ref="pkg:golang/[email protected]?type=module#cmd/purl">
+      <dependency ref="pkg:golang/github.com/package-url/[email protected]?type=module"></dependency>
     </dependency>
-    <dependency ref="pkg:golang/github.com/package-url/[email protected]"></dependency>
+    <dependency ref="pkg:golang/github.com/package-url/[email protected]?type=module"></dependency>
   </dependencies>
 </bom>

e2e/testdata/snapshots/TestAppCmdSimpleMultiCommandUUID

@@ -1,21 +1,21 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:00000000-0000-0000-0000-000000000000" version="1">
   <metadata>
-    <component bom-ref="pkg:golang/[email protected]#cmd/uuid" type="application">
+    <component bom-ref="pkg:golang/[email protected]?type=module#cmd/uuid" type="application">
       <name>testmod-simple</name>
       <version>v0.0.0-20210901192510-dc2d14d2351d</version>
-      <purl>pkg:golang/[email protected]#cmd/uuid</purl>
+      <purl>pkg:golang/[email protected]?type=module#cmd/uuid</purl>
     </component>
   </metadata>
   <components>
-    <component bom-ref="pkg:golang/github.com/google/[email protected]" type="library">
+    <component bom-ref="pkg:golang/github.com/google/[email protected]?type=module" type="library">
       <name>github.com/google/uuid</name>
       <version>v1.2.0</version>
       <scope>required</scope>
       <hashes>
         <hash alg="SHA-256">a8962d5e72515a6a5eee6ff75e5ca1aec2eb11446a1d1336931ce8c57ab2503b</hash>
       </hashes>
-      <purl>pkg:golang/github.com/google/[email protected]</purl>
+      <purl>pkg:golang/github.com/google/[email protected]?type=module</purl>
       <externalReferences>
         <reference type="vcs">
           <url>https://github.com/google/uuid</url>
@@ -31,9 +31,9 @@
     </component>
   </components>
   <dependencies>
-    <dependency ref="pkg:golang/[email protected]#cmd/uuid">
-      <dependency ref="pkg:golang/github.com/google/[email protected]"></dependency>
+    <dependency ref="pkg:golang/[email protected]?type=module#cmd/uuid">
+      <dependency ref="pkg:golang/github.com/google/[email protected]?type=module"></dependency>
     </dependency>
-    <dependency ref="pkg:golang/github.com/google/[email protected]"></dependency>
+    <dependency ref="pkg:golang/github.com/google/[email protected]?type=module"></dependency>
   </dependencies>
 </bom>