Class: SBOM Private

Inherits:

Object

• Object
• SBOM

Includes:

Utils::Output::Mixin

Defined in:

sbom.rb

Overview

This class is part of a private API. This class may only be used in the Homebrew/brew repository. Third parties should avoid using this class if possible, as it may be removed or changed without warning.

Rather than calling new directly, use one of the class methods like SBOM.create.

Constant Summary

FILENAME =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

"sbom.spdx.json"

SCHEMA_FILE =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

(HOMEBREW_LIBRARY_PATH/"data/schemas/sbom.json").freeze

Class Method Summary

• .create(formula, tab) ⇒ T.attached_class private

  Instantiates a SBOM for a new installation of a formula.

• .exist?(formula) ⇒ Boolean private
• .runtime_deps_hash(deps) ⇒ Array<Hash{String => String}> private
• .schema ⇒ Hash{String => T.untyped} private
• .spdxfile(formula) ⇒ Pathname private

Instance Method Summary

• #schema_validation_errors(bottling: false) ⇒ Array<Hash{String => T.untyped}> private
• #valid?(bottling: false) ⇒ Boolean private
• #write(validate: true, bottling: false) ⇒ void private

Methods included from Utils::Output::Mixin

#odebug, #odeprecated, #odie, #odisabled, #ofail, #oh1, #oh1_title, #ohai, #ohai_title, #onoe, #opoo, #opoo_outside_github_actions, #pretty_duration, #pretty_installed, #pretty_outdated, #pretty_uninstalled

Class Method Details

.create(formula, tab) ⇒ T.attached_class

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Instantiates a SBOM for a new installation of a formula.

Parameters:

• formula (Formula)
• tab (Tab)

Returns:

• (T.attached_class)

# File 'sbom.rb', line 20

def self.create(formula, tab)
  active_spec = if formula.stable?
    T.must(formula.stable)
  else
    T.must(formula.head)
  end
  active_spec_sym = formula.active_spec_sym

  attributes = {
    name:                 formula.name,
    homebrew_version:     HOMEBREW_VERSION,
    spdxfile:             SBOM.spdxfile(formula),
    time:                 tab.time || Time.now,
    source_modified_time: tab.source_modified_time.to_i,
    compiler:             tab.compiler,
    stdlib:               tab.stdlib,
    runtime_dependencies: SBOM.runtime_deps_hash(Array(tab.runtime_dependencies)),
    license:              SPDX.license_expression_to_string(formula.license),
    built_on:             DevelopmentTools.build_system_info,
    source:               {
      path:         formula.specified_path.to_s,
      tap:          formula.tap&.name,
      tap_git_head: nil, # Filled in later if possible
      spec:         active_spec_sym.to_s,
      patches:      active_spec.patches,
      bottle:       formula.bottle_hash,
      active_spec_sym =>       {
        version:  active_spec.version,
        url:      active_spec.url,
        checksum: active_spec.checksum,
      },
    },
  }

  # We can only get `tap_git_head` if the tap is installed locally
  attributes[:source][:tap_git_head] = T.must(formula.tap).git_head if formula.tap&.installed?

  new(attributes)
end

.exist?(formula) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

• formula (Formula)

Returns:

• (Boolean)

# File 'sbom.rb', line 82

def self.exist?(formula)
  spdxfile(formula).exist?
end

.runtime_deps_hash(deps) ⇒ Array<Hash{String => String}>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

• deps (Array<Hash{String => String}>)

Returns:

• (Array<Hash{String => String}>)

# File 'sbom.rb', line 66

def self.runtime_deps_hash(deps)
  deps.map do |dep|
    full_name = dep.fetch("full_name")
    dep_formula = Formula[full_name]
    {
      "full_name"           => full_name,
      "pkg_version"         => dep.fetch("pkg_version"),
      "name"                => dep_formula.name,
      "license"             => SPDX.license_expression_to_string(dep_formula.license),
      "bottle"              => dep_formula.bottle_hash,
      "formula_pkg_version" => dep_formula.pkg_version.to_s,
    }
  end
end

.schema ⇒ Hash{String => T.untyped}

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:

• (Hash{String => T.untyped})

# File 'sbom.rb', line 87

def self.schema
  @schema ||= JSON.parse(SCHEMA_FILE.read, freeze: true)
end

.spdxfile(formula) ⇒ Pathname

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

• formula (Formula)

Returns:

• (Pathname)

# File 'sbom.rb', line 61

def self.spdxfile(formula)
  formula.prefix/FILENAME
end

Instance Method Details

#schema_validation_errors(bottling: false) ⇒ Array<Hash{String => T.untyped}>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

• bottling (Boolean) (defaults to: false)

Returns:

• (Array<Hash{String => T.untyped}>)

# File 'sbom.rb', line 92

def schema_validation_errors(bottling: false)
  unless Homebrew.require? "json_schemer"
    error_message = "Need json_schemer to validate SBOM, run `brew install-bundler-gems --add-groups=bottle`!"
    odie error_message if ENV["HOMEBREW_ENFORCE_SBOM"]
    return []
  end

  schemer = JSONSchemer.schema(SBOM.schema)
  data = to_spdx_sbom(bottling:)

  schemer.validate(data).map { |error| error["error"] }
end

#valid?(bottling: false) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

• bottling (Boolean) (defaults to: false)

Returns:

• (Boolean)

# File 'sbom.rb', line 106

def valid?(bottling: false)
  validation_errors = schema_validation_errors(bottling:)
  return true if validation_errors.empty?

  opoo "SBOM validation errors:"
  validation_errors.each(&:puts)

  odie "Failed to validate SBOM against JSON schema!" if ENV["HOMEBREW_ENFORCE_SBOM"]

  false
end

#write(validate: true, bottling: false) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

• validate (Boolean) (defaults to: true)
• bottling (Boolean) (defaults to: false)

# File 'sbom.rb', line 119

def write(validate: true, bottling: false)
  # If this is a new installation, the cache of installed formulae
  # will no longer be valid.
  Formula.clear_cache unless spdxfile.exist?

  if validate && !valid?(bottling:)
    opoo "SBOM is not valid, not writing to disk!"
    return
  end

  spdxfile.atomic_write(JSON.pretty_generate(to_spdx_sbom(bottling:)))
end