Class: SBOM Private
Overview
This class is part of a private API. This class may only be used in the Homebrew/brew repository. Third parties should avoid using this class if possible, as it may be removed or changed without warning.
Rather than calling new directly, use one of the class methods like SBOM.create.
Constant Summary
- FILENAME = "sbom.spdx.json"
  This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.
- SCHEMA_FILE = (HOMEBREW_LIBRARY_PATH/"data/schemas/sbom.json").freeze
  This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.
Class Method Summary
- .create(formula, tab) ⇒ T.attached_class private
  Instantiates a SBOM for a new installation of a formula.
- .exist?(formula) ⇒ Boolean private
- .runtime_deps_hash(deps) ⇒ Array<Hash{String => String}> private
- .schema ⇒ Hash{String => T.untyped} private
- .spdxfile(formula) ⇒ Pathname private
Instance Method Summary
- #schema_validation_errors(bottling: false) ⇒ Array<Hash{String => T.untyped}> private
- #valid?(bottling: false) ⇒ Boolean private
- #write(validate: true, bottling: false) ⇒ void private
Class Method Details
.create(formula, tab) ⇒ T.attached_class
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
Instantiates a SBOM for a new installation of a formula.
# File 'sbom.rb', line 17
def self.create(formula, tab)
  active_spec = if formula.stable?
    T.must(formula.stable)
  else
    T.must(formula.head)
  end
  active_spec_sym = formula.active_spec_sym

  attributes = {
    name:                 formula.name,
    homebrew_version:     HOMEBREW_VERSION,
    spdxfile:             SBOM.spdxfile(formula),
    time:                 tab.time || Time.now,
    source_modified_time: tab.source_modified_time.to_i,
    compiler:             tab.compiler,
    stdlib:               tab.stdlib,
    runtime_dependencies: SBOM.runtime_deps_hash(Array(tab.runtime_dependencies)),
    license:              SPDX.license_expression_to_string(formula.license),
    built_on:             DevelopmentTools.build_system_info,
    source:               {
      path:         formula.specified_path.to_s,
      tap:          formula.tap&.name,
      tap_git_head: nil, # Filled in later if possible
      spec:         active_spec_sym.to_s,
      patches:      active_spec.patches,
      bottle:       formula.bottle_hash,
      active_spec_sym => {
        version:  active_spec.version,
        url:      active_spec.url,
        checksum: active_spec.checksum,
      },
    },
  }

  # We can only get `tap_git_head` if the tap is installed locally
  attributes[:source][:tap_git_head] = T.must(formula.tap).git_head if formula.tap&.installed?

  new(attributes)
end
.exist?(formula) ⇒ Boolean
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
# File 'sbom.rb', line 79
def self.exist?(formula)
  spdxfile(formula).exist?
end
.runtime_deps_hash(deps) ⇒ Array<Hash{String => String}>
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
# File 'sbom.rb', line 63
def self.runtime_deps_hash(deps)
  deps.map do |dep|
    full_name = dep.fetch("full_name")
    dep_formula = Formula[full_name]

    {
      "full_name"           => full_name,
      "pkg_version"         => dep.fetch("pkg_version"),
      "name"                => dep_formula.name,
      "license"             => SPDX.license_expression_to_string(dep_formula.license),
      "bottle"              => dep_formula.bottle_hash,
      "formula_pkg_version" => dep_formula.pkg_version.to_s,
    }
  end
end
.schema ⇒ Hash{String => T.untyped}
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
# File 'sbom.rb', line 84
def self.schema
  @schema ||= JSON.parse(SCHEMA_FILE.read, freeze: true)
end
.spdxfile(formula) ⇒ Pathname
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
# File 'sbom.rb', line 58
def self.spdxfile(formula)
  formula.prefix/FILENAME
end
Instance Method Details
#schema_validation_errors(bottling: false) ⇒ Array<Hash{String => T.untyped}>
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
# File 'sbom.rb', line 89
def schema_validation_errors(bottling: false)
  unless require? "json_schemer"
    error_message = "Need json_schemer to validate SBOM, run `brew install-bundler-gems --add-groups=bottle`!"
    odie error_message if ENV["HOMEBREW_ENFORCE_SBOM"]
    return []
  end

  schemer = JSONSchemer.schema(SBOM.schema)
  data = to_spdx_sbom(bottling:)
  schemer.validate(data).map { |error| error["error"] }
end
#valid?(bottling: false) ⇒ Boolean
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
# File 'sbom.rb', line 103
def valid?(bottling: false)
  validation_errors = schema_validation_errors(bottling:)
  return true if validation_errors.empty?

  opoo "SBOM validation errors:"
  validation_errors.each(&:puts)
  odie "Failed to validate SBOM against JSON schema!" if ENV["HOMEBREW_ENFORCE_SBOM"]
  false
end
#write(validate: true, bottling: false) ⇒ void
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
This method returns an undefined value.
# File 'sbom.rb', line 116
def write(validate: true, bottling: false)
  # If this is a new installation, the cache of installed formulae
  # will no longer be valid.
  Formula.clear_cache unless spdxfile.exist?

  if validate && !valid?(bottling:)
    opoo "SBOM is not valid, not writing to disk!"
    return
  end

  spdxfile.atomic_write(JSON.pretty_generate(to_spdx_sbom(bottling:)))
end
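The validate-then-atomic-write flow that #valid? and #write implement, shown as an added stand-alone example that is not Homebrew's code. It assumes a constructed required-key check in place of the json_schemer validation against SCHEMA_FILE (whose contents are not on this page), a constructed sample document, and an exception standing in for odie when HOMEBREW_ENFORCE_SBOM is set.

```ruby
require "json"
require "tempfile"

# Constructed stand-in for the schema SBOM.schema loads from
# data/schemas/sbom.json; the real schema is not reproduced here.
REQUIRED_KEYS = {
  "name" => String, "homebrew_version" => String,
  "license" => String, "runtime_dependencies" => Array,
}.freeze

# Constructed sample document, not real Homebrew output.
SAMPLE_SBOM = {
  "name" => "example", "homebrew_version" => "4.0.0", "license" => "MIT",
  "runtime_dependencies" => [{ "full_name" => "openssl@3", "pkg_version" => "3.0.0" }],
}.freeze

# Plays the role of #schema_validation_errors: error strings, empty on success.
def sbom_validation_errors(data)
  errors = []
  REQUIRED_KEYS.each do |key, type|
    if !data.key?(key)
      errors << "missing required key #{key.inspect}"
    elsif !data[key].is_a?(type)
      errors << "#{key.inspect} must be a #{type}, got #{data[key].class}"
    end
  end
  Array(data["runtime_dependencies"]).each_with_index do |dep, i|
    next if dep.is_a?(Hash) && dep["full_name"].is_a?(String) && dep["pkg_version"].is_a?(String)
    errors << "runtime_dependencies[#{i}] needs string full_name and pkg_version"
  end
  errors
end

# Plays the role of #write: an invalid document is never written (and aborts the
# run when HOMEBREW_ENFORCE_SBOM is set, here via an exception instead of odie);
# a valid one goes through a temp file plus rename so no reader ever sees a
# half-written sbom.spdx.json. Returns true only when the file was written.
def write_sbom(path, data, validate: true, enforce: ENV.key?("HOMEBREW_ENFORCE_SBOM"))
  errors = validate ? sbom_validation_errors(data) : []
  unless errors.empty?
    raise "Failed to validate SBOM: #{errors.join("; ")}" if enforce
    warn "SBOM is not valid, not writing to disk!"
    return false
  end
  tmp = Tempfile.create("sbom", File.dirname(path))
  tmp.write(JSON.pretty_generate(data))
  tmp.close
  File.rename(tmp.path, path)
  true
end
```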