Class: SBOM Private
Overview
This class is part of a private API. This class may only be used in the Homebrew/brew repository. Third parties should avoid using this class if possible, as it may be removed or changed without warning.
Rather than calling new
directly, use one of the class methods like SBOM.create.
Constant Summary collapse
- FILENAME =
This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.
"sbom.spdx.json"
- SCHEMA_FILE =
This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.
(HOMEBREW_LIBRARY_PATH/"data/schemas/sbom.json").freeze
Class Method Summary collapse
-
.create(formula, tab) ⇒ T.attached_class
private
Instantiates a SBOM for a new installation of a formula.
- .exist?(formula) ⇒ Boolean private
- .runtime_deps_hash(deps) ⇒ Array<Hash{String => String}> private
- .schema ⇒ Hash{String => T.untyped} private
- .spdxfile(formula) ⇒ Pathname private
Instance Method Summary collapse
- #schema_validation_errors(bottling: false) ⇒ Array<Hash{String => T.untyped}> private
- #valid?(bottling: false) ⇒ Boolean private
- #write(validate: true, bottling: false) ⇒ void private
Methods included from Utils::Output::Mixin
#odebug, #odeprecated, #odie, #odisabled, #ofail, #oh1, #oh1_title, #ohai, #ohai_title, #onoe, #opoo, #opoo_outside_github_actions, #pretty_duration, #pretty_installed, #pretty_outdated, #pretty_uninstalled
Class Method Details
.create(formula, tab) ⇒ T.attached_class
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
Instantiates a SBOM for a new installation of a formula.
20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 |
# File 'sbom.rb', line 20 def self.create(formula, tab) active_spec = if formula.stable? T.must(formula.stable) else T.must(formula.head) end active_spec_sym = formula.active_spec_sym attributes = { name: formula.name, homebrew_version: HOMEBREW_VERSION, spdxfile: SBOM.spdxfile(formula), time: tab.time || Time.now, source_modified_time: tab.source_modified_time.to_i, compiler: tab.compiler, stdlib: tab.stdlib, runtime_dependencies: SBOM.runtime_deps_hash(Array(tab.runtime_dependencies)), license: SPDX.license_expression_to_string(formula.license), built_on: DevelopmentTools.build_system_info, source: { path: formula.specified_path.to_s, tap: formula.tap&.name, tap_git_head: nil, # Filled in later if possible spec: active_spec_sym.to_s, patches: active_spec.patches, bottle: formula.bottle_hash, active_spec_sym => { version: active_spec.version, url: active_spec.url, checksum: active_spec.checksum, }, }, } # We can only get `tap_git_head` if the tap is installed locally attributes[:source][:tap_git_head] = T.must(formula.tap).git_head if formula.tap&.installed? new(attributes) end |
.exist?(formula) ⇒ Boolean
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
82 83 84 |
# File 'sbom.rb', line 82 def self.exist?(formula) spdxfile(formula).exist? end |
.runtime_deps_hash(deps) ⇒ Array<Hash{String => String}>
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
66 67 68 69 70 71 72 73 74 75 76 77 78 79 |
# File 'sbom.rb', line 66 def self.runtime_deps_hash(deps) deps.map do |dep| full_name = dep.fetch("full_name") dep_formula = Formula[full_name] { "full_name" => full_name, "pkg_version" => dep.fetch("pkg_version"), "name" => dep_formula.name, "license" => SPDX.license_expression_to_string(dep_formula.license), "bottle" => dep_formula.bottle_hash, "formula_pkg_version" => dep_formula.pkg_version.to_s, } end end |
.schema ⇒ Hash{String => T.untyped}
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
87 88 89 |
# File 'sbom.rb', line 87 def self.schema @schema ||= JSON.parse(SCHEMA_FILE.read, freeze: true) end |
.spdxfile(formula) ⇒ Pathname
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
61 62 63 |
# File 'sbom.rb', line 61 def self.spdxfile(formula) formula.prefix/FILENAME end |
Instance Method Details
#schema_validation_errors(bottling: false) ⇒ Array<Hash{String => T.untyped}>
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
92 93 94 95 96 97 98 99 100 101 102 103 |
# File 'sbom.rb', line 92 def schema_validation_errors(bottling: false) unless Homebrew.require? "json_schemer" = "Need json_schemer to validate SBOM, run `brew install-bundler-gems --add-groups=bottle`!" odie if ENV["HOMEBREW_ENFORCE_SBOM"] return [] end schemer = JSONSchemer.schema(SBOM.schema) data = to_spdx_sbom(bottling:) schemer.validate(data).map { |error| error["error"] } end |
#valid?(bottling: false) ⇒ Boolean
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
106 107 108 109 110 111 112 113 114 115 116 |
# File 'sbom.rb', line 106 def valid?(bottling: false) validation_errors = schema_validation_errors(bottling:) return true if validation_errors.empty? opoo "SBOM validation errors:" validation_errors.each(&:puts) odie "Failed to validate SBOM against JSON schema!" if ENV["HOMEBREW_ENFORCE_SBOM"] false end |
#write(validate: true, bottling: false) ⇒ void
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
This method returns an undefined value.
119 120 121 122 123 124 125 126 127 128 129 130 |
# File 'sbom.rb', line 119 def write(validate: true, bottling: false) # If this is a new installation, the cache of installed formulae # will no longer be valid. Formula.clear_cache unless spdxfile.exist? if validate && !valid?(bottling:) opoo "SBOM is not valid, not writing to disk!" return end spdxfile.atomic_write(JSON.pretty_generate(to_spdx_sbom(bottling:))) end |