Class: SBOM Private
Overview
This class is part of a private API. This class may only be used in the Homebrew/brew repository. Third parties should avoid using this class if possible, as it may be removed or changed without warning.
Rather than calling new
directly, use one of the class methods like SBOM.create.
Constant Summary collapse
- FILENAME =
This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.
"sbom.spdx.json"
- SCHEMA_URL =
This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.
"https://spdx.github.io/spdx-3-model/model.jsonld"
- SCHEMA_FILENAME =
This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.
"sbom.spdx.schema.3.json"
- SCHEMA_CACHE_TARGET =
This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.
(HOMEBREW_CACHE/"sbom/#{SCHEMA_FILENAME}").freeze
Class Method Summary collapse
-
.create(formula, tab) ⇒ T.attached_class
private
Instantiates a SBOM for a new installation of a formula.
- .exist?(formula) ⇒ Boolean private
- .fetch_schema! ⇒ Hash{String => String} private
- .runtime_deps_hash(deps) ⇒ Array<Hash{String => String}> private
- .spdxfile(formula) ⇒ Pathname private
Instance Method Summary collapse
Class Method Details
.create(formula, tab) ⇒ T.attached_class
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
Instantiates a SBOM for a new installation of a formula.
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 |
# File 'sbom.rb', line 19 def self.create(formula, tab) active_spec = if formula.stable? T.must(formula.stable) else T.must(formula.head) end active_spec_sym = formula.active_spec_sym homebrew_version_maybe_dev = if (match_data = HOMEBREW_VERSION.match(/^[\d.]+/)) suffix = "-dev" if HOMEBREW_VERSION.include?("-") match_data[0] + suffix.to_s else HOMEBREW_VERSION end attributes = { name: formula.name, homebrew_version: homebrew_version_maybe_dev, spdxfile: SBOM.spdxfile(formula), time: tab.time, source_modified_time: tab.source_modified_time.to_i, compiler: tab.compiler, stdlib: tab.stdlib, runtime_dependencies: SBOM.runtime_deps_hash(Array(tab.runtime_dependencies)), license: SPDX.license_expression_to_string(formula.license), built_on: DevelopmentTools.build_system_info, source: { path: formula.specified_path.to_s, tap: formula.tap&.name, tap_git_head: nil, # Filled in later if possible spec: active_spec_sym.to_s, patches: active_spec.patches, bottle: formula.bottle_hash, active_spec_sym => { version: active_spec.version, url: active_spec.url, checksum: active_spec.checksum, }, }, } # We can only get `tap_git_head` if the tap is installed locally attributes[:source][:tap_git_head] = T.must(formula.tap).git_head if formula.tap&.installed? new(attributes) end |
.exist?(formula) ⇒ Boolean
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
88 89 90 |
# File 'sbom.rb', line 88 def self.exist?(formula) spdxfile(formula).exist? end |
.fetch_schema! ⇒ Hash{String => String}
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 |
# File 'sbom.rb', line 93 def self.fetch_schema! return @schema if @schema.present? url = SCHEMA_URL target = SCHEMA_CACHE_TARGET quieter = target.exist? && !target.empty? curl_args = Utils::Curl.curl_args(retries: 0) curl_args += ["--silent", "--time-cond", target.to_s] if quieter begin unless quieter oh1 "Fetching SBOM schema" ohai "Downloading #{url}" end Utils::Curl.curl_download(*curl_args, url, to: target, retries: 0) FileUtils.touch(target, mtime: Time.now) rescue ErrorDuringExecution target.unlink if target.exist? && target.empty? if target.exist? opoo "SBOM schema update failed, falling back to cached version." else opoo "Failed to fetch SBOM schema, cannot perform SBOM validation!" return {} end end @schema = begin JSON.parse(target.read, freeze: true) rescue JSON::ParserError target.unlink opoo "Failed to fetch SBOM schema, cached version corrupted, cannot perform SBOM validation!" {} end end |
.runtime_deps_hash(deps) ⇒ Array<Hash{String => String}>
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
72 73 74 75 76 77 78 79 80 81 82 83 84 85 |
# File 'sbom.rb', line 72 def self.runtime_deps_hash(deps) deps.map do |dep| full_name = dep.fetch("full_name") dep_formula = Formula[full_name] { "full_name" => full_name, "pkg_version" => dep.fetch("pkg_version"), "name" => dep_formula.name, "license" => SPDX.license_expression_to_string(dep_formula.license), "bottle" => dep_formula.bottle_hash, "formula_pkg_version" => dep_formula.pkg_version.to_s, } end end |
.spdxfile(formula) ⇒ Pathname
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
67 68 69 |
# File 'sbom.rb', line 67 def self.spdxfile(formula) formula.prefix/FILENAME end |
Instance Method Details
#valid?(bottling: false) ⇒ Boolean
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 |
# File 'sbom.rb', line 132 def valid?(bottling: false) unless require? "json_schemer" = "Need json_schemer to validate SBOM, run `brew install-bundler-gems --add-groups=bottle`!" odie if ENV["HOMEBREW_ENFORCE_SBOM"] return true end schema = SBOM.fetch_schema! if schema.blank? = "Could not fetch JSON schema to validate SBOM!" ENV["HOMEBREW_ENFORCE_SBOM"] ? odie() : opoo() return false end schemer = JSONSchemer.schema(schema) data = to_spdx_sbom(bottling:) return true if schemer.valid?(data) opoo "SBOM validation errors:" schemer.validate(data).to_a.each do |error| puts error["error"] end odie "Failed to validate SBOM against JSON schema!" if ENV["HOMEBREW_ENFORCE_SBOM"] false end |
#write(validate: true, bottling: false) ⇒ void
This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.
This method returns an undefined value.
161 162 163 164 165 166 167 168 169 170 171 172 |
# File 'sbom.rb', line 161 def write(validate: true, bottling: false) # If this is a new installation, the cache of installed formulae # will no longer be valid. Formula.clear_cache unless spdxfile.exist? if validate && !valid?(bottling:) opoo "SBOM is not valid, not writing to disk!" return end spdxfile.atomic_write(JSON.pretty_generate(to_spdx_sbom(bottling:))) end |