Class: SBOM Private

Inherits:
Object show all
Includes:
Utils::Output::Mixin
Defined in:
sbom.rb

Overview

This class is part of a private API. This class may only be used in the Homebrew/brew repository. Third parties should avoid using this class if possible, as it may be removed or changed without warning.

Rather than calling new directly, use one of the class methods like SBOM.create.

Constant Summary collapse

FILENAME =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

"sbom.spdx.json"
SCHEMA_FILE =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

(HOMEBREW_LIBRARY_PATH/"data/schemas/sbom.json").freeze

Class Method Summary collapse

Instance Method Summary collapse

Methods included from Utils::Output::Mixin

#odebug, #odeprecated, #odie, #odisabled, #ofail, #oh1, #oh1_title, #ohai, #ohai_title, #onoe, #opoo, #opoo_outside_github_actions, #pretty_duration, #pretty_installed, #pretty_outdated, #pretty_uninstalled

Class Method Details

.create(formula, tab) ⇒ T.attached_class

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Instantiates a SBOM for a new installation of a formula.

Parameters:

Returns:

  • (T.attached_class)


20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# File 'sbom.rb', line 20

def self.create(formula, tab)
  active_spec = if formula.stable?
    T.must(formula.stable)
  else
    T.must(formula.head)
  end
  active_spec_sym = formula.active_spec_sym

  attributes = {
    name:                 formula.name,
    homebrew_version:     HOMEBREW_VERSION,
    spdxfile:             SBOM.spdxfile(formula),
    time:                 tab.time || Time.now,
    source_modified_time: tab.source_modified_time.to_i,
    compiler:             tab.compiler,
    stdlib:               tab.stdlib,
    runtime_dependencies: SBOM.runtime_deps_hash(Array(tab.runtime_dependencies)),
    license:              SPDX.license_expression_to_string(formula.license),
    built_on:             DevelopmentTools.build_system_info,
    source:               {
      path:         formula.specified_path.to_s,
      tap:          formula.tap&.name,
      tap_git_head: nil, # Filled in later if possible
      spec:         active_spec_sym.to_s,
      patches:      active_spec.patches,
      bottle:       formula.bottle_hash,
      active_spec_sym =>       {
        version:  active_spec.version,
        url:      active_spec.url,
        checksum: active_spec.checksum,
      },
    },
  }

  # We can only get `tap_git_head` if the tap is installed locally
  attributes[:source][:tap_git_head] = T.must(formula.tap).git_head if formula.tap&.installed?

  new(attributes)
end

.exist?(formula) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:

  • (Boolean)


82
83
84
# File 'sbom.rb', line 82

def self.exist?(formula)
  spdxfile(formula).exist?
end

.runtime_deps_hash(deps) ⇒ Array<Hash{String => String}>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:



66
67
68
69
70
71
72
73
74
75
76
77
78
79
# File 'sbom.rb', line 66

def self.runtime_deps_hash(deps)
  deps.map do |dep|
    full_name = dep.fetch("full_name")
    dep_formula = Formula[full_name]
    {
      "full_name"           => full_name,
      "pkg_version"         => dep.fetch("pkg_version"),
      "name"                => dep_formula.name,
      "license"             => SPDX.license_expression_to_string(dep_formula.license),
      "bottle"              => dep_formula.bottle_hash,
      "formula_pkg_version" => dep_formula.pkg_version.to_s,
    }
  end
end

.schemaHash{String => T.untyped}

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



87
88
89
# File 'sbom.rb', line 87

def self.schema
  @schema ||= JSON.parse(SCHEMA_FILE.read, freeze: true)
end

.spdxfile(formula) ⇒ Pathname

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:



61
62
63
# File 'sbom.rb', line 61

def self.spdxfile(formula)
  formula.prefix/FILENAME
end

Instance Method Details

#schema_validation_errors(bottling: false) ⇒ Array<Hash{String => T.untyped}>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

  • bottling (Boolean) (defaults to: false)

Returns:



92
93
94
95
96
97
98
99
100
101
102
103
# File 'sbom.rb', line 92

def schema_validation_errors(bottling: false)
  unless Homebrew.require? "json_schemer"
    error_message = "Need json_schemer to validate SBOM, run `brew install-bundler-gems --add-groups=bottle`!"
    odie error_message if ENV["HOMEBREW_ENFORCE_SBOM"]
    return []
  end

  schemer = JSONSchemer.schema(SBOM.schema)
  data = to_spdx_sbom(bottling:)

  schemer.validate(data).map { |error| error["error"] }
end

#valid?(bottling: false) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

  • bottling (Boolean) (defaults to: false)

Returns:

  • (Boolean)


106
107
108
109
110
111
112
113
114
115
116
# File 'sbom.rb', line 106

def valid?(bottling: false)
  validation_errors = schema_validation_errors(bottling:)
  return true if validation_errors.empty?

  opoo "SBOM validation errors:"
  validation_errors.each(&:puts)

  odie "Failed to validate SBOM against JSON schema!" if ENV["HOMEBREW_ENFORCE_SBOM"]

  false
end

#write(validate: true, bottling: false) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

  • validate (Boolean) (defaults to: true)
  • bottling (Boolean) (defaults to: false)


119
120
121
122
123
124
125
126
127
128
129
130
# File 'sbom.rb', line 119

def write(validate: true, bottling: false)
  # If this is a new installation, the cache of installed formulae
  # will no longer be valid.
  Formula.clear_cache unless spdxfile.exist?

  if validate && !valid?(bottling:)
    opoo "SBOM is not valid, not writing to disk!"
    return
  end

  spdxfile.atomic_write(JSON.pretty_generate(to_spdx_sbom(bottling:)))
end