Class: SBOM Private

Inherits:
Object show all
Defined in:
sbom.rb

Overview

This class is part of a private API. This class may only be used in the Homebrew/brew repository. Third parties should avoid using this class if possible, as it may be removed or changed without warning.

Rather than calling new directly, use one of the class methods like SBOM.create.

Constant Summary collapse

FILENAME =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

"sbom.spdx.json"
SCHEMA_URL =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

"https://spdx.github.io/spdx-3-model/model.jsonld"
SCHEMA_FILENAME =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

"sbom.spdx.schema.3.json"
SCHEMA_CACHE_TARGET =

This constant is part of a private API. This constant may only be used in the Homebrew/brew repository. Third parties should avoid using this constant if possible, as it may be removed or changed without warning.

(HOMEBREW_CACHE/"sbom/#{SCHEMA_FILENAME}").freeze

Class Method Summary collapse

Instance Method Summary collapse

Class Method Details

.create(formula, tab) ⇒ T.attached_class

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Instantiates a SBOM for a new installation of a formula.

Parameters:

Returns:

  • (T.attached_class)


19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
# File 'sbom.rb', line 19

def self.create(formula, tab)
  active_spec = if formula.stable?
    T.must(formula.stable)
  else
    T.must(formula.head)
  end
  active_spec_sym = formula.active_spec_sym

  attributes = {
    name:                 formula.name,
    homebrew_version:     HOMEBREW_VERSION,
    spdxfile:             SBOM.spdxfile(formula),
    time:                 tab.time,
    source_modified_time: tab.source_modified_time.to_i,
    compiler:             tab.compiler,
    stdlib:               tab.stdlib,
    runtime_dependencies: SBOM.runtime_deps_hash(Array(tab.runtime_dependencies)),
    license:              SPDX.license_expression_to_string(formula.license),
    built_on:             DevelopmentTools.build_system_info,
    source:               {
      path:         formula.specified_path.to_s,
      tap:          formula.tap&.name,
      tap_git_head: nil, # Filled in later if possible
      spec:         active_spec_sym.to_s,
      patches:      active_spec.patches,
      bottle:       formula.bottle_hash,
      active_spec_sym =>       {
        version:  active_spec.version,
        url:      active_spec.url,
        checksum: active_spec.checksum,
      },
    },
  }

  # We can only get `tap_git_head` if the tap is installed locally
  attributes[:source][:tap_git_head] = T.must(formula.tap).git_head if formula.tap&.installed?

  new(attributes)
end

.exist?(formula) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:

  • (Boolean)


81
82
83
# File 'sbom.rb', line 81

def self.exist?(formula)
  spdxfile(formula).exist?
end

.fetch_schema!Hash{String => String}

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Returns:



86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# File 'sbom.rb', line 86

def self.fetch_schema!
  return @schema if @schema.present?

  url = SCHEMA_URL
  target = SCHEMA_CACHE_TARGET
  quieter = target.exist? && !target.empty?

  curl_args = Utils::Curl.curl_args(retries: 0)
  curl_args += ["--silent", "--time-cond", target.to_s] if quieter

  begin
    unless quieter
      oh1 "Fetching SBOM schema"
      ohai "Downloading #{url}"
    end
    Utils::Curl.curl_download(*curl_args, url, to: target, retries: 0)
    FileUtils.touch(target, mtime: Time.now)
  rescue ErrorDuringExecution
    target.unlink if target.exist? && target.empty?

    if target.exist?
      opoo "SBOM schema update failed, falling back to cached version."
    else
      opoo "Failed to fetch SBOM schema, cannot perform SBOM validation!"

      return {}
    end
  end

  @schema = begin
    JSON.parse(target.read, freeze: true)
  rescue JSON::ParserError
    target.unlink
    opoo "Failed to fetch SBOM schema, cached version corrupted, cannot perform SBOM validation!"
    {}
  end
end

.runtime_deps_hash(deps) ⇒ Array<Hash{String => String}>

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:



65
66
67
68
69
70
71
72
73
74
75
76
77
78
# File 'sbom.rb', line 65

def self.runtime_deps_hash(deps)
  deps.map do |dep|
    full_name = dep.fetch("full_name")
    dep_formula = Formula[full_name]
    {
      "full_name"           => full_name,
      "pkg_version"         => dep.fetch("pkg_version"),
      "name"                => dep_formula.name,
      "license"             => SPDX.license_expression_to_string(dep_formula.license),
      "bottle"              => dep_formula.bottle_hash,
      "formula_pkg_version" => dep_formula.pkg_version.to_s,
    }
  end
end

.spdxfile(formula) ⇒ Pathname

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

Returns:



60
61
62
# File 'sbom.rb', line 60

def self.spdxfile(formula)
  formula.prefix/FILENAME
end

Instance Method Details

#valid?(bottling: false) ⇒ Boolean

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

Parameters:

  • bottling (Boolean) (defaults to: false)

Returns:

  • (Boolean)


125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
# File 'sbom.rb', line 125

def valid?(bottling: false)
  unless require? "json_schemer"
    error_message = "Need json_schemer to validate SBOM, run `brew install-bundler-gems --add-groups=bottle`!"
    odie error_message if ENV["HOMEBREW_ENFORCE_SBOM"]
    return false
  end

  schema = SBOM.fetch_schema!
  if schema.blank?
    error_message = "Could not fetch JSON schema to validate SBOM!"
    ENV["HOMEBREW_ENFORCE_SBOM"] ? odie(error_message) : opoo(error_message)
    return false
  end

  schemer = JSONSchemer.schema(schema)
  data = to_spdx_sbom(bottling:)
  return true if schemer.valid?(data)

  opoo "SBOM validation errors:"
  schemer.validate(data).to_a.each do |error|
    puts error["error"]
  end

  odie "Failed to validate SBOM against JSON schema!" if ENV["HOMEBREW_ENFORCE_SBOM"]

  false
end

#write(validate: true, bottling: false) ⇒ void

This method is part of a private API. This method may only be used in the Homebrew/brew repository. Third parties should avoid using this method if possible, as it may be removed or changed without warning.

This method returns an undefined value.

Parameters:

  • validate (Boolean) (defaults to: true)
  • bottling (Boolean) (defaults to: false)


154
155
156
157
158
159
160
161
162
163
164
165
# File 'sbom.rb', line 154

def write(validate: true, bottling: false)
  # If this is a new installation, the cache of installed formulae
  # will no longer be valid.
  Formula.clear_cache unless spdxfile.exist?

  if validate && !valid?(bottling:)
    opoo "SBOM is not valid, not writing to disk!"
    return
  end

  spdxfile.atomic_write(JSON.pretty_generate(to_spdx_sbom(bottling:)))
end