
GH-8: Add support for files #10

Closed patriksvensson closed 1 year ago

patriksvensson commented 1 year ago

This PR adds support for adding arbitrary files to an SBOM.

Configuration

I've added a new section in the Covenant configuration file that describes what files should be included in the SBOM. File paths can include glob patterns. Licenses are optional.

{
    "files": [
        {
            "path": "./files/lol.txt",
            "license": "MIT"
        },
        {
            "path": "./**/foo.c"
        }
    ],
    "licenses": { 
        "banned": [
            "MIT"
        ]
    }
}

Generated SBOM

```json { "Name": "ConsoleApp1", "Version": "0.0.0", "ToolVendor": "Covenant", "ToolVersion": "1.0.0+e31bbe2cab3b2a93524161040052a69efca08caa", "Files": [ { "Path": "files/lol.txt", "License": { "Id": "MIT" }, "Hash": { "Algorithm": "SHA1", "Content": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709" } } ], "Components": [ { "Data": "1.0.0", "UUID": "587a9cc3-833a-4707-8b00-4c88ae7506a5", "Purl": "pkg:covenant/dotnet/ConsoleApp1@1.0.0", "Name": "ConsoleApp1", "Version": "1.0.0", "Groups": [ "ConsoleApp1.sln" ], "IsRoot": true }, { "Data": "0.46.0", "UUID": "679127ba-5437-4ed2-b06e-77e1041eb39e", "Purl": "pkg:nuget/Spectre.Console@0.46.0", "Name": "Spectre.Console", "Version": "0.46.0", "Kind": "Library", "Copyright": "Patrik Svensson, Phil Scott, Nils Andresen", "Hash": { "Algorithm": "SHA512", "Content": "E02BD9917D0C8C16657F51A0B945833AB0EBE0B6C69D4C272DAE1E0970A507EB827CCC51EC2C3E54B76D98FAD8837A6168977C3DA3C8FC9EA57D93F5511699CC" }, "License": { "Id": "MIT", "Name": "MIT License", "Url": "https://licenses.nuget.org/MIT" } }, { "Data": "4.5.5", "UUID": "9386da34-6c87-427f-83c7-8a2e8a8999d4", "Purl": "pkg:nuget/System.Memory@4.5.5", "Name": "System.Memory", "Version": "4.5.5", "Kind": "Library", "Copyright": "© Microsoft Corporation. All rights reserved.", "Hash": { "Algorithm": "SHA512", "Content": "E8C8E536C97B94AC3443C940B30DAD43CF6E97DC7A8C3D989371048FE74E168606384F5E0143BDC0D86F7783BF9FDEE8417964CB3A8A5D752713E90B125172DC" }, "License": { "Id": "MIT", "Url": "https://github.com/dotnet/corefx/blob/master/LICENSE.TXT" } } ], "Dependencies": [ { "Purl": "pkg:nuget/Spectre.Console@0.46.0", "Dependencies": [ "pkg:nuget/System.Memory@4.5.5" ] } ] } ```

Third Party SBOM

SPDX ```json { "SPDXID": "SPDXRef-DOCUMENT", "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "name": "ConsoleApp1", "documentNamespace": "http://spdx.org/spdxdocs/ConsoleApp1-0.0.0-e0b5b30d-16e0-46bc-8992-06b1694ec81d", "creationInfo": { "licenseListVersion": "3.18", "created": "2023-04-16T17:18:12Z", "creators": [ "Tool: Covenant" ] }, "packages": [ { "SPDXID": "SPDXRef-ConsoleApp1-675f0f39-12dd-40b6-8098-d6deadf7f9d1", "name": "ConsoleApp1", "versionInfo": "0.0.0", "copyrightText": "NOASSERTION", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION" }, { "SPDXID": "SPDXRef-Spectre.Console-6161e6e0-6ee2-47d1-b756-9f03981b32e3", "name": "Spectre.Console", "versionInfo": "0.46.0", "checksums": [ { "algorithm": "SHA512", "checksumValue": "E02BD9917D0C8C16657F51A0B945833AB0EBE0B6C69D4C272DAE1E0970A507EB827CCC51EC2C3E54B76D98FAD8837A6168977C3DA3C8FC9EA57D93F5511699CC" } ], "copyrightText": "Patrik Svensson, Phil Scott, Nils Andresen", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "MIT", "licenseDeclared": "MIT", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:nuget/Spectre.Console@0.46.0" } ] }, { "SPDXID": "SPDXRef-System.Memory-77916b38-6b07-4977-82e6-e65575a4f9d1", "name": "System.Memory", "versionInfo": "4.5.5", "checksums": [ { "algorithm": "SHA512", "checksumValue": "E8C8E536C97B94AC3443C940B30DAD43CF6E97DC7A8C3D989371048FE74E168606384F5E0143BDC0D86F7783BF9FDEE8417964CB3A8A5D752713E90B125172DC" } ], "copyrightText": "© Microsoft Corporation. 
All rights reserved.", "downloadLocation": "NOASSERTION", "filesAnalyzed": false, "licenseConcluded": "MIT", "licenseDeclared": "MIT", "externalRefs": [ { "referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": "pkg:nuget/System.Memory@4.5.5" } ] } ], "files": [ { "SPDXID": "SPDXRef-files-lol.txt", "fileName": "files/lol.txt", "licenseConcluded": "MIT", "checksums": [ { "algorithm": "SHA1", "checksumValue": "DA39A3EE5E6B4B0D3255BFEF95601890AFD80709" } ] } ], "relationships": [ { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-files-lol.txt", "relationshipType": "DESCRIBES" }, { "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-ConsoleApp1-675f0f39-12dd-40b6-8098-d6deadf7f9d1", "relationshipType": "CONTAINS" }, { "spdxElementId": "SPDXRef-Spectre.Console-6161e6e0-6ee2-47d1-b756-9f03981b32e3", "relatedSpdxElement": "SPDXRef-System.Memory-77916b38-6b07-4977-82e6-e65575a4f9d1", "relationshipType": "DEPENDS_ON" } ] } ```
CycloneDX ```xml Covenant Covenant 1.0.0+e31bbe2cab3b2a93524161040052a69efca08caa ConsoleApp1 0.0.0 ConsoleApp1 true 2023-04-16T17:18:26.4822257Z 3 1 ConsoleApp1.sln files/lol.txt DA39A3EE5E6B4B0D3255BFEF95601890AFD80709 MIT ConsoleApp1 1.0.0 pkg:covenant/dotnet/ConsoleApp1@1.0.0 true ConsoleApp1.sln Spectre.Console 0.46.0 E02BD9917D0C8C16657F51A0B945833AB0EBE0B6C69D4C272DAE1E0970A507EB827CCC51EC2C3E54B76D98FAD8837A6168977C3DA3C8FC9EA57D93F5511699CC MIT https://licenses.nuget.org/MIT pkg:nuget/Spectre.Console@0.46.0 System.Memory 4.5.5 E8C8E536C97B94AC3443C940B30DAD43CF6E97DC7A8C3D989371048FE74E168606384F5E0143BDC0D86F7783BF9FDEE8417964CB3A8A5D752713E90B125172DC MIT https://github.com/dotnet/corefx/blob/master/LICENSE.TXT pkg:nuget/System.Memory@4.5.5 ```