deptool: added support for generating CycloneDX JSON SBOMs

jakub-nt · jakub-nt · commit 0856043ba905 · 2025-04-01T19:34:33.000+02:00
Signed-off-by: jakub-nt &lt;175944085+jakub-nt@users.noreply.github.com&gt;
diff --git a/scripts/README.md b/scripts/README.md
@@ -2,6 +2,7 @@
 
 `deptool.py` is a script which can be used to enumerate dependencies of CFEngine.
 It supports printing to stdout in the Markdown table format, and printing to file in the JSON format (see `--to-json`).
+It can also generate basic SBOMs in the CycloneDX JSON format (see [below](https://github.com/cfengine/buildscripts/tree/master/scripts#generating-cyclonedx-json-sboms) for usage instructions).
 It can be used as a replacement for the [cf-bottom](https://github.com/cfengine/cf-bottom/) `depstable` command.
 
 `deptool.py` works on a local buildscripts repository. By default, the repository is assumed to be current working directory (i.e. `.`).
@@ -123,8 +124,20 @@ $ python deptool.py --compare 3.21.5 3.21.6 3.24.0 3.24.1 --no-info --skip-uncha
 
 ```
 
-## Using a copy of the repository
+### Using a copy of the repository
 
 ```
 python deptool.py --root ../../buildscripts-copy
 ```
+
+### Generating CycloneDX JSON SBOMs
+
+```
+python deptool.py --to-cdx-sbom
+```
+
+A separate CycloneDX JSON SBOM is generated for each version. Optionally, a path template can be specified using `{}` as a substitute for the version:
+
+```
+python deptool.py --to-cdx-sbom my-sbom-{}.cdx.json
+```
diff --git a/scripts/deptool.py b/scripts/deptool.py
@@ -311,7 +311,13 @@ def deps_versions(self, ref):
             ...
         }
         ```
+        The ref is checked out during the execution of this function.
         """
+        self.buildscripts_repo.checkout(ref)
+        # also support checking out refs that are not necessarily branches, such as tags
+        if self.buildscripts_repo.is_git_branch(ref):
+            self.buildscripts_repo.run_command("pull")
+
         deps_versions = {}
         deps_list = self.deps_list(ref)
         for dep in deps_list:
@@ -326,10 +332,6 @@ def deps_dict(self, refs):
 
         for ref in refs:
             ref_column_widths[ref] = len(ref)
-            self.buildscripts_repo.checkout(ref)
-            # also support checking out refs that are not necessarily branches, such as tags
-            if self.buildscripts_repo.is_git_branch(ref):
-                self.buildscripts_repo.run_command("pull")
             deps_versions = self.deps_versions(ref)
 
             for dep in deps_versions:
@@ -463,6 +465,58 @@ def write_deps_json(self, json_path, refs):
         deps_data, _ = self.deps_dict(refs)
         write_json_file(json_path, deps_data)
 
+    def write_cdx_sboms(self, cdx_sbom_path_template, refs, fake_rpm=True):
+        for ref in refs:
+            cdx_dict = collections.OrderedDict()
+            cdx_dict["bomFormat"] = "CycloneDX"
+            cdx_dict["specVersion"] = "1.6"
+
+            metadata_dict = collections.OrderedDict()
+            application_bomref = "northerntech:cfengine"
+            metadata_dict["component"] = {
+                "type": "application",
+                "bom-ref": application_bomref,
+                "name": "CFEngine",
+                "version": ref,
+            }
+            cdx_dict["metadata"] = metadata_dict
+
+            components = []
+            deps_bomrefs = []
+            deps_versions = self.deps_versions(ref)
+            for dep_name, dep_version in deps_versions.items():
+                c_bomref = f"northerntech:{dep_name}"
+                component = {
+                    "type": "library",
+                    "bom-ref": c_bomref,
+                    "name": dep_name,
+                    "version": dep_version,
+                }
+                purl = "pkg:rpm/" + dep_name + "@" + dep_version
+                if fake_rpm:
+                    component["purl"] = purl
+                components.append(component)
+                deps_bomrefs.append(c_bomref)
+
+            cdx_dict["components"] = components
+
+            dependencies = [{"ref": application_bomref, "dependsOn": deps_bomrefs}]
+            cdx_dict["dependencies"] = dependencies
+
+            if "{}" in cdx_sbom_path_template:
+                cdx_sbom_path = cdx_sbom_path_template.replace("{}", ref)
+            else:
+                log.warning(
+                    "Substring {} not found in the CycloneDX SBOM path template, continuing using paths which might be unexpected"
+                )
+                if len(refs) == 1:
+                    cdx_sbom_path = cdx_sbom_path_template
+                else:
+                    cdx_sbom_path = (
+                        cdx_sbom_path_template[:-9] + "-" + ref + ".cdx.json"
+                    )
+            write_json_file(cdx_sbom_path, cdx_dict)
+
     def comparison_md_table(self, refs, skip_unchanged=False):
         """Column headers of B refs are always bolded. Row headers are never bolded."""
         deps_data, _ = self.deps_dict(refs)
@@ -612,6 +666,14 @@ def parse_args():
         default=None,
         dest="json_path",
     )
+    parser.add_argument(
+        "--to-cdx-sbom",
+        help="Output to a CycloneDX SBOM JSON file (or files, for multiple refs) with an optionally specified path template",
+        nargs="?",
+        const="sbom-{}.cdx.json",
+        default=None,
+        dest="cdx_sbom_path_template",
+    )
     parser.add_argument(
         "--compare",
         action="store_true",
@@ -652,6 +714,9 @@ def main():
     if args.json_path:
         dr.write_deps_json(args.json_path, args.refs)
 
+    if args.cdx_sbom_path_template:
+        dr.write_cdx_sboms(args.cdx_sbom_path_template, args.refs)
+
     if args.patch or not args.compare:
         updated_readme, updated_agent_table, updated_hub_table = (
             dr.updated_deps_markdown_table(args.refs)
