sbom: add generation for windows packages in SBOM

When running `make cyclonedx`, it will also try to generate a separate SBOM for the Windows packages. For this, it require `jq` to be installed or it will generate only the linux SBOM. GitLab: #1021 Change-Id: I50dfc23c7e053e4674d2b6816a9c53106414c1d3

sbom: add generation for windows packages in SBOM
e5afe3c5 · Louis Maillard · Adrien Béraud · 6d98bac2 · e5afe3c5 · e5afe3c5
Commit e5afe3c5 authored 10 months ago by Louis Maillard Committed by Adrien Béraud 9 months ago
--- a/contrib/src/cyclonedx.sh
+++ b/contrib/src/cyclonedx.sh
@@ -7,11 +7,33 @@
 set -euo pipefail # Enable error checking


+function read_package_jsons() {
+    local SRC="${1:-}"
+    local win_cpe_list=()
+
+    for folder in "${SRC}"/*; do
+        if [[ -d "${folder}" ]]; then
+            local package_json="${folder}/package.json"
+            if [[ -f "${package_json}" ]]; then
+                local cpe=""
+                cpe=$(jq -r '.cpe' "${package_json}")
+
+                # if cpe string start with "cpe:2.3:" then it's a valid CPE
+                if [[ "${cpe}" == cpe:2.3:* ]]; then
+                    win_cpe_list+=("${cpe}")
+                fi
+            fi
+        fi
+    done
+    echo "${win_cpe_list[@]}"
+}
+
+
 function main() {
    local list_cpe=$1
-    local output="common-jami-daemon.cdx.json"
+    local filename="${2:-sbom.cdx.json}"

-    cat <<EOF > $output
+    cat <<EOF > "$filename"
 {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
@@ -35,6 +57,10 @@ EOF

        # Split CPE v2.3 string to extract vendor, product, and version
        IFS=':' read -r -a cpe_parts <<< "$cpe"
+
+        if (( ${#cpe_parts[@]} < 6 )); then
+            continue
+        fi
        # Assuming standard CPE v2.3 format: cpe:2.3:a:vendor:product:version:...
        vendor="${cpe_parts[3]}"
        product="${cpe_parts[4]}"
@@ -53,10 +79,10 @@ EOF
        esac

        if (( components_writed >= 1 )); then
-            echo "        }," >> $output
+            echo "        }," >> "$filename"
        fi

-        cat <<EOF >> $output
+        cat <<EOF >> "$filename"
        {
            "type": "$kind",
            "bom-ref": "$cpe",
@@ -71,15 +97,28 @@ EOF
    done

    if (( components_writed >= 1 )); then
-        echo "        }" >> $output
+        echo "        }" >> "$filename"
    fi

-    cat <<EOF >> $output
+    cat <<EOF >> "$filename"
    ]
 }
 EOF

-    echo "CycloneDX SBOM file generated: $output (contains $components_writed components)"
+    echo "CycloneDX SBOM file generated: $filename (contains $components_writed components)"
 }

-main "$@"
+if [[ $# -ne 2 ]]; then
+    echo "Usage: $0 <list of CPE id> <SRC folder>"
+    exit 1
+fi
+
+main "$1" "common-jami-daemon.cdx.json"
+
+if ! command -v jq &> /dev/null; then
+    echo "jq is not installed, please install it"
+    exit 1
+fi
+
+cpe_windows=$(read_package_jsons "$2")
+main "$cpe_windows" "windows-jami-daemon.cdx.json"
--- a/contrib/src/main.mak
+++ b/contrib/src/main.mak
@@ -507,7 +507,7 @@ package: install
 pprint = @echo '  $(or $(sort $1), None)' | fmt

 cyclonedx:
-	@$(SRC)/cyclonedx.sh "$(PKG_CPE)"
+	@$(SRC)/cyclonedx.sh "$(PKG_CPE)" "$(SRC)"

 list:
 	@echo All packages: