From e5afe3c5a14bf5fa498e55dbb7450eaa494df2c5 Mon Sep 17 00:00:00 2001
From: Louis Maillard <louis.maillard@savoirfairelinux.com>
Date: Tue, 2 Jul 2024 09:16:29 -0400
Subject: [PATCH] sbom: add generation for windows packages in SBOM

When running `make cyclonedx`, it will also try to generate a separate
SBOM for the Windows packages. This requires `jq` to be installed;
otherwise only the linux SBOM is generated.
GitLab: #1021

Change-Id: I50dfc23c7e053e4674d2b6816a9c53106414c1d3
---
 contrib/src/cyclonedx.sh | 55 ++++++++++++++++++++++++++++++++++------
 contrib/src/main.mak     |  2 +-
 2 files changed, 48 insertions(+), 9 deletions(-)

diff --git a/contrib/src/cyclonedx.sh b/contrib/src/cyclonedx.sh
index 8ada2ac6e9..cfa6a447e7 100755
--- a/contrib/src/cyclonedx.sh
+++ b/contrib/src/cyclonedx.sh
@@ -7,11 +7,33 @@
 set -euo pipefail # Enable error checking
 
 
+function read_package_jsons() {
+    local SRC="${1:-}"
+    local win_cpe_list=()
+
+    for folder in "${SRC}"/*; do
+        if [[ -d "${folder}" ]]; then
+            local package_json="${folder}/package.json"
+            if [[ -f "${package_json}" ]]; then
+                local cpe=""
+                cpe=$(jq -r '.cpe' "${package_json}")
+
+                # if cpe string start with "cpe:2.3:" then it's a valid CPE
+                if [[ "${cpe}" == cpe:2.3:* ]]; then
+                    win_cpe_list+=("${cpe}")
+                fi
+            fi
+        fi
+    done
+    echo "${win_cpe_list[@]}"
+}
+
+
 function main() {
     local list_cpe=$1
-    local output="common-jami-daemon.cdx.json"
+    local filename="${2:-sbom.cdx.json}"
 
-    cat <<EOF > $output
+    cat <<EOF > "$filename"
 {
     "bomFormat": "CycloneDX",
     "specVersion": "1.5",
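Review bot: An empty `SRC` makes the glob on the `for folder in "${SRC}"/*` line expand to `/*`, so the function walks the filesystem root instead of failing; add `[[ -d "${SRC}" ]] || return 1` after the `local SRC=` line (the caller passes make's `$(SRC)`, which may be empty). On the `echo "${win_cpe_list[@]}"` line, bash versions before 4.4 treat an empty array as unbound under `set -u`, so a tree with no CPEs aborts the script rather than producing an empty Windows SBOM; `echo "${win_cpe_list[@]:-}"` avoids that. The `cpe:2.3:*` prefix test is the only validation applied before `main` interpolates the value into its JSON heredoc, so a `package.json` whose `cpe` field contains a double quote or backslash yields an unparsable SBOM; since jq is required anyway, rejecting values that contain `"` or `\` here, or emitting the component with `jq -n --arg`, would close that gap.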
@@ -35,6 +57,10 @@ EOF
 
         # Split CPE v2.3 string to extract vendor, product, and version
         IFS=':' read -r -a cpe_parts <<< "$cpe"
+
+        if (( ${#cpe_parts[@]} < 6 )); then
+            continue
+        fi
         # Assuming standard CPE v2.3 format: cpe:2.3:a:vendor:product:version:...
         vendor="${cpe_parts[3]}"
         product="${cpe_parts[4]}"
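Review bot: The new length guard drops a malformed CPE silently, so an entry that fails the check disappears from the SBOM with no trace in the build log; print it before skipping, `echo "Skipping malformed CPE: $cpe" >&2`. The comment on the line after the guard still says the format is assumed, but it is now checked; move it above the guard or reword it to describe what the check enforces. The enclosing `for` loop and `main` start and end outside the hunk.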
@@ -53,10 +79,10 @@ EOF
         esac
 
         if (( components_writed >= 1 )); then
-            echo "        }," >> $output
+            echo "        }," >> "$filename"
         fi
 
-        cat <<EOF >> $output
+        cat <<EOF >> "$filename"
         {
             "type": "$kind",
             "bom-ref": "$cpe",
@@ -71,15 +97,28 @@ EOF
     done
 
     if (( components_writed >= 1 )); then
-        echo "        }" >> $output
+        echo "        }" >> "$filename"
     fi
 
-    cat <<EOF >> $output
+    cat <<EOF >> "$filename"
     ]
 }
 EOF
 
-    echo "CycloneDX SBOM file generated: $output (contains $components_writed components)"
+    echo "CycloneDX SBOM file generated: $filename (contains $components_writed components)"
 }
 
-main "$@"
+if [[ $# -ne 2 ]]; then
+    echo "Usage: $0 <list of CPE id> <SRC folder>"
+    exit 1
+fi
+
+main "$1" "common-jami-daemon.cdx.json"
+
+if ! command -v jq &> /dev/null; then
+    echo "jq is not installed, please install it"
+    exit 1
+fi
+
+cpe_windows=$(read_package_jsons "$2")
+main "$cpe_windows" "windows-jami-daemon.cdx.json"
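Review bot: The jq check on the `command -v jq` line runs only after the Linux SBOM has been written and then exits 1, so `make cyclonedx` (the `main.mak` hunk) fails whenever jq is missing, contrary to the commit message, which says only the Linux SBOM is generated in that case; either test for jq before the first `main` call or make the missing tool a warning, `echo "jq is not installed, skipping Windows SBOM" >&2` followed by `exit 0`. Both diagnostics in this hunk go to stdout; `>&2` on the usage and jq messages keeps them out of captured output. The usage check only counts arguments, so an empty `$2` from an unset `$(SRC)` passes it; `[[ -d "$2" ]]` would reject that before `read_package_jsons` is called.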
diff --git a/contrib/src/main.mak b/contrib/src/main.mak
index b46e85f2da..2cde607416 100644
--- a/contrib/src/main.mak
+++ b/contrib/src/main.mak
@@ -507,7 +507,7 @@ package: install
 pprint = @echo '  $(or $(sort $1), None)' | fmt
 
 cyclonedx:
-	@$(SRC)/cyclonedx.sh "$(PKG_CPE)"
+	@$(SRC)/cyclonedx.sh "$(PKG_CPE)" "$(SRC)"
 
 list:
 	@echo All packages:
-- 
GitLab