Implement sbom export

Author: corneliusludmann

cmd/sbom-export.go

@@ -0,0 +1,217 @@
+package cmd
+
+import (
+	"io"
+	"os"
+	"path/filepath"
+	"strings"
+
+	"github.com/gitpod-io/leeway/pkg/leeway"
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"slices"
+)
+
+// sbomExportCmd represents the sbom export command
+var sbomExportCmd = &cobra.Command{
+	Use:   "export <package>",
+	Short: "Exports the SBOM of a (previously built) package",
+	Long: `Exports the SBOM of a (previously built) package.
+	
+When used with --with-dependencies, it exports SBOMs for the package and all its dependencies
+to the specified output directory.`,
+	Args: cobra.MinimumNArgs(1),
+	Run: func(cmd *cobra.Command, args []string) {
+		// Get the package
+		_, pkg, _, _ := getTarget(args, false)
+		if pkg == nil {
+			log.Fatal("sbom export requires a package")
+		}
+
+		// Check if SBOM is enabled in workspace settings
+		if !pkg.C.W.SBOM.Enabled {
+			log.Fatal("SBOM export requires sbom.enabled=true in workspace settings")
+		}
+
+		// Get build options and cache
+		_, cache := getBuildOpts(cmd)
+
+		// Get package location in cache
+		pkgFN, ok := cache.Location(pkg)
+		if !ok {
+			log.Fatalf("%s is not built", pkg.FullName())
+		}
+
+		// Get output format and file
+		format, _ := cmd.Flags().GetString("format")
+		outputFile, _ := cmd.Flags().GetString("output")
+		withDependencies, _ := cmd.Flags().GetBool("with-dependencies")
+		outputDir, _ := cmd.Flags().GetString("output-dir")
+
+		// Validate format
+		validFormats := []string{"cyclonedx", "spdx", "syft"}
+		formatValid := slices.Contains(validFormats, format)
+		if !formatValid {
+			log.Fatalf("Unsupported format: %s. Supported formats are: %s", format, strings.Join(validFormats, ", "))
+		}
+
+		// Validate flags for dependency export
+		if withDependencies {
+			if outputDir == "" {
+				log.Fatal("--output-dir is required when using --with-dependencies")
+			}
+			if outputFile != "" {
+				log.Fatal("--output and --output-dir cannot be used together")
+			}
+		}
+
+		// Handle exporting with dependencies
+		if withDependencies {
+			// Create output directory if it doesn't exist
+			if err := os.MkdirAll(outputDir, 0755); err != nil {
+				log.WithError(err).Fatalf("cannot create output directory %s", outputDir)
+			}
+
+			// Get all dependencies
+			deps := getAllDependencies(pkg)
+			log.Infof("Exporting SBOMs for %s and %d dependencies to %s", pkg.FullName(), len(deps), outputDir)
+
+			// Add the package itself to the list
+			packagesToExport := append([]*leeway.Package{pkg}, deps...)
+
+			// Export SBOM for each package
+			var exportErrors []string
+			for _, p := range packagesToExport {
+				// Get package location in cache
+				pFN, ok := cache.Location(p)
+				if !ok {
+					log.Warnf("Package %s is not built, skipping", p.FullName())
+					continue
+				}
+
+				// Create safe filename for the package
+				safeFilename := strings.ReplaceAll(p.FullName(), "/", "_")
+				outputPath := filepath.Join(outputDir, safeFilename+getFormatExtension(format))
+
+				// Extract and output the SBOM
+				err := leeway.AccessSBOMInCachedArchive(pFN, format, func(sbomReader io.Reader) error {
+					// Create the output file
+					file, err := os.Create(outputPath)
+					if err != nil {
+						return err
+					}
+					defer file.Close()
+
+					// Copy the SBOM content to the file
+					_, err = io.Copy(file, sbomReader)
+					return err
+				})
+
+				if err != nil {
+					if err == leeway.ErrNoSBOMFile {
+						log.Fatalf("No SBOM file found in package %s", p.FullName())
+					} else {
+						log.Warnf("Cannot extract SBOM for package %s: %v", p.FullName(), err)
+						exportErrors = append(exportErrors, p.FullName())
+					}
+				} else {
+					log.Infof("SBOM exported to %s", outputPath)
+				}
+			}
+
+			// Report any errors
+			if len(exportErrors) > 0 {
+				log.Warnf("Failed to export SBOMs for %d packages: %s", len(exportErrors), strings.Join(exportErrors, ", "))
+			}
+			return
+		}
+
+		// Handle single package export
+		var output io.Writer = os.Stdout
+		if outputFile != "" {
+			// Create directory if it doesn't exist
+			if dir := filepath.Dir(outputFile); dir != "" {
+				if err := os.MkdirAll(dir, 0755); err != nil {
+					log.WithError(err).Fatalf("cannot create output directory %s", dir)
+				}
+			}
+
+			file, err := os.Create(outputFile)
+			if err != nil {
+				log.WithError(err).Fatalf("cannot create output file %s", outputFile)
+			}
+			defer file.Close()
+			output = file
+		}
+
+		// Extract and output the SBOM
+		err := leeway.AccessSBOMInCachedArchive(pkgFN, format, func(sbomReader io.Reader) error {
+			log.Infof("Exporting SBOM in %s format", format)
+			// Copy the SBOM content to the output
+			_, err := io.Copy(output, sbomReader)
+			return err
+		})
+
+		if err != nil {
+			if err == leeway.ErrNoSBOMFile {
+				log.Fatalf("no SBOM file found in package %s", pkg.FullName())
+			}
+			log.WithError(err).Fatal("cannot extract SBOM")
+		}
+
+		if outputFile != "" {
+			log.Infof("SBOM exported to %s", outputFile)
+		}
+	},
+}
+
+// Helper function to get all dependencies of a package
+func getAllDependencies(pkg *leeway.Package) []*leeway.Package {
+	// Use a map to avoid duplicates
+	depsMap := make(map[string]*leeway.Package)
+	
+	// Recursively collect dependencies
+	var collectDeps func(p *leeway.Package)
+	collectDeps = func(p *leeway.Package) {
+		for _, dep := range p.GetDependencies() {
+			if _, exists := depsMap[dep.FullName()]; !exists {
+				depsMap[dep.FullName()] = dep
+				collectDeps(dep)
+			}
+		}
+	}
+	
+	collectDeps(pkg)
+	
+	// Convert map to slice
+	deps := make([]*leeway.Package, 0, len(depsMap))
+	for _, dep := range depsMap {
+		deps = append(deps, dep)
+	}
+	
+	return deps
+}
+
+// Helper function to get file extension for the format
+func getFormatExtension(format string) string {
+	switch format {
+	case "cyclonedx":
+		return ".cdx.json"
+	case "spdx":
+		return ".spdx.json"
+	case "syft":
+		return ".json"
+	default:
+		return ".json"
+	}
+}
+
+func init() {
+	sbomExportCmd.Flags().String("format", "cyclonedx", "SBOM format to export (cyclonedx, spdx, syft)")
+	sbomExportCmd.Flags().StringP("output", "o", "", "Output file (defaults to stdout)")
+	sbomExportCmd.Flags().Bool("with-dependencies", false, "Export SBOMs for the package and all its dependencies")
+	sbomExportCmd.Flags().String("output-dir", "", "Output directory for exporting multiple SBOMs (required with --with-dependencies)")
+
+	sbomCmd.AddCommand(sbomExportCmd)
+	addBuildFlags(sbomExportCmd)
+}

cmd/sbom.go

@@ -0,0 +1,16 @@
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+)
+
+// sbomCmd represents the sbom command
+var sbomCmd = &cobra.Command{
+	Use:     "sbom <command>",
+	Short:   "Helpful commands for working with Software Bill of Materials (SBOM)",
+	Args:    cobra.MinimumNArgs(1),
+}
+
+func init() {
+	rootCmd.AddCommand(sbomCmd)
+}

pkg/leeway/sbom.go

@@ -421,7 +421,8 @@ func ScanAllPackagesForVulnerabilities(buildctx *buildContext, packages []*Packa
 		}()
 
 		// Extract the SBOM file directly from the package archive
-		err = AccessSBOMInCachedArchive(location, func(sbomReader io.Reader) error {
+		// For vulnerability scanning, we use the CycloneDX format
+		err = AccessSBOMInCachedArchive(location, "cyclonedx", func(sbomReader io.Reader) error {
 			// Copy the SBOM content to the temporary file
 			sbomFile, err := os.OpenFile(tempFileName, os.O_WRONLY, 0644)
 			if err != nil {
@@ -679,13 +680,27 @@ var ErrNoSBOMFile = fmt.Errorf("no SBOM file found")
 
 // AccessSBOMInCachedArchive provides access to the SBOM file in a cached build artifact.
 // If no such file exists, ErrNoSBOMFile is returned.
-func AccessSBOMInCachedArchive(fn string, handler func(sbomFile io.Reader) error) (err error) {
+// The format parameter specifies which SBOM format to extract (cyclonedx, spdx, or syft).
+func AccessSBOMInCachedArchive(fn string, format string, handler func(sbomFile io.Reader) error) (err error) {
 	defer func() {
 		if err != nil && err != ErrNoSBOMFile {
-			err = fmt.Errorf("error extracting SBOM from %s: %w", fn, err)
+			err = fmt.Errorf("error extracting SBOM from %s (format: %s): %w", fn, format, err)
 		}
 	}()
 
+	// Determine which SBOM filename to look for based on the format
+	var sbomFilename string
+	switch format {
+	case "cyclonedx":
+		sbomFilename = sbomCycloneDXFilename
+	case "spdx":
+		sbomFilename = sbomSPDXFilename
+	case "syft":
+		sbomFilename = sbomSyftFilename
+	default:
+		return fmt.Errorf("unsupported SBOM format: %s", format)
+	}
+
 	f, err := os.Open(fn)
 	if err != nil {
 		return err
@@ -719,7 +734,7 @@ func AccessSBOMInCachedArchive(fn string, handler func(sbomFile io.Reader) error
 			break
 		}
 
-		if !strings.HasSuffix(hdr.Name, sbomCycloneDXFilename) {
+		if !strings.HasSuffix(hdr.Name, sbomFilename) {
 			continue
 		}