feat: helper method for representing a File as a Component taking into account versioning for files as per CycloneDX/cyclonedx.org-website#34

Signed-off-by: Paul Horton <[email protected]>

Author: madpah

cyclonedx/model/__init__.py

@@ -15,6 +15,7 @@
 # SPDX-License-Identifier: Apache-2.0
 #
 
+import hashlib
 from enum import Enum
 
 """
@@ -25,6 +26,16 @@
 """
 
 
+def sha1sum(filename: str) -> str:
+    h = hashlib.sha1()
+    b = bytearray(128 * 1024)
+    mv = memoryview(b)
+    with open(filename, 'rb', buffering=0) as f:
+        for n in iter(lambda: f.readinto(mv), 0):
+            h.update(mv[:n])
+    return h.hexdigest()
+
+
 class HashAlgorithm(Enum):
     """
     This is out internal representation of the hashAlg simple type within the CycloneDX standard.

cyclonedx/model/component.py

@@ -18,9 +18,11 @@
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
 from enum import Enum
+from os.path import exists
 from packageurl import PackageURL
 from typing import List
 
+from . import HashAlgorithm, HashType, sha1sum
 from .vulnerability import Vulnerability
 
 
@@ -58,17 +60,58 @@ class Component:
     _description: str = None
     _license: str = None
 
+    _hashes: List[HashType] = []
     _vulnerabilites: List[Vulnerability] = []
 
-    def __init__(self, name: str, version: str, qualifiers: str = None,
+    @staticmethod
+    def for_file(absolute_file_path: str, path_for_bom: str = None):
+        """
+        Helper method to create a Component that represents the provided local file as a Component.
+
+        Args:
+            absolute_file_path:
+                Absolute path to the file you wish to represent
+            path_for_bom:
+                Optionally, if supplied this is the path that will be used to identify the file in the BOM
+
+        Returns:
+            `Component` representing the supplied file
+        """
+        if not exists(absolute_file_path):
+            raise FileExistsError('Supplied file path \'{}\' does not exist'.format(absolute_file_path))
+
+        sha1_hash: str = sha1sum(filename=absolute_file_path)
+
+        return Component(
+            name=path_for_bom if path_for_bom else absolute_file_path,
+            version='0.0.0-{}'.format(sha1_hash[0:12]),
+            hashes=[
+                HashType(algorithm=HashAlgorithm.SHA_1, hash_value=sha1_hash)
+            ],
+            component_type=ComponentType.FILE,
+            package_url_type='generic'
+        )
+
+    def __init__(self, name: str, version: str, qualifiers: str = None, hashes: List[HashType] = [],
                  component_type: ComponentType = ComponentType.LIBRARY, package_url_type: str = 'pypi'):
         self._name = name
         self._version = version
         self._type = component_type
         self._qualifiers = qualifiers
+        self._hashes = hashes
         self._vulnerabilites = []
         self._package_url_type = package_url_type
 
+    def add_hash(self, hash: HashType):
+        """
+        Adds a hash that pins/identifies this Component.
+
+        Args:
+            hash:
+                `HashType` instance
+        """
+        self._hashes.append(hash)
+
     def add_vulnerability(self, vulnerability: Vulnerability):
         """
         Add a Vulnerability to this Component.
@@ -100,6 +143,15 @@ def get_description(self) -> str:
         """
         return self._description
 
+    def get_hashes(self) -> List[HashType]:
+        """
+        List of cryptographic hashes that identify this Component.
+
+        Returns:
+            `List` of `HashType` objects where there are any hashes, else an empty `List`.
+        """
+        return self._hashes
+
     def get_license(self) -> str:
         """
         Get the license of this Component.

cyclonedx/output/json.py

@@ -53,6 +53,15 @@ def _get_component_as_dict(self, component: Component) -> dict:
             "purl": component.get_purl()
         }
 
+        if len(component.get_hashes()) > 0:
+            hashes = []
+            for component_hash in component.get_hashes():
+                hashes.append({
+                    "alg": component_hash.get_algorithm().value,
+                    "content": component_hash.get_hash_value()
+                })
+            c['hashes'] = hashes
+
         if self.component_supports_author() and component.get_author() is not None:
             c['author'] = component.get_author()
 
@@ -67,11 +76,22 @@ def _get_metadata_as_dict(self) -> dict:
         if self.bom_metadata_supports_tools() and len(bom_metadata.get_tools()) > 0:
             metadata['tools'] = []
             for tool in bom_metadata.get_tools():
-                metadata['tools'].append({
+                tool_dict = {
                     "vendor": tool.get_vendor(),
                     "name": tool.get_name(),
                     "version": tool.get_version()
-                })
+                }
+
+                if len(tool.get_hashes()) > 0:
+                    hashes = []
+                    for tool_hash in tool.get_hashes():
+                        hashes.append({
+                            "alg": tool_hash.get_algorithm().value,
+                            "content": tool_hash.get_hash_value()
+                        })
+                    tool_dict['hashes'] = hashes
+
+                metadata['tools'].append(tool_dict)
 
         return metadata
 

cyclonedx/output/xml.py

@@ -83,35 +83,22 @@ def _get_component_as_xml_element(self, component: Component) -> ElementTree.Ele
         if self.component_supports_author() and component.get_author() is not None:
             ElementTree.SubElement(component_element, 'author').text = component.get_author()
 
-        # if publisher and publisher != "UNKNOWN":
-        #     ElementTree.SubElement(component, "publisher").text = re.sub(RE_XML_ILLEGAL, "?", publisher)
-
-        # if name and name != "UNKNOWN":
+        # name
         ElementTree.SubElement(component_element, 'name').text = component.get_name()
 
-        # if version and version != "UNKNOWN":
+        # version
         ElementTree.SubElement(component_element, 'version').text = component.get_version()
 
-        # if description and description != "UNKNOWN":
-        #     ElementTree.SubElement(component, "description").text = re.sub(RE_XML_ILLEGAL, "?", description)
-        #
-        # if hashes:
-        #     hashes_elm = ElementTree.SubElement(component, "hashes")
-        #     for h in hashes:
-        #         ElementTree.SubElement(hashes_elm, "hash", alg=h.alg).text = h.content
-        #
-        # if len(licenses):
-        #     licenses_elm = ElementTree.SubElement(component, "licenses")
-        #     for component_license in licenses:
-        #         if component_license.license is not None:
-        #             license_elm = ElementTree.SubElement(licenses_elm, "license")
-        #             ElementTree.SubElement(license_elm, "name").text = re.sub(RE_XML_ILLEGAL, "?",
-        #             component_license.license.name)
-
-        # if purl:
+        # purl
         ElementTree.SubElement(component_element, 'purl').text = component.get_purl()
 
-        # ElementTree.SubElement(component, "modified").text = modified if modified else "false"
+        # hashes
+        if len(component.get_hashes()) > 0:
+            hashes_e = ElementTree.SubElement(component_element, 'hashes')
+            for hash in component.get_hashes():
+                ElementTree.SubElement(
+                    hashes_e, 'hash', {'alg': hash.get_algorithm().value}
+                ).text = hash.get_hash_value()
 
         return component_element
 

tests/test_component.py

@@ -17,6 +17,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # Copyright (c) OWASP Foundation. All Rights Reserved.
 
+from os.path import dirname, join
 from unittest import TestCase
 
 from packageurl import PackageURL
@@ -104,3 +105,14 @@ def test_custom_package_url_type(self):
             type='generic', name='/test.py', version='UNKNOWN'
         )
         self.assertEqual(TestComponent._component_generic_file.to_package_url(), purl)
+
+    def test_from_file_with_path_for_bom(self):
+        test_file = join(dirname(__file__), 'fixtures/bom_v1.3_setuptools.xml')
+        c = Component.for_file(absolute_file_path=test_file, path_for_bom='fixtures/bom_v1.3_setuptools.xml')
+        self.assertEqual(c.get_name(), 'fixtures/bom_v1.3_setuptools.xml')
+        self.assertEqual(c.get_version(), '0.0.0-16932e52ed1e')
+        purl = PackageURL(
+            type='generic', name='fixtures/bom_v1.3_setuptools.xml', version='0.0.0-16932e52ed1e'
+        )
+        self.assertEqual(c.to_package_url(), purl)
+        self.assertEqual(len(c.get_hashes()), 1)