Merge pull request #280 from viveksahu26/issue_266_support_url_path

sbomqs score directly from git URLs

cmd/score.go

@@ -37,25 +37,25 @@ var (
 )
 
 type userCmd struct {
-	//input control
+	// input control
 	path []string
 
-	//filter control
+	// filter control
 	category string
 	features []string
 
-	//output control
+	// output control
 	json     bool
 	basic    bool
 	detailed bool
 
-	//directory control
+	// directory control
 	recurse bool
 
-	//debug control
+	// debug control
 	debug bool
 
-	//config control
+	// config control
 	configPath string
 }
 
@@ -69,7 +69,6 @@ var scoreCmd = &cobra.Command{
 			if len(inFile) <= 0 && len(inDirPath) <= 0 {
 				return fmt.Errorf("provide a path to an sbom file or directory of sbom files")
 			}
-
 		}
 		return nil
 	},
@@ -94,10 +93,11 @@ func processScore(cmd *cobra.Command, args []string) error {
 	engParams := toEngineParams(uCmd)
 	return engine.Run(ctx, engParams)
 }
+
 func toUserCmd(cmd *cobra.Command, args []string) *userCmd {
 	uCmd := &userCmd{}
 
-	//input control
+	// input control
 	if len(args) <= 0 {
 		if len(inFile) > 0 {
 			uCmd.path = append(uCmd.path, inFile)
@@ -110,13 +110,13 @@ func toUserCmd(cmd *cobra.Command, args []string) *userCmd {
 		uCmd.path = append(uCmd.path, args[0:]...)
 	}
 
-	//config control
+	// config control
 	if configPath == "" {
 		uCmd.configPath, _ = cmd.Flags().GetString("configpath")
 	} else {
 		uCmd.configPath = configPath
 	}
-	//filter control
+	// filter control
 	if category == "" {
 		uCmd.category, _ = cmd.Flags().GetString("category")
 	} else {
@@ -128,7 +128,7 @@ func toUserCmd(cmd *cobra.Command, args []string) *userCmd {
 		uCmd.features = strings.Split(f, ",")
 	}
 
-	//output control
+	// output control
 	uCmd.json, _ = cmd.Flags().GetBool("json")
 	uCmd.basic, _ = cmd.Flags().GetBool("basic")
 	uCmd.detailed, _ = cmd.Flags().GetBool("detailed")
@@ -139,7 +139,7 @@ func toUserCmd(cmd *cobra.Command, args []string) *userCmd {
 		uCmd.detailed = strings.ToLower(reportFormat) == "detailed"
 	}
 
-	//debug control
+	// debug control
 	uCmd.debug, _ = cmd.Flags().GetBool("debug")
 
 	return uCmd
@@ -165,14 +165,8 @@ func validatePath(path string) error {
 	}
 	return nil
 }
-func validateFlags(cmd *userCmd) error {
-
-	for _, path := range cmd.path {
-		if err := validatePath(path); err != nil {
-			return fmt.Errorf("invalid path: %w", err)
-		}
-	}
 
+func validateFlags(cmd *userCmd) error {
 	if cmd.configPath != "" {
 		if err := validatePath(cmd.configPath); err != nil {
 			return fmt.Errorf("invalid config path: %w", err)
@@ -185,36 +179,37 @@ func validateFlags(cmd *userCmd) error {
 
 	return nil
 }
+
 func init() {
 	rootCmd.AddCommand(scoreCmd)
 
-	//Config Control
+	// Config Control
 	scoreCmd.Flags().StringP("configpath", "", "", "scoring based on config path")
 
-	//Filter Control
+	// Filter Control
 	scoreCmd.Flags().StringP("category", "c", "", "filter by category")
 	scoreCmd.Flags().StringP("feature", "f", "", "filter by feature")
 
-	//Spec Control
+	// Spec Control
 	scoreCmd.Flags().BoolP("spdx", "", false, "limit scoring to spdx sboms")
 	scoreCmd.Flags().BoolP("cdx", "", false, "limit scoring to cdx sboms")
 	scoreCmd.MarkFlagsMutuallyExclusive("spdx", "cdx")
 	scoreCmd.Flags().MarkHidden("spdx")
 	scoreCmd.Flags().MarkHidden("cdx")
 
-	//Directory Control
+	// Directory Control
 	scoreCmd.Flags().BoolP("recurse", "r", false, "recurse into subdirectories")
 	scoreCmd.Flags().MarkHidden("recurse")
 
-	//Output Control
+	// Output Control
 	scoreCmd.Flags().BoolP("json", "j", false, "results in json")
 	scoreCmd.Flags().BoolP("detailed", "d", false, "results in table format, default")
 	scoreCmd.Flags().BoolP("basic", "b", false, "results in single line format")
 
-	//Debug Control
+	// Debug Control
 	scoreCmd.Flags().BoolP("debug", "D", false, "enable debug logging")
 
-	//Deprecated
+	// Deprecated
 	scoreCmd.Flags().StringVar(&inFile, "filepath", "", "sbom file path")
 	scoreCmd.Flags().StringVar(&inDirPath, "dirpath", "", "sbom dir path")
 	scoreCmd.MarkFlagsMutuallyExclusive("filepath", "dirpath")

go.mod

@@ -23,21 +23,26 @@ require (
 )
 
 require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/stretchr/testify v1.9.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
 require (
 	github.com/ProtonMail/go-crypto v1.0.0 // indirect
 	github.com/anchore/go-struct-converter v0.0.0-20230627203149-c72ef8859ca9 // indirect
 	github.com/cloudflare/circl v1.3.9 // indirect
 	github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
+	github.com/go-git/go-billy/v5 v5.5.0
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/mattn/go-runewidth v0.0.15 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/rogpeppe/go-internal v1.9.0 // indirect
 	github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect
+	github.com/spf13/afero v1.11.0
 	github.com/spf13/pflag v1.0.5 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.24.0 // indirect

go.sum

@@ -23,6 +23,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/github/go-spdx/v2 v2.3.1 h1:ffGuHTbHuHzWPt53n8f9o8clGutuLPObo3zB4JAjxU8=
 github.com/github/go-spdx/v2 v2.3.1/go.mod h1:2ZxKsOhvBp+OYBDlsGnUMcchLeo2mrpEBn2L1C+U3IQ=
+github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU=
+github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
@@ -59,8 +61,8 @@ github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZN
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
-github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/samber/lo v1.46.0 h1:w8G+oaCPgz1PoCJztqymCFaKwXt+5cCXn51uPxExFfQ=
 github.com/samber/lo v1.46.0/go.mod h1:RmDH9Ct32Qy3gduHQuKJ3gW1fMHAnE/fAzQuf6He5cU=
@@ -71,6 +73,8 @@ github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 h1:dArkMwZ7Mf2JiU8Ofdmq
 github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM=
 github.com/spdx/tools-golang v0.5.5 h1:61c0KLfAcNqAjlg6UNMdkwpMernhw3zVRwDZ2x9XOmk=
 github.com/spdx/tools-golang v0.5.5/go.mod h1:MVIsXx8ZZzaRWNQpUDhC4Dud34edUYJYecciXgrw5vE=
+github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
+github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
 github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
 github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=

pkg/engine/compliance.go

@@ -22,6 +22,7 @@ import (
 	"github.com/interlynk-io/sbomqs/pkg/compliance"
 	"github.com/interlynk-io/sbomqs/pkg/logger"
 	"github.com/interlynk-io/sbomqs/pkg/sbom"
+	"github.com/spf13/afero"
 )
 
 func ComplianceRun(ctx context.Context, ep *Params) error {
@@ -74,27 +75,60 @@ func getSbomDocument(ctx context.Context, ep *Params) (*sbom.Document, error) {
 	log.Debugf("engine.getSbomDocument()")
 
 	path := ep.Path[0]
-
-	if _, err := os.Stat(path); err != nil {
-		log.Debugf("os.Stat failed for file :%s\n", path)
-		fmt.Printf("failed to stat %s\n", path)
-		return nil, err
-	}
-
-	f, err := os.Open(path)
-	if err != nil {
-		log.Debugf("os.Open failed for file :%s\n", path)
-		fmt.Printf("failed to open %s\n", path)
-		return nil, err
-	}
-	defer f.Close()
-
-	doc, err := sbom.NewSBOMDocument(ctx, f)
-	if err != nil {
-		log.Debugf("failed to create sbom document for  :%s\n", path)
-		log.Debugf("%s\n", err)
-		fmt.Printf("failed to parse %s : %s\n", path, err)
-		return nil, err
+	var doc sbom.Document
+
+	if IsURL(path) {
+		log.Debugf("Processing Git URL path :%s\n", path)
+
+		url, sbomFilePath := path, path
+		var err error
+
+		if IsGit(url) {
+			sbomFilePath, url, err = handleURL(path)
+			if err != nil {
+				log.Fatal("failed to get sbomFilePath, rawURL: %w", err)
+			}
+		}
+		fs := afero.NewMemMapFs()
+
+		file, err := fs.Create(sbomFilePath)
+		if err != nil {
+			return nil, err
+		}
+
+		f, err := ProcessURL(url, file)
+		if err != nil {
+			return nil, err
+		}
+
+		doc, err = sbom.NewSBOMDocument(ctx, f)
+		if err != nil {
+			log.Fatalf("failed to parse SBOM document: %w", err)
+		}
+
+	} else {
+
+		if _, err := os.Stat(path); err != nil {
+			log.Debugf("os.Stat failed for file :%s\n", path)
+			fmt.Printf("failed to stat %s\n", path)
+			return nil, err
+		}
+
+		f, err := os.Open(path)
+		if err != nil {
+			log.Debugf("os.Open failed for file :%s\n", path)
+			fmt.Printf("failed to open %s\n", path)
+			return nil, err
+		}
+		defer f.Close()
+
+		doc, err = sbom.NewSBOMDocument(ctx, f)
+		if err != nil {
+			log.Debugf("failed to create sbom document for  :%s\n", path)
+			log.Debugf("%s\n", err)
+			fmt.Printf("failed to parse %s : %s\n", path, err)
+			return nil, err
+		}
 	}
 
 	return &doc, nil

pkg/engine/dtrack.go

@@ -49,7 +49,6 @@ func DtrackScore(ctx context.Context, dtP *DtParams) error {
 
 	dTrackClient, err := dtrack.NewClient(dtP.Url,
 		dtrack.WithAPIKey(dtP.ApiKey), dtrack.WithDebug(false))
-
 	if err != nil {
 		log.Fatalf("Failed to create Dependency-Track client: %s", err)
 	}
@@ -81,15 +80,15 @@ func DtrackScore(ctx context.Context, dtP *DtParams) error {
 
 			ep := &Params{}
 			ep.Path = append(ep.Path, f.Name())
-			doc, scores, err := processFile(ctx, ep, ep.Path[0])
+			doc, scores, err := processFile(ctx, ep, ep.Path[0], nil)
 			if err != nil {
 				return err
 			}
 
 			if dtP.TagProjectWithScore {
 
 				log.Debugf("Project: %+v", prj.Tags)
-				//remove old score
+				// remove old score
 				prj.Tags = lo.Filter(prj.Tags, func(t dtrack.Tag, _ int) bool {
 					return !strings.HasPrefix(t.Name, "sbomqs=")
 				})