cleanup

vinted · Aug 21, 2024 · 55c53e1 · 55c53e1
1 parent 30a7be9
commit 55c53e1
Show file tree

Hide file tree

Showing 10 changed files with 55 additions and 87 deletions.
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -1,18 +1,15 @@
-FROM debian:slim-bullseye
+FROM alpine:latest
 
 ARG TARGETARCH
 
 # We will use this directory for downloads
 WORKDIR /opt
 
-# Update and install necessary packages
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    curl wget git cmake unzip clang ruby ruby-dev \
-    ca-certificates openssl unzip openjdk-11-jdk \
-    nodejs npm \
-    && rm -rf /var/lib/apt/lists/*
+# APK requires you to use --no-cache instead of -y and --no-install-recommends
+RUN apk --no-cache add curl wget git cmake unzip clang ruby ruby-dev ruby-irb ruby-rake bash ruby-io-console ruby-bigdecimal ca-certificates wget openssl unzip openjdk11
 
-# Update npm to latest version
+# Node.js and npm setup
+RUN apk --no-cache add nodejs npm
 RUN npm install -g npm@latest
 
 # Ruby and Gems setup
@@ -29,7 +26,7 @@ ENV PATH="/usr/local/go/bin:${PATH}"
 
 # Android SDK setup
 ENV ANDROID_HOME=/opt/android-sdk-linux
-ENV JAVA_HOME="/usr/lib/jvm/java-11-openjdk-${TARGETARCH}"
+ENV JAVA_HOME="/usr/lib/jvm/java-11-openjdk"
 
 RUN mkdir -p ${ANDROID_HOME}/cmdline-tools && \
     wget https://dl.google.com/android/repository/commandlinetools-linux-7583922_latest.zip && \

diff --git a/integration/test/bomtools/bom-to-merge-1.json b/integration/test/bomtools/bom-to-merge-1.json
@@ -1,21 +1,16 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
   "serialNumber": "urn:uuid:4305f387-f85e-4ed2-8b3c-f7f7bea7de89",
   "version": 1,
   "metadata": {
     "timestamp": "2022-04-12T11:52:19Z",
-    "tools": [
-      {
-        "vendor": "anchore",
-        "name": "syft",
-        "version": "0.43.2"
-      }
-    ],
     "component": {
-      "bom-ref": "c064c5755f84ac3d",
-      "type": "file",
-      "name": "/tmp/ruby-repos/anonymous_rate_response"
+      "type": "application",
+      "author": "anchore",
+      "name": "syft",
+      "version": "0.43.2"
     }
   },
   "components": [
@@ -375,4 +370,4 @@
       ]
     }
   ]
-}
+}
diff --git a/integration/test/bomtools/bom-to-merge-2.json b/integration/test/bomtools/bom-to-merge-2.json
@@ -1,28 +1,19 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
   "serialNumber": "urn:uuid:938b16ac-d9a0-4620-a7e4-bec83ff26ffb",
   "version": 1,
   "metadata": {
     "timestamp": "2022-04-12T11:52:58.780288Z",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "0.25.3"
-      }
-    ],
-    "component": {
-      "bom-ref": "62488c47-9373-46be-b003-0583e5e3850b",
+    "component":
+    {
       "type": "application",
-      "name": "/tmp/ruby-repos/anonymous_rate_response",
-      "properties": [
-        {
-          "name": "aquasecurity:trivy:SchemaVersion",
-          "value": "2"
-        }
-      ]
+      "author": "aquasecurity",
+      "name": "trivy",
+      "version": "0.25.3"
     }
+
   },
   "components": [
     {
@@ -150,4 +141,4 @@
     }
   ],
   "vulnerabilities": []
-}
+}
diff --git a/integration/test/bomtools/bom-to-merge-3.json b/integration/test/bomtools/bom-to-merge-3.json
@@ -1,23 +1,17 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
   "serialNumber": "urn:uuid:72861be8-8e26-483b-aef2-8f87eef986fb",
   "version": 1,
   "metadata": {
     "timestamp": "2022-04-12T11:56:11.107Z",
-    "tools": [
-      {
-        "vendor": "AppThreat",
-        "name": "cdxgen",
-        "version": "4.0.8"
-      }
-    ],
-    "authors": [
-      {
-        "name": "Team AppThreat",
-        "email": "[email protected]"
-      }
-    ]
+    "component": {
+      "type": "application",
+      "author": "AppThreat",
+      "name": "cdxgen",
+      "version": "4.0.8"
+    }
   },
   "components": [
     {

diff --git a/integration/test/bomtools/expected-merged-boms.json b/integration/test/bomtools/expected-merged-boms.json
@@ -1,17 +1,17 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
   "serialNumber": "urn:uuid:39d0ea34-b60b-475b-a21e-ba88f6bf3f9c",
   "version": 1,
   "metadata": {
     "timestamp": "2022-04-13T12:39:28+03:00",
-    "tools": [
-      {
-        "vendor": "vinted",
-        "name": "sa-collector",
-        "version": "0.5.0"
-      }
-    ]
+    "component": {
+      "type": "application",
+      "author": "vinted",
+      "name": "sa-collector",
+      "version": "0.5.0"
+    }
   },
   "components": [
     {

diff --git a/integration/test/bomtools/sample-bom.xml b/integration/test/bomtools/sample-bom.xml
@@ -1,7 +1,9 @@
-<?xml version="1.0"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.0" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1" serialNumber="urn:uuid:YOUR-UUID-HERE">
+    <metadata timestamp="2022-01-01T00:00:00Z">
+        <!-- PUT YOUR METADATA HERE -->
+    </metadata>
     <components>
-        <component type="library">
+        <component type="library" bom-ref="pkg:npm/[email protected]">
             <name>ckeditor</name>
             <version>4.0.1</version>
             <hashes>
@@ -10,11 +12,9 @@
                 <hash alg="SHA-256">0aaa1637e1c79e1ad75dbed0336f6647681d97fb80704da0c64e39854c124567</hash>
                 <hash alg="SHA-512">6c89cf1d0615d2d2214e1f06d63d51ac5535eb5e878bb6ffcc6f561d7133963a8a91b2af46fba29972ad3712762b107a088953cdb33c0c27645db5d00426235d</hash>
             </hashes>
-            <licenses><license></license></licenses>
             <purl>pkg:npm/[email protected]</purl>
-            <modified>false</modified>
         </component>
-        <component type="library">
+        <component type="library" bom-ref="pkg:npm/[email protected]">
             <name>jquery</name>
             <version>2.1.4</version>
             <hashes>
@@ -23,9 +23,7 @@
                 <hash alg="SHA-256">b2215cce5830e2350b9d420271d9bd82340f664c3f60f0ea850f7e9c0392704e</hash>
                 <hash alg="SHA-512">28c3eb3b22a8c59eb74ddac7c989512b0197e9e5867bdf056018efeb9056687f44d86a04f555d8f8c9a3dd6296c014dc8708fae197839588c490ddc0eae27229</hash>
             </hashes>
-            <licenses><license></license></licenses>
             <purl>pkg:npm/[email protected]</purl>
-            <modified>false</modified>
         </component>
     </components>
-</bom>
+</bom>
diff --git a/pkg/bomtools/merge.go b/pkg/bomtools/merge.go
@@ -206,8 +206,17 @@ func mergeAllByPURL(component *cdx.Component, allComponents []*cdx.Component) *c
 			mergedComponent.Properties = &p
 		}
 		if c.Licenses != nil {
-			l := mergeCollection[cdx.LicenseChoice](*c.Licenses, *mergedComponent.Licenses)
-			mergedComponent.Licenses = (*cdx.Licenses)(&l)
+			l := make([]cdx.LicenseChoice, 0)
+			for _, sl := range *c.Licenses {
+				// Check for license ID
+				if sl.License != nil && sl.License.ID != "" {
+					l = append(l, sl)
+				}
+			}
+
+			// Assuming mergedComponent.Licenses is initialized properly earlier
+			mergedLicenses := mergeCollection[cdx.LicenseChoice](l, *mergedComponent.Licenses)
+			mergedComponent.Licenses = (*cdx.Licenses)(&mergedLicenses)
 		}
 		if c.ExternalReferences != nil {
 			e := mergeCollection[cdx.ExternalReference](*c.ExternalReferences, *mergedComponent.ExternalReferences)

diff --git a/pkg/collectors/jvm.go b/pkg/collectors/jvm.go
@@ -70,7 +70,6 @@ func (j JVM) GenerateBOM(ctx context.Context, bomRoot string) (*cdx.BOM, error)
 		SBOMs: []*cdx.BOM{singleModeBom, multiModeBom},
 	}
 	return bomtools.MergeSBOMs(mergedSBOMparam)
-
 }
 
 // BootstrapLanguageFiles implements LanguageCollector interface

diff --git a/pkg/collectors/syft.go b/pkg/collectors/syft.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+
 	"github.com/anchore/syft/syft/format/cyclonedxjson"
 	log "github.com/sirupsen/logrus"
 

diff --git a/pkg/dtrack/payloads.go b/pkg/dtrack/payloads.go
@@ -112,19 +112,3 @@ func (c updateSBOMsPayload) MarshalJSON() ([]byte, error) {
 		"bom":            base64.StdEncoding.EncodeToString([]byte(sbomsStr)),
 	})
 }
-
-func (c updateSBOMsPayload) MarshalJSONPayload(payload updateSBOMsPayload) ([]byte, error) {
-	sbomsStr, err := bomtools.CDXToString(payload.Sboms)
-	if err != nil {
-		return nil, fmt.Errorf("can't convert *cdx.BOM type Sboms to string")
-	}
-
-	// project version is the SHA256 sum of all project tags concatenated with '/' + project name
-	versionHash := sha256.Sum256([]byte(strings.Join(append(payload.Tags, payload.ProjectName), "/")))
-
-	return json.Marshal(map[string]string{
-		"projectName":    payload.ProjectName,
-		"projectVersion": fmt.Sprintf("%x", versionHash),
-		"bom":            base64.StdEncoding.EncodeToString([]byte(sbomsStr)),
-	})
-}
-Original file line number
+Diff line change
@@ Expand Up @@
     		SBOMs: []*cdx.BOM{singleModeBom, multiModeBom},
     	}
     	return bomtools.MergeSBOMs(mergedSBOMparam)
     }
     // BootstrapLanguageFiles implements LanguageCollector interface
@@ Expand Down @@