Include git metadata under formulation

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
CycloneDX · Jan 27, 2024 · 9adb10c · 9adb10c
1 parent 4e52cc0
commit 9adb10c
Show file tree

Hide file tree

Showing 9 changed files with 280 additions and 238 deletions.
diff --git a/.github/workflows/repotests.yml b/.github/workflows/repotests.yml
@@ -197,7 +197,7 @@ jobs:
         shell: bash
       - name: repotests java-sec-code
         run: |
-          bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-1.json
+          bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-1.json --include-formulation
           bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-2.json --author foo --author bar
           bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-3.json --required-only
           bin/cdxgen.js -p -t java repotests/java-sec-code -o bomresults/bom-java-sec-code-4.json --filter postgres --filter json
@@ -218,7 +218,7 @@ jobs:
         shell: bash
       - name: repotests shiftleft-ts-example
         run: |
-          FETCH_LICENSE=false bin/cdxgen.js -p -t js repotests/shiftleft-ts-example -o bomresults/bom-ts-1.json --validate
+          FETCH_LICENSE=false bin/cdxgen.js -p -t js repotests/shiftleft-ts-example -o bomresults/bom-ts-1.json --include-formulation
           node bin/evinse.js -i bomresults/bom-ts-1.json -o bomresults/bom-ts.evinse.json -l javascript --with-data-flow -p repotests/shiftleft-ts-example
           FETCH_LICENSE=true bin/cdxgen.js -p -t js repotests/shiftleft-ts-example --required-only -o bomresults/bom-ts-2.json --validate
           FETCH_LICENSE=1 bin/cdxgen.js -p -r -t js repotests/shiftleft-ts-example -o bomresults/bom-ts-3.json --validate
@@ -240,11 +240,11 @@ jobs:
         shell: bash
       - name: repotests vulnerable_net_core
         run: |
-          FETCH_LICENSE=true bin/cdxgen.js -p -r -t csharp repotests/vulnerable_net_core -o bomresults/bom-csharp2.json --validate
+          FETCH_LICENSE=true bin/cdxgen.js -p -r -t csharp repotests/vulnerable_net_core -o bomresults/bom-csharp2.json --include-formulation
         shell: bash
       - name: repotests Goatly.NET
         run: |
-          FETCH_LICENSE=false bin/cdxgen.js -p -r repotests/Goatly.NET -o bomresults/bom-csharp3.json --validate
+          FETCH_LICENSE=false bin/cdxgen.js -p -r repotests/Goatly.NET -o bomresults/bom-csharp3.json --include-formulation
         shell: bash
       - name: repotests DjanGoat
         run: |

diff --git a/README.md b/README.md
@@ -187,6 +187,8 @@ Options:
                                c.
   [choices: "appsec", "research", "operational", "threat-modeling", "license-com
                                        pliance", "generic"] [default: "generic"]
+      --include-formulation    Generate formulation section using git metadata.
+                                                      [boolean] [default: false]
       --auto-compositions      Automatically set compositions when the BOM was f
                                iltered. Defaults to true
                                                        [boolean] [default: true]

diff --git a/bin/cdxgen.js b/bin/cdxgen.js
@@ -231,6 +231,11 @@ const args = yargs(hideBin(process.argv))
     default: "bom.cdx",
     hidden: true
   })
+  .option("include-formulation", {
+    type: "boolean",
+    default: false,
+    description: "Generate formulation section using git metadata."
+  })
   .completion("completion", "Generate bash/zsh completion")
   .array("filter")
   .array("only")

diff --git a/docs/CLI.md b/docs/CLI.md
@@ -122,6 +122,8 @@ Options:
                                c.
   [choices: "appsec", "research", "operational", "threat-modeling", "license-com
                                        pliance", "generic"] [default: "generic"]
+      --include-formulation    Generate formulation section using git metadata.
+                                                      [boolean] [default: false]
       --auto-compositions      Automatically set compositions when the BOM was f
                                iltered. Defaults to true
                                                        [boolean] [default: true]

diff --git a/git.js b/git.js
@@ -0,0 +1,96 @@
+import { spawnSync } from "node:child_process";
+import { isWin } from "./utils.js";
+import process from "node:process";
+import { Buffer } from "node:buffer";
+
+const GIT_COMMAND = process.env.GIT_CMD || "git";
+
+/**
+ * Retrieves a git config item
+ * @param {string} configKey Git config key
+ * @param {string} dir repo directory
+ *
+ * @returns Output from git config or undefined
+ */
+export const getGitConfig = (configKey, dir) => {
+  return execGitCommand(dir, ["config", "--get", configKey]);
+};
+
+/**
+ * Retrieves the git origin url
+ * @param {string} dir repo directory
+ *
+ * @returns Output from git config or undefined
+ */
+export const getOriginUrl = (dir) => {
+  return getGitConfig("remote.origin.url", dir);
+};
+
+/**
+ * Retrieves the git branch name
+ * @param {string} configKey Git config key
+ * @param {string} dir repo directory
+ *
+ * @returns Output from git config or undefined
+ */
+export const getBranch = (configKey, dir) => {
+  return execGitCommand(dir, ["rev-parse", "--abbrev-ref", "HEAD"]);
+};
+
+/**
+ * Retrieves the files list from git
+ * @param {string} dir repo directory
+ *
+ * @returns Output from git config or undefined
+ */
+export const listFiles = (dir) => {
+  const filesList = [];
+  const output = execGitCommand(dir, [
+    "ls-tree",
+    "-l",
+    "-r",
+    "--full-tree",
+    "HEAD"
+  ]);
+  if (output) {
+    output.split("\n").forEach((l) => {
+      l = l.replace("\r", "");
+      if (l === "\n" || l.startsWith("#")) {
+        return;
+      }
+      const tmpA = l.split(" ");
+      if (tmpA && tmpA.length >= 5) {
+        const lastParts = tmpA[tmpA.length - 1].split("\t");
+        filesList.push({
+          hash: tmpA[2],
+          name: lastParts[lastParts.length - 1]
+        });
+      }
+    });
+  }
+  return filesList;
+};
+
+/**
+ * Execute a git command
+ * @param {string} dir Repo directory
+ * @param {Array} args arguments to git command
+ *
+ * @returns Output from the git command
+ */
+export const execGitCommand = (dir, args) => {
+  const result = spawnSync(GIT_COMMAND, args, {
+    cwd: dir,
+    encoding: "utf-8",
+    shell: isWin
+  });
+  if (result.status !== 0 || result.error) {
+    return undefined;
+  } else {
+    const stdout = result.stdout;
+    if (stdout) {
+      const cmdOutput = Buffer.from(stdout).toString();
+      return cmdOutput.trim();
+    }
+  }
+};
diff --git a/git.test.js b/git.test.js
@@ -0,0 +1,10 @@
+import { expect, test } from "@jest/globals";
+
+import { getBranch, getOriginUrl, listFiles } from "./git.js";
+
+test("git tests", () => {
+  expect(getBranch()).toBeDefined();
+  expect(getOriginUrl()).toBeDefined();
+  const files = listFiles();
+  expect(files.length).toBeGreaterThan(10);
+});