Add output flag for SBOM

debricked · Sep 30, 2024 · 2983551 · 2983551
1 parent ea68110
commit 2983551
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 10 deletions.
diff --git a/internal/cmd/report/sbom/sbom.go b/internal/cmd/report/sbom/sbom.go
@@ -15,13 +15,15 @@ var repositoryId string
 var branch string
 var vulnerabilities bool
 var licenses bool
+var output string
 
 const CommitFlag = "commit"
 const RepositorylFlag = "repository"
 const TokenFlag = "token"
 const BranchFlag = "branch"
 const VulnerabilitiesFlag = "vulnerabilities"
 const LicensesFlag = "licenses"
+const OutputFlag = "output"
 
 func NewSBOMCmd(reporter report.IReporter) *cobra.Command {
 	cmd := &cobra.Command{
@@ -54,6 +56,12 @@ This is an enterprise feature. Please visit https://debricked.com/pricing/ for m
 	cmd.Flags().BoolVar(&licenses, LicensesFlag, true, "Toggles SBOM license data inclusion")
 	viper.MustBindEnv(LicensesFlag)
 
+	cmd.Flags().StringVarP(&output, OutputFlag, "o", "", `Sets output path for downloaded SBOM json file.
+
+If no output path is set the file is created in the format <repository_id>-<commit_id>.sbom.json`,
+	)
+	viper.MustBindEnv(OutputFlag)
+
 	return cmd
 }
 
@@ -65,6 +73,7 @@ func RunE(r report.IReporter) func(_ *cobra.Command, args []string) error {
 			Branch:          viper.GetString(BranchFlag),
 			Vulnerabilities: viper.GetBool(VulnerabilitiesFlag),
 			Licenses:        viper.GetBool(LicensesFlag),
+			Output:          viper.GetString(OutputFlag),
 		}
 
 		if err := r.Order(orderArgs); err != nil {

diff --git a/internal/cmd/root/root_test.go b/internal/cmd/root/root_test.go
@@ -35,7 +35,7 @@ func TestNewRootCmd(t *testing.T) {
 		}
 	}
 	assert.Truef(t, match, "failed to assert that flag was present: "+AccessTokenFlag)
-	assert.Len(t, viperKeys, 18)
+	assert.Len(t, viperKeys, 20)
 }
 
 func TestPreRun(t *testing.T) {

diff --git a/internal/cmd/scan/scan.go b/internal/cmd/scan/scan.go
@@ -34,6 +34,7 @@ var repositoryUrl string
 var verbose bool
 var versionHint bool
 var sbom bool
+var sbomOutput string
 
 const (
 	BranchFlag                      = "branch"
@@ -57,6 +58,7 @@ const (
 	VerboseFlag                     = "verbose"
 	VersionHintFlag                 = "version-hint"
 	SBOMFlag                        = "sbom"
+	SBOMOutputFlag                  = "sbom-output"
 )
 
 var scanCmdError error
@@ -153,6 +155,7 @@ For example, if there is a "go.mod" in the target path, its dependencies are goi
 		}, "\n")
 	cmd.Flags().BoolP(NpmPreferredFlag, "", npmPreferred, npmPreferredDoc)
 	cmd.Flags().BoolVar(&sbom, SBOMFlag, false, `Toggles wether to generate and download an SBOM report after scan completion`)
+	cmd.Flags().StringVar(&sbomOutput, SBOMOutputFlag, "", `Sets output path of downloaded SBOM report (if sbom is toggled)`)
 
 	viper.MustBindEnv(RepositoryFlag)
 	viper.MustBindEnv(CommitFlag)
@@ -163,6 +166,7 @@ For example, if there is a "go.mod" in the target path, its dependencies are goi
 	viper.MustBindEnv(PassOnTimeOut)
 	viper.MustBindEnv(NpmPreferredFlag)
 	viper.MustBindEnv(SBOMFlag)
+	viper.MustBindEnv(SBOMOutputFlag)
 
 	return cmd
 }
@@ -178,6 +182,7 @@ func RunE(s *scan.IScanner) func(_ *cobra.Command, args []string) error {
 			Resolve:                     !viper.GetBool(NoResolveFlag),
 			Fingerprint:                 !viper.GetBool(NoFingerprintFlag),
 			SBOM:                        viper.GetBool(SBOMFlag),
+			SBOMOutput:                  viper.GetString(SBOMOutputFlag),
 			Exclusions:                  viper.GetStringSlice(ExclusionFlag),
 			Verbose:                     viper.GetBool(VerboseFlag),
 			Regenerate:                  viper.GetInt(RegenerateFlag),

diff --git a/internal/report/sbom/report.go b/internal/report/sbom/report.go
@@ -45,6 +45,7 @@ type OrderArgs struct {
 	RepositoryID    string
 	CommitID        string
 	Branch          string
+	Output          string
 	Vulnerabilities bool
 	Licenses        bool
 }
@@ -70,7 +71,7 @@ func (r Reporter) Order(args report.IOrderArgs) error {
 		return err
 	}
 
-	return r.writeSBOM(orderArgs.RepositoryID, orderArgs.CommitID, sbom)
+	return r.writeSBOM(orderArgs.Output, orderArgs.RepositoryID, orderArgs.CommitID, sbom)
 
 }
 
@@ -151,8 +152,14 @@ func (r Reporter) download(uuid string) ([]byte, error) {
 	}
 }
 
-func (reporter Reporter) writeSBOM(repositoryID, commitID string, sbomBytes []byte) error {
-	file, err := reporter.FileWriter.Create(fmt.Sprintf("%s-%s.sbom.json", repositoryID, commitID))
+func (reporter Reporter) writeSBOM(output, repositoryID, commitID string, sbomBytes []byte) error {
+	var filename string
+	if output == "" {
+		filename = fmt.Sprintf("%s-%s.sbom.json", repositoryID, commitID)
+	} else {
+		filename = output
+	}
+	file, err := reporter.FileWriter.Create(filename)
 	if err != nil {
 		return err
 	}

diff --git a/internal/report/sbom/report_test.go b/internal/report/sbom/report_test.go
@@ -164,7 +164,7 @@ func TestWriteSBOM(t *testing.T) {
 		CreateErr: errors.New(""),
 	}
 	reporter := Reporter{DebClient: clientMock, FileWriter: fileWriter}
-	err := reporter.writeSBOM("", "", nil)
+	err := reporter.writeSBOM("", "", "", nil)
 	assert.Error(t, err)
 }
 
@@ -175,5 +175,6 @@ func orderArgs() OrderArgs {
 		Branch:          "",
 		CommitID:        "",
 		RepositoryID:    "",
+		Output:          "",
 	}
 }
diff --git a/internal/scan/scanner.go b/internal/scan/scanner.go
@@ -50,6 +50,7 @@ type DebrickedOptions struct {
 	Fingerprint                 bool
 	CallGraph                   bool
 	SBOM                        bool
+	SBOMOutput                  string
 	Exclusions                  []string
 	Inclusions                  []string
 	Verbose                     bool
@@ -144,8 +145,8 @@ func (dScanner *DebrickedScanner) Scan(o IOptions) error {
 	return nil
 }
 
-func (dScanner *DebrickedScanner) scanReportSBOM(reportSBOM bool, detailsURL, branch string) error {
-	if !reportSBOM {
+func (dScanner *DebrickedScanner) scanReportSBOM(options DebrickedOptions, detailsURL string) error {
+	if !options.SBOM {
 		return nil
 	}
 	reporter := sbom.Reporter{DebClient: *dScanner.client, FileWriter: io.FileWriter{}}
@@ -158,9 +159,10 @@ func (dScanner *DebrickedScanner) scanReportSBOM(reportSBOM bool, detailsURL, br
 	return reporter.Order(sbom.OrderArgs{
 		RepositoryID:    repositoryID,
 		CommitID:        commitID,
-		Branch:          branch,
+		Branch:          options.BranchName,
 		Vulnerabilities: true,
 		Licenses:        true,
+		Output:          options.SBOMOutput,
 	})
 }
 
@@ -272,9 +274,8 @@ func (dScanner *DebrickedScanner) scan(options DebrickedOptions, gitMetaObject g
 		return nil, err
 	}
 	err = dScanner.scanReportSBOM(
-		options.SBOM,
+		options,
 		result.DetailsUrl,
-		options.BranchName,
 	)
 	if err != nil {
 		return nil, err

diff --git a/internal/scan/testdata/npm/13-37.sbom.json b/internal/scan/testdata/npm/13-37.sbom.json
@@ -0,0 +1 @@
+{}