Class: SBOM Private
Overview
This class is part of a private API. This class may only be used in the Homebrew/brew repository. Third parties should avoid using this class if possible, as it may be removed or changed without warning.
Rather than calling new directly, use one of the class methods like SBOM.create.
Defined Under Namespace
Classes: Source
Constant Summary
- FILENAME = "sbom.spdx.json"
- SCHEMA_FILE = T.let((HOMEBREW_LIBRARY_PATH/"data/schemas/sbom.json").freeze, Pathname)
Class Method Summary
- .create(formula, tab) ⇒ T.attached_class private: instantiates an SBOM for a new installation of a formula.
- .exist?(formula) ⇒ Boolean private
- .runtime_deps_hash(deps) ⇒ Array<Hash{String => T.anything}> private
- .schema ⇒ Hash{String => T.anything} private
- .spdxfile(formula) ⇒ Pathname private
Instance Method Summary
- #schema_validation_errors(bottling: false) ⇒ Array<String> private
- #valid?(bottling: false) ⇒ Boolean private
- #write(validate: true, bottling: false) ⇒ void private
Methods included from Utils::Output::Mixin
#odebug, #odeprecated, #odie, #odisabled, #ofail, #oh1, #oh1_title, #ohai, #ohai_title, #onoe, #opoo, #opoo_outside_github_actions, #pretty_duration, #pretty_installed, #pretty_outdated, #pretty_uninstalled
Class Method Details
.create(formula, tab) ⇒ T.attached_class
Instantiates an SBOM for a new installation of a formula.

```ruby
# File 'sbom.rb', line 32
def self.create(formula, tab)
  active_spec = if formula.stable?
    T.must(formula.stable)
  else
    T.must(formula.head)
  end
  active_spec_sym = formula.active_spec_sym

  new(
    name:                 formula.name,
    homebrew_version:     HOMEBREW_VERSION,
    spdxfile:             SBOM.spdxfile(formula),
    time:                 tab.time || Time.now,
    source_modified_time: tab.source_modified_time.to_i,
    compiler:             tab.compiler,
    stdlib:               tab.stdlib,
    runtime_dependencies: SBOM.runtime_deps_hash(Array(tab.runtime_dependencies)),
    license:              SPDX.license_expression_to_string(formula.license),
    built_on:             DevelopmentTools.build_system_info,
    source:               Source.new(
      path:         formula.specified_path.to_s,
      tap_name:     formula.tap&.name,
      # We can only get `tap_git_head` if the tap is installed locally
      tap_git_head: (T.must(formula.tap).git_head if formula.tap&.installed?),
      spec:         active_spec_sym,
      patches:      active_spec.patches,
      bottle:       formula.bottle_hash,
      version:      active_spec.version,
      url:          active_spec.url,
      checksum:     active_spec.checksum,
    ),
  )
end
```
.exist?(formula) ⇒ Boolean
```ruby
# File 'sbom.rb', line 88
def self.exist?(formula)
  spdxfile(formula).exist?
end
```
.runtime_deps_hash(deps) ⇒ Array<Hash{String => T.anything}>
```ruby
# File 'sbom.rb', line 72
def self.runtime_deps_hash(deps)
  deps.map do |dep|
    full_name = dep.fetch("full_name")
    dep_formula = Formula[full_name]

    {
      "full_name"           => full_name,
      "pkg_version"         => dep.fetch("pkg_version"),
      "name"                => dep_formula.name,
      "license"             => SPDX.license_expression_to_string(dep_formula.license),
      "bottle"              => dep_formula.bottle_hash,
      "formula_pkg_version" => dep_formula.pkg_version.to_s,
    }
  end
end
```
.schema ⇒ Hash{String => T.anything}
```ruby
# File 'sbom.rb', line 93
def self.schema
  @schema ||= T.let(JSON.parse(SCHEMA_FILE.read, freeze: true), T.nilable(T::Hash[String, T.untyped]))
end
```
.spdxfile(formula) ⇒ Pathname
```ruby
# File 'sbom.rb', line 67
def self.spdxfile(formula)
  formula.prefix/FILENAME
end
```
Instance Method Details
#schema_validation_errors(bottling: false) ⇒ Array<String>
```ruby
# File 'sbom.rb', line 98
def schema_validation_errors(bottling: false)
  unless Homebrew.require? "json_schemer"
    error_message = "Need json_schemer to validate SBOM, run `brew install-bundler-gems --add-groups=bottle`!"
    odie error_message if ENV["HOMEBREW_ENFORCE_SBOM"]
    return []
  end

  schemer = JSONSchemer.schema(SBOM.schema)
  data = to_spdx_sbom(bottling:)
  schemer.validate(data).map { |error| error["error"] }
end
```
#valid?(bottling: false) ⇒ Boolean
```ruby
# File 'sbom.rb', line 112
def valid?(bottling: false)
  validation_errors = schema_validation_errors(bottling:)
  return true if validation_errors.empty?

  opoo "SBOM validation errors:"
  # `puts` is a private Kernel method, so `each(&:puts)` would raise NoMethodError
  validation_errors.each { |error| puts error }
  odie "Failed to validate SBOM against JSON schema!" if ENV["HOMEBREW_ENFORCE_SBOM"]
  false
end
```
#write(validate: true, bottling: false) ⇒ void
This method returns an undefined value.
```ruby
# File 'sbom.rb', line 125
def write(validate: true, bottling: false)
  # If this is a new installation, the cache of installed formulae
  # will no longer be valid.
  Formula.clear_cache unless spdxfile.exist?

  if validate && !valid?(bottling:)
    opoo "SBOM is not valid, not writing to disk!"
    return
  end

  spdxfile.atomic_write(JSON.pretty_generate(to_spdx_sbom(bottling:)))
end
```
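As an added example (not Homebrew's own code), the stand-alone Ruby script below models two things from this page: the dependency mapping of `.runtime_deps_hash`, and the validate-then-write flow of `#valid?` and `#write`, in which nothing reaches disk unless the document passes validation and the file is then replaced atomically. It uses only the standard library; the schema check is a hand-written stand-in for the `JSONSchemer` validation against `sbom.json` (assumption: `json_schemer` is not installed), and the SPDX field names, the formula name and the dependency entries are constructed sample data rather than values taken from Homebrew.

```ruby
require "json"
require "tempfile"
require "tmpdir"

# Stand-in for data/schemas/sbom.json: a minimal set of top-level SPDX keys and
# their expected types (assumption; not Homebrew's schema).
REQUIRED_SBOM_KEYS = {
  "spdxVersion" => String,
  "SPDXID"      => String,
  "name"        => String,
  "packages"    => Array,
}.freeze

# Constructed sample of what `tab.runtime_dependencies` holds: one hash per
# dependency with at least "full_name" and "pkg_version".
SAMPLE_RUNTIME_DEPS = [
  { "full_name" => "openssl@3", "pkg_version" => "3.3.1" },
  { "full_name" => "zlib",      "pkg_version" => "1.3.1" },
].freeze

# Maps runtime dependency entries to SPDX-style package records, in the spirit
# of SBOM.runtime_deps_hash but without consulting Formula[] (no Homebrew here).
def runtime_deps_packages(deps)
  deps.map do |dep|
    full_name = dep.fetch("full_name")
    {
      "SPDXID"      => "SPDXRef-Package-#{full_name.tr("@", "-")}",
      "name"        => full_name,
      "versionInfo" => dep.fetch("pkg_version"),
    }
  end
end

# Builds a constructed SBOM document for a hypothetical formula.
def sample_sbom(deps = SAMPLE_RUNTIME_DEPS)
  {
    "spdxVersion" => "SPDX-2.3",
    "SPDXID"      => "SPDXRef-DOCUMENT",
    "name"        => "example-formula-1.0.0",
    "packages"    => runtime_deps_packages(deps),
  }
end

# Returns a (possibly empty) array of error strings, like #schema_validation_errors.
def sbom_validation_errors(doc)
  errors = []
  REQUIRED_SBOM_KEYS.each do |key, type|
    if !doc.key?(key)
      errors << "missing required key #{key.inspect}"
    elsif !doc[key].is_a?(type)
      errors << "#{key.inspect} must be a #{type}, got #{doc[key].class}"
    end
  end
  packages = doc["packages"].is_a?(Array) ? doc["packages"] : []
  packages.each_with_index do |pkg, i|
    next if pkg.is_a?(Hash) && pkg["SPDXID"].is_a?(String) && pkg["name"].is_a?(String)

    errors << "packages[#{i}] needs string SPDXID and name"
  end
  errors
end

# Mirrors #write: never touch disk when validation fails, and replace the file
# atomically (temp file in the same directory, fsync, rename) so a reader can
# never observe a half-written SBOM. Returns true only when the file was written.
def write_sbom(path, doc, validate: true)
  if validate
    errors = sbom_validation_errors(doc)
    unless errors.empty?
      warn "SBOM validation errors:"
      errors.each { |error| warn "  #{error}" }
      warn "SBOM is not valid, not writing to disk!"
      return false
    end
  end

  tmp = Tempfile.create([File.basename(path), ".tmp"], File.dirname(path))
  begin
    tmp.write(JSON.pretty_generate(doc))
    tmp.flush
    tmp.fsync
    tmp.close
    File.rename(tmp.path, path) # atomic replacement on POSIX filesystems
  rescue StandardError
    File.unlink(tmp.path) if File.exist?(tmp.path)
    raise
  end
  true
end

if $PROGRAM_NAME == __FILE__
  Dir.mktmpdir do |dir|
    path = File.join(dir, "sbom.spdx.json")
    puts "written: #{write_sbom(path, sample_sbom)}"
    puts "rejected: #{!write_sbom(path, { "name" => 42 })}"
  end
end
```

The temp-file-plus-rename step is the stand-library equivalent of the `Pathname#atomic_write` call in `#write`: a crash or concurrent reader during the write sees either the previous SBOM or the complete new one, never a truncated file.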