├── .editorconfig ├── .gitattributes ├── .github ├── CODEOWNERS ├── dependabot.yml ├── release-drafter.yml └── workflows │ ├── codeql-analysis.yml │ ├── create_release_tag.yml │ ├── gen-docs.yml │ ├── pr-comment-api-change.md │ ├── pr-comment-api-change.yml │ └── release-drafter.yml ├── .gitignore ├── CODE_OF_CONDUCT.md ├── Directory.Build.props ├── Directory.Build.targets ├── Directory.Packages.props ├── Dockerfile ├── LICENSE ├── Microsoft.Sbom.sln ├── README.md ├── SECURITY.md ├── SUPPORT.md ├── docs ├── api-version-4-migration-guide.md ├── building-from-source.md ├── feature-overview.md ├── images │ ├── ado-artifacts-with-sbom.png │ ├── ado-artifacts-without-sbom.png │ ├── github-downloaded-folder-with-sbom.png │ ├── github-downloaded-folder-without-sbom.png │ └── github-workflow-run-details.png ├── sbom-tool-api-reference.md ├── sbom-tool-arguments.md ├── sbom-tool-cli-reference.md ├── setting-up-ado-pipelines.md └── setting-up-github-actions.md ├── global.json ├── nuget.config ├── pipelines ├── build-test-tool-template.yaml ├── sbom-tool-main-build.yaml └── sbom-tool-pr-build.yaml ├── samples ├── About this sample.md └── manifest.spdx.json ├── snsKey.snk ├── snsKeyPublic.snk ├── src ├── Directory.Build.props ├── Microsoft.Sbom.Adapters │ ├── Adapters │ │ └── ComponentDetection │ │ │ ├── CargoComponentExtensions.cs │ │ │ ├── ConanComponentExtensions.cs │ │ │ ├── CondaComponentExtensions.cs │ │ │ ├── DockerImageComponentExtensions.cs │ │ │ ├── DockerReferenceComponentExtensions.cs │ │ │ ├── DotNetComponentExtensions.cs │ │ │ ├── ExtendedScanResult.cs │ │ │ ├── ExtendedScannedComponent.cs │ │ │ ├── GitComponentExtensions.cs │ │ │ ├── GoComponentExtensions.cs │ │ │ ├── LinuxComponentExtensions.cs │ │ │ ├── Logging │ │ │ └── LoggingHelper.cs │ │ │ ├── MavenComponentExtensions.cs │ │ │ ├── NpmComponentExtensions.cs │ │ │ ├── NuGetComponentExtensions.cs │ │ │ ├── OtherComponentExtensions.cs │ │ │ ├── PipComponentExtensions.cs │ │ │ ├── PodComponentExtensions.cs │ │ 
│ ├── RubyGemsComponentExtensions.cs │ │ │ ├── ScannedComponentExtensions.cs │ │ │ ├── SpdxComponentExtensions.cs │ │ │ └── VcpkgComponentExtensions.cs │ ├── ComponentDetectionToSbomPackageAdapter.cs │ ├── Microsoft.Sbom.Adapters.csproj │ └── Report │ │ ├── AdapterReport.cs │ │ └── AdapterReportItem.cs ├── Microsoft.Sbom.Api │ ├── Config │ │ ├── ApiConfigurationBuilder.cs │ │ ├── ArgRevivers.cs │ │ ├── Args │ │ │ ├── CommonArgs.cs │ │ │ ├── FormatValidationArgs.cs │ │ │ ├── GenerationAndValidationCommonArgs.cs │ │ │ ├── GenerationArgs.cs │ │ │ ├── RedactArgs.cs │ │ │ └── ValidationArgs.cs │ │ ├── ConfigFile.cs │ │ ├── ConfigFileParser.cs │ │ ├── ConfigPostProcessor.cs │ │ ├── ConfigSanitizer.cs │ │ ├── ConfigurationBuilder.cs │ │ ├── Extensions │ │ │ └── ConfigurationExtensions.cs │ │ ├── Generator.cs │ │ ├── ISbomService.cs │ │ ├── SbomToolCmdRunner.cs │ │ ├── Validator.cs │ │ ├── Validators │ │ │ ├── ConfigValidator.cs │ │ │ ├── DirectoryExistsValidator.cs │ │ │ ├── DirectoryPathIsWritableValidator.cs │ │ │ ├── FileExistsValidator.cs │ │ │ ├── FilePathIsWritableValidator.cs │ │ │ ├── IntRangeValidator.cs │ │ │ ├── ManifestInfoValidator.cs │ │ │ ├── UriValidator.cs │ │ │ └── ValueRequiredValidator.cs │ │ └── ValueConverters │ │ │ ├── BoolConfigurationSettingAddingConverter.cs │ │ │ ├── ConformanceConfigurationSettingAddingConverter.cs │ │ │ ├── HashAlgorithmNameConfigurationSettingAddingConverter.cs │ │ │ ├── IntConfigurationSettingAddingConverter.cs │ │ │ ├── LogEventLevelConfigurationSettingAddingConverter.cs │ │ │ ├── ManifestInfoConfigurationSettingAddingConverter.cs │ │ │ ├── NullableBoolConfigurationSettingAddingConverter.cs │ │ │ └── StringConfigurationSettingAddingConverter.cs │ ├── ConfigurationProfile.cs │ ├── Converters │ │ ├── ComponentToExternalReferenceInfoConverter.cs │ │ ├── ExternalReferenceInfoToPathConverter.cs │ │ ├── IManifestPathConverter.cs │ │ ├── SbomToolManifestPathConverter.cs │ │ └── SerilogLoggerConverter.cs │ ├── Entities │ │ ├── 
ErrorType.cs │ │ ├── ExitCode.cs │ │ ├── FileValidationResult.cs │ │ ├── JsonDocWithSerializer.cs │ │ └── output │ │ │ ├── ErrorContainer.cs │ │ │ ├── Result.cs │ │ │ ├── Summary.cs │ │ │ ├── ValidationResult.cs │ │ │ ├── ValidationResultGenerator.cs │ │ │ └── ValidationTelemetry.cs │ ├── Exceptions │ │ ├── AccessDeniedValidationArgException.cs │ │ ├── ClearlyDefinedResponseNotSuccessfulException.cs │ │ ├── ClearlyDefinedResponseParsingException.cs │ │ ├── ComponentDetectorException.cs │ │ ├── ConfigurationException.cs │ │ ├── HashGenerationException.cs │ │ ├── InvalidConverterException.cs │ │ ├── InvalidPathException.cs │ │ ├── ManifestFolderExistsException.cs │ │ ├── ManifestToolSerializerException.cs │ │ ├── MissingGeneratorException.cs │ │ ├── PackageMetadataParsingException.cs │ │ ├── SignValidatorNotFoundException.cs │ │ └── UnsupportedHashAlgorithmException.cs │ ├── Executors │ │ ├── ChannelUtils.cs │ │ ├── ComponentDetectionBaseWalker.cs │ │ ├── ComponentToPackageInfoConverter.cs │ │ ├── ConcurrentSha256HashValidator.cs │ │ ├── DirectoryWalker.cs │ │ ├── EnumeratorChannel.cs │ │ ├── ExternalDocumentReferenceWriter.cs │ │ ├── FileFilterer.cs │ │ ├── FileHasher.cs │ │ ├── FileInfoWriter.cs │ │ ├── FileListEnumerator.cs │ │ ├── GeneratorResult.cs │ │ ├── HashValidator.cs │ │ ├── IJsonSerializationStrategy.cs │ │ ├── ILicenseInformationFetcher.cs │ │ ├── ILicenseInformationService.cs │ │ ├── ISbomReaderForExternalDocumentReference.cs │ │ ├── JsonSerializationStrategyFactory.cs │ │ ├── LicenseInformationFetcher.cs │ │ ├── LicenseInformationService.cs │ │ ├── ListWalker.cs │ │ ├── ManifestFileFilterer.cs │ │ ├── ManifestFolderFilterer.cs │ │ ├── PackageInfoJsonWriter.cs │ │ ├── PackagesWalker.cs │ │ ├── RelationshipGenerator.cs │ │ ├── SPDXSbomReaderForExternalDocumentReference.cs │ │ ├── SbomComponentsWalker.cs │ │ ├── SbomFileToFileInfoConverter.cs │ │ ├── Spdx22SerializationStrategy.cs │ │ └── Spdx30SerializationStrategy.cs │ ├── Filters │ │ ├── 
DownloadedRootPathFilter.cs │ │ ├── IFilter.cs │ │ └── ManifestFolderFilter.cs │ ├── FormatValidator │ │ ├── FormatValidationResults.cs │ │ ├── FormatValidationStatus.cs │ │ ├── IValidatedSbom.cs │ │ ├── RuntimeJsonPropertyValidator.cs │ │ ├── ValidatedSbom.cs │ │ └── ValidatedSbomFactory.cs │ ├── Hashing │ │ ├── Algorithms │ │ │ ├── IHashAlgorithm.cs │ │ │ ├── Sha1HashAlgorithm.cs │ │ │ └── Sha256HashAlgorithm.cs │ │ ├── HashAlgorithmProvider.cs │ │ ├── HashCodeGenerator.cs │ │ ├── IHashAlgorithmProvider.cs │ │ └── IHashCodeGenerator.cs │ ├── Manifest │ │ ├── BaseManifestConfigHandler.cs │ │ ├── Configuration │ │ │ ├── SbomConfig.cs │ │ │ ├── SbomConfigFactory.cs │ │ │ └── SbomConfigProvider.cs │ │ ├── FileHashes │ │ │ ├── FileHashes.cs │ │ │ └── FileHashesDictionary.cs │ │ ├── IManifestParserProvider.cs │ │ ├── ManifestConfigHandlers │ │ │ ├── SPDX22ManifestConfigHandler.cs │ │ │ └── SPDX30ManifestConfigHandler.cs │ │ ├── ManifestGeneratorProvider.cs │ │ └── ManifestParserProvider.cs │ ├── MetaData │ │ ├── LocalMetadataProvider.cs │ │ └── SbomApiMetadataProvider.cs │ ├── Microsoft.Sbom.Api.csproj │ ├── Output │ │ ├── FileOutputWriter.cs │ │ ├── IOutputWriter.cs │ │ ├── ManifestToolJsonSerializer.cs │ │ ├── MetadataBuilder.cs │ │ ├── MetadataBuilderFactory.cs │ │ └── Telemetry │ │ │ ├── Entities │ │ │ ├── SbomFile.cs │ │ │ ├── SbomTelemetry.cs │ │ │ └── Timing.cs │ │ │ ├── IRecorder.cs │ │ │ ├── TelemetryRecorder.cs │ │ │ └── TimingRecorder.cs │ ├── PackageDetails │ │ ├── ComponentDetailsUtils │ │ │ ├── IPackageManagerUtils.cs │ │ │ ├── MavenUtils.cs │ │ │ ├── NugetUtils.cs │ │ │ └── RubyGemsUtils.cs │ │ ├── IPackageDetailsFactory.cs │ │ ├── PackageDetails.cs │ │ ├── PackageDetailsFactory.cs │ │ └── ParsedPackageInformation.cs │ ├── Providers │ │ ├── EntityToJsonProviderBase.cs │ │ ├── ExternalDocumentReferenceProviders │ │ │ ├── CGExternalDocumentReferenceProvider.cs │ │ │ └── ExternalDocumentReferenceProvider.cs │ │ ├── FilesProviders │ │ │ ├── 
CGScannedExternalDocumentReferenceFileProvider.cs │ │ │ ├── DirectoryTraversingFileToJsonProvider.cs │ │ │ ├── ExternalDocumentReferenceFileProvider.cs │ │ │ ├── FileListBasedFileToJsonProvider.cs │ │ │ ├── FileToJsonProviderBase.cs │ │ │ ├── PathBasedFileToJsonProviderBase.cs │ │ │ └── SbomFileBasedFileToJsonProvider.cs │ │ ├── ISourcesProvider.cs │ │ ├── PackagesProviders │ │ │ ├── CGScannedPackagesProvider.cs │ │ │ ├── CommonPackagesProvider.cs │ │ │ └── SbomPackagesProvider.cs │ │ └── ProviderType.cs │ ├── README.md │ ├── Recorder │ │ └── SbomPackageDetailsRecorder.cs │ ├── SbomGenerator.cs │ ├── SbomValidator.cs │ ├── SignValidator │ │ ├── ISignValidationProvider.cs │ │ └── SignValidationProvider.cs │ ├── Utils │ │ ├── AssemblyConfig.cs │ │ ├── ChannelDeduplicator.cs │ │ ├── ComponentDetectionCliArgumentBuilder.cs │ │ ├── ComponentDetector.cs │ │ ├── ComponentDetectorCachedExecutor.cs │ │ ├── Constants.cs │ │ ├── Events.cs │ │ ├── ExternalDocumentReferenceEqualityComparer.cs │ │ ├── ExternalReferenceDeduplicator.cs │ │ ├── FileTypeUtils.cs │ │ ├── IAssemblyConfig.cs │ │ ├── IComponentDetector.cs │ │ ├── IFileTypeUtils.cs │ │ ├── InternalSbomFileInfoDeduplicator.cs │ │ ├── SbomFormatExtensions.cs │ │ └── ScannedComponentEqualityComparer.cs │ └── Workflows │ │ ├── Helpers │ │ ├── ExternalDocumentReferenceGenerator.cs │ │ ├── FileArrayGenerator.cs │ │ ├── FilesValidator.cs │ │ ├── IJsonArrayGenerator.cs │ │ ├── ISbomRedactor.cs │ │ ├── JsonDocumentCollection.cs │ │ ├── PackageArrayGenerator.cs │ │ ├── RelationshipsArrayGenerator.cs │ │ └── SbomRedactor.cs │ │ ├── IWorkflow.cs │ │ ├── SbomGenerationWorkflow.cs │ │ ├── SbomParserBasedValidationWorkflow.cs │ │ └── SbomRedactionWorkflow.cs ├── Microsoft.Sbom.Common │ ├── Config │ │ ├── Attributes │ │ │ ├── ComponentDetectorArgumentAttribute.cs │ │ │ ├── DefaultManifestInfoArgForGenerationAttribute.cs │ │ │ ├── DefaultManifestInfoArgForValidationAttribute.cs │ │ │ ├── DefaultNamespaceBaseUriAttribute.cs │ │ │ ├── 
DirectoryExistsAttribute.cs │ │ │ ├── DirectoryPathIsWritableAttribute.cs │ │ │ ├── FileExistsAttribute.cs │ │ │ ├── FilePathIsWritableAttribute.cs │ │ │ ├── IntRangeAttribute.cs │ │ │ ├── PackageSupplierAttribute.cs │ │ │ ├── PathAttribute.cs │ │ │ ├── ValidManifestInfoAttribute.cs │ │ │ ├── ValidUriAttribute.cs │ │ │ └── ValueRequiredAttribute.cs │ │ ├── Configuration.cs │ │ ├── ConfigurationSetting.cs │ │ ├── IConfiguration.cs │ │ ├── ISettingSourceable.cs │ │ ├── InputConfiguration.cs │ │ ├── ManifestToolActions.cs │ │ └── SettingSource.cs │ ├── Conformance │ │ ├── ConformanceEnforcerFactory.cs │ │ ├── ConformanceExtensions.cs │ │ ├── Enums │ │ │ └── NTIAMinErrorType.cs │ │ ├── Interfaces │ │ │ ├── IConformanceEnforcer.cs │ │ │ └── IConformanceErrorType.cs │ │ ├── InvalidElementInfo.cs │ │ ├── NTIAMinConformanceEnforcer.cs │ │ └── NoneConformanceEnforcer.cs │ ├── Constants.cs │ ├── ContextsResult.cs │ ├── ElementsResult.cs │ ├── EnvironmentWrapper.cs │ ├── Extensions │ │ ├── DictionaryExtensions.cs │ │ └── FileSystemUtilsExtension.cs │ ├── FileSystemUtils.cs │ ├── FileSystemUtilsProvider.cs │ ├── GeneratorUtils.cs │ ├── IEnvironmentWrapper.cs │ ├── IFileSystemUtils.cs │ ├── IFileSystemUtilsExtension.cs │ ├── IMetadataBuilderFactory.cs │ ├── IOSUtils.cs │ ├── IProcessExecutor.cs │ ├── ISbomConfigFactory.cs │ ├── InternalMetadataProviderIdentityExtensions.cs │ ├── JsonAsynchronousNodeKit │ │ ├── Constants.cs │ │ ├── Exceptions │ │ │ └── ParserException.cs │ │ ├── LargeJsonParser.cs │ │ ├── ParameterType.cs │ │ ├── ParserUtils.cs │ │ └── PropertyHandler.cs │ ├── Microsoft.Sbom.Common.csproj │ ├── OSUtils.cs │ ├── ProcessExecutor.cs │ ├── Properties │ │ └── AssemblyInfo.cs │ ├── Spdx30Entities │ │ ├── AnyLicenseInfo.cs │ │ ├── ContentIdentifier.cs │ │ ├── CreationInfo.cs │ │ ├── Element.cs │ │ ├── Enums │ │ │ ├── HashAlgorithm.cs │ │ │ ├── ProfileIdentifierType.cs │ │ │ └── RelationshipType.cs │ │ ├── ExternalIdentifier.cs │ │ ├── ExternalMap.cs │ │ ├── File.cs │ │ 
├── FormatEnforcedSPDX30.cs │ │ ├── NTIAMinFile.cs │ │ ├── NTIAMinSpdxDocument.cs │ │ ├── NoAssertionElement.cs │ │ ├── NoneElement.cs │ │ ├── Organization.cs │ │ ├── Package.cs │ │ ├── PackageVerificationCode.cs │ │ ├── Person.cs │ │ ├── Relationship.cs │ │ ├── Snippet.cs │ │ ├── Software.cs │ │ ├── SpdxDocument.cs │ │ └── Tool.cs │ ├── UnixFileSystemUtils.cs │ ├── Utils │ │ ├── CommonSPDXUtils.cs │ │ ├── IdentifierUtils.cs │ │ ├── ListUtils.cs │ │ └── PathUtils.cs │ └── WindowsFileSystemUtils.cs ├── Microsoft.Sbom.Contracts │ ├── Contracts │ │ ├── Checksum.cs │ │ ├── Entities │ │ │ ├── AlgorithmNames.cs │ │ │ ├── Entity.cs │ │ │ ├── FileEntity.cs │ │ │ └── PackageEntity.cs │ │ ├── EntityError.cs │ │ ├── Enums │ │ │ ├── AlgorithmName.cs │ │ │ ├── ConformanceType.cs │ │ │ ├── EntityType.cs │ │ │ ├── ErrorType.cs │ │ │ └── FileType.cs │ │ ├── LicenseInfo.cs │ │ ├── MetadataCreationInfo.cs │ │ ├── RuntimeConfiguration.cs │ │ ├── SbomFile.cs │ │ ├── SbomGenerationResult.cs │ │ ├── SbomMetadata.cs │ │ ├── SbomPackage.cs │ │ ├── SbomReference.cs │ │ ├── SbomRelationship.cs │ │ ├── SbomSpecification.cs │ │ ├── SbomValidationResult.cs │ │ └── SpdxMetadata.cs │ ├── ISbomGenerator.cs │ ├── ISbomValidator.cs │ ├── Interfaces │ │ └── IAlgorithmNames.cs │ └── Microsoft.Sbom.Contracts.csproj ├── Microsoft.Sbom.DotNetTool │ ├── FormatValidationService.cs │ ├── GenerationService.cs │ ├── Microsoft.Sbom.DotNetTool.csproj │ ├── RedactService.cs │ └── ValidationService.cs ├── Microsoft.Sbom.Extensions.DependencyInjection │ ├── Microsoft.Sbom.Extensions.DependencyInjection.csproj │ ├── RemapComponentDetectionErrorsToWarningsLogger.cs │ └── ServiceCollectionExtensions.cs ├── Microsoft.Sbom.Extensions │ ├── Entities │ │ ├── ExternalDocumentReferenceInfo.cs │ │ ├── FileLocation.cs │ │ ├── GenerationData.cs │ │ ├── GenerationResult.cs │ │ ├── InternalSbomFileInfo.cs │ │ ├── ManifestData.cs │ │ ├── ManifestInfo.cs │ │ ├── Relationship.cs │ │ ├── RelationshipType.cs │ │ └── 
ResultMetadata.cs │ ├── Exceptions │ │ └── MissingHashValueException.cs │ ├── IInternalMetadataProvider.cs │ ├── IManifestConfigHandler.cs │ ├── IManifestGenerator.cs │ ├── IManifestInterface.cs │ ├── IManifestToolJsonSerializer.cs │ ├── IMetadataBuilder.cs │ ├── IMetadataProvider.cs │ ├── ISbomConfig.cs │ ├── ISbomConfigProvider.cs │ ├── ISbomPackageDetailsRecorder.cs │ ├── ISbomParser.cs │ ├── ISignValidator.cs │ ├── MetadataKey.cs │ ├── Microsoft.Sbom.Extensions.csproj │ ├── ParserStateResult.cs │ └── Properties │ │ └── AssemblyInfo.cs ├── Microsoft.Sbom.Parsers.Spdx22SbomParser │ ├── Constants.cs │ ├── Entities │ │ ├── Annotation.cs │ │ ├── Checksum.cs │ │ ├── CreationInfo.cs │ │ ├── Enums │ │ │ ├── ExternalRepositoryType.cs │ │ │ ├── ReferenceCategory.cs │ │ │ ├── SPDXFileType.cs │ │ │ └── SPDXRelationshipType.cs │ │ ├── ExternalReference.cs │ │ ├── ExtractedLicensingInfo.cs │ │ ├── FormatEnforcedSPDX2.cs │ │ ├── PackageVerificationCode.cs │ │ ├── Pointer.cs │ │ ├── Range.cs │ │ ├── SPDX22RequiredProperties.cs │ │ ├── SPDXPackage.cs │ │ ├── SPDXRelationship.cs │ │ ├── Snippet.cs │ │ ├── SpdxExternalDocumentReference.cs │ │ └── SpdxFile.cs │ ├── Exceptions │ │ └── MissingHashValueException.cs │ ├── Generator.cs │ ├── Microsoft.Sbom.Parsers.Spdx22SbomParser.csproj │ ├── Parser │ │ ├── ExternalDocumentReferencesResult.cs │ │ ├── FilesResult.cs │ │ ├── PackagesResult.cs │ │ ├── RelationshipsResult.cs │ │ └── SPDXParser.cs │ ├── Utils │ │ ├── SPDXExtensions.cs │ │ ├── SPDXToSbomFormatConverterExtensions.cs │ │ └── SPDXVersionParser.cs │ └── Validator.cs ├── Microsoft.Sbom.Parsers.Spdx30SbomParser │ ├── Constants.cs │ ├── Exceptions │ │ └── MissingHashValueException.cs │ ├── Generator.cs │ ├── Microsoft.Sbom.Parsers.Spdx30SbomParser.csproj │ ├── Parser │ │ ├── ParserResults.cs │ │ └── SPDX30Parser.cs │ ├── Utils │ │ ├── ElementSerializer.cs │ │ ├── SPDXExtensions.cs │ │ └── SPDXToSbomFormatConverterExtensions.cs │ └── Validator.cs ├── Microsoft.Sbom.Targets │ ├── 
GenerateSbom.cs │ ├── GenerateSbomTask.cs │ ├── Microsoft.Sbom.Targets.csproj │ ├── Microsoft.Sbom.Targets.targets │ ├── README.md │ ├── SbomCLIToolTask.cs │ └── SbomInputValidator.cs └── Microsoft.Sbom.Tool │ ├── FormatValidationService.cs │ ├── GenerationService.cs │ ├── Microsoft.Sbom.Tool.csproj │ ├── Program.cs │ ├── RedactService.cs │ └── ValidationService.cs └── test ├── .editorconfig ├── Directory.Build.props ├── Directory.Packages.props ├── Microsoft.Sbom.Adapters.Tests ├── ComponentDetectionToSbomPackageAdapterTests.cs └── Microsoft.Sbom.Adapters.Tests.csproj ├── Microsoft.Sbom.Api.Tests ├── ApiConfigurationBuilderTests.cs ├── Config │ ├── ConfigSanitizerTests.cs │ ├── ConfigurationBuilderTestsBase.cs │ ├── ConfigurationBuilderTestsForGeneration.cs │ ├── ConfigurationBuilderTestsForRedact.cs │ ├── ConfigurationBuilderTestsForValidation.cs │ ├── ConfigurationCLITests.cs │ ├── SBOMConfigTests.cs │ └── Validators │ │ ├── DirectoryPathIsWritableValidatorTests.cs │ │ └── ManifestInfoValidatorTests.cs ├── ConsoleCapture.cs ├── Converters │ ├── ComponentToExternalReferenceInfoConverterTests.cs │ ├── ExternalReferenceInfoToPathConverterTest.cs │ └── SbomToolManifestPathConverterTests.cs ├── Entities │ ├── FileValidationResultTest.cs │ └── output │ │ └── ValidationResultGeneratorTests.cs ├── Executors │ ├── ComponentToPackageInfoConverterTests.cs │ ├── DirectoryWalkerTests.cs │ ├── ExternalDocumentReferenceWriterTest.cs │ ├── FileHasherTests.cs │ ├── FileListEnumeratorTests.cs │ ├── HashValidatorTests.cs │ ├── LicenseInformationFetcherTests.cs │ ├── PackagesWalkerTests.cs │ ├── RelationshipGeneratorTest.cs │ ├── SBOMComponentsWalkerTests.cs │ └── SPDXSBOMReaderForExternalDocumentReferenceTests.cs ├── Filters │ ├── DownloadedRootPathFilterTests.cs │ └── ManifestFolderFilterTests.cs ├── FormatValidator │ ├── FormatValidatorTestStrings.cs │ ├── FormatValidatorTests.cs │ └── SpdxExemplars.cs ├── Hashing │ └── HashCodeGeneratorTests.cs ├── HttpRequestUtils.cs ├── 
Metadata │ ├── LocalMetadataProviderTest.cs │ └── SbomApiMetadataProviderTest.cs ├── Microsoft.Sbom.Api.Tests.csproj ├── Output │ ├── ManifestToolJsonSerializerTests.cs │ └── Telemetry │ │ └── TelemetryRecorderTests.cs ├── PackageDetails │ ├── MavenUtilsTests.cs │ ├── NugetUtilsTests.cs │ ├── RubyGemsUtilsTests.cs │ └── SampleMetadataFiles.cs ├── PathUtils.cs ├── SBOMGeneratorTest.cs ├── SignValidator │ └── SignValidationProviderTests.cs ├── TestManifestGenerator.cs ├── TestUtils.cs ├── Utils │ ├── ComponentDetectionCliArgumentBuilderTests.cs │ ├── ComponentDetectorCachedExecutorTest.cs │ ├── ExternalReferenceDeduplicatorTests.cs │ ├── FileSystemUtilsExtensionTest.cs │ ├── FileTypeUtilsTest.cs │ ├── IdentifierUtilsTests.cs │ ├── OSUtilsTest.cs │ └── SBOMFileDedeplicatorTests.cs ├── VersionSpecificPins │ └── Version_4_0 │ │ └── InterfaceConcretionTests.cs └── Workflows │ ├── Helpers │ ├── JsonDocumentCollectionTests.cs │ ├── RelationshipsArrayGeneratorTest.cs │ └── SbomRedactorTests.cs │ ├── ManifestGenerationWorkflowTests.cs │ ├── SbomParserBasedValidationWorkflowTests.cs │ ├── SbomRedactionWorkflowTests.cs │ └── ValidationWorkflowTestsBase.cs ├── Microsoft.Sbom.Common.Tests ├── CommonSPDXUtilsTests.cs └── Microsoft.Sbom.Common.Tests.csproj ├── Microsoft.Sbom.Extensions.DependencyInjection.Tests ├── Microsoft.Sbom.Extensions.DependencyInjection.Tests.csproj └── RemapComponentDetectionErrorsToWarningsLoggerTests.cs ├── Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests ├── Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj ├── Parser │ ├── GeneratorTests.cs │ ├── LargeJsonParserTests.cs │ ├── ParserResults.cs │ ├── SbomFileParserTests.cs │ ├── SbomPackageParserTests.cs │ ├── SbomParserTests.cs │ ├── SbomParserTestsBase.cs │ ├── SbomRelationshipParserTests.cs │ └── Strings │ │ ├── ExternalDocumentReferenceStrings.cs │ │ ├── RelationshipStrings.cs │ │ ├── SbomFileJsonStrings.cs │ │ ├── SbomPackageStrings.cs │ │ └── SbomParserStrings.cs └── Utils │ ├── 
InternalMetadataProviderIdentityExtensionsTests.cs │ ├── SPDXExtensionsTest.cs │ └── SbomFormatConverterTests.cs ├── Microsoft.Sbom.Parsers.Spdx30SbomParser.Tests ├── Microsoft.Sbom.Parsers.Spdx30SbomParser.Tests.csproj ├── Parser │ ├── GeneratorTests.cs │ ├── JsonStrings │ │ ├── SbomDocCreationJsonStrings.cs │ │ ├── SbomExternalMapJsonStrings.cs │ │ ├── SbomFileJsonStrings.cs │ │ ├── SbomFullDocWithFilesStrings.cs │ │ ├── SbomFullDocWithMetadataJsonStrings.cs │ │ ├── SbomFullDocWithPackagesStrings.cs │ │ ├── SbomPackageJsonStrings.cs │ │ └── SbomRelationshipJsonStrings.cs │ ├── SbomFileParserTests.cs │ ├── SbomMetadataParserTests.cs │ ├── SbomPackageParserTests.cs │ └── SbomParserTestsBase.cs └── Utils │ ├── SPDXExtensionsTest.cs │ └── SbomFormatConverterTests.cs ├── Microsoft.Sbom.Targets.E2E.Tests ├── GenerateSbomE2ETests.cs ├── Microsoft.Sbom.Targets.E2E.Tests.csproj └── ProjectSamples │ └── ProjectSample1 │ ├── ProjectSample1.csproj │ └── SampleLibrary.cs ├── Microsoft.Sbom.Targets.Tests ├── AbstractGenerateSbomTaskInputTests.cs ├── AbstractGenerateSbomTaskTests.cs ├── GenerateSbomTaskSPDX_2_2InputTests.cs ├── GenerateSbomTaskSPDX_2_2Tests.cs ├── Microsoft.Sbom.Targets.Tests.csproj └── Utility │ └── GeneratedSbomValidator.cs └── Microsoft.Sbom.Tool.Tests ├── IntegrationTests.cs └── Microsoft.Sbom.Tool.Tests.csproj /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | # All PR reviews must be approved by one member of the sbom-pr-reviewers group. 
2 | * @microsoft/sbom-pr-reviewers -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: "nuget" 4 | directory: "/" 5 | schedule: 6 | interval: "daily" 7 | open-pull-requests-limit: 30 # Default value of 5 is too low as we catch up 8 | 9 | - package-ecosystem: "github-actions" 10 | directory: "/" 11 | schedule: 12 | interval: "daily" 13 | 14 | - package-ecosystem: "docker" 15 | directory: "/" 16 | schedule: 17 | interval: "daily" 18 | -------------------------------------------------------------------------------- /.github/release-drafter.yml: -------------------------------------------------------------------------------- 1 | # release-drafter automatically creates a draft release for you each time you complete a PR in the main branch. 2 | # It uses GitHub labels to categorize changes (See categories) and draft the release. 3 | # release-drafter also generates a version for your release based on GitHub labels. You can add a label of 'major', 4 | # 'minor' or 'patch' to determine which number in the version to increment. 5 | # You may need to add these labels yourself. 6 | # See https://github.com/release-drafter/release-drafter 7 | name-template: 'v$RESOLVED_VERSION' 8 | tag-template: 'v$RESOLVED_VERSION' 9 | change-template: '- $TITLE by @$AUTHOR (#$NUMBER)' 10 | change-title-escapes: '\<*_&' # You can add # and @ to disable mentions, and add ` to disable code blocks. 
11 | no-changes-template: '- No changes' 12 | categories: 13 | - title: '📝 Documentation' 14 | labels: 15 | - 'type:docs' 16 | - title: '🚀 New Features' 17 | labels: 18 | - 'type:feature' 19 | - title: '🐛 Bug Fixes' 20 | labels: 21 | - 'type:bug' 22 | - title: '🧰 Maintenance' 23 | labels: 24 | - 'type:ci' 25 | - 'type:refactor' 26 | version-resolver: 27 | major: 28 | labels: 29 | - 'version:major' 30 | minor: 31 | labels: 32 | - 'version:minor' 33 | patch: 34 | labels: 35 | - 'version:patch' 36 | default: patch 37 | template: | 38 | ## ⚙️ Changes 39 | $CHANGES 40 | -------------------------------------------------------------------------------- /.github/workflows/codeql-analysis.yml: -------------------------------------------------------------------------------- 1 | name: CodeQL 2 | 3 | on: 4 | push: 5 | branches: [ main ] 6 | pull_request: 7 | branches: [ main ] 8 | schedule: 9 | - cron: '27 10 * * 1' 10 | 11 | env: 12 | CODEQL_BUILD: True 13 | 14 | jobs: 15 | analyze: 16 | name: Analyze 17 | runs-on: ubuntu-latest 18 | permissions: 19 | actions: read 20 | contents: read 21 | security-events: write 22 | 23 | strategy: 24 | fail-fast: false 25 | matrix: 26 | language: [ 'csharp' ] 27 | 28 | steps: 29 | - name: Checkout repository 30 | uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 31 | 32 | - name: Initialize CodeQL 33 | uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 34 | 35 | - name: Autobuild 36 | uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 37 | 38 | - name: Perform CodeQL Analysis 39 | uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18 40 | -------------------------------------------------------------------------------- /.github/workflows/create_release_tag.yml: -------------------------------------------------------------------------------- 1 | name: Create new tag 2 | 3 | on: 4 | workflow_dispatch: 5 | inputs: 6 | 
tag: 7 | description: 'Tag (example v0.1.5)' 8 | required: true 9 | 10 | permissions: 11 | contents: write 12 | 13 | jobs: 14 | create-tag: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 18 | with: 19 | script: | 20 | github.rest.git.createRef({ 21 | owner: context.repo.owner, 22 | repo: context.repo.repo, 23 | ref: 'refs/tags/${{ github.event.inputs.tag }}', 24 | sha: context.sha 25 | }) 26 | -------------------------------------------------------------------------------- /.github/workflows/gen-docs.yml: -------------------------------------------------------------------------------- 1 | name: Generate docs 2 | 3 | on: 4 | workflow_dispatch: 5 | push: 6 | branches: 7 | - main 8 | paths: 9 | - 'src/Microsoft.Sbom.Api/Config/Args/*.cs' 10 | - 'src/Microsoft.Sbom.Common/Config/IConfiguration.cs' 11 | 12 | permissions: 13 | contents: write 14 | 15 | jobs: 16 | gen-docs: 17 | runs-on: ubuntu-latest 18 | steps: 19 | - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 20 | 21 | - name: Setup .NET 22 | uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1 23 | 24 | - name: Generate docs 25 | run: | 26 | # Run CLI 27 | dotnet run -p src/Microsoft.Sbom.Tool generate -- -h 2> help.txt || true 28 | cat < docs/sbom-tool-arguments.md 29 | # Sbom tool arguments 30 | 31 | \`\`\`shell 32 | dotnet run -p './src/Microsoft.Sbom.Tool' generate -- -h 33 | \`\`\` 34 | 35 | \`\`\` 36 | $(tail --lines=+4 help.txt) 37 | \`\`\` 38 | EOF 39 | 40 | - name: Commit 41 | uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0 42 | with: 43 | commit_message: 'Auto update docs/*.md' 44 | file_pattern: 'docs/*.md' 45 | -------------------------------------------------------------------------------- /.github/workflows/pr-comment-api-change.md: -------------------------------------------------------------------------------- 1 | This PR 
changes files in the API project. Does it change _any_ of the API interfaces in _any way_? Please note that this includes the following types of changes: 2 | - Changing the signature of an existing interface method 3 | - Adding a new method to an existing interface 4 | - Adding a required data member to a class that an existing interface method consumes 5 | 6 | Because any of these changes can potentially break a downstream consumer with customized interface implementations, these changes need to be treated as breaking changes. Please do one of the following: 7 | 8 | ## Option 1 - Publish this as a breaking change 9 | 1. Update the documentation to show the new functionality 10 | 2. Bump the major version in the next release 11 | 3. Be sure to highlight the breaking changes in the release notes 12 | 13 | ## Option 2 - Refactor the changes to be non-breaking 14 | 1. Review [this commit](https://github.com/microsoft/sbom-tool/commit/4d0ce83e194ed6feace53666aeb6280f5b8b8769), which adds a new interface in a backward-compatible way 15 | 2. Refactor the change to follow this pattern so that existing interfaces are left completely intact 16 | 3. 
Bump the minor version in the next release 17 | -------------------------------------------------------------------------------- /.github/workflows/pr-comment-api-change.yml: -------------------------------------------------------------------------------- 1 | name: Check for API changes 2 | 3 | on: 4 | pull_request: 5 | paths: 6 | - 'src/Microsoft.Sbom.Api/**/*.cs' 7 | 8 | jobs: 9 | auto-comment: 10 | if: github.event.pull_request.head.repo.full_name == github.repository 11 | runs-on: ubuntu-latest 12 | permissions: 13 | pull-requests: write 14 | steps: 15 | - name: Checkout Repository 16 | uses: actions/checkout@v4 17 | - name: PR Comment 18 | run: 19 | gh pr comment $PRNUM --body-file .github/workflows/pr-comment-api-change.md 20 | env: 21 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 22 | GH_REPO: ${{ github.repository }} 23 | PRNUM: ${{ github.event.pull_request.number }} -------------------------------------------------------------------------------- /.github/workflows/release-drafter.yml: -------------------------------------------------------------------------------- 1 | name: Release Drafter 2 | 3 | on: 4 | push: 5 | branches: 6 | - main 7 | workflow_dispatch: 8 | 9 | permissions: 10 | contents: write 11 | pull-requests: read 12 | 13 | jobs: 14 | update_release_draft: 15 | runs-on: ubuntu-latest 16 | steps: 17 | - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0 18 | with: 19 | disable-autolabeler: true 20 | env: 21 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Microsoft Open Source Code of Conduct 2 | 3 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). 
4 | 5 | Resources: 6 | 7 | - [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/) 8 | - [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) 9 | - Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns 10 | -------------------------------------------------------------------------------- /Directory.Build.targets: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | preview.0 6 | v 7 | 8 | 9 | 10 | 11 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM mcr.microsoft.com/dotnet/sdk AS build-env 2 | COPY . /app 3 | WORKDIR /app/src/Microsoft.Sbom.Tool 4 | ARG RUNTIME=linux-x64 5 | RUN dotnet publish -f net8.0 -r $RUNTIME --self-contained true -p:DebugType=None -p:DebugSymbols=false -p:PublishSingleFile=true -p:IncludeAllContentForSelfExtract=true -o output 6 | 7 | FROM mcr.microsoft.com/dotnet/runtime-deps:7.0.20-bullseye-slim-amd64 8 | WORKDIR /app/src/Microsoft.Sbom.Tool 9 | COPY --from=build-env /app/src/Microsoft.Sbom.Tool/output . 10 | 11 | RUN apt update -y && apt install -y python golang nuget npm cargo ruby maven && rm -rf /var/lib/apt/lists/* 12 | RUN useradd -ms /bin/bash sbom 13 | USER sbom 14 | ENTRYPOINT ["./Microsoft.Sbom.Tool"] 15 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) Microsoft Corporation. 
4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE 22 | -------------------------------------------------------------------------------- /SUPPORT.md: -------------------------------------------------------------------------------- 1 | # Support 2 | 3 | ## How to file issues and get help 4 | 5 | This project uses GitHub Issues to track bugs and feature requests. Please search the existing 6 | issues before filing new issues to avoid duplicates. For new issues, file your bug or 7 | feature request as a new Issue. 8 | 9 | ## Microsoft Support Policy 10 | 11 | Support for this **PROJECT or PRODUCT** is limited to the resources listed above. 
12 | -------------------------------------------------------------------------------- /docs/images/ado-artifacts-with-sbom.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/sbom-tool/b69d333c0b76cb27b6874eeae0303b18392cb7c1/docs/images/ado-artifacts-with-sbom.png -------------------------------------------------------------------------------- /docs/images/ado-artifacts-without-sbom.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/sbom-tool/b69d333c0b76cb27b6874eeae0303b18392cb7c1/docs/images/ado-artifacts-without-sbom.png -------------------------------------------------------------------------------- /docs/images/github-downloaded-folder-with-sbom.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/sbom-tool/b69d333c0b76cb27b6874eeae0303b18392cb7c1/docs/images/github-downloaded-folder-with-sbom.png -------------------------------------------------------------------------------- /docs/images/github-downloaded-folder-without-sbom.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/sbom-tool/b69d333c0b76cb27b6874eeae0303b18392cb7c1/docs/images/github-downloaded-folder-without-sbom.png -------------------------------------------------------------------------------- /docs/images/github-workflow-run-details.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/sbom-tool/b69d333c0b76cb27b6874eeae0303b18392cb7c1/docs/images/github-workflow-run-details.png -------------------------------------------------------------------------------- /global.json: -------------------------------------------------------------------------------- 1 | { 2 | "sdk": { 3 | "version": "8.0.100", 4 | 
"rollForward": "latestMajor" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /nuget.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /samples/About this sample.md: -------------------------------------------------------------------------------- 1 | # SBOM Sample 2 | 3 | The [manifest.spdx.json](manifest.spdx.json) linked in this folder is the SBOM for the sbom-tool itself. It was generated using the sbom-tool, and is distributed along with every release. 4 | 5 | The SBOM is compatible with the SPDX 2.2 format, more information about SPDX 2.2 format can be found [here](https://spdx.github.io/spdx-spec/v2.2.2/introduction/). 6 | -------------------------------------------------------------------------------- /snsKey.snk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/sbom-tool/b69d333c0b76cb27b6874eeae0303b18392cb7c1/snsKey.snk -------------------------------------------------------------------------------- /snsKeyPublic.snk: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/microsoft/sbom-tool/b69d333c0b76cb27b6874eeae0303b18392cb7c1/snsKeyPublic.snk -------------------------------------------------------------------------------- /src/Directory.Build.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | true 7 | snupkg 8 | 9 | 10 | 11 | true 12 | true 13 | $(AllowedOutputExtensionsInPackageBuildOutputFolder);.pdb 14 | 15 | 16 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Adapters/Adapters/ComponentDetection/ExtendedScanResult.cs: -------------------------------------------------------------------------------- 1 | 
// Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Adapters.ComponentDetection; 5 | 6 | using System.Collections.Generic; 7 | using Microsoft.ComponentDetection.Contracts.BcdeModels; 8 | using Newtonsoft.Json; 9 | using Newtonsoft.Json.Serialization; 10 | 11 | /// 12 | /// A with license information. 13 | /// 14 | [JsonObject(MemberSerialization.OptOut, NamingStrategyType = typeof(CamelCaseNamingStrategy))] 15 | public sealed class ExtendedScanResult : ScanResult 16 | { 17 | /// 18 | /// Gets or sets the scanned components with license information. 19 | /// 20 | public new IEnumerable? ComponentsFound { get; init; } 21 | } 22 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Adapters/Adapters/ComponentDetection/Logging/LoggingHelper.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | using Microsoft.ComponentDetection.Contracts.TypedComponent; 6 | using Microsoft.Sbom.Adapters.Report; 7 | 8 | namespace Microsoft.Sbom.Adapters.ComponentDetection.Logging; 9 | 10 | /// 11 | /// A set of static helper methods used by the component detection adapter for logging. 12 | /// 13 | public static class LoggingHelper 14 | { 15 | /// 16 | /// Used to log that a null component parameter was passed to the adapter. 17 | /// 18 | public static void LogNullComponent(this AdapterReport report, string adapter) 19 | { 20 | report.LogFailure($"Null component provided to '{adapter}' adapter."); 21 | } 22 | 23 | /// 24 | /// Logs that no conversion was found for a given . 
25 | /// 26 | public static void LogNoConversionFound(this AdapterReport report, Type receivedType, TypedComponent component) 27 | { 28 | report.LogFailure($"No conversion has been defined for type {receivedType}. Could not convert component id '{component.Id}'."); 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Adapters/Adapters/ComponentDetection/VcpkgComponentExtensions.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Adapters.ComponentDetection; 5 | 6 | using Microsoft.ComponentDetection.Contracts.TypedComponent; 7 | using Microsoft.Sbom.Contracts; 8 | 9 | /// 10 | /// Extensions methods for . 11 | /// 12 | internal static class VcpkgComponentExtensions 13 | { 14 | /// 15 | /// Converts a to an . 16 | /// 17 | /// The to convert. 18 | /// The converted . 19 | public static SbomPackage ToSbomPackage(this VcpkgComponent vcpkgComponent) => new() 20 | { 21 | Id = vcpkgComponent.Id, 22 | PackageUrl = vcpkgComponent.PackageUrl?.ToString(), 23 | PackageName = vcpkgComponent.Name, 24 | PackageSource = vcpkgComponent.DownloadLocation, 25 | PackageVersion = vcpkgComponent.Version, 26 | FilesAnalyzed = false, 27 | Type = "vcpkg", 28 | }; 29 | } 30 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Adapters/Microsoft.Sbom.Adapters.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Microsoft.Sbom.Adapters 5 | True 6 | Provides a set of adapters from external component formats to a single SBOM format. 
7 | enable 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Adapters/Report/AdapterReport.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections.Generic; 5 | 6 | namespace Microsoft.Sbom.Adapters.Report; 7 | 8 | /// 9 | /// Contains a report of logging information recorded during adapter execution. 10 | /// 11 | public class AdapterReport 12 | { 13 | /// 14 | /// Set of reported items for an adapter. 15 | /// 16 | public readonly ICollection Report; 17 | 18 | /// 19 | public AdapterReport() 20 | { 21 | Report = new List(); 22 | } 23 | 24 | /// 25 | public void LogSuccess() 26 | { 27 | Report.Add(new AdapterReportItem(AdapterReportItemType.Success, string.Empty)); 28 | } 29 | 30 | /// 31 | public void LogFailure(string details) 32 | { 33 | Report.Add(new AdapterReportItem(AdapterReportItemType.Failure, details)); 34 | } 35 | 36 | /// 37 | public void LogWarning(string details) 38 | { 39 | Report.Add(new AdapterReportItem(AdapterReportItemType.Warning, details)); 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Adapters/Report/AdapterReportItem.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Adapters.Report; 7 | 8 | /// 9 | /// Represents the type of report being created. 
10 | /// 11 | public enum AdapterReportItemType 12 | { 13 | Success = 0, 14 | Failure = 1, 15 | Warning = 2, 16 | } 17 | 18 | /// 19 | /// A single adapter report item. 20 | /// 21 | public class AdapterReportItem 22 | { 23 | public AdapterReportItemType Type { get; set; } 24 | 25 | public string Details { get; set; } 26 | 27 | public AdapterReportItem(AdapterReportItemType type, string details) 28 | { 29 | Type = type; 30 | Details = details ?? throw new ArgumentNullException(nameof(details)); 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Config/Args/CommonArgs.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using Microsoft.Sbom.Common.Config; 5 | using PowerArgs; 6 | using Serilog.Events; 7 | 8 | namespace Microsoft.Sbom.Api.Config.Args; 9 | 10 | /// 11 | /// Defines the common arguments used by all actions of the ManifestTool. 12 | /// 13 | public abstract class CommonArgs 14 | { 15 | /// 16 | /// Gets or sets the action currently being performed by the manifest tool. 17 | /// 18 | [ArgIgnore] 19 | public ManifestToolActions ManifestToolAction { get; set; } 20 | 21 | /// 22 | /// Gets or sets display this amount of detail in the logging output. 23 | /// 24 | [ArgDescription("Display this amount of detail in the logging output.")] 25 | public LogEventLevel? Verbosity { get; set; } 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Config/Args/FormatValidationArgs.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | using PowerArgs; 5 | 6 | namespace Microsoft.Sbom.Api.Config.Args; 7 | 8 | /// 9 | /// The command line arguments provided for the validate action in ManifestTool. 10 | /// 11 | public class FormatValidationArgs : CommonArgs 12 | { 13 | /// 14 | /// Gets or sets the file path of the SBOM to validate. 15 | /// 16 | [ArgShortcut("sp")] 17 | [ArgDescription("The file path of the SBOM to validate.")] 18 | public string? SbomPath { get; set; } 19 | } 20 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Config/Args/RedactArgs.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using PowerArgs; 5 | 6 | namespace Microsoft.Sbom.Api.Config.Args; 7 | 8 | /// 9 | /// The command line arguments provided for the redact action in ManifestTool. 10 | /// 11 | public class RedactArgs : CommonArgs 12 | { 13 | /// 14 | /// Gets or sets the file path of the SBOM to redact. 15 | /// 16 | [ArgShortcut("sp")] 17 | [ArgDescription("The file path of the SBOM to redact.")] 18 | public string? SbomPath { get; set; } 19 | 20 | /// 21 | /// Gets or sets the directory containing the sbom(s) to redact. 22 | /// 23 | [ArgShortcut("sd")] 24 | [ArgDescription("The directory containing the sbom(s) to redact.")] 25 | public string? SbomDir { get; set; } 26 | 27 | /// 28 | /// Gets or sets the directory where the redacted SBOM file(s) will be generated. 
29 | /// 30 | [ArgShortcut("o")] 31 | [ArgDescription("Gets or sets the directory where the redacted SBOM file(s) will be generated.")] 32 | public string OutputPath { get; set; } 33 | } 34 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Config/ConfigFileParser.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | using System.Text.Json; 6 | using System.Threading.Tasks; 7 | using Microsoft.Sbom.Common; 8 | 9 | namespace Microsoft.Sbom.Api.Config; 10 | 11 | /// 12 | /// Used to parse the configuration as a from a JSON file. 13 | /// 14 | public class ConfigFileParser 15 | { 16 | private readonly IFileSystemUtils fileSystemUtils; 17 | 18 | public ConfigFileParser(IFileSystemUtils fileSystemUtils) 19 | { 20 | this.fileSystemUtils = fileSystemUtils ?? throw new ArgumentNullException(nameof(fileSystemUtils)); 21 | } 22 | 23 | public async Task ParseFromJsonFile(string filePath) 24 | { 25 | if (string.IsNullOrEmpty(filePath)) 26 | { 27 | throw new ArgumentNullException($"{nameof(filePath)} cannot be emtpy."); 28 | } 29 | 30 | using var openStream = fileSystemUtils.OpenRead(filePath); 31 | return await JsonSerializer.DeserializeAsync(openStream); 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Config/ISbomService.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using Microsoft.Sbom.Api.Config.Args; 5 | 6 | namespace Microsoft.Sbom.Api.Config; 7 | 8 | /// 9 | /// Marker interface for an SBOM service. 
10 | /// 11 | /// The type of arguments against which this service is run. 12 | #pragma warning disable CA1040 // Avoid empty interfaces 13 | public interface ISbomService 14 | #pragma warning restore CA1040 // Avoid empty interfaces 15 | where T : CommonArgs 16 | { 17 | } 18 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Config/Validators/FileExistsValidator.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | using Microsoft.Sbom.Api.Utils; 6 | using Microsoft.Sbom.Common; 7 | using Microsoft.Sbom.Common.Config.Attributes; 8 | using Microsoft.Sbom.Common.Config.Validators; 9 | using PowerArgs; 10 | 11 | namespace Microsoft.Sbom.Api.Config.Validators; 12 | 13 | /// 14 | /// Validates if the file exists. 15 | /// 16 | public class FileExistsValidator : ConfigValidator 17 | { 18 | private readonly IFileSystemUtils fileSystemUtils; 19 | 20 | public FileExistsValidator(IFileSystemUtils fileSystemUtils, IAssemblyConfig assemblyConfig) 21 | : base(typeof(FileExistsAttribute), assemblyConfig) 22 | { 23 | this.fileSystemUtils = fileSystemUtils; 24 | } 25 | 26 | public override void ValidateInternal(string paramName, object paramValue, Attribute attribute) 27 | { 28 | if (paramValue != null && paramValue is string value && !string.IsNullOrEmpty(value)) 29 | { 30 | if (!fileSystemUtils.FileExists(value)) 31 | { 32 | throw new ValidationArgException($"{paramName} file not found for '{value}'"); 33 | } 34 | } 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Config/Validators/IntRangeValidator.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 
2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | using Microsoft.Sbom.Api.Utils; 6 | using Microsoft.Sbom.Common.Config.Attributes; 7 | using Microsoft.Sbom.Common.Config.Validators; 8 | using PowerArgs; 9 | 10 | namespace Microsoft.Sbom.Api.Config.Validators; 11 | 12 | /// 13 | /// Validates if the integer property is in the provided inclusive range. 14 | /// 15 | public class IntRangeValidator : ConfigValidator 16 | { 17 | public IntRangeValidator(IAssemblyConfig assemblyConfig) 18 | : base(typeof(IntRangeAttribute), assemblyConfig) 19 | { 20 | } 21 | 22 | public override void ValidateInternal(string paramName, object paramValue, Attribute attribute) 23 | { 24 | if (paramValue != null && paramValue is int value) 25 | { 26 | var intRangeAttribute = attribute as IntRangeAttribute; 27 | 28 | if (value < intRangeAttribute.MinRange || value > intRangeAttribute.MaxRange) 29 | { 30 | throw new ValidationArgException($"The value for {paramName} should be equal to or between {intRangeAttribute.MinRange} and {intRangeAttribute.MaxRange}"); 31 | } 32 | } 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Config/ValueConverters/BoolConfigurationSettingAddingConverter.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using AutoMapper; 5 | using Microsoft.Sbom.Common.Config; 6 | 7 | namespace Microsoft.Sbom.Api.Config.ValueConverters; 8 | 9 | /// 10 | /// Converts a nullable bool member to a ConfigurationSetting decorated string member. 
11 | /// 12 | internal class BoolConfigurationSettingAddingConverter : IValueConverter> 13 | { 14 | private readonly SettingSource settingSource; 15 | 16 | public BoolConfigurationSettingAddingConverter(SettingSource settingSource) 17 | { 18 | this.settingSource = settingSource; 19 | } 20 | 21 | public ConfigurationSetting Convert(bool sourceMember, ResolutionContext context) 22 | { 23 | return new ConfigurationSetting 24 | { 25 | Source = settingSource, 26 | Value = sourceMember 27 | }; 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Config/ValueConverters/ConformanceConfigurationSettingAddingConverter.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using AutoMapper; 5 | using Microsoft.Sbom.Common.Config; 6 | using Microsoft.Sbom.Contracts.Enums; 7 | 8 | namespace Microsoft.Sbom.Api.Config.ValueConverters; 9 | 10 | /// 11 | /// Converts a Conformance member to a ConfigurationSetting decorated string member. 12 | /// 13 | internal class ConformanceConfigurationSettingAddingConverter : IValueConverter> 14 | { 15 | private SettingSource settingSource; 16 | 17 | public ConformanceConfigurationSettingAddingConverter(SettingSource settingSource) 18 | { 19 | this.settingSource = settingSource; 20 | } 21 | 22 | public ConfigurationSetting Convert(ConformanceType? sourceMember, ResolutionContext context) 23 | { 24 | if (sourceMember == null) 25 | { 26 | settingSource = SettingSource.Default; 27 | } 28 | 29 | return new ConfigurationSetting 30 | { 31 | Source = settingSource, 32 | Value = sourceMember ?? 
ConformanceType.None 33 | }; 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Config/ValueConverters/HashAlgorithmNameConfigurationSettingAddingConverter.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using AutoMapper; 5 | using Microsoft.Sbom.Api.Utils; 6 | using Microsoft.Sbom.Common.Config; 7 | using Microsoft.Sbom.Contracts.Enums; 8 | 9 | namespace Microsoft.Sbom.Api.Config.ValueConverters; 10 | 11 | /// 12 | /// Converts an LogEventLevel member to a ConfigurationSetting decorated string member. 13 | /// 14 | internal class HashAlgorithmNameConfigurationSettingAddingConverter : IValueConverter> 15 | { 16 | private SettingSource settingSource; 17 | 18 | public HashAlgorithmNameConfigurationSettingAddingConverter(SettingSource settingSource) 19 | { 20 | this.settingSource = settingSource; 21 | } 22 | 23 | public ConfigurationSetting Convert(AlgorithmName sourceMember, ResolutionContext context) 24 | { 25 | if (sourceMember == null) 26 | { 27 | settingSource = SettingSource.Default; 28 | } 29 | 30 | return new ConfigurationSetting 31 | { 32 | Source = settingSource, 33 | Value = sourceMember ?? Constants.DefaultHashAlgorithmName 34 | }; 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Config/ValueConverters/LogEventLevelConfigurationSettingAddingConverter.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | using AutoMapper; 5 | using Microsoft.Sbom.Common.Config; 6 | using Serilog.Events; 7 | using Constants = Microsoft.Sbom.Common.Constants; 8 | 9 | namespace Microsoft.Sbom.Api.Config.ValueConverters; 10 | 11 | /// 12 | /// Converts an LogEventLevel member to a ConfigurationSetting decorated string member. 13 | /// 14 | internal class LogEventLevelConfigurationSettingAddingConverter : IValueConverter> 15 | { 16 | private SettingSource settingSource; 17 | 18 | public LogEventLevelConfigurationSettingAddingConverter(SettingSource settingSource) 19 | { 20 | this.settingSource = settingSource; 21 | } 22 | 23 | public ConfigurationSetting Convert(LogEventLevel? sourceMember, ResolutionContext context) 24 | { 25 | if (sourceMember == null) 26 | { 27 | settingSource = SettingSource.Default; 28 | } 29 | 30 | return new ConfigurationSetting 31 | { 32 | Source = settingSource, 33 | Value = sourceMember ?? Constants.DefaultLogLevel 34 | }; 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Config/ValueConverters/NullableBoolConfigurationSettingAddingConverter.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using AutoMapper; 5 | using Microsoft.Sbom.Common.Config; 6 | 7 | namespace Microsoft.Sbom.Api.Config.ValueConverters; 8 | 9 | /// 10 | /// Converts a nullable bool member to a ConfigurationSetting decorated string member. 11 | /// 12 | internal class NullableBoolConfigurationSettingAddingConverter : IValueConverter> 13 | { 14 | private readonly SettingSource settingSource; 15 | 16 | public NullableBoolConfigurationSettingAddingConverter(SettingSource settingSource) 17 | { 18 | this.settingSource = settingSource; 19 | } 20 | 21 | public ConfigurationSetting Convert(bool? 
sourceMember, ResolutionContext context) 22 | { 23 | if (sourceMember == null) 24 | { 25 | return null; 26 | } 27 | 28 | return new ConfigurationSetting 29 | { 30 | Source = settingSource, 31 | Value = sourceMember.Value 32 | }; 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Config/ValueConverters/StringConfigurationSettingAddingConverter.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using AutoMapper; 5 | using Microsoft.Sbom.Common.Config; 6 | 7 | namespace Microsoft.Sbom.Api.Config.ValueConverters; 8 | 9 | /// 10 | /// Converts a string member to a ConfigurationSetting decorated string member. 11 | /// 12 | internal class StringConfigurationSettingAddingConverter : IValueConverter> 13 | { 14 | private readonly SettingSource settingSource; 15 | 16 | public StringConfigurationSettingAddingConverter(SettingSource settingSource) 17 | { 18 | this.settingSource = settingSource; 19 | } 20 | 21 | public ConfigurationSetting Convert(string sourceMember, ResolutionContext context) 22 | { 23 | if (string.IsNullOrEmpty(sourceMember)) 24 | { 25 | return null; 26 | } 27 | 28 | return new ConfigurationSetting 29 | { 30 | Source = settingSource, 31 | Value = sourceMember 32 | }; 33 | } 34 | } 35 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Converters/IManifestPathConverter.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | namespace Microsoft.Sbom.Api.Convertors; 5 | 6 | public interface IManifestPathConverter 7 | { 8 | /// 9 | /// Convert a file path from a relative path to a path format 10 | /// that the manifest implements. 11 | /// 12 | /// The relative path of the file. 13 | /// If true we will prepend a . before the path. 14 | /// The file path in the manifest format and boolean for if the path is outside the BuildDropPath. 15 | public (string, bool) Convert(string path, bool prependDotToPath = false); 16 | } 17 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Entities/ExitCode.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Api; 5 | 6 | /// 7 | /// Defines the exit code returned by the ManifestTool executable. 8 | /// 9 | public enum ExitCode 10 | { 11 | Success = 0, 12 | GeneralError = 1, 13 | WriteAccessError = 2, 14 | ValidationError = 3, 15 | } 16 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Entities/output/ErrorContainer.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections.Generic; 5 | 6 | namespace Microsoft.Sbom.Api.Entities.Output; 7 | 8 | /// 9 | /// Error container for validation errors. 10 | /// 11 | /// 12 | public class ErrorContainer 13 | { 14 | /// 15 | /// Gets or sets the total count of errors. 16 | /// 17 | public int Count { get; set; } 18 | 19 | /// 20 | /// Gets or sets the list of errors. 
21 | /// 22 | public IList Errors { get; set; } 23 | } 24 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Entities/output/Result.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Runtime.Serialization; 5 | 6 | namespace Microsoft.Sbom.Api.Entities.Output; 7 | 8 | /// 9 | /// The result of the validation. 10 | /// 11 | public enum Result 12 | { 13 | [EnumMember(Value = "Success")] 14 | Success = 0, 15 | 16 | [EnumMember(Value = "Failure")] 17 | Failure = 1 18 | } 19 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Entities/output/Summary.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using Microsoft.Sbom.Common.Config; 5 | 6 | namespace Microsoft.Sbom.Api.Entities.Output; 7 | 8 | /// 9 | /// The summary section specifies telemetry and other metadata about the validation. 10 | /// 11 | public class Summary 12 | { 13 | /// 14 | /// Gets or sets the total time it took to run the validation. 15 | /// 16 | public double TotalExecutionTimeInSeconds { get; set; } 17 | 18 | /// 19 | /// Gets or sets a representing the validation telemetry. 20 | /// 21 | public ValidationTelemetry ValidationTelemetery { get; set; } 22 | 23 | /// 24 | /// Gets or sets a list of representing each input parameter used 25 | /// in the validation. 
26 | /// 27 | public IConfiguration Parameters { get; set; } 28 | } 29 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Entities/output/ValidationResult.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Api.Entities.Output; 5 | 6 | /// 7 | /// The final result JSON that is serialized to the output location. 8 | /// 9 | public class ValidationResult 10 | { 11 | /// 12 | /// Gets or sets the of the validation. 13 | /// 14 | public Result Result { get; set; } 15 | 16 | /// 17 | /// Gets or sets a list of s. 18 | /// 19 | public ErrorContainer ValidationErrors { get; set; } 20 | 21 | /// 22 | /// Gets or sets metadata and telemetry for this validation. 23 | /// 24 | public Summary Summary { get; set; } 25 | } 26 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Entities/output/ValidationTelemetry.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Api.Entities.Output; 5 | 6 | public class ValidationTelemetry 7 | { 8 | /// 9 | /// Gets or sets count of files that were successful. 10 | /// 11 | public int FilesSuccessfulCount { get; set; } 12 | 13 | /// 14 | /// Gets or sets total files in the manifest file. 15 | /// 16 | public int TotalFilesInManifest { get; set; } 17 | 18 | /// 19 | /// Gets or sets count of files that were validated. 20 | /// 21 | public int FilesValidatedCount { get; set; } 22 | 23 | /// 24 | /// Gets or sets count of files that were skipped. 
25 | /// 26 | public int FilesSkippedCount { get; set; } 27 | 28 | /// 29 | /// Gets or sets count of files that failed validation. 30 | /// 31 | public int FilesFailedCount { get; set; } 32 | 33 | public int TotalPackagesInManifest { get; set; } 34 | } 35 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/AccessDeniedValidationArgException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | using PowerArgs; 6 | 7 | namespace Microsoft.Sbom.Api.Exceptions; 8 | 9 | /// 10 | /// Exception during argument validation used to indicate when we don't have access to a path passed as argument. 11 | /// 12 | [Serializable] 13 | public class AccessDeniedValidationArgException : ValidationArgException 14 | { 15 | public AccessDeniedValidationArgException(string message) 16 | : base(message) 17 | { 18 | } 19 | 20 | public AccessDeniedValidationArgException(string message, Exception innerException) 21 | : base(message, innerException) 22 | { 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/ClearlyDefinedResponseNotSuccessfulException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Api.Exceptions; 7 | 8 | /// 9 | /// Exception thrown when response from ClearlyDefined is not successful. 
10 | /// 11 | [Serializable] 12 | public class ClearlyDefinedResponseNotSuccessfulException : Exception 13 | { 14 | public ClearlyDefinedResponseNotSuccessfulException(string message) 15 | : base(message) 16 | { 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/ClearlyDefinedResponseParsingException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Api.Exceptions; 7 | 8 | /// 9 | /// Exception thrown while parsing a response from ClearlyDefined. 10 | /// 11 | [Serializable] 12 | public class ClearlyDefinedResponseParsingException : Exception 13 | { 14 | public ClearlyDefinedResponseParsingException(string message) 15 | : base(message) 16 | { 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/ComponentDetectorException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Api.Exceptions; 7 | 8 | /// 9 | /// Thrown when we encounter a problem while running the component detector. 
10 | /// 11 | public class ComponentDetectorException : Exception 12 | { 13 | public ComponentDetectorException() 14 | { 15 | } 16 | 17 | public ComponentDetectorException(string message) 18 | : base(message) 19 | { 20 | } 21 | 22 | public ComponentDetectorException(string message, Exception innerException) 23 | : base(message, innerException) 24 | { 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/ConfigurationException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | using Microsoft.Sbom.Common.Config; 6 | 7 | namespace Microsoft.Sbom.Api.Exceptions; 8 | 9 | /// 10 | /// Thrown when there is a problem in parsing the . 11 | /// 12 | public class ConfigurationException : Exception 13 | { 14 | public ConfigurationException() 15 | { 16 | } 17 | 18 | public ConfigurationException(string message) 19 | : base(message) 20 | { 21 | } 22 | 23 | public ConfigurationException(string message, Exception innerException) 24 | : base(message, innerException) 25 | { 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/HashGenerationException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Api.Exceptions; 7 | 8 | /// 9 | /// Thrown when the generated hash is invalid. 
10 | /// 11 | public class HashGenerationException : Exception 12 | { 13 | public HashGenerationException() 14 | { 15 | } 16 | 17 | public HashGenerationException(string message) 18 | : base(message) 19 | { 20 | } 21 | 22 | public HashGenerationException(string message, Exception innerException) 23 | : base(message, innerException) 24 | { 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/InvalidConverterException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Api.Exceptions; 7 | 8 | /// 9 | /// Thrown when the instantiated 10 | /// cannot convert the . 11 | /// 12 | /// 13 | /// Thrown out of public classes implementing IPackageInfoConverter so it must also be public. 14 | /// 15 | public class InvalidConverterException : Exception 16 | { 17 | public InvalidConverterException() 18 | { 19 | } 20 | 21 | public InvalidConverterException(string message) 22 | : base(message) 23 | { 24 | } 25 | 26 | public InvalidConverterException(string message, Exception innerException) 27 | : base(message, innerException) 28 | { 29 | } 30 | } 31 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/InvalidPathException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Api.Exceptions; 7 | 8 | /// 9 | /// Thrown when the file path is invalid or inaccessible. 
10 | /// 11 | public class InvalidPathException : Exception 12 | { 13 | public InvalidPathException() 14 | { 15 | } 16 | 17 | public InvalidPathException(string message) 18 | : base(message) 19 | { 20 | } 21 | 22 | public InvalidPathException(string message, Exception innerException) 23 | : base(message, innerException) 24 | { 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/ManifestFolderExistsException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Api.Exceptions; 7 | 8 | /// 9 | /// Thrown when manifest folder already exists in output path. 10 | /// 11 | public class ManifestFolderExistsException : Exception 12 | { 13 | public ManifestFolderExistsException() 14 | { 15 | } 16 | 17 | public ManifestFolderExistsException(string message) 18 | : base(message) 19 | { 20 | } 21 | 22 | public ManifestFolderExistsException(string message, Exception innerException) 23 | : base(message, innerException) 24 | { 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/ManifestToolSerializerException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Api.Exceptions; 7 | 8 | /// 9 | /// Thrown when the manifest tool is unable to serialize the SBOM component. 
10 | /// 11 | public class ManifestToolSerializerException : Exception 12 | { 13 | public ManifestToolSerializerException() { } 14 | 15 | public ManifestToolSerializerException(string message) 16 | : base(message) { } 17 | 18 | public ManifestToolSerializerException(string message, Exception inner) 19 | : base(message, inner) { } 20 | } 21 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/MissingGeneratorException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Api.Exceptions; 7 | 8 | /// 9 | /// Thrown when we are unable to find a generator to serialize the SBOM. 10 | /// 11 | public class MissingGeneratorException : Exception 12 | { 13 | public MissingGeneratorException() 14 | { 15 | } 16 | 17 | public MissingGeneratorException(string message) 18 | : base(message) 19 | { 20 | } 21 | 22 | public MissingGeneratorException(string message, Exception innerException) 23 | : base(message, innerException) 24 | { 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/PackageMetadataParsingException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Api.Exceptions; 7 | 8 | /// 9 | /// Exception thrown while parsing a response from ClearlyDefined. 
10 | /// 11 | [Serializable] 12 | public class PackageMetadataParsingException : Exception 13 | { 14 | public PackageMetadataParsingException(string message) 15 | : base(message) 16 | { 17 | } 18 | } 19 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/SignValidatorNotFoundException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Api.Exceptions; 7 | 8 | /// 9 | /// Thrown when the manifest tool cannot find a signature validator for the current 10 | /// operating system. 11 | /// 12 | public class SignValidatorNotFoundException : Exception 13 | { 14 | public SignValidatorNotFoundException() 15 | { 16 | } 17 | 18 | public SignValidatorNotFoundException(string message) 19 | : base(message) 20 | { 21 | } 22 | 23 | public SignValidatorNotFoundException(string message, Exception innerException) 24 | : base(message, innerException) 25 | { 26 | } 27 | } 28 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Exceptions/UnsupportedHashAlgorithmException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Api.Exceptions; 7 | 8 | /// 9 | /// Thrown when we are provided a hash algorithm value that is currently not supported by our service. 
10 | /// 11 | public class UnsupportedHashAlgorithmException : Exception 12 | { 13 | public UnsupportedHashAlgorithmException() 14 | { 15 | } 16 | 17 | public UnsupportedHashAlgorithmException(string message) 18 | : base(message) 19 | { 20 | } 21 | 22 | public UnsupportedHashAlgorithmException(string message, Exception innerException) 23 | : base(message, innerException) 24 | { 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Executors/ILicenseInformationService.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections.Generic; 5 | using System.Threading.Tasks; 6 | 7 | namespace Microsoft.Sbom.Api.Executors; 8 | 9 | public interface ILicenseInformationService 10 | { 11 | public Task> FetchLicenseInformationFromAPI(IList listOfComponentsForApi, int timeoutInSeconds); 12 | } 13 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Executors/ISbomReaderForExternalDocumentReference.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Threading.Channels; 5 | using Microsoft.Sbom.Api.Entities; 6 | using Microsoft.Sbom.Extensions.Entities; 7 | 8 | namespace Microsoft.Sbom.Api.Executors; 9 | 10 | /// 11 | /// Interface to read read SBOM file. Implement this class for different formats of SBOM file. 
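///
public interface ISbomReaderForExternalDocumentReference
{
    public (ChannelReader results, ChannelReader errors) ParseSbomFile(ChannelReader sbomFileLocation);
}

--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Api/Executors/JsonSerializationStrategyFactory.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

using Microsoft.Sbom.Api.Utils;

namespace Microsoft.Sbom.Api.Workflows.Helpers;

/// <summary>
/// Chooses the <see cref="IJsonSerializationStrategy"/> that matches an SPDX version string.
/// </summary>
internal static class JsonSerializationStrategyFactory
{
    /// <summary>
    /// Returns the serialization strategy for the given SPDX version.
    /// </summary>
    /// <param name="manifestInfoSpdxVersion">The SPDX version string taken from the manifest info.</param>
    /// <returns>
    /// <see cref="Spdx30SerializationStrategy"/> when the version equals
    /// <c>Constants.SPDX30ManifestInfo.Version</c>; otherwise <see cref="Spdx22SerializationStrategy"/>.
    /// </returns>
    public static IJsonSerializationStrategy GetStrategy(string manifestInfoSpdxVersion)
    {
        if (manifestInfoSpdxVersion == Constants.SPDX30ManifestInfo.Version)
        {
            return new Spdx30SerializationStrategy();
        }

        // Every other value, including null or an unrecognized version, is treated as SPDX 2.2.
        return new Spdx22SerializationStrategy();
    }
}

--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Api/Filters/IFilter.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

namespace Microsoft.Sbom.Api.Filters;

/// <summary>
/// A filter that, given a file path, returns whether it is valid.
/// </summary>
/// <typeparam name="T">The filter type implementing this interface.</typeparam>
public interface IFilter
    where T : IFilter
{
    /// <summary>
    /// Returns true when the file at <paramref name="filePath"/> is accepted by this filter.
    /// </summary>
    /// <param name="filePath">The path to test.</param>
    public bool IsValid(string filePath);

    /// <summary>
    /// Initialization hook for the filter; may be a no-op.
    /// </summary>
    public void Init();
}

--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Api/Filters/ManifestFolderFilter.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.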
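// Licensed under the MIT license. See LICENSE file in the project root for full license information.

using System;
using System.IO;
using Microsoft.Sbom.Common;
using Microsoft.Sbom.Common.Config;

namespace Microsoft.Sbom.Api.Filters;

/// <summary>
/// Rejects any path that is the configured manifest directory
/// (<c>configuration.ManifestDirPath</c>) or lies beneath it.
/// </summary>
public class ManifestFolderFilter : IFilter
{
    private readonly IConfiguration configuration;
    private readonly IOSUtils osUtils;

    /// <summary>
    /// Initializes a new instance of the <see cref="ManifestFolderFilter"/> class.
    /// </summary>
    /// <param name="configuration">Supplies the manifest directory path.</param>
    /// <param name="osUtils">Supplies the string comparison used for paths on this file system.</param>
    /// <exception cref="ArgumentNullException">Either argument is null.</exception>
    public ManifestFolderFilter(
        IConfiguration configuration,
        IOSUtils osUtils)
    {
        this.configuration = configuration ?? throw new ArgumentNullException(nameof(configuration));
        this.osUtils = osUtils ?? throw new ArgumentNullException(nameof(osUtils));

        Init();
    }

    /// <summary>
    /// Returns true when <paramref name="filePath"/> is outside the manifest directory.
    /// </summary>
    /// <param name="filePath">The path to test; relative paths are resolved against the current directory.</param>
    /// <returns>
    /// False for a null or empty path, for the manifest directory itself and for anything beneath it;
    /// true otherwise.
    /// </returns>
    public bool IsValid(string filePath)
    {
        if (string.IsNullOrEmpty(filePath))
        {
            return false;
        }

        var manifestFolderPath = new FileInfo(configuration.ManifestDirPath.Value).FullName;
        var normalizedPath = new FileInfo(filePath).FullName;
        var comparison = osUtils.GetFileSystemStringComparisonType();

        if (normalizedPath.Equals(manifestFolderPath, comparison))
        {
            return false;
        }

        // Compare against the directory prefix including its trailing separator. A bare
        // StartsWith on the folder path would also reject siblings whose name merely begins
        // with the manifest folder name (e.g. "_manifest.bak" next to "_manifest"), silently
        // dropping those files from the SBOM.
        var manifestFolderPrefix = Path.EndsInDirectorySeparator(manifestFolderPath)
            ? manifestFolderPath
            : manifestFolderPath + Path.DirectorySeparatorChar;

        return !normalizedPath.StartsWith(manifestFolderPrefix, comparison);
    }

    /// <summary>
    /// No setup is required for this filter.
    /// </summary>
    public void Init()
    {
    }
}

--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Api/FormatValidator/FormatValidationResults.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

namespace Microsoft.Sbom.Api.FormatValidator;

using System.Collections.Generic;

public class FormatValidationResults
{
    public FormatValidationStatus Status { get; private set; } = FormatValidationStatus.Unknown;

    // Update the validation status, without overwriting a previous NotValid status.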
13 | public void AggregateValidationStatus(FormatValidationStatus newStatus) 14 | { 15 | // If status never set, always overwrite. 16 | if (Status == FormatValidationStatus.Unknown) 17 | { 18 | Status = newStatus; 19 | return; 20 | } 21 | 22 | // If previous status not valid, never overwrite. 23 | if (Status == FormatValidationStatus.NotValid) 24 | { 25 | return; 26 | } 27 | 28 | // If previous status valid, always overwrite. 29 | Status = newStatus; 30 | } 31 | 32 | public List Errors { get; set; } = new List(); 33 | } 34 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/FormatValidator/FormatValidationStatus.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Api.FormatValidator; 5 | 6 | public enum FormatValidationStatus 7 | { 8 | Unknown, 9 | Valid, 10 | NotValid 11 | } 12 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/FormatValidator/IValidatedSbom.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
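
namespace Microsoft.Sbom.Api.FormatValidator;

using System;
using System.Threading.Tasks;
using Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities;

/// <summary>
/// An SBOM wrapped for format validation. Implementations are <see cref="IDisposable"/>;
/// dispose the instance once the results and document are no longer needed.
/// </summary>
public interface IValidatedSbom: IDisposable
{
    /// <summary>
    /// Asynchronously returns the format validation results for this SBOM.
    /// </summary>
    public Task GetValidationResults();

    /// <summary>
    /// Asynchronously returns the raw SPDX document that was validated.
    /// </summary>
    public Task GetRawSPDXDocument();
}

--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Api/FormatValidator/ValidatedSbomFactory.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

namespace Microsoft.Sbom.Api.FormatValidator;

using System.IO;

/// <summary>
/// Creates <see cref="IValidatedSbom"/> instances from SBOM files on disk.
/// </summary>
public class ValidatedSbomFactory
{
    /// <summary>
    /// Opens the SBOM at <paramref name="sbomFilePath"/> for reading and wraps it in a <see cref="ValidatedSbom"/>.
    /// </summary>
    /// <param name="sbomFilePath">Path of the SBOM file to validate.</param>
    /// <returns>
    /// A <see cref="ValidatedSbom"/> over the opened file stream. The stream is handed to the returned
    /// object; ValidatedSbom's Dispose is not visible here, but disposing the returned
    /// <see cref="IValidatedSbom"/> is expected to close it.
    /// </returns>
    public virtual IValidatedSbom CreateValidatedSbom(string sbomFilePath)
    {
        // Open the file directly. Routing through a StreamReader only to take its BaseStream
        // allocated text-decoding state that was never used and a wrapper that was never disposed.
        var sbomStream = new FileStream(sbomFilePath, FileMode.Open, FileAccess.Read, FileShare.Read);
        return new ValidatedSbom(sbomStream);
    }
}

--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Api/Hashing/Algorithms/IHashAlgorithm.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

using System.IO;

namespace Microsoft.Sbom.Api.Hashing.Algorithms;

///
/// Provides a hashing algorithm implementation that can be used
/// to generate the hash for a given string.
///
internal interface IHashAlgorithm
{
    ///
    /// Returns a byte array of the content using the current hash algorithm.
    ///
    /// The read stream of the content to be hashed.
    /// A byte array of the hash value.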
19 | public byte[] ComputeHash(Stream inputStream); 20 | } 21 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Hashing/Algorithms/Sha1HashAlgorithm.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.IO; 5 | using System.Security.Cryptography; 6 | 7 | namespace Microsoft.Sbom.Api.Hashing.Algorithms; 8 | 9 | /// 10 | /// The hash algorithm implementation of the hash type. 11 | /// 12 | #pragma warning disable CA5350 // Suppress Do Not Use Weak Cryptographic Algorithms as we use SHA1 intentionally 13 | public class Sha1HashAlgorithm : IHashAlgorithm 14 | { 15 | public byte[] ComputeHash(Stream stream) => SHA1.Create().ComputeHash(stream); 16 | } 17 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Hashing/Algorithms/Sha256HashAlgorithm.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.IO; 5 | using System.Security.Cryptography; 6 | 7 | namespace Microsoft.Sbom.Api.Hashing.Algorithms; 8 | 9 | /// 10 | /// The hash algorithm implementation of the hash type. 11 | /// 12 | public class Sha256HashAlgorithm : IHashAlgorithm 13 | { 14 | public byte[] ComputeHash(Stream stream) => SHA256.Create().ComputeHash(stream); 15 | } 16 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Hashing/IHashAlgorithmProvider.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. 
See LICENSE file in the project root for full license information. 3 | 4 | using Microsoft.Sbom.Contracts.Enums; 5 | 6 | namespace Microsoft.Sbom.Api.Hashing; 7 | 8 | public interface IHashAlgorithmProvider 9 | { 10 | public AlgorithmName Get(string algorithmName); 11 | } 12 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Hashing/IHashCodeGenerator.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using Microsoft.Sbom.Contracts; 5 | using Microsoft.Sbom.Contracts.Enums; 6 | 7 | namespace Microsoft.Sbom.Api.Hashing; 8 | 9 | public interface IHashCodeGenerator 10 | { 11 | /// 12 | /// Given a file path, returns a list of for the file 13 | /// for each hash algorithm name provided in . 14 | /// 15 | /// The path of the file. 16 | /// A list of the hash algorithms for which hashes will be generated. 17 | /// A list of . 18 | public Checksum[] GenerateHashes(string filePath, AlgorithmName[] hashAlgorithmNames); 19 | } 20 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Manifest/FileHashes/FileHashesDictionary.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections.Concurrent; 5 | 6 | namespace Microsoft.Sbom.Api.Manifest.FileHashes; 7 | 8 | /// 9 | /// A container for a concurrent dictionary that is used to store 10 | /// used in validation. 
11 | /// 12 | public class FileHashesDictionary 13 | { 14 | public ConcurrentDictionary FileHashes { get; private set; } 15 | 16 | public FileHashesDictionary(ConcurrentDictionary fileHashes) 17 | { 18 | FileHashes = fileHashes; 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Manifest/IManifestParserProvider.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using Microsoft.Sbom.Extensions; 5 | using Microsoft.Sbom.Extensions.Entities; 6 | 7 | namespace Microsoft.Sbom.Api.Manifest; 8 | 9 | /// 10 | /// Provides a factory method to get a parser for a given SBOM format. 11 | /// 12 | public interface IManifestParserProvider 13 | { 14 | public IManifestInterface Get(ManifestInfo manifestInfo); 15 | 16 | public void Init(); 17 | } 18 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Manifest/ManifestConfigHandlers/SPDX22ManifestConfigHandler.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using Microsoft.Sbom.Common; 5 | using Microsoft.Sbom.Common.Config; 6 | using Microsoft.Sbom.Extensions.Entities; 7 | using Constants = Microsoft.Sbom.Api.Utils.Constants; 8 | 9 | namespace Microsoft.Sbom.Api.Manifest.ManifestConfigHandlers; 10 | 11 | /// 12 | /// Provides the ManifestConfig for the SPDX 2.2 format. 
13 | /// 14 | public class SPDX22ManifestConfigHandler : BaseManifestConfigHandler 15 | { 16 | public SPDX22ManifestConfigHandler( 17 | IConfiguration configuration, 18 | IFileSystemUtils fileSystemUtils, 19 | IMetadataBuilderFactory metadataBuilderFactory) 20 | : base(configuration, fileSystemUtils, metadataBuilderFactory) 21 | { 22 | } 23 | 24 | /// 25 | protected override ManifestInfo ManifestInfo => Constants.SPDX22ManifestInfo; 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Manifest/ManifestConfigHandlers/SPDX30ManifestConfigHandler.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using Microsoft.Sbom.Common; 5 | using Microsoft.Sbom.Common.Config; 6 | using Microsoft.Sbom.Extensions.Entities; 7 | using Constants = Microsoft.Sbom.Api.Utils.Constants; 8 | 9 | namespace Microsoft.Sbom.Api.Manifest.ManifestConfigHandlers; 10 | 11 | /// 12 | /// Provides the ManifestConfig for the SPDX 3.0 format. 13 | /// 14 | public class SPDX30ManifestConfigHandler : BaseManifestConfigHandler 15 | { 16 | public SPDX30ManifestConfigHandler( 17 | IConfiguration configuration, 18 | IFileSystemUtils fileSystemUtils, 19 | IMetadataBuilderFactory metadataBuilderFactory) 20 | : base(configuration, fileSystemUtils, metadataBuilderFactory) 21 | { 22 | } 23 | 24 | /// 25 | protected override ManifestInfo ManifestInfo => Constants.SPDX30ManifestInfo; 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Output/FileOutputWriter.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. 
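See LICENSE file in the project root for full license information.

using System;
using System.IO;
using System.Threading.Tasks;
using Microsoft.Sbom.Common.Config;

namespace Microsoft.Sbom.Api.Output;

/// <summary>
/// Writes a string to the file at <c>configuration.OutputPath</c>, replacing any existing content.
/// TODO Use serilog.
/// </summary>
public class FileOutputWriter : IOutputWriter
{
    private readonly IConfiguration configuration;

    /// <summary>
    /// Initializes a new instance of the <see cref="FileOutputWriter"/> class.
    /// </summary>
    /// <param name="configuration">Supplies the output file path.</param>
    /// <exception cref="ArgumentNullException"><paramref name="configuration"/> is null.</exception>
    public FileOutputWriter(IConfiguration configuration)
    {
        // Fail at construction rather than with a NullReferenceException on the first write.
        this.configuration = configuration ?? throw new ArgumentNullException(nameof(configuration));
    }

    /// <summary>
    /// Creates (or truncates) the configured output file and writes <paramref name="output"/> to it.
    /// </summary>
    /// <param name="output">The text to write.</param>
    /// <returns>A task that completes once the text has been flushed and the file closed.</returns>
    public async Task WriteAsync(string output)
    {
        // FileMode.Create truncates an existing file so stale output never survives a rerun.
        await using var fs = new FileStream(configuration.OutputPath.Value, FileMode.Create);

        // await using flushes and closes the writer asynchronously instead of blocking in Dispose.
        await using var outputFile = new StreamWriter(fs);
        await outputFile.WriteAsync(output);
    }
}

--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Api/Output/IOutputWriter.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

using System.Threading.Tasks;

namespace Microsoft.Sbom.Api.Output;

/// <summary>
/// Destination for the tool's textual output.
/// </summary>
public interface IOutputWriter
{
    /// <summary>
    /// Writes a string to a file asynchronously.
    /// </summary>
    /// <param name="output">The text to write.</param>
    /// <returns>A task that completes when the write has finished.</returns>
    public Task WriteAsync(string output);
}

--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Api/Output/Telemetry/Entities/SbomFile.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.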
3 | 4 | using Microsoft.Sbom.Extensions.Entities; 5 | 6 | namespace Microsoft.Sbom.Api.Output.Telemetry.Entities; 7 | 8 | /// 9 | /// Represents a SBOM file object and contains additional properties 10 | /// related to the file. 11 | /// 12 | public class SbomFile 13 | { 14 | /// 15 | /// Gets or sets the name and version of the format of the generated SBOM. 16 | /// 17 | public ManifestInfo SbomFormatName { get; set; } 18 | 19 | /// 20 | /// Gets or sets the path where the final generated SBOM is placed. 21 | /// 22 | public string SbomFilePath { get; set; } 23 | 24 | /// 25 | /// Gets or sets the size of the SBOM file in bytes. 26 | /// 27 | public long FileSizeInBytes { get; set; } 28 | 29 | /// 30 | /// Gets or sets the total number of packages that were detected during the execution of the SBOM tool. 31 | /// 32 | public int TotalNumberOfPackages { get; set; } 33 | } 34 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Api/Output/Telemetry/Entities/Timing.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Api.Output.Telemetry.Entities; 7 | 8 | /// 9 | /// Records various time spans for a given event. 10 | /// 11 | [Serializable] 12 | public class Timing 13 | { 14 | /// 15 | /// Gets or sets the name of the event. 16 | /// 17 | public string EventName { get; set; } 18 | 19 | /// 20 | /// Gets or sets the duration it took to execute the event. 
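/// <summary>
/// Locates and parses the package-manager metadata file (for example a .nuspec or .pom)
/// that backs a scanned component.
/// </summary>
/// <typeparam name="T">The implementing type; the self-referential constraint is required by the interface.</typeparam>
public interface IPackageManagerUtils<T>
    where T : IPackageManagerUtils<T>
{
    /// <summary>
    /// Takes in a ScannedComponent object and attempts to find the corresponding package metadata file.
    /// </summary>
    /// <param name="scannedComponent">A single <see cref="ScannedComponent"/> from a component detection scan.</param>
    /// <returns>The location of the metadata file. Presumably null when none is found; verify against implementations.</returns>
    public string GetMetadataLocation(ScannedComponent scannedComponent);

    /// <summary>
    /// Takes in the path to a package metadata file (ex: .nuspec, .pom) and returns the package name,
    /// version, and details such as its license and supplier.
    /// </summary>
    /// <param name="pomLocation">Path to a package metadata file (despite the name, not necessarily a .pom).</param>
    /// <returns>A <see cref="ParsedPackageInformation"/> containing the name, version, and details of the specified metadata file.</returns>
    /// <remarks>
    /// NOTE(review): the metadata file is third-party content found on disk and should be treated as untrusted
    /// by implementations (e.g. no external entity resolution when parsing XML). Not verifiable from this interface.
    /// </remarks>
    public ParsedPackageInformation ParseMetadata(string pomLocation);
}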
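/// <summary>
/// Builds a lookup of package details (license, supplier) from the metadata files of scanned components.
/// </summary>
public interface IPackageDetailsFactory
{
    /// <summary>
    /// Takes in a list of ScannedComponents and returns a dictionary where the key is the component
    /// name and version and the value is a <see cref="PackageDetails"/> record made up of information
    /// found in the package files.
    /// </summary>
    /// <param name="scannedComponents">An IEnumerable of ScannedComponents which is the output of a component-detection scan.</param>
    /// <returns>A dictionary keyed by (name, version) whose values are the details parsed for that package.</returns>
    /// <remarks>
    /// NOTE(review): the returned license and supplier strings are copied from package metadata and are
    /// self-declared by the package author, not verified; treat them as claims when they feed an SBOM.
    /// </remarks>
    public IDictionary<(string Name, string Version), PackageDetails> GetPackageDetailsDictionary(IEnumerable<ScannedComponent> scannedComponents);
}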
/// <summary>
/// Provides a stream of serialized Json for a given source, like packages or files.
/// </summary>
public interface ISourcesProvider
{
    /// <summary>
    /// Generate a stream for all the sources for each of the required configuration.
    /// NOTE(review): the channel and list element types are not visible in this listing;
    /// consult the implementations for the concrete result/error types.
    /// </summary>
    /// <param name="requiredConfigs">The configurations for which to generate serialized Json.</param>
    /// <returns>A pair of channel readers: one for results and one for errors.</returns>
    public (ChannelReader results, ChannelReader errors) Get(IList requiredConfigs);

    /// <summary>
    /// Returns true if this provider is supported for the provided source.
    /// </summary>
    /// <param name="providerType">The type of the provider that is required.</param>
    /// <returns>True when this provider handles <paramref name="providerType"/>; otherwise false.</returns>
    public bool IsSupported(ProviderType providerType);
}
/// <summary>
/// A type that provides an <see cref="ISignValidator"/> implementation based on the
/// current operating system type.
/// </summary>
public interface ISignValidationProvider
{
    /// <summary>
    /// Gets the signature validator for the current operating system.
    /// NOTE(review): whether <see cref="Init"/> must be called before this, and what is returned
    /// for an unsupported OS (null vs. exception), is not visible here; verify against implementations.
    /// </summary>
    public ISignValidator Get();

    /// <summary>
    /// Initializes the provider (e.g. selects the OS-specific validator); see note on <see cref="Get"/>.
    /// </summary>
    public void Init();
}
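/// <summary>
/// Provides deduplication of ExternalDocumentReferenceInfo objects inside a channel.
/// </summary>
public class ExternalReferenceDeduplicator : ChannelDeduplicator<ExternalDocumentReferenceInfo>
{
    /// <summary>
    /// Returns the deduplication key for an external document reference: its document namespace.
    /// </summary>
    /// <param name="obj">The reference to key; may be null.</param>
    /// <returns>The reference's <c>DocumentNamespace</c>, or null when <paramref name="obj"/> is null.</returns>
    /// <remarks>
    /// NOTE(review): only the namespace participates in the key, so two references that share a
    /// DocumentNamespace but differ elsewhere (e.g. checksum) are treated as duplicates; confirm that
    /// collapsing them is intended.
    /// </remarks>
    public override string GetKey(ExternalDocumentReferenceInfo obj) => obj?.DocumentNamespace;
}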
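/// <summary>
/// FileTypeUtils is used to get the FileType for a given filename.
/// </summary>
public class FileTypeUtils : IFileTypeUtils
{
    /// <summary>
    /// Classifies a file by its name.
    /// </summary>
    /// <param name="fileName">The file name or path to classify.</param>
    /// <returns>
    /// A list containing <see cref="FileType.SPDX"/> when the name ends with the SPDX extension
    /// (case-insensitive); otherwise null. Callers must handle the null result.
    /// </returns>
    public List<FileType> GetFileTypesBy(string fileName)
    {
        if (string.IsNullOrWhiteSpace(fileName))
        {
            return null;
        }

        // Ordinal, case-insensitive: file extensions are not linguistic text.
        if (fileName.EndsWith(Constants.SPDXFileExtension, StringComparison.OrdinalIgnoreCase))
        {
            return new List<FileType> { FileType.SPDX };
        }

        return null;
    }
}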
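/// <summary>
/// Provides deduplication of InternalSbomFileInfo objects inside a channel.
/// </summary>
public class InternalSbomFileInfoDeduplicator : ChannelDeduplicator<InternalSbomFileInfo>
{
    /// <summary>
    /// Returns the deduplication key for a file entry: its path.
    /// </summary>
    /// <param name="obj">The file entry to key; may be null.</param>
    /// <returns>The entry's <c>Path</c>, or null when <paramref name="obj"/> is null.</returns>
    /// <remarks>
    /// NOTE(review): the key is the raw path string; whether comparison is case-sensitive or
    /// normalizes separators is decided by the base class's comparer, which is not visible here.
    /// </remarks>
    public override string GetKey(InternalSbomFileInfo obj) => obj?.Path;
}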
/// <summary>
/// Converts a <see cref="SbomSpecification"/> to a <see cref="ManifestInfo"/> object.
/// </summary>
/// <param name="specification">The specification to convert.</param>
/// <returns>A new <see cref="ManifestInfo"/> carrying the specification's name and version.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="specification"/> is null.</exception>
public static ManifestInfo ToManifestInfo(this SbomSpecification specification)
{
    return specification is null
        ? throw new ArgumentNullException(nameof(specification))
        : new ManifestInfo { Name = specification.Name, Version = specification.Version };
}
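/// <summary>
/// Groups <see cref="JsonDocument"/> instances by a key (per the property name, the serializer
/// they belong to) and owns their disposal.
/// </summary>
/// <typeparam name="T">The key type; must be usable as a <see cref="Dictionary{TKey, TValue}"/> key.</typeparam>
public class JsonDocumentCollection<T>
{
    /// <summary>
    /// Gets the documents collected so far, grouped by key. Insertion order within a key is preserved.
    /// </summary>
    public Dictionary<T, List<JsonDocument>> SerializersToJson { get; }

    public JsonDocumentCollection()
    {
        SerializersToJson = new Dictionary<T, List<JsonDocument>>();
    }

    /// <summary>
    /// Appends <paramref name="document"/> to the list for <paramref name="key"/>, creating the list on first use.
    /// </summary>
    /// <param name="key">The grouping key. A null key is rejected by the underlying dictionary.</param>
    /// <param name="document">The document to keep; null entries are tolerated and skipped at disposal.</param>
    public void AddJsonDocument(T key, JsonDocument document)
    {
        // Single lookup: create the bucket only when the key is new.
        if (!SerializersToJson.TryGetValue(key, out var jsonDocuments))
        {
            jsonDocuments = new List<JsonDocument>();
            SerializersToJson.Add(key, jsonDocuments);
        }

        jsonDocuments.Add(document);
    }

    /// <summary>
    /// Disposes every collected document and empties the collection. Documents must not be used afterwards.
    /// </summary>
    public void DisposeAllJsonDocuments()
    {
        foreach (var jsonDocuments in SerializersToJson.Values)
        {
            foreach (var document in jsonDocuments)
            {
                document?.Dispose();
            }
        }

        SerializersToJson.Clear();
    }
}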
/// <summary>
/// Attribute denoting that a property is a Component Detector argument.
/// </summary>
[AttributeUsage(AttributeTargets.Property)]
public class ComponentDetectorArgumentAttribute : Attribute
{
    /// <summary>
    /// Gets the name of the parameter to be specified when passing the value of the target to Component Detection.
    /// Empty when the parameterless constructor was used.
    /// </summary>
    public string ParameterName { get; }

    /// <summary>
    /// Initializes the attribute with an explicit Component Detection parameter name.
    /// </summary>
    /// <param name="parameterName">The name of the parameter to be specified when passing this argument to Component Detection.</param>
    public ComponentDetectorArgumentAttribute(string parameterName)
    {
        ParameterName = parameterName;
    }

    /// <summary>
    /// Initializes the attribute with an empty parameter name.
    /// </summary>
    public ComponentDetectorArgumentAttribute()
        : this(string.Empty)
    {
    }
}
/// <summary>
/// Assembly-level attribute carrying the default base URI used for SBOM document namespaces.
/// </summary>
[AttributeUsage(AttributeTargets.Assembly)]
public class DefaultNamespaceBaseUriAttribute : Attribute
{
    /// <summary>
    /// Gets or sets the default value for the namespace base URI.
    /// NOTE(review): only null/empty is rejected by the constructor; the value is not parsed
    /// or validated as a URI here.
    /// </summary>
    public string DefaultBaseNamespaceUri { get; set; }

    /// <summary>
    /// Initializes the attribute with the given base URI.
    /// </summary>
    /// <param name="defaultBaseNamespaceUri">The default namespace base URI; must be non-empty.</param>
    /// <exception cref="ArgumentException">Thrown when <paramref name="defaultBaseNamespaceUri"/> is null or empty.</exception>
    public DefaultNamespaceBaseUriAttribute(string defaultBaseNamespaceUri)
    {
        var isMissing = defaultBaseNamespaceUri is null || defaultBaseNamespaceUri.Length == 0;
        if (isMissing)
        {
            throw new ArgumentException($"'{nameof(defaultBaseNamespaceUri)}' cannot be null or empty.", nameof(defaultBaseNamespaceUri));
        }

        DefaultBaseNamespaceUri = defaultBaseNamespaceUri;
    }
}
/// <summary>
/// Checks if the path specified by the string property is a valid file.
/// </summary>
[AttributeUsage(AttributeTargets.Property, Inherited = false, AllowMultiple = true)]
public sealed class FileExistsAttribute : Attribute
{
    /// <summary>
    /// Gets or sets the action for which this validation should run. Default is all.
    /// </summary>
    public ManifestToolActions ForAction { get; set; } = ManifestToolActions.All;

    /// <summary>
    /// Initializes the attribute with <see cref="ForAction"/> set to all actions.
    /// </summary>
    public FileExistsAttribute()
    {
    }
}
/// <summary>
/// Checks if the filepath specified by the string parameter is writable by the current user.
/// </summary>
[AttributeUsage(AttributeTargets.Property, Inherited = false, AllowMultiple = true)]
public sealed class FilePathIsWritableAttribute : Attribute
{
    /// <summary>
    /// Gets or sets the action for which this validation should run. Default is all.
    /// </summary>
    public ManifestToolActions ForAction { get; set; } = ManifestToolActions.All;

    /// <summary>
    /// Initializes the attribute with <see cref="ForAction"/> set to all actions.
    /// </summary>
    public FilePathIsWritableAttribute()
    {
    }
}
/// <summary>
/// Assembly-level attribute naming the supplier recorded for packages in the generated SBOM.
/// </summary>
[AttributeUsage(AttributeTargets.Assembly)]
public class PackageSupplierAttribute : Attribute
{
    /// <summary>
    /// Gets or sets the package supplier name.
    /// </summary>
    public string PackageSupplier { get; set; }

    /// <summary>
    /// Initializes the attribute with the given supplier name.
    /// </summary>
    /// <param name="packageSupplier">The supplier name; must be non-empty.</param>
    /// <exception cref="ArgumentException">Thrown when <paramref name="packageSupplier"/> is null or empty.</exception>
    public PackageSupplierAttribute(string packageSupplier)
    {
        PackageSupplier = string.IsNullOrEmpty(packageSupplier)
            ? throw new ArgumentException("Package supplier cannot be null or empty.", nameof(packageSupplier))
            : packageSupplier;
    }
}
/// <summary>
/// Validate if the property value is a valid URI.
/// </summary>
[AttributeUsage(AttributeTargets.Property | AttributeTargets.Assembly, Inherited = false, AllowMultiple = false)]
public sealed class ValidUriAttribute : Attribute
{
    /// <summary>
    /// Gets or sets the action for which this validation runs. Unlike the other validation
    /// attributes, the default here is <see cref="ManifestToolActions.Generate"/> only.
    /// </summary>
    public ManifestToolActions ForAction { get; set; } = ManifestToolActions.Generate;

    /// <summary>
    /// Gets or sets the type of URI the value should be. Left at the enum default
    /// (<see cref="UriKind.RelativeOrAbsolute"/>) unless the attribute usage sets it, so
    /// relative values pass unless the usage specifies <see cref="UriKind.Absolute"/>.
    /// </summary>
    public UriKind UriKind { get; set; }

    /// <summary>
    /// Initializes the attribute with <see cref="ForAction"/> set to Generate.
    /// </summary>
    public ValidUriAttribute()
    {
    }
}
/// <summary>
/// The tool actions a configuration validation can be scoped to. Flags: attributes such as
/// FileExists/ValidUri use this to decide for which action(s) they run.
/// </summary>
[Flags]
public enum ManifestToolActions
{
    /// <summary>No action.</summary>
    None = 0,

    /// <summary>SBOM validation.</summary>
    Validate = 1,

    /// <summary>SBOM generation.</summary>
    Generate = 2,

    /// <summary>SBOM redaction.</summary>
    Redact = 4,

    /// <summary>SBOM format validation.</summary>
    ValidateFormat = 8,

    /// <summary>Every action above; new actions must be added here too or validations scoped to All will skip them.</summary>
    All = Validate | Generate | Redact | ValidateFormat
}
/// <summary>
/// Helpers for mapping SPDX 3.0 entity type names onto the common names the parser uses.
/// </summary>
internal static class ConformanceExtensions
{
    /// <summary>
    /// Gets the common entity type that is used by the parser.
    /// </summary>
    /// <param name="entityType">The entity type as it appears in the document.</param>
    /// <returns>
    /// "File" for "software_File", "Package" for "software_Package"; any other value
    /// (including null) is returned unchanged.
    /// </returns>
    internal static string GetCommonEntityType(this string entityType) =>
        entityType switch
        {
            // For these special cases, remove the prefix from the type.
            "software_File" => "File",
            "software_Package" => "Package",
            _ => entityType,
        };
}
3 | 4 | using System; 5 | using System.Collections.Generic; 6 | using System.Text.Json; 7 | using Microsoft.Sbom.Common; 8 | using Microsoft.Sbom.Common.Conformance; 9 | using Microsoft.Sbom.Contracts.Enums; 10 | 11 | namespace Microsoft.Sbom.Parsers.Spdx30SbomParser.Conformance.Interfaces; 12 | 13 | public interface IConformanceEnforcer 14 | { 15 | public ConformanceType Conformance { get; } 16 | 17 | public string GetConformanceEntityType(string entityType); 18 | 19 | public void AddInvalidElementsIfDeserializationFails(string jsonObjectAsString, JsonSerializerOptions jsonSerializerOptions, ISet invalidElements, Exception e); 20 | 21 | public void AddInvalidElements(ElementsResult elementsResult); 22 | } 23 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Conformance/Interfaces/IConformanceErrorType.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Parsers.Spdx30SbomParser.Conformance.Interfaces; 5 | 6 | public interface IConformanceErrorType 7 | { 8 | public string Name { get; set; } 9 | } 10 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Conformance/NoneConformanceEnforcer.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
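using System;
using System.Collections.Generic;
using System.Text.Json;
using Microsoft.Sbom.Contracts.Enums;
using Microsoft.Sbom.JsonAsynchronousNodeKit.Exceptions;
using Microsoft.Sbom.Parsers.Spdx30SbomParser.Conformance.Interfaces;

namespace Microsoft.Sbom.Common.Conformance;

/// <summary>
/// Enforcer used when no conformance standard is requested: entity types are only normalised,
/// nothing is ever recorded as an invalid element, and a failed deserialization is surfaced
/// as a <see cref="ParserException"/>.
/// </summary>
public class NoneConformanceEnforcer : IConformanceEnforcer
{
    /// <inheritdoc/>
    public ConformanceType Conformance => ConformanceType.None;

    /// <inheritdoc/>
    public string GetConformanceEntityType(string entityType)
    {
        return entityType.GetCommonEntityType();
    }

    /// <summary>
    /// With no standard to enforce there is nothing to collect, so a deserialization failure is fatal.
    /// The original exception is attached as the inner exception so its type and stack trace remain
    /// available when the failure is diagnosed.
    /// </summary>
    /// <exception cref="ParserException">Always thrown, wrapping <paramref name="e"/>.</exception>
    public void AddInvalidElementsIfDeserializationFails(string jsonObjectAsString, JsonSerializerOptions jsonSerializerOptions, ISet invalidElements, Exception e)
    {
        throw new ParserException(e?.Message, e);
    }

    /// <summary>
    /// No-op: no elements are tracked as invalid when no conformance standard is enforced.
    /// </summary>
    public void AddInvalidElements(ElementsResult elementsResult)
    {
    }
}

--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Common/Constants.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.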
3 | 4 | using Serilog.Events; 5 | 6 | namespace Microsoft.Sbom.Common; 7 | 8 | public static class Constants 9 | { 10 | public const int DefaultStreamBufferSize = 4096; 11 | 12 | public const int MinParallelism = 2; 13 | public const int DefaultParallelism = 8; 14 | public const int MaxParallelism = 48; 15 | 16 | public const int DefaultLicenseFetchTimeoutInSeconds = 30; 17 | public const int MaxLicenseFetchTimeoutInSeconds = 86400; 18 | 19 | public const LogEventLevel DefaultLogLevel = LogEventLevel.Warning; 20 | 21 | public const string DefaultManifestInfoName = "SPDX"; 22 | public const string DefaultManifestInfoVersion = "2.2"; 23 | 24 | public const string SPDXContextHeaderName = "@context"; 25 | public const string SPDXGraphHeaderName = "@graph"; 26 | public const string SPDXRefFile = "SPDXRef-File"; 27 | public const string SPDXRefPackage = "SPDXRef-Package"; 28 | public const string SPDXRefExternalDocument = "DocumentRef"; 29 | public const string NoAssertionValue = "NOASSERTION"; 30 | } 31 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/ContextsResult.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | using System.Collections.Generic; 5 | using Microsoft.Sbom.JsonAsynchronousNodeKit; 6 | 7 | namespace Microsoft.Sbom.Common; 8 | 9 | public record ContextsResult : ParserStateResult 10 | { 11 | public ContextsResult(ParserStateResult result, List contexts) 12 | : base(result.FieldName, result.Result, result.ExplicitField, result.YieldReturn) 13 | { 14 | Contexts = contexts; 15 | } 16 | 17 | public IEnumerable Contexts { get; set; } 18 | } 19 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/EnvironmentWrapper.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | using System.Collections; 6 | 7 | namespace Microsoft.Sbom.Common; 8 | 9 | /// 10 | /// Wrapper class for System.Environment to allow for testing. 11 | /// 12 | public class EnvironmentWrapper : IEnvironmentWrapper 13 | { 14 | /// 15 | /// Method to call System.Environment.GetEnvironmentVariables. 16 | /// 17 | /// A dictionary of available environment variables. 18 | public IDictionary GetEnvironmentVariables() 19 | { 20 | return Environment.GetEnvironmentVariables(); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/FileSystemUtilsProvider.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Runtime.InteropServices; 5 | using Serilog; 6 | 7 | namespace Microsoft.Sbom.Common; 8 | 9 | /// 10 | /// Provides the for a given OS. 11 | /// 12 | public static class FileSystemUtilsProvider 13 | { 14 | /// 15 | /// Checks the OS to provide the correct . 
16 | /// This is important due to the different file systems of operating systems. 17 | /// 18 | /// 19 | /// Logger to capture Exceptions 20 | /// 21 | public static IFileSystemUtils CreateInstance(ILogger logger) 22 | { 23 | var isWindows = RuntimeInformation.IsOSPlatform(OSPlatform.Windows); 24 | return isWindows ? new WindowsFileSystemUtils(logger) : new UnixFileSystemUtils(); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/IEnvironmentWrapper.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections; 5 | 6 | namespace Microsoft.Sbom.Common; 7 | 8 | /// 9 | /// Wrapper interface for System.Environment to allow for testing. 10 | /// 11 | public interface IEnvironmentWrapper 12 | { 13 | /// 14 | /// Method to call System.Environment.GetEnvironmentVariables. 15 | /// 16 | /// A dictionary of available environment variables. 17 | public IDictionary GetEnvironmentVariables(); 18 | } 19 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/IFileSystemUtilsExtension.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Common; 5 | 6 | /// 7 | /// FileSystemUtilsExtension class uses FileSystemUtils class to run additional more complex 8 | /// file system logic that can be reused. 9 | /// 10 | public interface IFileSystemUtilsExtension 11 | { 12 | /// 13 | /// Determines if the targetPath is a child of the sourcePath. 
14 | /// 15 | public bool IsTargetPathInSource(string targetPath, string sourcePath); 16 | } 17 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/IMetadataBuilderFactory.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using Microsoft.Sbom.Extensions; 5 | using Microsoft.Sbom.Extensions.Entities; 6 | 7 | namespace Microsoft.Sbom.Common; 8 | 9 | /// 10 | /// Builds a object for a given SBOM format. 11 | /// 12 | public interface IMetadataBuilderFactory 13 | { 14 | /// 15 | /// Get the object for the given SBOM format. 16 | /// 17 | /// 18 | /// 19 | public IMetadataBuilder Get(ManifestInfo manifestInfo); 20 | } 21 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/IOSUtils.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | using System.Runtime.InteropServices; 6 | 7 | namespace Microsoft.Sbom.Common; 8 | 9 | public interface IOSUtils 10 | { 11 | public OSPlatform GetCurrentOSPlatform(); 12 | 13 | public string GetEnvironmentVariable(string variableName); 14 | 15 | public StringComparer GetFileSystemStringComparer(); 16 | 17 | public StringComparison GetFileSystemStringComparisonType(); 18 | 19 | public bool IsCaseSensitiveOS(); 20 | } 21 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/IProcessExecutor.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. 
See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Common; 5 | 6 | public interface IProcessExecutor 7 | { 8 | public string? ExecuteCommand(string fileName, string arguments, int timeoutInMilliseconds); 9 | } 10 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/ISbomConfigFactory.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using Microsoft.Sbom.Extensions; 5 | using Microsoft.Sbom.Extensions.Entities; 6 | 7 | namespace Microsoft.Sbom.Common; 8 | 9 | /// 10 | /// Factory that instantiate ISbomConfig based on parameters. 11 | /// 12 | public interface ISbomConfigFactory 13 | { 14 | /// 15 | /// Gets new instance of ISbomConfig. 16 | /// 17 | public ISbomConfig Get( 18 | ManifestInfo manifestInfo, 19 | string manifestDirPath, 20 | string manifestFilePath, 21 | string manifestFileSha256HashPath, 22 | string catalogFilePath, 23 | string bsiFilePath, 24 | ISbomPackageDetailsRecorder recorder, 25 | IMetadataBuilder metadataBuilder); 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/JsonAsynchronousNodeKit/Constants.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.JsonAsynchronousNodeKit; 5 | 6 | internal static class Constants 7 | { 8 | /// 9 | /// Converts a enum to the actual string 10 | /// representation of the token. 
11 | /// 12 | internal static readonly string[] JsonTokenStrings = new string[] 13 | { 14 | string.Empty, // None 15 | "{", // StartObject 16 | "}", // EndObject 17 | "[", // StartArray 18 | "]", // EndArray 19 | "PropertyName", // PropertyName 20 | "Comment", // Comment 21 | "String", // String 22 | "Number", // Number 23 | "True", // True 24 | "False", // False 25 | "Null", // Null 26 | }; 27 | } 28 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/JsonAsynchronousNodeKit/Exceptions/ParserException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.JsonAsynchronousNodeKit.Exceptions; 5 | 6 | using System; 7 | 8 | /// 9 | /// Thrown when the parser detects an error in the JSON file. 10 | /// 11 | public class ParserException : Exception 12 | { 13 | public ParserException() 14 | { 15 | } 16 | 17 | public ParserException(string message) 18 | : base(message) 19 | { 20 | } 21 | 22 | public ParserException(string message, Exception innerException) 23 | : base(message, innerException) 24 | { 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/JsonAsynchronousNodeKit/ParameterType.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | namespace Microsoft.Sbom.JsonAsynchronousNodeKit; 5 | 6 | public enum ParameterType 7 | { 8 | String, 9 | Int, 10 | Object, 11 | Array, 12 | Skip, 13 | } 14 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/JsonAsynchronousNodeKit/PropertyHandler.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.JsonAsynchronousNodeKit; 5 | 6 | public record PropertyHandler(ParameterType Type); 7 | 8 | #pragma warning disable SA1402 // File may only contain a single type 9 | public record PropertyHandler(ParameterType ParameterType) 10 | #pragma warning restore SA1402 // File may only contain a single type 11 | : PropertyHandler(ParameterType); 12 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Microsoft.Sbom.Common.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | True 5 | Utility classes for SBOM generation. 6 | Microsoft.Sbom.Common 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | using Microsoft.Sbom.Common; 5 | using Microsoft.Sbom.Common.Config.Attributes; 6 | 7 | [assembly: DefaultManifestInfoArgForGeneration(Constants.DefaultManifestInfoName, Constants.DefaultManifestInfoVersion)] 8 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/AnyLicenseInfo.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Common.Spdx30Entities; 5 | 6 | /// 7 | /// Class defintion is based on: https://spdx.github.io/spdx-spec/v3.0.1/model/SimpleLicensing/Classes/AnyLicenseInfo/ 8 | /// 9 | public class AnyLicenseInfo : Element 10 | { 11 | public AnyLicenseInfo() 12 | { 13 | SpdxId = "SPDXRef-AnyLicenseInfo"; 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/ContentIdentifier.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Text.Json.Serialization; 5 | 6 | namespace Microsoft.Sbom.Common.Spdx30Entities; 7 | 8 | /// 9 | /// A ContentIdentifier is a canonical, unique, immutable identifier of the content of a software artifact, such as a package, a file, or a snippet. 10 | /// It can be used for verifying its identity and integrity. 11 | /// https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Classes/ContentIdentifier/ 12 | /// 13 | public class ContentIdentifier : Software 14 | { 15 | private string contentIdentifierType; 16 | 17 | /// 18 | /// Gets or sets the content identifier type. 
19 | /// Allowed types are Git Object ID and Software Hash Identifier (swhid). 20 | /// We will use swhid unless otherwise specified. 21 | /// 22 | [JsonRequired] 23 | [JsonPropertyName("contentIdentifierType")] 24 | public override string ContentIdentifierType 25 | { 26 | get => this.contentIdentifierType ?? "swhid"; 27 | set => this.contentIdentifierType = value; 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/Enums/HashAlgorithm.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Diagnostics.CodeAnalysis; 5 | using System.Text.Json.Serialization; 6 | 7 | namespace Microsoft.Sbom.Common.Spdx30Entities.Enums; 8 | 9 | /// 10 | /// Defined hash algorithms: https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Vocabularies/HashAlgorithm/ 11 | /// 12 | [JsonConverter(typeof(JsonStringEnumConverter))] 13 | [SuppressMessage( 14 | "StyleCop.CSharp.NamingRules", 15 | "SA1300:Element should begin with upper-case letter", 16 | Justification = "These are enum types that are case sensitive and defined by external code.")] 17 | public enum HashAlgorithm 18 | { 19 | adler32, 20 | blake2b256, 21 | blake2b384, 22 | blake2b512, 23 | blake3, 24 | crystalsDilithium, 25 | crystalsKyber, 26 | falcon, 27 | md2, 28 | md4, 29 | md5, 30 | md6, 31 | other, 32 | sha1, 33 | sha224, 34 | sha256, 35 | sha384, 36 | sha3_224, 37 | sha3_256, 38 | sha3_384, 39 | sha3_512, 40 | sha512 41 | } 42 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/Enums/ProfileIdentifierType.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 
2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Diagnostics.CodeAnalysis; 5 | using System.Text.Json.Serialization; 6 | 7 | namespace Microsoft.Sbom.Common.Spdx30Entities.Enums; 8 | 9 | /// 10 | /// There are a set of profiles that have been defined by a profile team. 11 | /// https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Vocabularies/ProfileIdentifierType/. 12 | /// 13 | [JsonConverter(typeof(JsonStringEnumConverter))] 14 | [SuppressMessage( 15 | "StyleCop.CSharp.NamingRules", 16 | "SA1300:Element should begin with upper-case letter", 17 | Justification = "These are enum types that are case sensitive and defined by external code.")] 18 | public enum ProfileIdentifierType 19 | { 20 | ai, 21 | build, 22 | core, 23 | dataset, 24 | expandedLicensing, 25 | extension, 26 | lite, 27 | security, 28 | simpleLicensing, 29 | software 30 | } 31 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/File.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Text.Json.Serialization; 5 | 6 | namespace Microsoft.Sbom.Common.Spdx30Entities; 7 | 8 | /// 9 | /// Refers to any object that stores content on a computer. 10 | /// The type of content can optionally be provided in the contentType property. 
11 | /// https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Classes/File/ 12 | /// 13 | public class File : Software 14 | { 15 | public File() 16 | { 17 | Type = "software_File"; 18 | } 19 | 20 | [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)] 21 | [JsonPropertyName("mediaType")] 22 | public object MediaType { get; set; } 23 | 24 | [JsonRequired] 25 | [JsonPropertyName("name")] 26 | public override string Name { get; set; } 27 | } 28 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/NTIAMinFile.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections.Generic; 5 | using System.Text.Json.Serialization; 6 | 7 | namespace Microsoft.Sbom.Common.Spdx30Entities; 8 | 9 | /// 10 | /// Refers to any object that stores content on a computer. 11 | /// The type of content can optionally be provided in the contentType property. 12 | /// https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Classes/File/ 13 | /// An NTIAMin file specifically describes a file compliant with the NTIAMin SBOM standard. 14 | /// 15 | public class NTIAMinFile : File 16 | { 17 | public NTIAMinFile() 18 | { 19 | Type = "software_File"; 20 | } 21 | 22 | [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)] 23 | [JsonPropertyName("software_contentType")] 24 | public object ContentType { get; set; } 25 | 26 | /// 27 | /// Make verification code required for Files. This is an internal requirement, not a requirement from SPDX. 
28 | /// 29 | [JsonRequired] 30 | [JsonPropertyName("verifiedUsing")] 31 | public override List VerifiedUsing { get; set; } 32 | } 33 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/NTIAMinSpdxDocument.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Text.Json.Serialization; 5 | 6 | namespace Microsoft.Sbom.Common.Spdx30Entities; 7 | 8 | /// 9 | /// The SpdxDocument provides a convenient way to express information about collections of SPDX Elements that could potentially be serialized as complete units (e.g., all in-scope SPDX data within a single JSON-LD file). 10 | /// https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Classes/SpdxDocument/ 11 | /// An NTIAMin SpdxDocument specifically describes a SpdxDocument entity compliant with the NTIAMin SBOM standard. 12 | /// 13 | public class NTIAMinSpdxDocument : SpdxDocument 14 | { 15 | public NTIAMinSpdxDocument() 16 | { 17 | Type = nameof(SpdxDocument); 18 | } 19 | 20 | [JsonRequired] 21 | [JsonPropertyName("name")] 22 | public override string Name { get; set; } 23 | } 24 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/NoAssertionElement.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | namespace Microsoft.Sbom.Common.Spdx30Entities; 5 | 6 | public class NoAssertionElement : Element 7 | { 8 | public NoAssertionElement() 9 | { 10 | Name = Constants.NoAssertionValue; 11 | Type = nameof(Element); 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/NoneElement.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Common.Spdx30Entities; 5 | 6 | public class NoneElement : Element 7 | { 8 | public NoneElement() 9 | { 10 | Name = "NoneElement"; 11 | SpdxId = "SPDXRef-None"; 12 | Type = nameof(Element); 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/Organization.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Common.Spdx30Entities; 5 | 6 | /// 7 | /// https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Classes/Organization/ 8 | /// 9 | public class Organization : Element 10 | { 11 | } 12 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/Package.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Text.Json.Serialization; 5 | 6 | namespace Microsoft.Sbom.Common.Spdx30Entities; 7 | 8 | /// 9 | /// Represents a SPDX 3.0 Package. 
10 | /// https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Classes/Package/ 11 | /// 12 | public class Package : Software 13 | { 14 | public Package() 15 | { 16 | Type = "software_Package"; 17 | } 18 | 19 | /// 20 | /// Gets or sets the name and optional contact information of the person or organization that built this package. 21 | /// 22 | [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)] 23 | [JsonPropertyName("suppliedBy")] 24 | public virtual string SuppliedBy { get; set; } 25 | 26 | [JsonRequired] 27 | [JsonPropertyName("name")] 28 | public override string Name { get; set; } 29 | } 30 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/Person.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Common.Spdx30Entities; 5 | 6 | /// 7 | /// https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Classes/Person/ 8 | /// 9 | public class Person : Element 10 | { 11 | } 12 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/Snippet.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | namespace Microsoft.Sbom.Common.Spdx30Entities; 5 | 6 | /// 7 | /// https://spdx.github.io/spdx-spec/v3.0.1/model/Software/Classes/Snippet/ 8 | /// 9 | public class Snippet : Software 10 | { 11 | } 12 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Spdx30Entities/Tool.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Common.Spdx30Entities; 5 | 6 | /// 7 | /// A tool is an element of hardware and/or software utilized to carry out a particular function. 8 | /// https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Classes/Tool/ 9 | /// 10 | public class Tool : Element 11 | { 12 | } 13 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Common/Utils/IdentifierUtils.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Common.Utils; 7 | 8 | /// 9 | /// Provides utility function to create short Guids. 
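///
public static class IdentifierUtils
{
    /// <summary>
    /// Encodes a <see cref="Guid"/> as a 22-character, URL-safe base64 string: the 16 GUID bytes
    /// base64-encode to 24 characters, '+' and '/' are replaced by '-' and '_', and the two trailing
    /// "==" padding characters are dropped.
    /// </summary>
    /// <param name="guid">The GUID to shorten.</param>
    /// <returns>The short form; reversible with <see cref="TryGetGuidFromShortGuid"/>.</returns>
    public static string GetShortGuid(Guid guid)
    {
        var base64Guid = Convert.ToBase64String(guid.ToByteArray());

        // Replace URL unfriendly characters with better ones
        base64Guid = base64Guid.Replace('+', '-').Replace('/', '_');

        // Remove the trailing ==
        return base64Guid[0..^2];
    }

    /// <summary>
    /// Decodes a string produced by <see cref="GetShortGuid"/> back into a <see cref="Guid"/>.
    /// </summary>
    /// <param name="str">The short GUID text; null, empty or whitespace-only input is rejected.</param>
    /// <param name="guid">The decoded GUID, or <see cref="Guid.Empty"/> when decoding fails.</param>
    /// <returns>true when <paramref name="str"/> is valid base64 that decodes to exactly 16 bytes; otherwise false.</returns>
    public static bool TryGetGuidFromShortGuid(string str, out Guid guid)
    {
        guid = Guid.Empty;

        if (string.IsNullOrWhiteSpace(str))
        {
            return false;
        }

        try
        {
            // Undo the URL-safe substitutions and restore the padding stripped by GetShortGuid.
            var base64 = str.Replace('_', '/').Replace('-', '+') + "==";
            var bytes = Convert.FromBase64String(base64);
            guid = new Guid(bytes);
            return true;
        }
        catch (Exception ex) when (ex is FormatException or ArgumentException)
        {
            // FormatException: not valid base64. ArgumentException: decoded to something other than 16 bytes.
            // These are the only failures malformed input can produce; anything else is a genuine error and propagates.
            guid = Guid.Empty;
            return false;
        }
    }
}

--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Common/Utils/ListUtils.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

namespace Microsoft.Sbom.Common.Utils;

using System;
using System.Collections.Generic;

public static class ListUtils
{
    /// <summary>
    /// Removes, in place, every element for which <paramref name="predicate"/> returns true.
    /// </summary>
    /// <param name="list">The list to modify.</param>
    /// <param name="predicate">Decides which elements are removed.</param>
    // RemoveAll only added in .NET 8.0.
    public static void RemoveAll<T>(this IList<T> list, Predicate<T> predicate)
    {
        for (var i = 0; i < list.Count; i++)
        {
            if (predicate(list[i]))
            {
                // RemoveAt shifts the next element into slot i, so step back to examine it on the next iteration.
                list.RemoveAt(i--);
            }
        }
    }
}

--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Common/Utils/PathUtils.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license.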
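See LICENSE file in the project root for full license information.

using System;
using System.IO;
using System.Linq;
using Microsoft.Sbom.Common.Config;
using Microsoft.Sbom.Common.Config.Attributes;

namespace Microsoft.Sbom.Common.Utils;

/// <summary>
/// Provides utility function to convert an IConfiguration object to use OS-specific path separators.
/// </summary>
public static class PathUtils
{
    /// <summary>
    /// Rewrites every <see cref="PathAttribute"/>-marked setting on <paramref name="configuration"/> so that
    /// backslashes become <see cref="Path.DirectorySeparatorChar"/>. On Windows this is a no-op; on Unix-like
    /// systems a backslash is a legal file-name character, so a path that genuinely contains one is altered.
    /// Settings whose value is null are left untouched.
    /// </summary>
    /// <param name="configuration">The configuration whose path settings are normalised in place.</param>
    /// <exception cref="ArgumentNullException"><paramref name="configuration"/> is null.</exception>
    public static void ConvertToOSSpecificPathSeparators(IConfiguration configuration)
    {
        if (configuration is null)
        {
            throw new ArgumentNullException(nameof(configuration));
        }

        // Path settings are discovered by attribute, so a new path property needs no change here.
        var pathProps = configuration.GetType()
            .GetProperties()
            .Where(p => p.GetCustomAttributes(typeof(PathAttribute), inherit: true).Any());

        foreach (var pathProp in pathProps)
        {
            // A setting that was never supplied may carry a null Value; skip it rather than dereference it.
            if (pathProp.GetValue(configuration) is ConfigurationSetting path && path.Value is not null)
            {
                path.Value = path.Value.Replace('\\', Path.DirectorySeparatorChar);
                pathProp.SetValue(configuration, path);
            }
        }
    }
}

--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Contracts/Contracts/Entities/AlgorithmNames.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.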
3 | 4 | using System.Collections.Generic; 5 | using Microsoft.Sbom.Contracts.Enums; 6 | using Microsoft.Sbom.Contracts.Interfaces; 7 | 8 | namespace Microsoft.Sbom.Contracts.Entities; 9 | 10 | public class AlgorithmNames : IAlgorithmNames 11 | { 12 | public IList GetAlgorithmNames() 13 | { 14 | return new List 15 | { 16 | AlgorithmName.SHA1, 17 | AlgorithmName.SHA256, 18 | AlgorithmName.SHA512, 19 | AlgorithmName.MD5 20 | }; 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Contracts/Contracts/Entities/Entity.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using Microsoft.Sbom.Contracts.Enums; 5 | 6 | namespace Microsoft.Sbom.Contracts.Entities; 7 | 8 | /// 9 | /// Represents a single entity in a SBOM, such as a file or package. 10 | /// 11 | public abstract class Entity 12 | { 13 | /// 14 | /// Gets the type of the entity. 15 | /// 16 | public EntityType EntityType { get; private set; } 17 | 18 | public string Id { get; private set; } 19 | 20 | protected Entity(EntityType entityType, string id = null) 21 | { 22 | EntityType = entityType; 23 | Id = id; 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Contracts/Contracts/Entities/FileEntity.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | using Microsoft.Sbom.Contracts.Enums; 6 | 7 | namespace Microsoft.Sbom.Contracts.Entities; 8 | 9 | /// 10 | /// Represents a single file in a SBOM. 
11 | /// 12 | public class FileEntity : Entity 13 | { 14 | /// 15 | /// Gets the path of the file as included in the SBOM. 16 | /// 17 | public string Path { get; private set; } 18 | 19 | /// 20 | public FileEntity(string path, string id = null) 21 | : base(EntityType.File, id) 22 | { 23 | if (string.IsNullOrEmpty(path)) 24 | { 25 | throw new ArgumentException($"'{nameof(path)}' cannot be null or empty.", nameof(path)); 26 | } 27 | 28 | Path = path; 29 | } 30 | 31 | /// 32 | public override string ToString() 33 | { 34 | return $"FileEntity (Path={Path}{(Id == null ? string.Empty : $", Id={Id}")})"; 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Contracts/Contracts/EntityError.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using Microsoft.Sbom.Contracts.Entities; 5 | using Microsoft.Sbom.Contracts.Enums; 6 | 7 | namespace Microsoft.Sbom.Contracts; 8 | 9 | /// 10 | /// Represents a single error for a given entity. The entity could be a file or package. 11 | /// 12 | public class EntityError 13 | { 14 | /// 15 | /// Gets or sets the type of error. 16 | /// 17 | public ErrorType ErrorType { get; set; } 18 | 19 | /// 20 | /// Gets or sets the entity that encountered the error. 21 | /// 22 | public Entity Entity { get; set; } 23 | 24 | /// 25 | /// Gets or sets the details of the error. 26 | /// 27 | public string Details { get; set; } 28 | } 29 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Contracts/Contracts/Enums/EntityType.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. 
See LICENSE file in the project root for full license information. 3 | 4 | using System.Runtime.Serialization; 5 | 6 | namespace Microsoft.Sbom.Contracts.Enums; 7 | 8 | /// 9 | /// Represents an entity in a SBOM, like a package or file. 10 | /// 11 | public enum EntityType 12 | { 13 | /// 14 | /// The entity is unknown. 15 | /// 16 | [EnumMember(Value = "Unknown")] 17 | Unknown = 0, 18 | 19 | /// 20 | /// The entity is a file. 21 | /// 22 | [EnumMember(Value = "File")] 23 | File = 1, 24 | 25 | /// 26 | /// The entity is a package. 27 | /// 28 | [EnumMember(Value = "Package")] 29 | Package = 2 30 | } 31 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Contracts/Contracts/Enums/FileType.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Runtime.Serialization; 5 | 6 | namespace Microsoft.Sbom.Contracts.Enums; 7 | 8 | /// 9 | /// Represents the type of a file. 10 | /// 11 | public enum FileType 12 | { 13 | /// 14 | /// The file is an SPDX type. 15 | /// 16 | [EnumMember(Value = "SPDX")] 17 | SPDX = 0, 18 | } 19 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Contracts/Contracts/LicenseInfo.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Contracts; 5 | 6 | /// 7 | /// Defines license strings for an entity. 8 | /// 9 | public class LicenseInfo 10 | { 11 | /// 12 | /// Gets or sets the declared license of this entity. This was explicitly declared 13 | /// by the owner of this entity. 
14 | /// 15 | public string Declared { get; set; } 16 | 17 | /// 18 | /// Gets or sets the concluded license of this entity. This was inferred based on the 19 | /// context in which this entity exists. 20 | /// 21 | public string Concluded { get; set; } 22 | } 23 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Contracts/Contracts/MetadataCreationInfo.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | using System.Collections.Generic; 6 | 7 | namespace Microsoft.Sbom.Contracts; 8 | 9 | /// 10 | /// An object that represents the creation information of an SPDX document. 11 | /// 12 | public class MetadataCreationInfo 13 | { 14 | /// 15 | /// The the SPDX document was created. 16 | /// 17 | public DateTime Created { get; set; } 18 | 19 | /// 20 | /// A list of key value pairs that represent the SPDX document creators. 21 | /// 22 | public IEnumerable Creators { get; set; } 23 | } 24 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Contracts/Contracts/SbomGenerationResult.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections.Generic; 5 | 6 | namespace Microsoft.Sbom.Contracts; 7 | 8 | /// 9 | /// Represents the result of a SBOM generation action. 10 | /// 11 | public class SbomGenerationResult 12 | { 13 | /// 14 | /// Gets or sets a value indicating whether is set to true if the SBOM generation was successful, that is when 15 | /// the list is empty. 
16 | /// 17 | public bool IsSuccessful { get; set; } 18 | 19 | /// 20 | /// Gets a list of errors that were encountered during the SBOM generation. 21 | /// 22 | public IList Errors { get; private set; } 23 | 24 | public SbomGenerationResult(bool isSuccessful, IList errors) 25 | { 26 | IsSuccessful = isSuccessful; 27 | Errors = errors ?? new List(); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Contracts/Contracts/SbomReference.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Contracts; 5 | 6 | /// 7 | /// Represents a reference for a differnt SBOM in the current SBOM. 8 | /// 9 | public class SbomReference 10 | { 11 | /// 12 | /// Gets or sets the unique identifier that defines the referred SBOM. 13 | /// 14 | public string ExternalDocumentId { get; set; } 15 | 16 | /// 17 | /// Gets or sets a unique document id for the referred SBOM. 18 | /// 19 | public string Document { get; set; } 20 | 21 | /// 22 | /// Gets or sets checksum values for the external SBOM file. 23 | /// 24 | public Checksum Checksum { get; set; } 25 | } 26 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Contracts/Contracts/SbomRelationship.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Contracts; 5 | 6 | /// 7 | /// Defines a relationship between SBOM elements. 8 | /// 9 | public class SbomRelationship 10 | { 11 | /// 12 | /// Defines the relationship between the source and target element. 
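/// </summary>
    public string RelationshipType { get; set; }

    /// <summary>
    /// Gets or sets the id of the target element with whom the source element has a relationship.
    /// </summary>
    public string TargetElementId { get; set; }

    /// <summary>
    /// Gets or sets the id of the source element that has a relationship with the target element.
    /// </summary>
    public string SourceElementId { get; set; }
}
--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Contracts/Contracts/SbomValidationResult.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

namespace Microsoft.Sbom.Contracts;

using System.Collections.Generic;

/// <summary>
/// Represents the result of a SBOM validation action.
/// </summary>
public class SbomValidationResult
{
    /// <summary>
    /// Gets a value indicating whether the validation succeeded.
    /// </summary>
    public bool IsSuccess { get; private set; }

    /// <summary>
    /// Gets the errors encountered during validation. Never null; empty when none were supplied.
    /// </summary>
    public IList<EntityError> Errors { get; private set; }

    /// <summary>
    /// Initializes a new instance of the <see cref="SbomValidationResult"/> class.
    /// </summary>
    /// <param name="isSuccess">Whether the validation succeeded.</param>
    /// <param name="errors">The errors found, or null for none.</param>
    public SbomValidationResult(bool isSuccess, IList<EntityError> errors)
    {
        this.IsSuccess = isSuccess;

        // Same normalization as SbomGenerationResult: a null list becomes an empty one so
        // callers can enumerate Errors without a null check.
        this.Errors = errors ?? new List<EntityError>();
    }
}
--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Contracts/Interfaces/IAlgorithmNames.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

using System.Collections.Generic;
using Microsoft.Sbom.Contracts.Enums;

namespace Microsoft.Sbom.Contracts.Interfaces;

/// <summary>
/// The implementation of this interface should provide a list of hashing algorithms that can be
/// used to generate or validate file hashes by the sbom tool.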
12 | /// 13 | /// You can use this implementation to inject custom hashing algorithms to be used in the SBOM tool. 14 | /// 15 | public interface IAlgorithmNames 16 | { 17 | /// 18 | /// Returns a list of that this implementation provides. 19 | /// 20 | /// 21 | public IList GetAlgorithmNames(); 22 | } 23 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Contracts/Microsoft.Sbom.Contracts.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Microsoft.Sbom.Contracts 5 | True 6 | Contracts and interfaces for SBOM API 7 | 8 | 9 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.DotNetTool/Microsoft.Sbom.DotNetTool.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Highly scalable and enterprise ready .NET tool to create SBOMs for any variety of artifacts. 5 | Exe 6 | 7 | true 8 | sbom-tool 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Extensions.DependencyInjection/Microsoft.Sbom.Extensions.DependencyInjection.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | enable 5 | enable 6 | 7 | 8 | 9 | 10 | <_Parameter1>$(AssemblyName).Tests, PublicKey=$(StrongNameSigningPublicKey) 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Extensions/Entities/ExternalDocumentReferenceInfo.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. 
See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections.Generic; 5 | using Microsoft.Sbom.Contracts; 6 | 7 | namespace Microsoft.Sbom.Extensions.Entities; 8 | 9 | /// 10 | /// Represents the property that is needed to generate External Document Reference. 11 | /// 12 | public class ExternalDocumentReferenceInfo // TODO: Move to Contracts 13 | { 14 | /// 15 | /// Gets or sets the name of the external SBOM document. 16 | /// 17 | public string ExternalDocumentName { get; set; } 18 | 19 | /// 20 | /// Gets or sets the document namespace of the external SBOM. 21 | /// 22 | public string DocumentNamespace { get; set; } 23 | 24 | /// 25 | /// Gets or sets checksums of the SBOM file. 26 | /// 27 | public IEnumerable Checksum { get; set; } 28 | 29 | /// 30 | /// Gets or sets iD of the root element that external document is describing. 31 | /// 32 | public string DescribedElementID { get; set; } 33 | 34 | /// 35 | /// Gets or sets the path of the external SBOM document. 36 | /// 37 | public string Path { get; set; } 38 | } 39 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Extensions/Entities/FileLocation.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Entities; 7 | 8 | /// 9 | /// A flag that denotes where the file is located, like on disk or inside an SBOM. 10 | /// 11 | [Flags] 12 | public enum FileLocation 13 | { 14 | /// 15 | /// File is not present anywhere. 16 | /// 17 | None, 18 | 19 | /// 20 | /// File is only present on disk. 21 | /// 22 | OnDisk, 23 | 24 | /// 25 | /// File is only present inside a SBOM. 26 | /// 27 | InSbomFile, 28 | 29 | /// 30 | /// File is present in both the SBOM and on disk. 
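/// </summary>
    All = OnDisk | InSbomFile,
}
--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Extensions/Entities/GenerationResult.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

using System;
using System.Text.Json;

namespace Microsoft.Sbom.Extensions.Entities;

/// <summary>
/// A object that represents the generated JSON document along
/// with additional metadata about the generated object.
/// </summary>
public class GenerationResult
{
    private JsonDocument document;

    /// <summary>
    /// Gets or sets the entity object in the JSON format as expected by the current SBOM format.
    /// </summary>
    /// <exception cref="ArgumentNullException">Thrown when the setter receives null.</exception>
    public JsonDocument Document
    {
        get { return document; }

        // Throw the specific argument exception rather than a bare System.Exception; existing
        // catch (Exception) sites still observe it, and callers can now catch it precisely.
        set { document = value ?? throw new ArgumentNullException(nameof(value), "JsonDocument cannot be null."); }
    }

    /// <summary>
    /// Gets or sets any additional metadata that needs to be returned about the current
    /// entity or SBOM.
    /// </summary>
    public ResultMetadata ResultMetadata { get; set; }
}
--------------------------------------------------------------------------------
/src/Microsoft.Sbom.Extensions/Entities/ManifestData.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

using System.Collections.Generic;
using Microsoft.Sbom.Contracts;

namespace Microsoft.Sbom.Extensions.Entities;

/// <summary>
/// The manifest object that is returned by the parser.
/// </summary>
public class ManifestData // TODO: move to contracts
{
    /// <summary>
    /// Gets or sets the count of the number of files in this manifest.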
16 | /// 17 | public int Count { get; set; } 18 | 19 | /// 20 | /// Gets or sets a dictionary with the key as the relative path of a file, 21 | /// and as list of for that file. 22 | /// 23 | public IDictionary HashesMap { get; set; } 24 | 25 | /// 26 | /// Gets or sets the manifest info object that identifies the current manifest. 27 | /// 28 | public ManifestInfo ManifestInfo { get; set; } 29 | } 30 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Extensions/Entities/Relationship.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Extensions.Entities; 5 | 6 | /// 7 | /// Defines relationships between elements in the current SBOM. 8 | /// 9 | public class Relationship 10 | { 11 | /// 12 | /// Gets or sets defines the type of the relationship between the source and the target element. 13 | /// 14 | public RelationshipType RelationshipType { get; set; } 15 | 16 | /// 17 | /// Gets or sets the id of the target element with whom the source element has a relationship. 18 | /// 19 | public string TargetElementId { get; set; } 20 | 21 | /// 22 | /// Gets or sets iD of the reference for the target element, if the element is referenced from external document. 23 | /// 24 | public string TargetElementExternalReferenceId { get; set; } 25 | 26 | /// 27 | /// Gets or sets the id of the target element with whom the source element has a relationship. 28 | /// 29 | public string SourceElementId { get; set; } 30 | } 31 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Extensions/Entities/ResultMetadata.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 
2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Extensions.Entities; 5 | 6 | /// 7 | /// A list of metadata about the current entity being serialized. This can be 8 | /// identifiers generated for the entity or any additional metadata. 9 | /// 10 | public class ResultMetadata 11 | { 12 | /// 13 | /// Gets or sets the generated id of the current entity. 14 | /// 15 | public string EntityId { get; set; } 16 | 17 | /// 18 | /// Gets or sets the generated id of the current SBOM document. 19 | /// 20 | public string DocumentId { get; set; } 21 | 22 | /// 23 | /// get or set unique identifier (Id) of DependOn package 24 | /// 25 | public string DependOn { get; set; } 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Extensions/Exceptions/MissingHashValueException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Extensions.Exceptions; 7 | 8 | /// 9 | /// Thrown when a required hash value for a package or file is missing. 10 | /// 11 | public class MissingHashValueException : Exception 12 | { 13 | public MissingHashValueException() { } 14 | 15 | public MissingHashValueException(string message) 16 | : base(message) { } 17 | 18 | public MissingHashValueException(string message, Exception inner) 19 | : base(message, inner) { } 20 | } 21 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Extensions/IManifestConfigHandler.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. 
See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Extensions; 5 | 6 | /// 7 | /// Provides a object for a given 8 | /// SBOM format implementation. 9 | /// 10 | public interface IManifestConfigHandler 11 | { 12 | /// 13 | /// Tries to parse the SBOM configuration based on the internal implementation details. 14 | /// If the SBOM format is supported by the current implementation, populates the manifestConfig 15 | /// object and returns true, or else returns false. 16 | /// 17 | /// 18 | /// 19 | public bool TryGetManifestConfig(out ISbomConfig sbomConfig); 20 | } 21 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Extensions/IMetadataProvider.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections.Generic; 5 | using Microsoft.Sbom.Extensions.Entities; 6 | 7 | namespace Microsoft.Sbom.Extensions; 8 | 9 | /// 10 | /// Provides metadata about the environment where this SBOM was generated. 11 | /// 12 | public interface IMetadataProvider 13 | { 14 | /// 15 | /// Gets or sets stores the metadata that is generated by this metadata provider. 16 | /// 17 | public IDictionary MetadataDictionary { get; } 18 | 19 | /// 20 | /// Gets the namespace URI for the SBOM document that is unique within this build environment. 21 | /// 22 | public string GetDocumentNamespaceUri(); 23 | 24 | /// 25 | /// Gets the name of the build environment for which this provider should be used. 
26 | /// 27 | public string BuildEnvironmentName { get; } 28 | } 29 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Extensions/ISignValidator.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections.Generic; 5 | using System.Runtime.InteropServices; 6 | 7 | namespace Microsoft.Sbom.Extensions; 8 | 9 | /// 10 | /// Validates the given manifest.json using the platform specific sign verification mechanism. 11 | /// 12 | public interface ISignValidator 13 | { 14 | /// 15 | /// Gets the OS Platform that this validator supports, ex. Windows or Linux. 16 | /// 17 | public OSPlatform SupportedPlatform { get; } 18 | 19 | /// 20 | /// Validates the given manifest.json using the platform specific sign verification mechanism. 21 | /// 22 | /// Property bag where the validation can add additional telemetry info 23 | /// true if valid, false otherwise. 24 | public bool Validate(IDictionary additionalTelemetry); 25 | } 26 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Extensions/Microsoft.Sbom.Extensions.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | True 5 | Contracts and interfaces for extending SBOM tool. 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Extensions/ParserStateResult.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | namespace Microsoft.Sbom.JsonAsynchronousNodeKit; 5 | 6 | #nullable enable 7 | 8 | public record ParserStateResult( 9 | string FieldName, 10 | object? Result, 11 | bool ExplicitField, 12 | bool YieldReturn); 13 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Extensions/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | [assembly: CLSCompliant(true)] 7 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/Annotation.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 5 | 6 | using System; 7 | using System.Text.Json.Serialization; 8 | 9 | public class Annotation 10 | { 11 | [JsonPropertyName("annotationDate")] 12 | public DateTime AnnotationDate { get; set; } 13 | 14 | [JsonPropertyName("annotationType")] 15 | public string AnnotationType { get; set; } 16 | 17 | [JsonPropertyName("annotator")] 18 | public string Annotator { get; set; } 19 | 20 | [JsonPropertyName("comment")] 21 | public string Comment { get; set; } 22 | } 23 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/Checksum.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | using System.Text.Json.Serialization; 5 | 6 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 7 | 8 | /// 9 | /// Represents the hash value of the file using the algorithm specified. 10 | /// 11 | public class Checksum 12 | { 13 | /// 14 | /// Gets or sets the name of the hash algorithm. 15 | /// 16 | [JsonPropertyName("algorithm")] 17 | 18 | public string Algorithm { get; set; } 19 | 20 | /// 21 | /// Gets or sets the string value of the computed hash. 22 | /// 23 | [JsonPropertyName("checksumValue")] 24 | public string ChecksumValue { get; set; } 25 | } 26 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/CreationInfo.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections.Generic; 5 | using System.Text.Json.Serialization; 6 | 7 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 8 | 9 | /// 10 | /// Used to define creation information about the SBOM. 11 | /// 12 | public class CreationInfo 13 | { 14 | [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)] 15 | [JsonPropertyName("comment")] 16 | public string Comment { get; set; } 17 | 18 | /// 19 | /// Gets or sets a string that specifies the time the SBOM was created on. 20 | /// 21 | [JsonPropertyName("created")] 22 | public string Created { get; set; } 23 | 24 | /// 25 | /// Gets or sets a list of strings that specify metadata about the creators of this 26 | /// SBOM. This could be the person or organization name, or tool name, etc. 
27 | /// 28 | [JsonPropertyName("creators")] 29 | public IEnumerable Creators { get; set; } 30 | 31 | [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)] 32 | [JsonPropertyName("licenseListVersion")] 33 | public string LicenseListVersion { get; set; } 34 | } 35 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/Enums/ExternalRepositoryType.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Diagnostics.CodeAnalysis; 5 | using System.Text.Json.Serialization; 6 | 7 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities.Enums; 8 | 9 | /// 10 | /// Type of the external reference. These are defined in an appendix in the SPDX specification. 11 | /// https://spdx.github.io/spdx-spec/v2.2.2/external-repository-identifiers/. 12 | /// 13 | [JsonConverter(typeof(JsonStringEnumConverter))] 14 | [SuppressMessage( 15 | "StyleCop.CSharp.NamingRules", 16 | "SA1300:Element should begin with upper-case letter", 17 | Justification = "These are enum types that are case sensitive and defined by external code.")] 18 | public enum ExternalRepositoryType 19 | { 20 | cpe22, 21 | cpe23, 22 | swh, 23 | maven_central, 24 | npm, 25 | nuget, 26 | bower, 27 | purl, 28 | idstring 29 | } 30 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/Enums/ReferenceCategory.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | using System.Text.Json.Serialization; 5 | 6 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities.Enums; 7 | 8 | /// 9 | /// Defines a Category for an external package reference. 10 | /// 11 | [JsonConverter(typeof(JsonStringEnumConverter))] 12 | public enum ReferenceCategory 13 | { 14 | OTHER, 15 | SECURITY, 16 | PACKAGE_MANAGER, 17 | PERSISTENT_ID 18 | } 19 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/Enums/SPDXFileType.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Text.Json.Serialization; 5 | 6 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities.Enums; 7 | 8 | /// 9 | /// This field provides information about the type of file identified. 10 | /// Full definition here: https://spdx.github.io/spdx-spec/v2.2.2/file-information/#83-file-type-field. 11 | /// 12 | [JsonConverter(typeof(JsonStringEnumConverter))] 13 | public enum SPDXFileType 14 | { 15 | /// 16 | /// The file is an SPDX type. 17 | /// 18 | SPDX, 19 | } 20 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/ExtractedLicensingInfo.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 5 | 6 | using System.Collections.Generic; 7 | using System.Text.Json.Serialization; 8 | 9 | public class ExtractedLicensingInfo 10 | { 11 | [JsonPropertyName("licenseId")] 12 | public string LicenseId { get; set; } 13 | 14 | [JsonPropertyName("extractedText")] 15 | public string ExtractedText { get; set; } 16 | 17 | [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)] 18 | [JsonPropertyName("comment")] 19 | public string Comment { get; set; } 20 | 21 | [JsonPropertyName("name")] 22 | public string Name { get; set; } 23 | 24 | [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)] 25 | [JsonPropertyName("seeAlsos")] 26 | public IEnumerable SeeAlsos { get; set; } 27 | } 28 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/PackageVerificationCode.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections.Generic; 5 | using System.Text.Json.Serialization; 6 | 7 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 8 | 9 | /// 10 | /// Used to specify a hash code that describes all the individual 11 | /// files within this package. 12 | /// 13 | public class PackageVerificationCode 14 | { 15 | /// 16 | /// Gets or sets the actual package verification code as a hex encoded value. 17 | /// 18 | [JsonRequired] 19 | [JsonPropertyName("packageVerificationCodeValue")] 20 | public string PackageVerificationCodeValue { get; set; } 21 | 22 | /// 23 | /// Gets or sets files that were excluded when calculating the package verification code. 
24 | /// 25 | [JsonPropertyName("packageVerificationCodeExcludedFiles")] 26 | [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)] 27 | public List PackageVerificationCodeExcludedFiles { get; set; } 28 | } 29 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/Pointer.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 5 | 6 | using System.Text.Json.Serialization; 7 | 8 | public class Pointer 9 | { 10 | [JsonPropertyName("offset")] 11 | public int Offset { get; set; } 12 | 13 | [JsonPropertyName("reference")] 14 | public string Reference { get; set; } 15 | } 16 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/Range.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 5 | 6 | using System.Text.Json.Serialization; 7 | 8 | public class Range 9 | { 10 | [JsonPropertyName("endPointer")] 11 | public Pointer EndPointer { get; set; } 12 | 13 | [JsonPropertyName("startPointer")] 14 | public Pointer StartPointer { get; set; } 15 | } 16 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/SPDX22RequiredProperties.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. 
See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 5 | 6 | using System.Text.Json.Serialization; 7 | 8 | // This class uses JSON serialization attributes to enforce the SPDX 2.x format 9 | // Metadata fields tagged as required are required by the SPDX 2.x specification. 10 | public class SPDX22RequiredProperties 11 | { 12 | // These attributes are required by the SPDX 2.x spec. 13 | [JsonRequired] 14 | [JsonPropertyName("spdxVersion")] 15 | public string Version { get; set; } 16 | 17 | [JsonRequired] 18 | [JsonPropertyName("dataLicense")] 19 | public string DataLicense { get; set; } 20 | 21 | [JsonRequired] 22 | [JsonPropertyName("SPDXID")] 23 | public string SPDXID { get; set; } 24 | 25 | [JsonRequired] 26 | [JsonPropertyName("name")] 27 | public string Name { get; set; } 28 | 29 | [JsonRequired] 30 | [JsonPropertyName("documentNamespace")] 31 | public string DocumentNamespace { get; set; } 32 | 33 | [JsonRequired] 34 | [JsonPropertyName("creationInfo")] 35 | public CreationInfo CreationInfo { get; set; } 36 | } 37 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/SPDXRelationship.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Text.Json.Serialization; 5 | 6 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 7 | 8 | /// 9 | /// Defines relationships between elements in the current SBOM. 10 | /// 11 | public class SPDXRelationship 12 | { 13 | /// 14 | /// Gets or sets defines the type of the relationship between the source and the target element. 
15 | /// 16 | [JsonPropertyName("relationshipType")] 17 | public string RelationshipType { get; set; } 18 | 19 | /// 20 | /// Gets or sets the id of the target element with whom the source element has a relationship. 21 | /// 22 | [JsonRequired] 23 | [JsonPropertyName("relatedSpdxElement")] 24 | public string TargetElementId { get; set; } 25 | 26 | /// 27 | /// Gets or sets the id of the target element with whom the source element has a relationship. 28 | /// 29 | [JsonRequired] 30 | [JsonPropertyName("spdxElementId")] 31 | public string SourceElementId { get; set; } 32 | } 33 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/Snippet.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 5 | 6 | using System.Collections.Generic; 7 | using System.Text.Json.Serialization; 8 | 9 | public class Snippet 10 | { 11 | [JsonPropertyName("SPDXID")] 12 | public string SPDXID { get; set; } 13 | 14 | [JsonPropertyName("comment")] 15 | public string Comment { get; set; } 16 | 17 | [JsonPropertyName("copyrightText")] 18 | public string CopyrightText { get; set; } 19 | 20 | [JsonPropertyName("licenseComments")] 21 | public string LicenseComments { get; set; } 22 | 23 | [JsonPropertyName("licenseConcluded")] 24 | public string LicenseConcluded { get; set; } 25 | 26 | [JsonIgnore(Condition = JsonIgnoreCondition.WhenWritingNull)] 27 | [JsonPropertyName("licenseInfoInSnippets")] 28 | public IEnumerable LicenseInfoInSnippets { get; set; } 29 | 30 | [JsonPropertyName("name")] 31 | public string Name { get; set; } 32 | 33 | [JsonPropertyName("ranges")] 34 | public IEnumerable Ranges { get; set; } 35 | 36 | [JsonPropertyName("snippetFromFile")] 37 | 
public string SnippetFromFile { get; set; } 38 | } 39 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Entities/SpdxExternalDocumentReference.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Text.Json.Serialization; 5 | 6 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 7 | 8 | /// 9 | /// SPDX 2.2 format External Document reference. 10 | /// 11 | public class SpdxExternalDocumentReference 12 | { 13 | /// 14 | /// Gets or sets unique Identifier for ExternalDocumentReference in SPDX document. 15 | /// 16 | [JsonPropertyName("externalDocumentId")] 17 | public string ExternalDocumentId { get; set; } 18 | 19 | /// 20 | /// Gets or sets document namespace of the input SBOM. 21 | /// 22 | [JsonPropertyName("spdxDocument")] 23 | public string SpdxDocument { get; set; } 24 | 25 | /// 26 | /// Gets or sets checksum values for External SBOM file. 27 | /// 28 | [JsonPropertyName("checksum")] 29 | public Checksum Checksum { get; set; } 30 | } 31 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Exceptions/MissingHashValueException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser.Exceptions; 7 | 8 | internal class MissingHashValueException : Exception 9 | { 10 | public MissingHashValueException() 11 | { 12 | } 13 | 14 | public MissingHashValueException(string message) 15 | : base(message) 16 | { 17 | } 18 | 19 | public MissingHashValueException(string message, Exception innerException) 20 | : base(message, innerException) 21 | { 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Microsoft.Sbom.Parsers.Spdx22SbomParser.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Microsoft.Sbom.Parsers.Spdx22SbomParser 5 | True 6 | SPDX2.2 parser for SBOM tool. 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | <_Parameter1>$(AssemblyName).Tests, PublicKey=$(StrongNameSigningPublicKey) 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Parser/ExternalDocumentReferencesResult.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | using System.Collections.Generic; 5 | using System.Linq; 6 | using Microsoft.Sbom.JsonAsynchronousNodeKit; 7 | using Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 8 | 9 | namespace Microsoft.Sbom.Parser; 10 | 11 | public record class ExternalDocumentReferencesResult : ParserStateResult 12 | { 13 | public ExternalDocumentReferencesResult(ParserStateResult result) 14 | : base(result.FieldName, result.Result, result.ExplicitField, result.YieldReturn) 15 | { 16 | } 17 | 18 | public IEnumerable References => ((IEnumerable)this.Result!).Select(r => (SpdxExternalDocumentReference)r); 19 | } 20 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Parser/FilesResult.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections.Generic; 5 | using System.Linq; 6 | using Microsoft.Sbom.JsonAsynchronousNodeKit; 7 | using Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 8 | 9 | namespace Microsoft.Sbom.Parser; 10 | 11 | public record FilesResult : ParserStateResult 12 | { 13 | public FilesResult(ParserStateResult result) 14 | : base(result.FieldName, result.Result, result.ExplicitField, result.YieldReturn) 15 | { 16 | } 17 | 18 | public IEnumerable Files => ((IEnumerable)this.Result!).Select(r => (SPDXFile)r); 19 | } 20 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Parser/PackagesResult.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | using System.Collections.Generic; 5 | using System.Linq; 6 | using Microsoft.Sbom.JsonAsynchronousNodeKit; 7 | using Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 8 | 9 | namespace Microsoft.Sbom.Parser; 10 | 11 | public record PackagesResult : ParserStateResult 12 | { 13 | public PackagesResult(ParserStateResult result) 14 | : base(result.FieldName, result.Result, result.ExplicitField, result.YieldReturn) 15 | { 16 | } 17 | 18 | public IEnumerable Packages => ((IEnumerable)this.Result!).Select(r => (SPDXPackage)r); 19 | } 20 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Parser/RelationshipsResult.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections.Generic; 5 | using System.Linq; 6 | using Microsoft.Sbom.JsonAsynchronousNodeKit; 7 | using Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 8 | 9 | namespace Microsoft.Sbom.Parser; 10 | 11 | public record RelationshipsResult : ParserStateResult 12 | { 13 | public RelationshipsResult(ParserStateResult result) 14 | : base(result.FieldName, result.Result, result.ExplicitField, result.YieldReturn) 15 | { 16 | } 17 | 18 | public IEnumerable Relationships => ((IEnumerable)this.Result!).Select(r => (SPDXRelationship)r); 19 | } 20 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Utils/SPDXVersionParser.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
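namespace Microsoft.Sbom.Utils;

using System;

/// <summary>
/// Helpers for interpreting the <c>spdxVersion</c> tag of an SBOM document ("SPDX-m.n").
/// The tag comes from an untrusted input document, so every helper here must fail closed
/// (return <c>false</c>) on malformed input rather than throw.
/// </summary>
public static class SPDXVersionParser
{
    // The prefix that introduces the version number in the spdxVersion field.
    private const string SpdxTag = "SPDX-";

    /// <summary>
    /// Returns <c>true</c> when <paramref name="spdxVersionString"/> carries an "SPDX-m.n" tag whose
    /// major version <c>m</c> equals <paramref name="requiredMajorVersion"/>. Only the major version is compared;
    /// the minor version is ignored.
    /// </summary>
    /// <param name="spdxVersionString">The version tag read from the document; may be null, empty or malformed.</param>
    /// <param name="requiredMajorVersion">The major SPDX version the caller supports.</param>
    /// <returns>
    /// <c>false</c> for null/empty input, a missing "SPDX-" tag, a tag with no '.' after the major version
    /// (e.g. "SPDX-2"), or a non-numeric major version. This method does not throw on malformed input.
    /// </returns>
    public static bool VersionMatchesRequiredVersion(string spdxVersionString, int requiredMajorVersion)
    {
        if (string.IsNullOrEmpty(spdxVersionString))
        {
            return false;
        }

        // Ordinal comparison: the tag is a machine identifier, not linguistic text, so culture-aware
        // matching (which can e.g. ignore zero-width characters) must not apply here.
        var start = spdxVersionString.IndexOf(SpdxTag, StringComparison.Ordinal);
        if (start == -1)
        {
            return false;
        }

        start += SpdxTag.Length;

        // Fail closed on a tag without a '.' after the major version ("SPDX-2", "SPDX-"):
        // IndexOf returns -1 in that case, and slicing [start..-1] below would throw an
        // ArgumentOutOfRangeException out of the parser on attacker-controlled input.
        // end == start ("SPDX-.2") is an empty major version and is likewise a non-match.
        var end = spdxVersionString.IndexOf('.', start);
        if (end <= start)
        {
            return false;
        }

        // NumberStyles.None accepts digits only, so whitespace or sign characters
        // ("SPDX- 2.2", "SPDX-+2.2") are rejected instead of being silently tolerated.
        if (!int.TryParse(
                spdxVersionString[start..end],
                System.Globalization.NumberStyles.None,
                System.Globalization.CultureInfo.InvariantCulture,
                out var majorVersion))
        {
            return false;
        }

        return majorVersion == requiredMajorVersion;
    }
}
36 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx22SbomParser/Validator.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | using System.IO; 6 | using Microsoft.Sbom.Extensions; 7 | using Microsoft.Sbom.Extensions.Entities; 8 | using Microsoft.Sbom.Parser; 9 | 10 | namespace Microsoft.Sbom.Parsers.Spdx22SbomParser; 11 | 12 | /// 13 | /// Validates files in a folder against their checksums stored in an SPDX 2.2 SBOM.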
14 | /// 15 | public class Validator : IManifestInterface 16 | { 17 | public string Version { get; set; } 18 | 19 | private readonly ManifestInfo spdxManifestInfo = new() 20 | { 21 | Name = Constants.SPDXName, 22 | Version = Constants.SPDXVersion 23 | }; 24 | 25 | public ManifestData ParseManifest(string manifest) 26 | => throw new NotImplementedException($"Currently we don't support parsing complete SPDX 2.2 SBOMs"); 27 | 28 | public ManifestInfo[] RegisterManifest() => new[] { spdxManifestInfo }; 29 | 30 | public ISbomParser CreateParser(Stream stream) => new SPDXParser(stream); 31 | } 32 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Exceptions/MissingHashValueException.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | 6 | namespace Microsoft.Sbom.Parsers.Spdx30SbomParser.Exceptions; 7 | 8 | internal class MissingHashValueException : Exception 9 | { 10 | public MissingHashValueException() 11 | { 12 | } 13 | 14 | public MissingHashValueException(string message) 15 | : base(message) 16 | { 17 | } 18 | 19 | public MissingHashValueException(string message, Exception innerException) 20 | : base(message, innerException) 21 | { 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Microsoft.Sbom.Parsers.Spdx30SbomParser.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Microsoft.Sbom.Parsers.Spdx30SbomParser 5 | True 6 | SPDX3.0 parser for SBOM tool. 
7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | <_Parameter1>$(AssemblyName).Tests, PublicKey=$(StrongNameSigningPublicKey) 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Parser/ParserResults.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | namespace Microsoft.Sbom.Parser; 5 | 6 | using System.Collections.Generic; 7 | using Microsoft.Sbom.Common.Conformance; 8 | using Microsoft.Sbom.Common.Spdx30Entities; 9 | 10 | public class ParserResults 11 | { 12 | public FormatEnforcedSPDX30 FormatEnforcedSPDX3Result { get; set; } 13 | 14 | public HashSet InvalidConformanceElements { get; set; } = []; 15 | 16 | public int FilesCount = 0; 17 | public int PackagesCount = 0; 18 | public int ReferencesCount = 0; 19 | public int RelationshipsCount = 0; 20 | } 21 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Utils/ElementSerializer.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | using System; 5 | using System.Collections.Generic; 6 | using System.Text.Json; 7 | using System.Text.Json.Serialization; 8 | using Microsoft.Sbom.Common.Spdx30Entities; 9 | 10 | public class ElementSerializer : JsonConverter> 11 | { 12 | public override List Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options) => 13 | throw new NotImplementedException("Deserialization of Elements into specific subtypes is not implemented yet."); 14 | 15 | public override void Write(Utf8JsonWriter writer, List elements, JsonSerializerOptions options) 16 | { 17 | writer.WriteStartArray(); 18 | 19 | foreach (var element in elements) 20 | { 21 | JsonSerializer.Serialize(writer, element, element.GetType(), options); 22 | } 23 | 24 | writer.WriteEndArray(); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Parsers.Spdx30SbomParser/Validator.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | using System.IO; 6 | using Microsoft.Sbom.Extensions; 7 | using Microsoft.Sbom.Extensions.Entities; 8 | using Microsoft.Sbom.Parser; 9 | 10 | namespace Microsoft.Sbom.Parsers.Spdx30SbomParser; 11 | 12 | /// 13 | /// Validates files in a folder against their checksums stored in an SPDX 3.0 SBOM. 
14 | /// 15 | public class Validator : IManifestInterface 16 | { 17 | public string Version { get; set; } 18 | 19 | private readonly ManifestInfo spdxManifestInfo = new() 20 | { 21 | Name = Constants.SPDXName, 22 | Version = Constants.SPDXVersion 23 | }; 24 | 25 | public ManifestData ParseManifest(string manifest) 26 | => throw new NotImplementedException($"Currently we don't support parsing complete SPDX 3.0 SBOMs"); 27 | 28 | public ManifestInfo[] RegisterManifest() => new[] { spdxManifestInfo }; 29 | 30 | public ISbomParser CreateParser(Stream stream) => new SPDX30Parser(stream); 31 | } 32 | -------------------------------------------------------------------------------- /src/Microsoft.Sbom.Tool/Microsoft.Sbom.Tool.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Exe 5 | Microsoft.Sbom.Tool 6 | win-x64;osx-x64;osx-arm64;linux-x64 7 | true 8 | true 9 | Highly scalable and enterprise ready tool to create SBOMs for any variety of artifacts. 
10 | 11 | 12 | 13 | true 14 | true 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | -------------------------------------------------------------------------------- /test/Directory.Build.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | true 6 | true 7 | false 8 | $(NoWarn);CS1591 9 | 10 | 11 | 12 | True 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /test/Directory.Packages.props: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | Compile 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /test/Microsoft.Sbom.Adapters.Tests/Microsoft.Sbom.Adapters.Tests.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Exe 5 | false 6 | Microsoft.Sbom.Adapters.Tests 7 | 8 | 9 | 10 | TRACE 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /test/Microsoft.Sbom.Api.Tests/Microsoft.Sbom.Api.Tests.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Exe 5 | false 6 | Microsoft.Sbom.Api.Tests 7 | 8 | 9 | 10 | TRACE 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | -------------------------------------------------------------------------------- /test/Microsoft.Sbom.Api.Tests/TestUtils.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | using System.IO; 5 | 6 | namespace Microsoft.Sbom.Api.Tests; 7 | 8 | internal class TestUtils 9 | { 10 | public static Stream GenerateStreamFromString(string s) 11 | { 12 | var stream = new MemoryStream(); 13 | var writer = new StreamWriter(stream); 14 | writer.Write(s); 15 | writer.Flush(); 16 | stream.Position = 0; 17 | return stream; 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /test/Microsoft.Sbom.Api.Tests/Utils/FileTypeUtilsTest.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using Microsoft.Sbom.Api.Utils; 5 | using Microsoft.Sbom.Contracts.Enums; 6 | using Microsoft.VisualStudio.TestTools.UnitTesting; 7 | 8 | namespace Microsoft.Sbom.Api.Tests.Utils; 9 | 10 | [TestClass] 11 | public class FileTypeUtilsTest 12 | { 13 | private readonly FileTypeUtils fileTypeUtils = new FileTypeUtils(); 14 | 15 | [TestMethod] 16 | public void When_GetFileTypeBy_WithSpdxFile_ThenReturnSPDXType() 17 | { 18 | var types = fileTypeUtils.GetFileTypesBy("random.spdx.json"); 19 | Assert.AreEqual(1, types.Count); 20 | Assert.AreEqual(FileType.SPDX, types[0]); 21 | } 22 | 23 | [TestMethod] 24 | public void When_GetFileTypeBy_WithNonNullFile_ThenReturnNull() 25 | { 26 | var types = fileTypeUtils.GetFileTypesBy("random"); 27 | Assert.IsNull(types); 28 | } 29 | 30 | [TestMethod] 31 | public void When_GetFileTypeBy_WithNullFile_ThenReturnNull() 32 | { 33 | var types = fileTypeUtils.GetFileTypesBy(null); 34 | Assert.IsNull(types); 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /test/Microsoft.Sbom.Api.Tests/Utils/IdentifierUtilsTests.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 
2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System; 5 | using Microsoft.Sbom.Common.Utils; 6 | using Microsoft.VisualStudio.TestTools.UnitTesting; 7 | 8 | namespace Microsoft.Sbom.Api.Utils.Tests; 9 | 10 | [TestClass] 11 | public class IdentifierUtilsTests 12 | { 13 | [TestMethod] 14 | public void TryGetGuidFromShortGuidTest_Succeeds() 15 | { 16 | var shortGuid = IdentifierUtils.GetShortGuid(Guid.NewGuid()); 17 | Assert.IsNotNull(shortGuid); 18 | 19 | Assert.IsTrue(IdentifierUtils.TryGetGuidFromShortGuid(shortGuid, out var guid)); 20 | Assert.IsFalse(guid.Equals(Guid.Empty)); 21 | } 22 | 23 | [TestMethod] 24 | public void TryGetGuidFromShortGuidTest_BadString_Fails_DoesntThrow() 25 | { 26 | Assert.IsFalse(IdentifierUtils.TryGetGuidFromShortGuid(string.Empty, out var guid1)); 27 | Assert.IsTrue(guid1.Equals(Guid.Empty)); 28 | 29 | Assert.IsFalse(IdentifierUtils.TryGetGuidFromShortGuid(null, out var guid2)); 30 | Assert.IsTrue(guid2.Equals(Guid.Empty)); 31 | 32 | Assert.IsFalse(IdentifierUtils.TryGetGuidFromShortGuid("asdf", out var guid3)); 33 | Assert.IsTrue(guid3.Equals(Guid.Empty)); 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /test/Microsoft.Sbom.Api.Tests/Workflows/Helpers/JsonDocumentCollectionTests.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | using System; 5 | using System.IO; 6 | using System.Text.Json; 7 | using Microsoft.Sbom.Api.Workflows.Helpers; 8 | using Microsoft.Sbom.Extensions; 9 | using Microsoft.VisualStudio.TestTools.UnitTesting; 10 | using Moq; 11 | 12 | namespace Microsoft.Sbom.Api.Workflows.Tests; 13 | 14 | [TestClass] 15 | public class JsonDocumentCollectionTests 16 | { 17 | [TestMethod] 18 | public void JsonDocumentDisposalSucceeds() 19 | { 20 | var jsonDoc = JsonDocument.Parse("{\"hello\":\"world\"}"); 21 | var dummySerializer = new Mock().Object; 22 | var jsonDocumentCollection = new JsonDocumentCollection(); 23 | jsonDocumentCollection.AddJsonDocument(dummySerializer, jsonDoc); 24 | 25 | jsonDocumentCollection.DisposeAllJsonDocuments(); 26 | 27 | using var stream = new MemoryStream(); 28 | using var utfJsonWriter = new Utf8JsonWriter(stream); 29 | Assert.ThrowsException(() => jsonDoc.WriteTo(utfJsonWriter)); 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /test/Microsoft.Sbom.Common.Tests/Microsoft.Sbom.Common.Tests.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | Exe 5 | false 6 | $(NoWarn);NU1605 7 | Microsoft.Sbom.Common.Tests 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /test/Microsoft.Sbom.Extensions.DependencyInjection.Tests/Microsoft.Sbom.Extensions.DependencyInjection.Tests.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | Exe 5 | false 6 | Microsoft.Sbom.DependencyInjection.Tests 7 | 8 | 9 | 10 | TRACE 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | -------------------------------------------------------------------------------- /test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests.csproj: -------------------------------------------------------------------------------- 1 | 
2 | 3 | 4 | Exe 5 | false 6 | $(NoWarn);NU1605 7 | Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Parser/LargeJsonParserTests.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 3 | 4 | using System.Collections; 5 | using System.IO; 6 | using System.Text; 7 | using Microsoft.Sbom.JsonAsynchronousNodeKit.Exceptions; 8 | using Microsoft.Sbom.Parser.Strings; 9 | using Microsoft.VisualStudio.TestTools.UnitTesting; 10 | 11 | namespace Microsoft.Sbom.Parser; 12 | 13 | [TestClass] 14 | public class LargeJsonParserTests 15 | { 16 | [TestMethod] 17 | public void LargeJsonParser_RequiresFullEnumeration() 18 | { 19 | var bytes = Encoding.UTF8.GetBytes(SbomPackageStrings.GoodJsonWith3PackagesString); 20 | using var stream = new MemoryStream(bytes); 21 | 22 | var parser = new SPDXParser(stream); 23 | 24 | var result = parser.Next(); 25 | Assert.AreEqual(SPDXParser.PackagesProperty, result.FieldName); 26 | if (result.Result is IEnumerable enumerable) 27 | { 28 | Assert.IsNotNull(enumerable); 29 | Assert.IsTrue(enumerable.GetEnumerator().MoveNext()); 30 | 31 | _ = Assert.ThrowsException(parser.Next); 32 | } 33 | else 34 | { 35 | Assert.Fail(); 36 | } 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /test/Microsoft.Sbom.Parsers.Spdx22SbomParser.Tests/Parser/ParserResults.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 
3 | 4 | namespace Microsoft.Sbom.Parser; 5 | 6 | using System.Collections.Generic; 7 | using Microsoft.Sbom.Parsers.Spdx22SbomParser.Entities; 8 | 9 | public class ParserResults 10 | { 11 | public IEnumerable? Files { get; set; } 12 | 13 | public IEnumerable? Packages { get; set; } 14 | 15 | public IEnumerable? References { get; set; } 16 | 17 | public IEnumerable? Relationships { get; set; } 18 | 19 | public int? FilesCount = null; 20 | public int? PackagesCount = null; 21 | public int? ReferencesCount = null; 22 | public int? RelationshipsCount = null; 23 | } 24 | -------------------------------------------------------------------------------- /test/Microsoft.Sbom.Parsers.Spdx30SbomParser.Tests/Microsoft.Sbom.Parsers.Spdx30SbomParser.Tests.csproj: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | Exe 5 | false 6 | $(NoWarn);NU1605 7 | Microsoft.Sbom.Parsers.Spdx30SbomParser.Tests 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | -------------------------------------------------------------------------------- /test/Microsoft.Sbom.Parsers.Spdx30SbomParser.Tests/Parser/JsonStrings/SbomExternalMapJsonStrings.cs: -------------------------------------------------------------------------------- 1 | // Copyright (c) Microsoft. All rights reserved. 2 | // Licensed under the MIT license. See LICENSE file in the project root for full license information. 

namespace Microsoft.Sbom.Parser.JsonStrings;

/// <summary>
/// JSON fixtures for the SPDX 3.0 <c>ExternalMap</c> element used by the parser tests.
/// </summary>
public static class SbomExternalMapJsonStrings
{
    /// <summary>
    /// A single <c>ExternalMap</c> object with one <c>verifiedUsing</c> entry.
    /// The hash in that entry (<c>"sha1value"</c>) is a placeholder, not a real digest,
    /// so this fixture exercises document shape and parsing only; it must not be used
    /// as evidence that hash verification works.
    /// </summary>
    [System.Diagnostics.CodeAnalysis.SuppressMessage("Style", "JSON002:Probable JSON string detected", Justification = "Need to use JSON string")]
    public const string ExternalMapJsonString =
    @"
    {
        ""externalSpdxId"": ""sample-namespace"",
        ""creationInfo"": ""_:creationinfo"",
        ""spdxId"": ""DocumentRef-sample-external-doc-sha1Value"",
        ""verifiedUsing"": [
            {
                ""algorithm"": ""sha1"",
                ""hashValue"": ""sha1value"",
                ""creationInfo"": ""_:creationinfo"",
                ""spdxId"": ""SPDXRef-PackageVerificationCode-B1565820A5CDAC40E0520D23F9D0B1497F240DDC51D72EAC6423D97D952D444F"",
                ""type"": ""PackageVerificationCode""
            }
        ],
        ""type"": ""ExternalMap""
    }";
}
--------------------------------------------------------------------------------
/test/Microsoft.Sbom.Targets.E2E.Tests/ProjectSamples/ProjectSample1/ProjectSample1.csproj:
--------------------------------------------------------------------------------
Library
true
net8.0
ProjectSample
1.2.4
false
true
true
false
CA1515
$(NoWarn);NU1507;NU5128
--------------------------------------------------------------------------------
/test/Microsoft.Sbom.Targets.E2E.Tests/ProjectSamples/ProjectSample1/SampleLibrary.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

/// <summary>
/// Deliberately empty type: its only job is to give the sample project something to
/// compile into an assembly for the end-to-end SBOM generation tests.
/// </summary>
public class SampleLibrary
{
}
--------------------------------------------------------------------------------
/test/Microsoft.Sbom.Targets.Tests/GenerateSbomTaskSPDX_2_2InputTests.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

namespace Microsoft.Sbom.Targets.Tests;

using Microsoft.VisualStudio.TestTools.UnitTesting;

/// <summary>
/// Runs the shared <see cref="AbstractGenerateSbomTaskInputTests"/> cases for SBOM
/// generation against the SPDX 2.2 specification.
/// </summary>
[TestClass]
public class GenerateSbomTaskSPDX_2_2InputTests : AbstractGenerateSbomTaskInputTests
{
    /// <summary>
    /// Specification handed to the base class in its combined "name:version" form.
    /// </summary>
    internal override string SbomSpecification
    {
        get
        {
            return "SPDX:2.2";
        }
    }

    /// <summary>
    /// One-time setup for the class; delegates to the shared base-class setup, keyed by this class's name.
    /// </summary>
    [ClassInitialize]
    public static void Setup(TestContext testContext)
    {
        ClassSetup(nameof(GenerateSbomTaskSPDX_2_2InputTests));
    }

    /// <summary>
    /// One-time teardown, run once after every test in the class has finished.
    /// </summary>
    [ClassCleanup(ClassCleanupBehavior.EndOfClass)]
    public static void TearDown()
    {
        ClassTearDown();
    }
}
--------------------------------------------------------------------------------
/test/Microsoft.Sbom.Targets.Tests/GenerateSbomTaskSPDX_2_2Tests.cs:
--------------------------------------------------------------------------------
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.

namespace Microsoft.Sbom.Targets.Tests;

using Microsoft.VisualStudio.TestTools.UnitTesting;

///
/// Class to test the generation of SBOM using SPDX 2.2 specification.
///
[TestClass]
public class GenerateSbomTaskSPDX_2_2Tests : AbstractGenerateSbomTaskTests
{
    // Name and version are supplied as two separate values here, unlike the single
    // "SPDX:2.2" string used by the input-tests class in this folder.
    internal override string SbomSpecificationName
    {
        get
        {
            return "SPDX";
        }
    }

    internal override string SbomSpecificationVersion
    {
        get
        {
            return "2.2";
        }
    }

    /// <summary>
    /// One-time setup for the class; delegates to the shared base-class setup, keyed by this class's name.
    /// </summary>
    [ClassInitialize]
    public static void Setup(TestContext testContext)
    {
        ClassSetup(nameof(GenerateSbomTaskSPDX_2_2Tests));
    }

    /// <summary>
    /// One-time teardown, run once after every test in the class has finished.
    /// </summary>
    [ClassCleanup(ClassCleanupBehavior.EndOfClass)]
    public static void TearDown()
    {
        ClassTearDown();
    }
}
--------------------------------------------------------------------------------
/test/Microsoft.Sbom.Tool.Tests/Microsoft.Sbom.Tool.Tests.csproj:
--------------------------------------------------------------------------------
Exe
false
Microsoft.Sbom.Tools.Tests
TRACE
--------------------------------------------------------------------------------