Merge pull request #16 from blackducksoftware/dev

v1.0.16 - Added --unmap option. Fixed issue with SBOM naming causing …
blackducksoftware · Nov 22, 2024 · 61bf56c · 61bf56c
2 parents 11e5c2c + 106391d
commit 61bf56c
Show file tree

Hide file tree

Showing 6 changed files with 31 additions and 12 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# Black Duck SCA Scan Yocto Script - bd_scan_yocto_via_sbom.py v1.0.15
+# Black Duck SCA Scan Yocto Script - bd_scan_yocto_via_sbom.py v1.0.16
 
 # PROVISION OF THIS SCRIPT
 This script is provided under the MIT license (see LICENSE file).
@@ -167,6 +167,7 @@ There are several additional options to modify the behaviour of this utility inc
      --logfile LOGFILE     Logging output file
      --recipe_report REPFILE
                            Output specified file with a list of recipes including those not matched in the BOM
+     --no_unmap            Do not unmap previous code locations (scans) when running the initial scan (default is to unmap)
 
 ### MINIMUM REQUIRED OPTIONS
 

diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "bd_scan_yocto_via_sbom"
-version = "1.0.15"
+version = "1.0.16"
 authors = [
   { name="Matthew Brady", email="[email protected]" },
 ]

diff --git a/yocto_import_sbom/BOMClass.py b/yocto_import_sbom/BOMClass.py
@@ -4,6 +4,7 @@
 import requests
 import time
 import os
+import json
 from pathlib import Path
 
 from .ComponentListClass import ComponentList
@@ -184,7 +185,12 @@ def upload_sbom(conf, bom, sbom):
             if response.status_code == 201:
                 return True
             else:
-                raise Exception(f"Return code {response.status_code}")
+                # Try to extract meaningful error message
+                repjson = response.content.decode('utf8')
+                err = json.loads(repjson)
+                err_text = err['errorMessage']
+
+                raise Exception(f"Return code {response.status_code} - error {err_text}")
 
         except Exception as e:
             logging.error("Unable to POST SPDX data")

diff --git a/yocto_import_sbom/ConfigClass.py b/yocto_import_sbom/ConfigClass.py
@@ -4,7 +4,7 @@
 import sys
 from .OEClass import OE
 
-script_version = "v1.0.15"
+script_version = "v1.0.16"
 
 class Config:
     def __init__(self):
@@ -91,7 +91,7 @@ def __init__(self):
         parser.add_argument("--debug", help="Debug logging mode", action='store_true')
         parser.add_argument("--logfile", help="Logging output file", default="")
         parser.add_argument("--recipe_report", help="Output recipe report to file", default="")
-
+        parser.add_argument("--no_unmap", help="Do not unmap previous scans when running new scan", action='store_true')
 
         args = parser.parse_args()
 
@@ -129,6 +129,7 @@ def __init__(self):
         self.cve_check_dir = ''
         self.license_dir = ''
         self.recipe_report = ''
+        self.unmap = True
 
         terminate = False
         if args.debug:
@@ -138,23 +139,26 @@ def __init__(self):
         if args.logfile:
             if os.path.exists(args.logfile):
                 logging.error(f"Specified logfile '{args.logfile}' already exists - EXITING")
-                return
+                sys.exit(2)
             logging.basicConfig(encoding='utf-8',
                                 handlers=[logging.FileHandler(args.logfile), logging.StreamHandler(sys.stdout)],
                                 level=loglevel)
         else:
             logging.basicConfig(level=loglevel)
 
         logging.info(f"Black Duck Yocto scan via SBOM utility - {script_version}")
+        logging.info('')
+        logging.info("--- PHASE 0 - CONFIG -----------------------------------------------------")
+
         logging.info("SUPPLIED ARGUMENTS:")
         for arg in vars(args):
             logging.info(f"--{arg}={getattr(args, arg)}")
 
-        logging.info('')
-        logging.info("--- PHASE 0 - CONFIG -----------------------------------------------------")
-
         bd_connect = True
         if args.output:
+            if os.path.exists(args.output):
+                logging.error(f"Specified SBOM output file '{args.output}' already exists - EXITING")
+                sys.exit(2)
             self.output_file = args.output
             bd_connect = False
 
@@ -290,6 +294,9 @@ def __init__(self):
         if args.detect_opts != '':
             self.detect_opts = args.detect_opts.replace('detect', '--detect')
 
+        if args.no_unmap:
+            self.unmap = False
+
         if terminate:
             sys.exit(2)
         return
diff --git a/yocto_import_sbom/SBOMClass.py b/yocto_import_sbom/SBOMClass.py
@@ -27,7 +27,7 @@ def __init__(self, proj, ver):
                 ],
                 "licenseListVersion": "3.13"
             },
-            "name": self.quote(f"{proj}-{ver}"),
+            "name": self.quote(f"{proj}-{ver}-" + mytime.strftime("%Y%m%dT%H%M%S")),
             "documentDescribes": [
                 self.quote(f"SPDXRef-package-{self.package_id}")
             ],

diff --git a/yocto_import_sbom/main.py b/yocto_import_sbom/main.py
@@ -19,8 +19,13 @@ def main():
     logging.info("")
     logging.info("--- PHASE 1 - PROCESS PROJECT --------------------------------------------")
     bom = BOM(conf)
-    if conf.detect_opts != '':
-        if not bom.run_detect_sigscan(conf, empty_dir.name, extra_opt='--detect.tools=DETECTOR'):
+
+    if conf.output_file == '':
+        extra_opt = '--detect.tools=DETECTOR'
+        if conf.unmap:
+            extra_opt += ' --detect.project.codelocation.unmap=true'
+        if not bom.run_detect_sigscan(conf, empty_dir.name,
+                                      extra_opt=extra_opt):
             logging.error("Unable to run Detect to initialise project")
             sys.exit(2)