feat: New command line sbomgen

This merge introduces a new command line tool called "sbomgen"

The motivation for creating a new tool is to maintain the functionality of the existing command
line tool while making improvements to the sbom generator ecosystem.
- Use the existing spdx golang-tools
- Use the existing parsers project

The result is a more streamlined implementation of the spdx-sbom-generator

.github/workflows/build-pr.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go: [ "^1.17", "^1.18" ]
+        go: [ "^1.20" ]
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v3
@@ -26,21 +26,3 @@ jobs:
         run: make check-headers
       - name: Build
         run: make build
-  generate:
-    name: Generate sbom file
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout the repository
-        uses: actions/checkout@v2
-      - name: gh-action-spdx-sbom-generator
-        uses: niravpatel27/gh-action-spdx-sbom-generator@v1.0.0
-        with:
-          version: '0.0.3'
-      - name: Check if sbom file generated
-        run: |
-          if [ ! -f "bom-go-mod.spdx" ]; then
-            echo "::error::bom-go-mod.spdx is missing. Must generate using the spdx-sbom-generator cli."
-            exit 1
-          else
-             echo "Success!"
-          fi

cmd/sbomgen/sbomgen.go

@@ -0,0 +1,124 @@
+// SPDX-License-Identifier: Apache-2.0
+
+package main
+
+import (
+	"os"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spdx/spdx-sbom-generator/pkg/runner"
+	"github.com/spdx/spdx-sbom-generator/pkg/runner/options"
+	"github.com/spf13/cobra"
+)
+
+const jsonLogFormat = "json"
+const defaultLogLevel = "info"
+
+// provided through ldflags on build
+var (
+	version string
+)
+
+var rootCmd = &cobra.Command{
+	Use:   "sbomgen",
+	Short: "Output Package Manager dependency on SPDX format",
+	Long:  "Output Package Manager dependency on SPDX format",
+	Run:   generate,
+}
+
+func main() {
+	if version == "" {
+		version = "source-code"
+	}
+
+	if err := rootCmd.Execute(); err != nil {
+		log.Fatal(err)
+	}
+}
+func init() {
+	rootCmd.Flags().StringP("path", "p", ".", "the path to package file or the path to a directory which will be recursively analyzed for the package files (default '.')")
+	rootCmd.Flags().BoolP("include-license-text", "i", false, " Include full license text (default: false)")
+	rootCmd.Flags().StringP("schema", "s", "2.3", "<version> Target schema version (default: '2.3')")
+	rootCmd.Flags().StringP("output-dir", "o", "", "<output> directory to write SPDX doc (default: if not specified, doc is written to stdout)")
+	rootCmd.Flags().StringP("format", "f", "spdx", "output file format (default: spdx)")
+	rootCmd.Flags().StringP("global-settings", "g", "", "Alternate path for the global settings file for Java Maven (default 'mvn settings.xml')")
+
+	//rootCmd.MarkFlagRequired("path")
+	cobra.OnInitialize(setupLogger)
+}
+
+func parseOutputFormat(formatOption string) options.OutputFormat {
+	switch processedFormatOption := strings.ToLower(formatOption); processedFormatOption {
+	case "spdx":
+		return options.OutputFormatSpdx
+	case "json":
+		return options.OutputFormatJson
+	default:
+		return options.OutputFormatSpdx
+	}
+}
+
+func setupLogger() {
+	log.SetFormatter(&log.TextFormatter{
+		ForceColors:   true,
+		FullTimestamp: true,
+	})
+	if os.Getenv("LOG_FORMAT") == jsonLogFormat {
+		log.SetFormatter(&log.JSONFormatter{})
+	}
+
+	level := os.Getenv("LOG_LEVEL")
+	if level == "" {
+		level = defaultLogLevel
+	}
+
+	logLevel, err := log.ParseLevel(level)
+	if err != nil {
+		logLevel = log.DebugLevel
+	}
+
+	log.SetLevel(logLevel)
+}
+
+func generate(cmd *cobra.Command, args []string) {
+	log.Info("Starting to generate SPDX ...")
+	checkOpt := func(opt string) string {
+		cmdOpt, err := cmd.Flags().GetString(opt)
+		if err != nil {
+			log.Fatalf("Failed to read command option %v", err)
+		}
+
+		return cmdOpt
+	}
+	path := checkOpt("path")
+	outputDir := checkOpt("output-dir")
+	schema := checkOpt("schema")
+	format := parseOutputFormat(checkOpt("format"))
+	license, err := cmd.Flags().GetBool("include-license-text")
+	if err != nil {
+		log.Fatalf("Failed to read command option: %v", err)
+	}
+	globalSettingFile := checkOpt("global-settings")
+
+	opts := options.Options{
+		SchemaVersion:     schema,
+		Indent:            4,
+		Version:           version,
+		License:           license,
+		Depth:             "",
+		Slug:              "",
+		OutputDir:         outputDir,
+		Format:            format,
+		GlobalSettingFile: globalSettingFile,
+		Path:              path,
+		Plugins:           options.DefaultPlugins,
+	}
+
+	err = runner.NewWithOptions(opts).CreateSBOM()
+
+	if err != nil {
+		log.Fatalf("error creating SBOM, err: %s", err.Error())
+	}
+
+}

go.mod

@@ -2,49 +2,61 @@
 
 module github.com/spdx/spdx-sbom-generator
 
-go 1.17
+go 1.20
 
 require (
-	github.com/go-enry/go-license-detector/v4 v4.2.0
-	github.com/go-git/go-git/v5 v5.1.0
+	github.com/go-enry/go-license-detector/v4 v4.3.1
+	github.com/go-git/go-git/v5 v5.7.0
 	github.com/google/uuid v1.2.0
-	github.com/sirupsen/logrus v1.8.1
-	github.com/spf13/cobra v1.1.3
-	github.com/stretchr/testify v1.6.1
-	github.com/vifraa/gopom v0.1.0
-	golang.org/x/mod v0.4.2
+	github.com/opensbom-generator/parsers v0.0.0-20230627202907-fc5a182b1325
+	github.com/sirupsen/logrus v1.9.3
+	github.com/spdx/tools-golang v0.5.2
+	github.com/spf13/cobra v1.7.0
+	github.com/stretchr/testify v1.8.4
+	github.com/vifraa/gopom v0.2.1
+	golang.org/x/mod v0.11.0
 )
 
 require (
+	github.com/Microsoft/go-winio v0.6.0 // indirect
+	github.com/ProtonMail/go-crypto v0.0.0-20230518184743-7afd39499903 // indirect
+	github.com/acomagu/bufpipe v1.0.4 // indirect
+	github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
+	github.com/blang/semver/v4 v4.0.0 // indirect
+	github.com/cloudflare/circl v1.3.3 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/dgryski/go-minhash v0.0.0-20170608043002-7fe510aff544 // indirect
-	github.com/ekzhu/minhash-lsh v0.0.0-20171225071031-5c06ee8586a1 // indirect
-	github.com/emirpasic/gods v1.12.0 // indirect
-	github.com/go-git/gcfg v1.5.0 // indirect
-	github.com/go-git/go-billy/v5 v5.0.0 // indirect
+	github.com/dgryski/go-minhash v0.0.0-20190315135803-ad340ca03076 // indirect
+	github.com/ekzhu/minhash-lsh v0.0.0-20190924033628-faac2c6342f8 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.4.1 // indirect
+	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/hhatto/gorst v0.0.0-20181029133204-ca9f730cac5b // indirect
-	github.com/imdario/mergo v0.3.9 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
+	github.com/imdario/mergo v0.3.15 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/jdkato/prose v1.1.0 // indirect
-	github.com/kevinburke/ssh_config v0.0.0-20190725054713-01f96b0aa0cd // indirect
-	github.com/mitchellh/go-homedir v1.1.0 // indirect
-	github.com/montanaflynn/stats v0.0.0-20151014174947-eeaced052adb // indirect
+	github.com/jdkato/prose v1.2.1 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/montanaflynn/stats v0.6.6 // indirect
+	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
+	github.com/pjbgf/sha1cd v0.3.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/russross/blackfriday/v2 v2.0.1 // indirect
-	github.com/sergi/go-diff v1.1.0 // indirect
-	github.com/shogo82148/go-shuffle v0.0.0-20170808115208-59829097ff3b // indirect
-	github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sergi/go-diff v1.2.0 // indirect
+	github.com/shogo82148/go-shuffle v1.0.1 // indirect
+	github.com/skeema/knownhosts v1.1.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/xanzy/ssh-agent v0.2.1 // indirect
-	golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073 // indirect
-	golang.org/x/exp v0.0.0-20191030013958-a1ab85dbe136 // indirect
-	golang.org/x/net v0.0.0-20200301022130-244492dfa37a // indirect
-	golang.org/x/sys v0.0.0-20220712014510-0a85c31ab51e // indirect
-	golang.org/x/text v0.3.6 // indirect
-	gonum.org/v1/gonum v0.7.0 // indirect
-	gopkg.in/neurosnap/sentences.v1 v1.0.6 // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	golang.org/x/crypto v0.10.0 // indirect
+	golang.org/x/exp v0.0.0-20221006183845-316c7553db56 // indirect
+	golang.org/x/net v0.11.0 // indirect
+	golang.org/x/sys v0.9.0 // indirect
+	golang.org/x/text v0.10.0 // indirect
+	golang.org/x/tools v0.9.3 // indirect
+	gonum.org/v1/gonum v0.8.2 // indirect
+	gopkg.in/neurosnap/sentences.v1 v1.0.7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	sigs.k8s.io/release-utils v0.7.4 // indirect
 )