feat: expose sbom generation functionality (#114)

* fix gitignore for bin directory Signed-off-by: nscuro <nscuro@protonmail.com> * introduce public generator api Signed-off-by: nscuro <nscuro@protonmail.com> * migrate `bin` generation logic to public api Signed-off-by: nscuro <nscuro@protonmail.com> * move `main.go` to `cmd` directory to avoid warnings during `go get` Signed-off-by: nscuro <nscuro@protonmail.com> * refactor to not use global logger instance anymore Signed-off-by: nscuro <nscuro@protonmail.com> * migrate `mod` generation logic to public api Signed-off-by: nscuro <nscuro@protonmail.com> * introduce `bomtest` package for shared testing funcs Signed-off-by: nscuro <nscuro@protonmail.com> * move `bin` e2e tests to generator package Signed-off-by: nscuro <nscuro@protonmail.com> * revert 6699cea and 8aec93d keep the e2e tests for testing the generation logic for now. we may change this in the future, but for now it'd cause too much refactoring work. Signed-off-by: nscuro <nscuro@protonmail.com> * re-add basic tests for `bin` generator and its options Signed-off-by: nscuro <nscuro@protonmail.com> * basic tests for `mod` generator Signed-off-by: nscuro <nscuro@protonmail.com> * documentation Signed-off-by: nscuro <nscuro@protonmail.com> * migrate `app` generation logic to public api Signed-off-by: nscuro <nscuro@protonmail.com> * fix `TestModWhy` i know, i know... this test should be deterministic. Signed-off-by: nscuro <nscuro@protonmail.com> * add changelog entry Signed-off-by: nscuro <nscuro@protonmail.com> * more godoc Signed-off-by: nscuro <nscuro@protonmail.com> * use logger for go command output as well Signed-off-by: nscuro <nscuro@protonmail.com> * move generator tests to `pkg` still need a solution to strip dynamic data from generated boms before comparing them to snapshots though Signed-off-by: nscuro <nscuro@protonmail.com> * address gosec findings Signed-off-by: nscuro <nscuro@protonmail.com> * address gosec findings Signed-off-by: nscuro <nscuro@protonmail.com> * test+redact dynamic properties before comparing to snapshot Signed-off-by: nscuro <nscuro@protonmail.com> * implement redacting of stdlib versions for snapshot tests Signed-off-by: nscuro <nscuro@protonmail.com> * make linter happy Signed-off-by: nscuro <nscuro@protonmail.com> * re-add missing logic for bin Signed-off-by: nscuro <nscuro@protonmail.com> * regenerate example sboms Signed-off-by: nscuro <nscuro@protonmail.com> * ensure bom file is closed before validating it with cdx cli Signed-off-by: nscuro <nscuro@protonmail.com> * remove internal reproducible flag Signed-off-by: nscuro <nscuro@protonmail.com> * add disclaimer Signed-off-by: nscuro <nscuro@protonmail.com> Closes #99 Closes #108
CycloneDX · Jan 26, 2022 · bc4414e · bc4414e
1 parent 1dbc2db
commit bc4414e
Show file tree

Hide file tree

Showing 94 changed files with 4,464 additions and 2,070 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,5 @@
 # Binaries for programs and plugins
-bin/
+/bin/
 *.exe
 *.exe~
 *.dll

diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -25,10 +25,11 @@ builds:
       -s
       -w
       -X github.com/CycloneDX/cyclonedx-gomod/internal/version.Version={{ .Tag }}
+    main: ./cmd/cyclonedx-gomod
     mod_timestamp: "{{ .CommitTimestamp }}"
     hooks:
       post:
-        - cmd: ./bin/cyclonedx-gomod app -licenses -packages -std -json -output "{{ .ProjectName }}_{{ .Version }}_{{ .Target }}.bom.json"
+        - cmd: ./bin/cyclonedx-gomod app -main ./cmd/cyclonedx-gomod -licenses -packages -std -json -output "{{ .ProjectName }}_{{ .Version }}_{{ .Target }}.bom.json"
           env:
             - GOARCH={{ .Arch }}
             - GOOS={{ .Os }}

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Changelog
 
+## v1.2.0 (unreleased)
+
+### Enhancements
+
+* Expose SBOM generation functionality ([#99](https://github.com/CycloneDX/cyclonedx-gomod/issues/99), [#108](https://github.com/CycloneDX/cyclonedx-gomod/issues/108) via [#114](https://github.com/CycloneDX/cyclonedx-gomod/pull/114))
+
+### Dependency Updates
+
+* Update `github.com/rs/zerolog` from `v1.26.0` to `v1.26.1` (via [#107](https://github.com/CycloneDX/cyclonedx-gomod/pull/107))
+
 ## v1.1.0
 
 ### Enhancements

diff --git a/Makefile b/Makefile
@@ -6,11 +6,11 @@ LDFLAGS="-s -w -X github.com/CycloneDX/cyclonedx-gomod/internal/version.Version=
 
 build:
 	mkdir -p ./bin
-	CGO_ENABLED=0 go build -v -ldflags=${LDFLAGS} -o ./bin/cyclonedx-gomod
+	CGO_ENABLED=0 go build -v -ldflags=${LDFLAGS} -o ./bin/cyclonedx-gomod ./cmd/cyclonedx-gomod
 .PHONY: build
 
 install:
-	CGO_ENABLED=0 go install -v -ldflags=${LDFLAGS}
+	CGO_ENABLED=0 go install -v -ldflags=${LDFLAGS} ./cmd/cyclonedx-gomod
 .PHONY: install
 
 unit-test:

diff --git a/README.md b/README.md
@@ -2,6 +2,7 @@
 
 [![Build Status](https://github.com/CycloneDX/cyclonedx-gomod/actions/workflows/ci.yml/badge.svg)](https://github.com/CycloneDX/cyclonedx-gomod/actions/workflows/ci.yml)
 [![Go Report Card](https://goreportcard.com/badge/github.com/CycloneDX/cyclonedx-gomod)](https://goreportcard.com/report/github.com/CycloneDX/cyclonedx-gomod)
+[![Go Reference](https://pkg.go.dev/badge/github.com/CycloneDX/cyclonedx-gomod.svg)](https://pkg.go.dev/github.com/CycloneDX/cyclonedx-gomod)
 [![Latest GitHub release](https://img.shields.io/github/v/release/CycloneDX/cyclonedx-gomod?sort=semver)](https://github.com/CycloneDX/cyclonedx-gomod/releases/latest)
 [![License](https://img.shields.io/badge/license-Apache%202.0-brightgreen.svg)](LICENSE)  
 [![Website](https://img.shields.io/badge/https://-cyclonedx.org-blue.svg)](https://cyclonedx.org/)
@@ -18,7 +19,7 @@ Prebuilt binaries are available on the [releases](https://github.com/CycloneDX/c
 ### From Source
 
 ```shell
-go install github.com/CycloneDX/cyclonedx-gomod@v1.1.0
+go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
 ```
 
 Building from source requires Go 1.17 or newer.
@@ -265,6 +266,22 @@ $ docker run -it --rm \
 > We generally recommend using a [precompiled binary](https://github.com/CycloneDX/cyclonedx-gomod/releases) 
 > and running it in the same environment in which you're building your application in.
 
+### Library Usage
+
+Starting with `v1.2.0`, *cyclonedx-gomod* can be used as a library as well:
+
+```shell
+go get -v github.com/CycloneDX/cyclonedx-gomod
+```
+
+Refer to the [documentation](https://pkg.go.dev/github.com/CycloneDX/cyclonedx-gomod) for details and examples.
+
+> Be warned that *cyclonedx-gomod* is and will continue to be primarily a CLI tool.  
+> While we'll only introduce breaking changes to the exposed APIs in accordance with semver,
+> we will not invest in supporting older versions. If you intend on depending on our API,
+> please assess if you'll be able to keep up. For example, we will move to the newest Go version
+> shortly after its GA, and will almost definitely use backwards-incompatible features going forward.
+
 ## Important Notes
 
 ### Vendoring

diff --git a/main.go → cmd/cyclonedx-gomod/main.go b/main.go → cmd/cyclonedx-gomod/main.go
@@ -20,11 +20,12 @@ package main
 import (
 	"context"
 	"fmt"
-	"github.com/CycloneDX/cyclonedx-gomod/internal/cli/options"
-	"github.com/rs/zerolog/log"
 	"os"
 
+	"github.com/rs/zerolog/log"
+
 	"github.com/CycloneDX/cyclonedx-gomod/internal/cli"
+	"github.com/CycloneDX/cyclonedx-gomod/internal/cli/options"
 )
 
 func main() {

diff --git a/e2e/cmd_app_test.go b/e2e/cmd_app_test.go
diff --git a/e2e/cmd_bin_test.go b/e2e/cmd_bin_test.go