populate metadata.tools.tool.externalReferences #171

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

.composer-require-checker.json

@@ -9,6 +9,7 @@
     "Composer\\Package\\PackageInterface",
     "Composer\\Package\\RootPackage",
     "Composer\\Package\\RootPackageInterface",
+    "Composer\\PartialComposer",
     "Composer\\Plugin\\Capability\\CommandProvider",
     "Composer\\Plugin\\Capable",
     "Composer\\Plugin\\PluginInterface",

HISTORY.md

@@ -22,6 +22,7 @@ All notable changes to this project will be documented in this file.
   * Support for CycloneDX Spec v1.4 (via [#250])
   * SBOM results
     * might have `metadata.timestamp` populated ([#112] via [#250])
+    * might have `metadata.tools.tool.eexternalReferences` populated ([#171] via [#250])
     * might have `component.author` populated ([#261] via [#250])
   * CLI
     * New option `omit` (via [#250])
@@ -37,6 +38,7 @@ All notable changes to this project will be documented in this file.
 [#128]: https://github.com/CycloneDX/cyclonedx-php-composer/issues/128
 [#153]: https://github.com/CycloneDX/cyclonedx-php-composer/issues/153
 [#154]: https://github.com/CycloneDX/cyclonedx-php-composer/issues/154
+[#171]: https://github.com/CycloneDX/cyclonedx-php-composer/issues/171
 [#250]: https://github.com/CycloneDX/cyclonedx-php-composer/pull/250
 [#261]: https://github.com/CycloneDX/cyclonedx-php-composer/issues/261
 

src/Builder.php

@@ -35,7 +35,6 @@
 use Generator;
 use PackageUrl\PackageUrl;
 use RuntimeException;
-use stdClass;
 
 /**
  * @internal
@@ -283,44 +282,9 @@ private function createExternalReferencesFromPackage(CompletePackageInterface $p
     }
 
     /**
-     * @psalm-param null|non-empty-string $versionOverride
-     *
      * @psalm-suppress MissingThrowsDocblock
      */
-    public function createThisTool(?string $versionOverride): Models\Tool
-    {
-        // TODO load from actual package ... if available and locked
-        // use $this->createToolFromPackage()
-
-        /** @var stdClass */
-        $thisPackageManifest = json_decode(file_get_contents(__DIR__.'/../composer.json'), false, 512, \JSON_THROW_ON_ERROR);
-
-        $thisPackageManifest->version = $versionOverride
-            ?? trim(file_get_contents(__DIR__.'/../semver.txt'));
-
-        return $this->createToolFromManifest($thisPackageManifest);
-    }
-
-    private function createToolFromManifest(stdClass $package): Models\Tool
-    {
-        \assert(\is_string($package->name));
-        \assert(null === $package->version || \is_string($package->version));
-
-        [$group, $name] = $this->getGroupAndName($package->name);
-
-        $tool = new Models\Tool();
-        $tool->setName($name);
-        $tool->setVendor($group);
-        $tool->setVersion($package->version);
-        $tool->getExternalReferences()->addItems();
-
-        return $tool;
-    }
-
-    /**
-     * @psalm-suppress MissingThrowsDocblock
-     */
-    private function createToolFromPackage(PackageInterface $package): Models\Tool
+    public function createToolFromPackage(PackageInterface $package): Models\Tool
     {
         [$group, $name] = $this->getGroupAndName($package->getName());
         $distUrl = $package->getDistUrl();
@@ -331,7 +295,11 @@ private function createToolFromPackage(PackageInterface $package): Models\Tool
         $tool->setName($name);
         $tool->setVendor($group);
         $tool->setVersion($package->getFullPrettyVersion());
-        $tool->getExternalReferences()->addItems();
+        if ($package instanceof CompletePackageInterface) {
+            $tool->getExternalReferences()->addItems(
+                ...iterator_to_array($this->createExternalReferencesFromPackage($package))
+            );
+        }
         if ($distUrl) {
             $tool->getExternalReferences()->addItems(
                 new Models\ExternalReference(

src/MakeBom/Command.php

@@ -118,18 +118,29 @@ private function generateBom(IOInterface $io, Spec $spec): string
             $this->options->mainComponentVersion,
         );
 
-        $composer = (new ComposerFactory())->createComposer($io, $this->options->composerFile, fullLoad: true);
+        $subjectComposer = (new ComposerFactory())->createComposer($io, $this->options->composerFile, fullLoad: true);
         /** @psalm-suppress RedundantConditionGivenDocblockType -- as with lowest-compatible dependencies this is needed  */
-        \assert($composer instanceof \Composer\Composer);
-        $bom = $builder->createBomFromComposer($composer);
-        unset($composer);
+        \assert($subjectComposer instanceof \Composer\Composer);
+        $bom = $builder->createBomFromComposer($subjectComposer);
+        unset($subjectComposer);
 
         if (!$this->options->outputReproducible) {
             $bom->getMetadata()->setTimestamp(new DateTime());
         }
+
+        $selfComposer = (new ComposerFactory())->createComposer($io, __DIR__.'/../../composer.json',
+            fullLoad: false, disablePlugins: true, disableScripts: true);
+        /** @psalm-suppress RedundantConditionGivenDocblockType -- as with lowest-compatible dependencies this is needed  */
+        \assert($selfComposer instanceof \Composer\PartialComposer);
         $bom->getMetadata()->getTools()->addItems(
-            $builder->createThisTool($this->options->getToolVersionOverride())
+            $builder->createToolFromPackage(
+                $selfComposer->getPackage()
+            )->setVersion(
+                $this->options->getToolVersionOverride()
+                    ?? trim(file_get_contents(__DIR__.'/../../semver.txt')
+                    ))
         );
+        unset($selfComposer);
 
         $io->writeError('<info>serialize BOM...</info>', verbosity: IOInterface::VERBOSE);
         /** @var Serialization\Serializer */