Add supplier/license info for cargo and pip

microsoft · sebasgomez238 · Jan 12, 2024 · Jan 12, 2024 · Jan 12, 2024 · Jan 12, 2024
commit 90eeee8e134d793fb32c360866e3b562adb38a8d
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -7,7 +7,7 @@
         </PackageVersion>
     </ItemDefinitionGroup>
     <PropertyGroup>
-        <ComponentDetectionPackageVersion>4.0.11</ComponentDetectionPackageVersion>
+        <ComponentDetectionPackageVersion>4.0.12-preview.0.12</ComponentDetectionPackageVersion>
     </PropertyGroup>
     <ItemGroup>
         <PackageVersion Include="AutoMapper" Version="10.1.1" />
@@ -32,8 +32,8 @@
         <PackageVersion Include="Mono.Posix.NETStandard" Version="1.0.0" Condition="'$(TargetFramework)' == 'net6.0'"/>
         <PackageVersion Include="Moq" Version="4.17.2" />
         <PackageVersion Include="Newtonsoft.Json" Version="13.0.3" />
-        <PackageVersion Include="NuGet.Configuration" Version="6.7.0" />
-        <PackageVersion Include="NuGet.Frameworks" Version="6.7.0" />
+        <PackageVersion Include="NuGet.Configuration" Version="6.8.0" />
+        <PackageVersion Include="NuGet.Frameworks" Version="6.8.0" />
         <PackageVersion Include="packageurl-dotnet" Version="1.1.0" />
         <PackageVersion Include="PowerArgs" Version="3.6.0" />
         <PackageVersion Include="Scrutor" Version="4.2.0" />

@@ -23,10 +23,12 @@ internal static class CargoComponentExtensions
         PackageUrl = cargoComponent.PackageUrl?.ToString(),
         PackageName = cargoComponent.Name,
         PackageVersion = cargoComponent.Version,
-        LicenseInfo = string.IsNullOrWhiteSpace(component.LicenseConcluded) ? null : new LicenseInfo
+        LicenseInfo = new LicenseInfo
         {
-            Concluded = component.LicenseConcluded,
+            Concluded = string.IsNullOrEmpty(component.LicenseConcluded) ? null : component.LicenseConcluded,
+            Declared = string.IsNullOrEmpty(cargoComponent.License) ? null : cargoComponent.License,
         },
+        Supplier = string.IsNullOrEmpty(cargoComponent.Author) ? null : $"Organization: {cargoComponent.Author}",
         FilesAnalyzed = false,
         Type = "cargo",
     };

@@ -23,10 +23,12 @@ internal static class PipComponentExtensions
         PackageUrl = pipComponent.PackageUrl?.ToString(),
         PackageName = pipComponent.Name,
         PackageVersion = pipComponent.Version,
-        LicenseInfo = string.IsNullOrWhiteSpace(component.LicenseConcluded) ? null : new LicenseInfo
+        LicenseInfo = new LicenseInfo
         {
-            Concluded = component.LicenseConcluded,
+            Concluded = string.IsNullOrEmpty(component.LicenseConcluded) ? null : component.LicenseConcluded,
+            Declared = string.IsNullOrEmpty(pipComponent.License) ? null : pipComponent.License,
         },
+        Supplier = string.IsNullOrEmpty(pipComponent.Author) ? null : $"Organization: {pipComponent.Author}",
         FilesAnalyzed = false,
         Type = "python",
     };

@@ -78,6 +78,7 @@ public ComponentDetectionBaseWalker(
         // Enable SPDX22 and ConanLock detector which is disabled by default.
         cliArgumentBuilder.AddDetectorArg("SPDX22SBOM", "EnableIfDefaultOff");
         cliArgumentBuilder.AddDetectorArg("ConanLock", "EnableIfDefaultOff");
+        cliArgumentBuilder.AddDetectorArg("RustCli", "EnableIfDefaultOff");
 
         if (sbomConfigs.TryGet(Constants.SPDX22ManifestInfo, out var spdxSbomConfig))
         {

@@ -29,6 +29,8 @@ protected override IEnumerable<ScannedComponent> FilterScannedComponents(ScanRes
         return result
             .ComponentsFound
             .Where(component => !(component.Component is SpdxComponent)) // We exclude detected SBOMs from packages section and reference them as an ExternalReference
+            .GroupBy(component => component.Component.Id)
+            .Select(group => group.FirstOrDefault(component => component.DetectorId == "RustCli") ?? group.First())
             .Distinct(new ScannedComponentEqualityComparer())
             .ToList();
     }

diff --git a/src/Microsoft.Sbom.Extensions.DependencyInjection/ServiceCollectionExtensions.cs b/src/Microsoft.Sbom.Extensions.DependencyInjection/ServiceCollectionExtensions.cs
@@ -2,31 +2,8 @@
 // Licensed under the MIT license. See LICENSE file in the project root for full license information.
 
 using System.Collections.Concurrent;
-using Microsoft.ComponentDetection.Common;
-using Microsoft.ComponentDetection.Contracts;
-using Microsoft.ComponentDetection.Detectors.CocoaPods;
-using Microsoft.ComponentDetection.Detectors.Conan;
-using Microsoft.ComponentDetection.Detectors.Dockerfile;
-using Microsoft.ComponentDetection.Detectors.Go;
-using Microsoft.ComponentDetection.Detectors.Gradle;
-using Microsoft.ComponentDetection.Detectors.Ivy;
-using Microsoft.ComponentDetection.Detectors.Linux;
-using Microsoft.ComponentDetection.Detectors.Maven;
-using Microsoft.ComponentDetection.Detectors.Npm;
-using Microsoft.ComponentDetection.Detectors.NuGet;
-using Microsoft.ComponentDetection.Detectors.Pip;
-using Microsoft.ComponentDetection.Detectors.Pnpm;
-using Microsoft.ComponentDetection.Detectors.Poetry;
-using Microsoft.ComponentDetection.Detectors.Ruby;
-using Microsoft.ComponentDetection.Detectors.Rust;
-using Microsoft.ComponentDetection.Detectors.Spdx;
-using Microsoft.ComponentDetection.Detectors.Vcpkg;
-using Microsoft.ComponentDetection.Detectors.Yarn;
-using Microsoft.ComponentDetection.Detectors.Yarn.Parsers;
 using Microsoft.ComponentDetection.Orchestrator;
-using Microsoft.ComponentDetection.Orchestrator.Experiments;
-using Microsoft.ComponentDetection.Orchestrator.Services;
-using Microsoft.ComponentDetection.Orchestrator.Services.GraphTranslation;
+using Microsoft.ComponentDetection.Orchestrator.Extensions;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Http;
 using Microsoft.Extensions.Logging;
@@ -212,10 +189,7 @@ public static IServiceCollection AddSbomTool(this IServiceCollection services, L
 
                 return manifestData;
             })
-            .ConfigureLoggingProviders()
-            .ConfigureComponentDetectors()
-            .ConfigureComponentDetectionSharedServices()
-            .ConfigureComponentDetectionCommandLineServices()
+            .AddComponentDetection()
             .AddHttpClient<LicenseInformationService>();
 
         return services;
@@ -240,74 +214,4 @@ public static IServiceCollection ConfigureLoggingProviders(this IServiceCollecti
 
         return services;
     }
-
-    public static IServiceCollection ConfigureComponentDetectionCommandLineServices(this IServiceCollection services)
-    {
-        services.AddSingleton<IScanExecutionService, ScanExecutionService>();
-        services.AddSingleton<IDetectorProcessingService, DetectorProcessingService>();
-        services.AddSingleton<IDetectorRestrictionService, DetectorRestrictionService>();
-        services.AddSingleton<IArgumentHelper, ArgumentHelper>();
-
-        return services;
-    }
-
-    public static IServiceCollection ConfigureComponentDetectionSharedServices(this IServiceCollection services)
-    {
-        services.AddSingleton<IFileWritingService, FileWritingService>();
-        services.AddSingleton<IArgumentHelper, ArgumentHelper>();
-        services.AddSingleton<ICommandLineInvocationService, CommandLineInvocationService>();
-        services.AddSingleton<IComponentStreamEnumerableFactory, ComponentStreamEnumerableFactory>();
-        services.AddSingleton<IConsoleWritingService, ConsoleWritingService>();
-        services.AddSingleton<IDockerService, DockerService>();
-        services.AddSingleton<IEnvironmentVariableService, EnvironmentVariableService>();
-        services.AddSingleton<IObservableDirectoryWalkerFactory, FastDirectoryWalkerFactory>();
-        services.AddSingleton<IFileUtilityService, FileUtilityService>();
-        services.AddSingleton<IFileWritingService, FileWritingService>();
-        services.AddSingleton<IGraphTranslationService, DefaultGraphTranslationService>();
-        services.AddSingleton<IPathUtilityService, PathUtilityService>();
-        services.AddSingleton<ISafeFileEnumerableFactory, SafeFileEnumerableFactory>();
-        services.AddSingleton<IExperimentService, ExperimentService>();
-
-        return services;
-    }
-
-    public static IServiceCollection ConfigureComponentDetectors(this IServiceCollection services)
-    {
-        services.AddSingleton<IComponentDetector, PodComponentDetector>();
-        services.AddSingleton<IComponentDetector, ConanLockComponentDetector>();
-        services.AddSingleton<IComponentDetector, CondaLockComponentDetector>();
-        services.AddSingleton<IComponentDetector, DockerfileComponentDetector>();
-        services.AddSingleton<IComponentDetector, GoComponentDetector>();
-        services.AddSingleton<IComponentDetector, GradleComponentDetector>();
-        services.AddSingleton<IComponentDetector, IvyDetector>();
-        services.AddSingleton<ILinuxScanner, LinuxScanner>();
-        services.AddSingleton<IComponentDetector, LinuxContainerDetector>();
-        services.AddSingleton<IMavenCommandService, MavenCommandService>();
-        services.AddSingleton<IMavenStyleDependencyGraphParserService, MavenStyleDependencyGraphParserService>();
-        services.AddSingleton<IComponentDetector, MvnCliComponentDetector>();
-        services.AddSingleton<IComponentDetector, NpmComponentDetector>();
-        services.AddSingleton<IComponentDetector, NpmComponentDetectorWithRoots>();
-        services.AddSingleton<IComponentDetector, NpmLockfile3Detector>();
-        services.AddSingleton<IComponentDetector, NuGetComponentDetector>();
-        services.AddSingleton<IComponentDetector, NuGetPackagesConfigDetector>();
-        services.AddSingleton<IComponentDetector, NuGetProjectModelProjectCentricComponentDetector>();
-        services.AddSingleton<IPyPiClient, PyPiClient>();
-        services.AddSingleton<ISimplePyPiClient, SimplePyPiClient>();
-        services.AddSingleton<IPythonCommandService, PythonCommandService>();
-        services.AddSingleton<IPythonResolver, PythonResolver>();
-        services.AddSingleton<ISimplePythonResolver, SimplePythonResolver>();
-        services.AddSingleton<IComponentDetector, PipComponentDetector>();
-        services.AddSingleton<IComponentDetector, SimplePipComponentDetector>();
-        services.AddSingleton<IComponentDetector, PnpmComponentDetector>();
-        services.AddSingleton<IComponentDetector, PoetryComponentDetector>();
-        services.AddSingleton<IComponentDetector, RubyComponentDetector>();
-        services.AddSingleton<IComponentDetector, RustCrateDetector>();
-        services.AddSingleton<IComponentDetector, Spdx22ComponentDetector>();
-        services.AddSingleton<IComponentDetector, VcpkgComponentDetector>();
-        services.AddSingleton<IYarnLockParser, YarnLockParser>();
-        services.AddSingleton<IYarnLockFileFactory, YarnLockFileFactory>();
-        services.AddSingleton<IComponentDetector, YarnLockComponentDetector>();
-
-        return services;
-    }
 }
diff --git a/src/Microsoft.Sbom.Tool/Program.cs b/src/Microsoft.Sbom.Tool/Program.cs
@@ -69,7 +69,7 @@ await Host.CreateDefaultBuilder(args)
                             inputConfiguration.ToConfiguration();
                             return inputConfiguration;
                         })
-
+                        .ConfigureLoggingProviders()
                         .AddSbomTool();
                 })
                 .RunConsoleAsync(x => x.SuppressStatusMessages = true);