SBOM/template data reading

README.md

@@ -6,7 +6,7 @@
 
 # Introduction 
 
-The Continuous Clearing Tool scans and collects the 3rd party OSS components used in a NPM/NuGet/Maven/Debian project and uploads it to SW360 and Fossology by accepting respective project ID for license clearing. 
+The Continuous Clearing Tool scans and collects the 3rd party OSS components used in a NPM/NuGet/Maven/Debian and Python project and uploads it to SW360 and Fossology by accepting respective project ID for license clearing. 
 
 The tool helps the developer/project manager to enable the clearing process faster by reducing the 
 manual effort of creating SW360 and FOSSology workflows.

TestFiles/IntegrationTestFiles/SystemTest1stIterationData/Nuget-Assets/project.assets.json

@@ -0,0 +1,151 @@
+{
+  "version": 3,
+  "targets": {
+    "net6.0": {
+      "Newtonsoft.Json/13.0.3": {
+        "type": "package",
+        "compile": {
+          "lib/net6.0/Newtonsoft.Json.dll": {
+            "related": ".xml"
+          }
+        },
+        "runtime": {
+          "lib/net6.0/Newtonsoft.Json.dll": {
+            "related": ".xml"
+          }
+        }
+      },
+      "SonarAnalyzer.CSharp/9.5.0.73987": {
+        "type": "package"
+      }
+    }
+  },
+  "libraries": {
+    "Newtonsoft.Json/13.0.3": {
+      "sha512": "HrC5BXdl00IP9zeV+0Z848QWPAoCr9P3bDEZguI+gkLcBKAOxix/tLEAAHC+UvDNPv4a2d18lOReHMOagPa+zQ==",
+      "type": "package",
+      "path": "newtonsoft.json/13.0.3",
+      "files": [
+        ".nupkg.metadata",
+        ".signature.p7s",
+        "LICENSE.md",
+        "README.md",
+        "lib/net20/Newtonsoft.Json.dll",
+        "lib/net20/Newtonsoft.Json.xml",
+        "lib/net35/Newtonsoft.Json.dll",
+        "lib/net35/Newtonsoft.Json.xml",
+        "lib/net40/Newtonsoft.Json.dll",
+        "lib/net40/Newtonsoft.Json.xml",
+        "lib/net45/Newtonsoft.Json.dll",
+        "lib/net45/Newtonsoft.Json.xml",
+        "lib/net6.0/Newtonsoft.Json.dll",
+        "lib/net6.0/Newtonsoft.Json.xml",
+        "lib/netstandard1.0/Newtonsoft.Json.dll",
+        "lib/netstandard1.0/Newtonsoft.Json.xml",
+        "lib/netstandard1.3/Newtonsoft.Json.dll",
+        "lib/netstandard1.3/Newtonsoft.Json.xml",
+        "lib/netstandard2.0/Newtonsoft.Json.dll",
+        "lib/netstandard2.0/Newtonsoft.Json.xml",
+        "newtonsoft.json.13.0.3.nupkg.sha512",
+        "newtonsoft.json.nuspec",
+        "packageIcon.png"
+      ]
+    },
+    "SonarAnalyzer.CSharp/9.5.0.73987": {
+      "sha512": "gmcKNWJ7kZqERbOcMnwyGtflOz5LhLwN17bPvs7AUqy8np8pdlFhDNKYmhuhfnFo0lRctLbS2Fr6HJM9QPsymw==",
+      "type": "package",
+      "path": "sonaranalyzer.csharp/9.5.0.73987",
+      "hasTools": true,
+      "files": [
+        ".nupkg.metadata",
+        ".signature.p7s",
+        "analyzers/Google.Protobuf.dll",
+        "analyzers/SonarAnalyzer.CFG.dll",
+        "analyzers/SonarAnalyzer.CSharp.dll",
+        "analyzers/SonarAnalyzer.dll",
+        "images/sonarsource_64.png",
+        "license/THIRD-PARTY-NOTICES.txt",
+        "sonaranalyzer.csharp.9.5.0.73987.nupkg.sha512",
+        "sonaranalyzer.csharp.nuspec",
+        "tools/install.ps1",
+        "tools/uninstall.ps1"
+      ]
+    }
+  },
+  "projectFileDependencyGroups": {
+    "net6.0": [
+      "Newtonsoft.Json >= 13.0.3",
+      "SonarAnalyzer.CSharp >= 9.5.0.73987"
+    ]
+  },
+  "packageFolders": {
+    "": {}
+  },
+  "project": {
+    "version": "1.0.0",
+    "restore": {
+      "projectUniqueName": "D:\\Nuget-SBOM\\ProjectAssets\\ProjectAssets\\ProjectAssets\\ProjectAssets.csproj",
+      "projectName": "ProjectAssets",
+      "projectPath": "D:\\Nuget-SBOM\\ProjectAssets\\ProjectAssets\\ProjectAssets\\ProjectAssets.csproj",
+      "packagesPath": "",
+      "outputPath": "D:\\Nuget-SBOM\\ProjectAssets\\ProjectAssets\\ProjectAssets\\obj\\",
+      "projectStyle": "PackageReference",
+      "configFilePaths": [
+        "C:\\Users\\z004neay\\AppData\\Roaming\\NuGet\\NuGet.Config",
+        "C:\\Program Files (x86)\\NuGet\\Config\\Microsoft.VisualStudio.Offline.config"
+      ],
+      "originalTargetFrameworks": [
+        "net6.0"
+      ],
+      "sources": {
+        "C:\\Program Files (x86)\\Microsoft SDKs\\NuGetPackages\\": {},
+        "https://api.nuget.org/v3/index.json": {}
+      },
+      "frameworks": {
+        "net6.0": {
+          "targetAlias": "net6.0",
+          "projectReferences": {}
+        }
+      },
+      "warningProperties": {
+        "warnAsError": [
+          "NU1605"
+        ]
+      }
+    },
+    "frameworks": {
+      "net6.0": {
+        "targetAlias": "net6.0",
+        "dependencies": {
+          "Newtonsoft.Json": {
+            "target": "Package",
+            "version": "[13.0.3, )"
+          },
+          "SonarAnalyzer.CSharp": {
+            "include": "Runtime, Build, Native, ContentFiles, Analyzers, BuildTransitive",
+            "suppressParent": "All",
+            "target": "Package",
+            "version": "[9.5.0.73987, )"
+          }
+        },
+        "imports": [
+          "net461",
+          "net462",
+          "net47",
+          "net471",
+          "net472",
+          "net48",
+          "net481"
+        ],
+        "assetTargetFallback": true,
+        "warn": true,
+        "frameworkReferences": {
+          "Microsoft.NETCore.App": {
+            "privateAssets": "all"
+          }
+        },
+        "runtimeIdentifierGraphPath": "C:\\Program Files\\dotnet\\sdk\\7.0.202\\RuntimeIdentifierGraph.json"
+      }
+    }
+  }
+}

TestFiles/IntegrationTestFiles/SystemTest1stIterationData/Template-Nuget/Template_Nuget.cdx.json

@@ -0,0 +1,69 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:43858d10-328d-40d3-8184-ad4f0b5ea53c",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2023-07-11T12:11:14Z",
+    "tools": [
+      {
+        "vendor": "anchore",
+        "name": "syft",
+        "version": "0.84.1"
+      }
+    ],
+    "component": {
+      "bom-ref": "f8e285590963f51a",
+      "type": "container",
+      "name": "",
+      "version": "sha256:b75774030c2c10178aad29230221cad47aa607c72895aa4af389b3f1f01f71f4"
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:nuget/[email protected]",
+      "type": "library",
+      "publisher": "",
+      "name": "System.Memory",
+      "version": "4.5.4",
+      "licenses": [
+        {
+          "license": {
+            "id": "GPL-2.0-only"
+          }
+        }
+      ],
+      "cpe": "",
+      "purl": "pkg:nuget/[email protected]",
+      "properties": [
+        {
+          "name": "syft:package:foundBy",
+          "value": "Testing Properties"
+        }
+      ]
+    },
+    {
+      "bom-ref": "pkg:nuget/[email protected]",
+      "type": "library",
+      "publisher": "",
+      "name": "Newtonsoft.Json",
+      "version": "13.0.3",
+      "licenses": [
+        {
+          "license": {
+            "id": "GPL-2.0-only"
+          }
+        }
+      ],
+      "cpe": "",
+      "purl": "pkg:nuget/[email protected]",
+      "properties": [
+        {
+          "name": "syft:package:foundBy",
+          "value": "Testing Properties"
+        }
+      ]
+    }
+  ]
+}

doc/UsageDoc/CA_UsageDocument.md

@@ -46,7 +46,7 @@
 <!--te-->
 # Introduction
 
-The Continuous Clearing Tool helps the Project Manager/Developer to automate the sw360 clearing process of 3rd party components. This tool scans and identifies the third-party components used in a NPM, NUGET, MAVEN and Debian projects and makes an entry in SW360, if it is not present. Continuous Clearing Tool links the components to the respective project and creates job for code scan in FOSSology.
+The SBOM Continuous Clearing Tool helps the Project Manager/Developer to automate the sw360 clearing process of 3rd party components. This tool scans and identifies the third-party components used in a NPM, NUGET, MAVEN , Debian and Python projects and makes an entry in SW360, if it is not present. Continuous Clearing Tool links the components to the respective project and creates job for code scan in FOSSology.
 
 Continuous Clearing Tool reduces the effort in creating components in SW360 and identifying the matching source codes from the public repository. Tool eliminates the manual error while creating component and identifying correct version of source code from public repository. Continuous Clearing Tool harmonize the creation of 3P components in SW360 by filling necessary information.
 
@@ -153,10 +153,13 @@ Continuous Clearing Tool reduces the effort in creating components in SW360 and
          * **Note** : Incase your project has internal dependencies, compile the project **prior to running the clearing tool**
 
                  mvn clean install -DskipTests=true 
-
+
+       - **Project Type :** **Python** 
+
+          * Input file repository should contain **poetry.lock** file. 
 
      - **Project Type :**  **Debian** 
-
+       
    	      **Note** : below steps is required only if you have `tar` file to process , otherwise you can keep `CycloneDx.json` file in the InputDirectory.
           *  Create `InputImage` directory for keeping `tar` images and `InputDirectory` for resulted file storing .
 
@@ -202,6 +205,7 @@ Continuous Clearing Tool reduces the effort in creating components in SW360 and
   "BomFilePath":"/mnt/Output/<SW360 Project Name>_Bom.cdx.json",
 //IdentifierBomFilePath : For multiple project type 
   "IdentifierBomFilePath": "",
+  "CycloneDxSBomTemplatePath": "/PathToSBOMTemplateFile",
   "ArtifactoryUploadApiKey": "<Insert ArtifactoryUploadApiKey in a secure way>",//This should be Jfrog Key
   "ArtifactoryUploadUser": "<Insert ArtifactoryUploadUser>",//This should be Jfrog user name
   "RemoveDevDependency": true,
@@ -241,6 +245,11 @@ Continuous Clearing Tool reduces the effort in creating components in SW360 and
     "Include": [ "*.json" ],
     "Exclude": [],
     "ExcludedComponents": []
+  },
+  "Python": {
+    "Include": [ "poetry.lock", "*.cdx.json" ],
+    "Exclude": [],
+    "ExcludedComponents": []
   }
 }
 ```
@@ -250,7 +259,7 @@ Description for the settings in `appSettings.json` file
 |S.No| Argument name   |Description  | Is it Mandatory    | Example |
 |--|--|--|--|--|
 | 1 |--packagefilepath   | Path to the package-lock.json file or to the directory where the project is present in case we have multiple package-lock.json files.                                      |Yes ,For Docker run /mnt/Input | D:\Clearing Automation |
-| 2 |--cycloneDxbomfilePath | Path to the cycloneDx BOM file. This should not be used along with the package file path(arg no 1).Please note to give only  one type of input at a time.                           |No if the first argument is provided| D:\ExternalToolOutput|
+| 2 |--cylonedxsbomtemplatepath | Path to the SBOM cycloneDx BOM file. Can be passed along with packagefilepath.                           |No if the first argument is provided| D:\ExternalToolOutput|
 | 3 |--bomfolderpath | Path to keep the generated boms  |  Yes , For Docker run /mnt/Output    | D:\Clearing Automation\BOM
 |  4| --sw360token  |  SW360 Auth Token |  Yes| Refer the SW360 Doc [here](https://www.eclipse.org/sw360/docs/development/restapi/access).Make sure you pass this credential in a secured way. |
 | 5 | --sw360projectid |  Project ID from SW360 project URL of the project  |  Yes| Obtained from SW360 |

src/LCT.Common/CommonAppSettings.cs

@@ -52,6 +52,7 @@ public CommonAppSettings(IFolderAction iFolderAction)
         private string m_LogFolderPath;
         private string m_FOSSURL;
         private string m_ArtifactoryUser;
+        private string m_CycloneDxSBomTemplatePath;
 
 
         public bool RemoveDevDependency { get; set; } = true;
@@ -65,7 +66,7 @@ public CommonAppSettings(IFolderAction iFolderAction)
         public Config Debian { get; set; }
         public Config Python { get; set; }
         public string CaVersion { get; set; }
-        public string CycloneDxBomFilePath { get; set; }
+        public string CycloneDxSBomTemplatePath { get; set; }
         public string[] InternalRepoList { get; set; }
         public bool EnableFossTrigger { get; set; } = true;
         public string JfrogNpmDestRepoName { get; set; }
@@ -122,7 +123,7 @@ public string PackageFilePath
             set
             {
                 if (!AppDomain.CurrentDomain.FriendlyName.Contains("SW360PackageCreator") &&
-                    !AppDomain.CurrentDomain.FriendlyName.Contains("ArtifactoryUploader") && string.IsNullOrEmpty(CycloneDxBomFilePath))
+                    !AppDomain.CurrentDomain.FriendlyName.Contains("ArtifactoryUploader"))
                 {
                     folderAction.ValidateFolderPath(value);
                     m_PackageFilePath = value;
@@ -276,6 +277,19 @@ public string BomFilePath
             }
         }
 
+        public string SBomTemplatePath
+        {
+            get
+            {
+                return m_CycloneDxSBomTemplatePath;
+            }
+            set
+            {
+                m_CycloneDxSBomTemplatePath = value;
+                _fileOperations.ValidateFilePath(m_CycloneDxSBomTemplatePath);
+            }
+        }
+
         public string ArtifactoryUploadUser
         {
             get

src/LCT.Common/Constants/Dataconstant.cs

@@ -4,6 +4,7 @@
 //  SPDX-License-Identifier: MIT
 // -------------------------------------------------------------------------------------------------------------------- 
 
+using System.Collections.Generic;
 using System.Diagnostics.CodeAnalysis;
 
 namespace LCT.Common.Constants
@@ -14,6 +15,15 @@ namespace LCT.Common.Constants
     [ExcludeFromCodeCoverage]
     public static class Dataconstant
     {
+        private static Dictionary<string, string> purlids = new Dictionary<string, string>
+         {
+        {"NPM", "pkg:npm"},
+        {"NUGET", "pkg:nuget"},
+        {"DEBIAN", "pkg:deb/debian"},
+        {"MAVEN", "pkg:maven"},
+        {"PYTHON", "pkg:pypi"},
+         };
+
         public const string Created = "Created";
         public const string NewlyCreated = "Newly Created";
         public const string Uploaded = "Uploaded";
@@ -31,10 +41,6 @@ public static class Dataconstant
         public const string ReleaseAttachmentComment = "Attached by CA Tool";
         public const char ForwardSlash = '/';
         public const string SourceURLSuffix = "/srcfiles?fileinfo=1";
-        public const string DebianPackage = "pkg:deb/debian";
-        public const string NpmPackage = "pkg:npm";
-        public const string MavenPackage = "pkg:maven";
-        public const string PythonPackage = "pkg:pypi";
         public const string Cdx_ArtifactoryRepoUrl = "internal:siemens:clearing:repo-url";
         public const string Cdx_ProjectType = "internal:siemens:clearing:project-type";
         public const string Cdx_ClearingState = "internal:siemens:clearing:clearing-state";
@@ -43,6 +49,10 @@ public static class Dataconstant
         public const string Cdx_FossologyUrl = "internal:siemens:clearing:fossology:url";
         public const string Cdx_IsDevelopment = "internal:siemens:clearing:development";
         public const string Cdx_IdentifierType = "internal:siemens:clearing:identifier-type";
-        public const string Cdx_IsDevelopmentDependency = "internal:siemens:clearing:development";
+
+        public static Dictionary<string, string> PurlCheck()
+        {
+            return purlids;
+        }
     }
 }

src/LCT.Common/Constants/FileConstant.cs

@@ -44,7 +44,7 @@ public static class FileConstant
         public const string DebianCombinedPatchExtension = "-debian-combined.tar.bz2";
         public const string DSCFileExtension = ".dsc";
         public static readonly string ContainerDir = Path.Combine(@"/app/opt/PatchedFiles");
-        public const string DockerImage = "clearingautomationtool";
+        public const string DockerImage = "ghcr.io/siemens/continuous-clearing";
         public static readonly string DockerCMDTool = Path.Combine(@"/bin/bash");
         public const string appSettingFileName = "appSettings.json";
         public const string CycloneDXFileExtension = ".cdx.json";