
     1  // Package paketosbom implements a standardized SBoM format that can be used in
     2  // Paketo Buildpacks.
     3  //
     4  // Deprecated: this package is frozen and will be removed in the next major
     5  // release of packit.
     6  package paketosbom
     7  
     8  import (
     9  	"fmt"
    10  	"strings"
    11  	"time"
    12  )
    13  
// BOMMetadata represents how the Paketo-specific implementation of
// the Software Bill of Materials metadata components should be structured and named.
//
// Every field carries an `omitempty` TOML tag, so fields left at their zero
// value are dropped when the metadata is serialized. Checksum describes a
// digest attached to this entry; nothing in this file computes or verifies
// that digest, so consumers should treat it as declared metadata rather than
// as proof of integrity. Source carries the same kind of metadata for the
// dependency's source (see BOMSource).
type BOMMetadata struct {
	Architecture    string      `toml:"arch,omitempty"`
	CPE             string      `toml:"cpe,omitempty"`
	DeprecationDate time.Time   `toml:"deprecation-date,omitempty"`
	Licenses        []string    `toml:"licenses,omitempty"`
	PURL            string      `toml:"purl,omitempty"`
	Checksum        BOMChecksum `toml:"checksum,omitempty"`
	Summary         string      `toml:"summary,omitempty"`
	URI             string      `toml:"uri,omitempty"`
	Version         string      `toml:"version,omitempty"`
	Source          BOMSource   `toml:"source,omitempty"`
}
    28  
// BOMSource holds the source-related metadata (name, checksum, upstream
// version and URI) attached to a BOMMetadata entry through its Source field.
// All fields are tagged `omitempty` and are serialized only when set.
type BOMSource struct {
	Name            string      `toml:"name,omitempty"`
	Checksum        BOMChecksum `toml:"checksum,omitempty"`
	UpstreamVersion string      `toml:"upstream-version,omitempty"`
	URI             string      `toml:"uri,omitempty"`
}
    35  
// BOMChecksum pairs a digest with the algorithm that produced it.
//
// Algorithm is a ChecksumAlgorithm, so in practice it is one of the exported
// constants at the bottom of this file or the result of
// GetBOMChecksumAlgorithm. Hash is stored exactly as given; this file neither
// computes nor checks it, and it does not validate that the hash length
// matches the named algorithm.
type BOMChecksum struct {
	Algorithm ChecksumAlgorithm `toml:"algorithm,omitempty"`
	Hash      string            `toml:"hash,omitempty"`
}
    40  
// ChecksumAlgorithm is the type of the Algorithm field of BOMChecksum.
//
// Its only method is unexported, so only types declared in this package can
// satisfy it; the single implementation is the algorithm string type below.
// Callers therefore obtain a value either from one of the exported constants
// or by normalizing a user-supplied name with GetBOMChecksumAlgorithm.
type ChecksumAlgorithm interface {
	alg() algorithm
}
    44  
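// algorithm is the package-private implementation of ChecksumAlgorithm. Its
// string value is the CycloneDX spelling of the algorithm name, which is what
// ends up in serialized metadata.
type algorithm string

// alg satisfies ChecksumAlgorithm; it returns the receiver unchanged.
func (a algorithm) alg() algorithm {
	return a
}

// GetBOMChecksumAlgorithm takes in an algorithm string, and reasonably tries
// to figure out the equivalent CycloneDX-supported algorithm field name.
// It returns an error if no reasonable supported format is found.
// Supported formats:
// { 'MD5'| 'SHA-1'| 'SHA-256'| 'SHA-384'| 'SHA-512'| 'SHA3-256'| 'SHA3-384'| 'SHA3-512'| 'BLAKE2b-256'| 'BLAKE2b-384'| 'BLAKE2b-512'| 'BLAKE3'}
//
// Matching is case-insensitive and tolerates the hyphen being omitted, so
// "sha256", "SHA256" and "SHA-256" all yield SHA256. No other normalization
// (whitespace trimming, underscores) is performed. On error the returned
// algorithm is the empty string and must not be used.
//
// MD5 and SHA-1 are accepted because CycloneDX names them, not because they
// are collision-resistant; a consumer making integrity decisions from a
// BOMChecksum should prefer entries using one of the stronger algorithms.
func GetBOMChecksumAlgorithm(alg string) (algorithm, error) {
	candidates := []algorithm{SHA256, SHA1, SHA384, SHA512, SHA3256, SHA3384, SHA3512, BLAKE2B256, BLAKE2B384, BLAKE2B512, BLAKE3, MD5}
	for _, candidate := range candidates {
		name := string(candidate)
		if strings.EqualFold(name, alg) || strings.EqualFold(strings.ReplaceAll(name, "-", ""), alg) {
			return candidate, nil
		}
	}

	// The input is caller-supplied and is echoed back verbatim; %q quotes and
	// escapes it so an empty string or embedded whitespace/control characters
	// cannot make the message ambiguous or inject text into logs.
	return "", fmt.Errorf("failed to get supported BOM checksum algorithm: %q is not valid", alg)
}

// Exported CycloneDX algorithm names. These are the only values
// GetBOMChecksumAlgorithm can return.
const (
	SHA256     algorithm = "SHA-256"
	SHA1       algorithm = "SHA-1"
	SHA384     algorithm = "SHA-384"
	SHA512     algorithm = "SHA-512"
	SHA3256    algorithm = "SHA3-256"
	SHA3384    algorithm = "SHA3-384"
	SHA3512    algorithm = "SHA3-512"
	BLAKE2B256 algorithm = "BLAKE2b-256"
	BLAKE2B384 algorithm = "BLAKE2b-384"
	BLAKE2B512 algorithm = "BLAKE2b-512"
	BLAKE3     algorithm = "BLAKE3"
	MD5        algorithm = "MD5"
)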