refactor: sbom_manager (#4237)

refactored sbom_manager to have similar structure to vex_manager.

 *  swid parsing is moved to sbomparse class

Author: mastersans

cve_bin_tool/cli.py

@@ -70,8 +70,8 @@
 from cve_bin_tool.merge import MergeReports
 from cve_bin_tool.output_engine import OutputEngine
 from cve_bin_tool.package_list_parser import PackageListParser
-from cve_bin_tool.sbom_detection import sbom_detection
-from cve_bin_tool.sbom_manager import SBOMManager
+from cve_bin_tool.sbom_manager.parse import SBOMParse
+from cve_bin_tool.sbom_manager.sbom_detection import sbom_detection
 from cve_bin_tool.util import ProductInfo
 from cve_bin_tool.version import VERSION
 from cve_bin_tool.version_scanner import VersionScanner
@@ -1048,13 +1048,13 @@ def main(argv=None):
         if args["sbom_file"]:
             sbom_root = args["sbom_file"]
             # Process SBOM file
-            sbom_list = SBOMManager(
+            sbom_list = SBOMParse(
                 args["sbom_file"],
                 sbom_type=args["sbom"],
                 logger=LOGGER,
                 validate=not args["disable_validation_check"],
             )
-            parsed_data = sbom_list.scan_file()
+            parsed_data = sbom_list.parse_sbom()
             LOGGER.info(
                 f"The number of products to process from SBOM - {len(parsed_data)}"
             )

cve_bin_tool/output_engine/__init__.py

@@ -13,20 +13,13 @@
 from pathlib import Path
 from typing import IO, Any
 
-from lib4sbom.data.package import SBOMPackage
-from lib4sbom.data.relationship import SBOMRelationship
-from lib4sbom.generator import SBOMGenerator
-from lib4sbom.sbom import SBOM
-
-from ..cve_scanner import CVEData
-from ..cvedb import CVEDB
-from ..error_handler import ErrorHandler, ErrorMode
-from ..log import LOGGER
-from ..util import ProductInfo, Remarks, VersionInfo
-from ..version import VERSION
-from .console import output_console
-from .html import output_html
-from .util import (
+from cve_bin_tool.cve_scanner import CVEData
+from cve_bin_tool.cvedb import CVEDB
+from cve_bin_tool.error_handler import ErrorHandler, ErrorMode
+from cve_bin_tool.log import LOGGER
+from cve_bin_tool.output_engine.console import output_console
+from cve_bin_tool.output_engine.html import output_html
+from cve_bin_tool.output_engine.util import (
     add_extension_if_not,
     format_output,
     format_path,
@@ -35,6 +28,9 @@
     get_cve_summary,
     intermediate_output,
 )
+from cve_bin_tool.sbom_manager.generate import SBOMGenerate
+from cve_bin_tool.util import ProductInfo, Remarks, VersionInfo
+from cve_bin_tool.version import VERSION
 
 
 def output_json(
@@ -794,13 +790,15 @@ def output_cves(self, outfile, output_type="console"):
         if self.vex_filename != "":
             self.generate_vex(self.all_cve_data, self.vex_filename)
         if self.sbom_filename != "":
-            self.generate_sbom(
+            sbomgen = SBOMGenerate(
                 self.all_product_data,
-                filename=self.sbom_filename,
-                sbom_type=self.sbom_type,
-                sbom_format=self.sbom_format,
-                sbom_root=self.sbom_root,
+                self.sbom_filename,
+                self.sbom_type,
+                self.sbom_format,
+                self.sbom_root,
+                self.logger,
             )
+            sbomgen.generate_sbom()
 
     def generate_vex(self, all_cve_data: dict[ProductInfo, CVEData], filename: str):
         """Generate a vex file and create vulnerability entry."""
@@ -906,78 +904,6 @@ def generate_vex(self, all_cve_data: dict[ProductInfo, CVEData], filename: str):
         with open(filename, "w") as outfile:
             json.dump(vex_output, outfile, indent="   ")
 
-    def generate_sbom(
-        self,
-        all_product_data,
-        filename="",
-        sbom_type="spdx",
-        sbom_format="tag",
-        sbom_root="CVE-SCAN",
-    ):
-        """Create SBOM package and generate SBOM file."""
-        # Create SBOM
-        sbom_relationships = []
-        my_package = SBOMPackage()
-        sbom_relationship = SBOMRelationship()
-
-        # Create root package
-        my_package.initialise()
-        root_package = f'CVEBINTOOL-{Path(sbom_root).name.replace(".", "-")}'
-        parent = f"SBOM_{root_package}"
-        my_package.set_name(root_package)
-        my_package.set_type("application")
-        my_package.set_filesanalysis(False)
-        my_package.set_downloadlocation(sbom_root)
-        license = "NOASSERTION"
-        my_package.set_licensedeclared(license)
-        my_package.set_licenseconcluded(license)
-        my_package.set_supplier("UNKNOWN", "NOASSERTION")
-
-        # Store package data
-        self.sbom_packages[(my_package.get_name(), my_package.get_value("version"))] = (
-            my_package.get_package()
-        )
-        sbom_relationship.initialise()
-        sbom_relationship.set_relationship(parent, "DESCRIBES", root_package)
-        sbom_relationships.append(sbom_relationship.get_relationship())
-
-        # Add dependent products
-        for product_data in all_product_data:
-            my_package.initialise()
-            my_package.set_name(product_data.product)
-            my_package.set_version(product_data.version)
-            if product_data.vendor.casefold() != "UNKNOWN".casefold():
-                my_package.set_supplier("Organization", product_data.vendor)
-            my_package.set_licensedeclared(license)
-            my_package.set_licenseconcluded(license)
-            if not (
-                (my_package.get_name(), my_package.get_value("version"))
-                in self.sbom_packages
-                and product_data.vendor == "unknown"
-            ):
-                location = product_data.location
-                my_package.set_evidence(location)  # Set location directly
-                self.sbom_packages[
-                    (my_package.get_name(), my_package.get_value("version"))
-                ] = my_package.get_package()
-            sbom_relationship.initialise()
-            sbom_relationship.set_relationship(
-                root_package, "DEPENDS_ON", product_data.product
-            )
-            sbom_relationships.append(sbom_relationship.get_relationship())
-
-        # Generate SBOM
-        my_sbom = SBOM()
-        my_sbom.add_packages(self.sbom_packages)
-        my_sbom.add_relationships(sbom_relationships)
-        my_generator = SBOMGenerator(
-            sbom_type=sbom_type,
-            format=sbom_format,
-            application="cve-bin-tool",
-            version=VERSION,
-        )
-        my_generator.generate(parent, my_sbom.get_sbom(), filename=filename)
-
     def output_file_wrapper(self, output_types=["console"]):
         """Call output_file method for all output types."""
         for output_type in output_types: