add sbom generation using cdxgen (system)

mxmehl · mxmehl · commit 26932554cdc7 · 2024-09-19T13:46:25.000+02:00
diff --git a/complassist/_sbom_generate.py b/complassist/_sbom_generate.py
@@ -182,8 +182,15 @@ def _run_syft(directory: str, tmpfile: str) -> tuple[int, str, str]:
     return _run_program("syft", "scan", f"dir:{directory}", "-o", f"cyclonedx-json={tmpfile}")
 
 
+def _run_cdxgen(directory: str, tmpfile: str) -> tuple[int, str, str]:
+    """Run cdxgen to generate SBOM"""
+    _, cdxgen_version, _ = _run_program("cdxgen", "--version")
+    logging.info("Running cdxgen %s to generate SBOM", cdxgen_version)
+    return _run_program("cdxgen", "-r", "-o", tmpfile)
+
+
 def sbom_gen_system_program(
-    program: Literal["syft"], directory: str, output: str = ""
+    program: Literal["syft", "cdxgen"], directory: str, output: str = ""
 ) -> str:
     """
     Generates a CycloneDX Software Bill of Materials (SBOM) for the project
@@ -211,6 +218,8 @@ def sbom_gen_system_program(
     with NamedTemporaryFile() as tmpfile:
         if program == "syft":
             code, stdout, stderr = _run_syft(directory=directory, tmpfile=tmpfile.name)
+        elif program == "cdxgen":
+            code, stdout, stderr = _run_cdxgen(directory=directory, tmpfile=tmpfile.name)
         else:
             logging.critical("Unsupported program provided for SBOM generation")
             sys.exit(1)
diff --git a/complassist/main.py b/complassist/main.py
@@ -56,7 +56,7 @@
     "-g",
     "--generator",
     help="SBOM Generator to use",
-    choices=["cdxgen-docker", "syft"],
+    choices=["syft", "cdxgen", "cdxgen-docker"],
     required=True,
 )
 parser_sbom_gen.add_argument(
@@ -270,9 +270,9 @@ def main():  # pylint: disable=too-many-branches, too-many-statements
         if args.sbom_command == "generate":
             if args.generator == "cdxgen-docker":
                 sbom_gen_cdxgen_docker(directory=args.directory, output=args.output)
-            elif args.generator == "syft":
+            else:
                 sbom_gen_system_program(
-                    program="syft", directory=args.directory, output=args.output
+                    program=args.generator, directory=args.directory, output=args.output
                 )
 
         # Enrich SBOM by ClearlyDefined data
