From 5221f2a1513f185ab1cbb331ac0a94abdc5a6de1 Mon Sep 17 00:00:00 2001
From: Niklas
Date: Mon, 6 Sep 2021 21:58:00 +0200
Subject: [PATCH] refactor: remove version normalization (#60)

* add missing license headers

Signed-off-by: nscuro

* remove version normalization altogether

Signed-off-by: nscuro

Fixes #58
---
 README.md | 3 ---
 internal/cli/cmd/app/app.go | 2 --
 internal/cli/cmd/app/app_test.go | 17 +++++++++++++++++
 internal/cli/cmd/app/options_test.go | 17 +++++++++++++++++
 internal/cli/cmd/bin/bin.go | 4 ++--
 internal/cli/cmd/mod/mod.go | 2 --
 internal/cli/options/options.go | 2 --
 internal/sbom/sbom.go | 18 ------------------
 internal/sbom/sbom_test.go | 21 ---------------------
 9 files changed, 36 insertions(+), 50 deletions(-)

diff --git a/README.md b/README.md
index 98ecb782..ac8245f5 100644
--- a/README.md
+++ b/README.md
@@ -86,7 +86,6 @@ FLAGS
 -licenses=false Resolve module licenses
 -main main.go Path to the application's main file, relative to MODPATH
 -noserial=false Omit serial number
- -novprefix=false Omit "v" prefix from versions
 -output - Output file path (or - for STDOUT)
 -reproducible=false Make the SBOM reproducible by omitting dynamic content
 -serial ... Serial number
@@ -116,7 +115,6 @@ FLAGS
 -json=false Output in JSON
 -licenses=false Resolve module licenses
 -noserial=false Omit serial number
- -novprefix=false Omit "v" prefix from versions
 -output - Output file path (or - for STDOUT)
 -reproducible=false Make the SBOM reproducible by omitting dynamic content
 -serial ... Serial number
@@ -141,7 +139,6 @@ FLAGS
 -json=false Output in JSON
 -licenses=false Resolve module licenses
 -noserial=false Omit serial number
- -novprefix=false Omit "v" prefix from versions
 -output - Output file path (or - for STDOUT)
 -reproducible=false Make the SBOM reproducible by omitting dynamic content
 -serial ... Serial number
diff --git a/internal/cli/cmd/app/app.go b/internal/cli/cmd/app/app.go
index 8ce3e0c7..c0589017 100644
--- a/internal/cli/cmd/app/app.go
+++ b/internal/cli/cmd/app/app.go
@@ -111,8 +111,6 @@ func Exec(options Options) error {
 return err
 }
- sbom.NormalizeVersions(modules, options.NoVersionPrefix)
-
 mainComponent, err := modconv.ToComponent(modules[0],
 modconv.WithComponentType(cdx.ComponentTypeApplication),
 modconv.WithFiles(options.IncludeFiles),
diff --git a/internal/cli/cmd/app/app_test.go b/internal/cli/cmd/app/app_test.go
index 7666b866..2dc1ded1 100644
--- a/internal/cli/cmd/app/app_test.go
+++ b/internal/cli/cmd/app/app_test.go
@@ -1,3 +1,20 @@
+// This file is part of CycloneDX GoMod
+//
+// Licensed under the Apache License, Version 2.0 (the “License”);
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an “AS IS” BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) OWASP Foundation. All Rights Reserved.
+
 package app
 import (
diff --git a/internal/cli/cmd/app/options_test.go b/internal/cli/cmd/app/options_test.go
index 6ff57485..7495f106 100644
--- a/internal/cli/cmd/app/options_test.go
+++ b/internal/cli/cmd/app/options_test.go
@@ -1,3 +1,20 @@
+// This file is part of CycloneDX GoMod
+//
+// Licensed under the Apache License, Version 2.0 (the “License”);
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an “AS IS” BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) OWASP Foundation. All Rights Reserved.
+
 package app
 import (
diff --git a/internal/cli/cmd/bin/bin.go b/internal/cli/cmd/bin/bin.go
index 1ed73375..15f2cb89 100644
--- a/internal/cli/cmd/bin/bin.go
+++ b/internal/cli/cmd/bin/bin.go
@@ -47,6 +47,8 @@ func New() *ffcli.Command {
 When license resolution is enabled, all modules (including the main module) will be downloaded to the module cache using "go mod download".
+For the download of the main module to work, its version has to be provided
+via the -version flag.
 Please note that data embedded in binaries shouldn't be trusted, unless there's solid evidence that the binaries haven't been modified
@@ -92,8 +94,6 @@ func Exec(binOptions BinOptions) error {
 }
 }
- sbom.NormalizeVersions(modules, binOptions.NoVersionPrefix)
-
 // Make all modules a direct dependency of the main module
 for i := 1; i < len(modules); i++ {
 modules[0].Dependencies = append(modules[0].Dependencies, &modules[i])
diff --git a/internal/cli/cmd/mod/mod.go b/internal/cli/cmd/mod/mod.go
index a18f6b37..1624e1d2 100644
--- a/internal/cli/cmd/mod/mod.go
+++ b/internal/cli/cmd/mod/mod.go
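Review bot: The added -version guidance in the bin.go help text is missing the caveat that the supplied version cannot be checked against the analyzed binary, so with -licenses a wrong -version silently yields license data (and a main-component version) for a different revision of the module — assuming, as the surrounding "data embedded in binaries shouldn't be trusted" paragraph suggests, that nothing in the binary itself is relied on for this. I would extend the two added lines with a sentence along the lines of `The given version is used as-is and is not verified against the binary; make sure it matches the build the binary was produced from.` The phrase "For the download of the main module to work" could also be tightened to `Downloading the main module requires its version to be passed via the -version flag.` These lines sit inside the help string of New(), whose beginning and end lie outside the hunk.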
@@ -102,8 +102,6 @@ func Exec(options ModOptions) error {
 log.Warn().Err(err).Msg("failed to determine version of main module")
 }
- sbom.NormalizeVersions(modules, options.NoVersionPrefix)
-
 mainComponent, err := modconv.ToComponent(modules[0],
 modconv.WithComponentType(cdx.ComponentType(options.ComponentType)),
 modconv.WithLicenses(options.ResolveLicenses),
diff --git a/internal/cli/options/options.go b/internal/cli/options/options.go
index 2b1b6bb3..30dfadf3 100644
--- a/internal/cli/options/options.go
+++ b/internal/cli/options/options.go
@@ -66,7 +66,6 @@ func (o OutputOptions) Validate() error {
 type SBOMOptions struct {
 IncludeStd bool
 NoSerialNumber bool
- NoVersionPrefix bool
 Reproducible bool
 ResolveLicenses bool
 SerialNumber string
@@ -75,7 +74,6 @@ type SBOMOptions struct {
 func (s *SBOMOptions) RegisterFlags(fs *flag.FlagSet) {
 fs.BoolVar(&s.IncludeStd, "std", false, "Include Go standard library as component and dependency of the module")
 fs.BoolVar(&s.NoSerialNumber, "noserial", false, "Omit serial number")
- fs.BoolVar(&s.NoVersionPrefix, "novprefix", false, "Omit \"v\" prefix from versions")
 fs.BoolVar(&s.Reproducible, "reproducible", false, "Make the SBOM reproducible by omitting dynamic content")
 fs.BoolVar(&s.ResolveLicenses, "licenses", false, "Resolve module licenses")
 fs.StringVar(&s.SerialNumber, "serial", "", "Serial number")
diff --git a/internal/sbom/sbom.go b/internal/sbom/sbom.go
index 04adfeaf..a6246fb5 100644
--- a/internal/sbom/sbom.go
+++ b/internal/sbom/sbom.go
@@ -188,21 +188,3 @@ func NewProperty(name, value string) cdx.Property {
 Value: value,
 }
 }
-
-func NormalizeVersions(modules []gomod.Module, trimPrefix bool) {
- for i, module := range modules {
- NormalizeVersion(&modules[i], trimPrefix)
-
- if module.Replace != nil {
- NormalizeVersion(modules[i].Replace, trimPrefix)
- }
- }
-}
-
-func NormalizeVersion(module *gomod.Module, trimPrefix bool) {
- module.Version = strings.TrimSuffix(module.Version, "+incompatible")
-
- if trimPrefix {
- module.Version = strings.TrimPrefix(module.Version, "v")
- }
-}
diff --git a/internal/sbom/sbom_test.go b/internal/sbom/sbom_test.go
index 1903040b..8f2024f1 100644
--- a/internal/sbom/sbom_test.go
+++ b/internal/sbom/sbom_test.go
@@ -21,7 +21,6 @@ import (
 "testing"
 cdx "github.com/CycloneDX/cyclonedx-go"
- "github.com/CycloneDX/cyclonedx-gomod/internal/gomod"
 "github.com/stretchr/testify/require"
 )
@@ -78,23 +77,3 @@ func TestNewProperty(t *testing.T) {
 require.Equal(t, "cdx:gomod:name", property.Name)
 require.Equal(t, "value", property.Value)
 }
-
-func TestNormalizeVersion(t *testing.T) {
- t.Run("With trimPrefix", func(t *testing.T) {
- module := gomod.Module{
- Version: "v1.0.0+incompatible",
- }
-
- NormalizeVersion(&module, true)
- require.Equal(t, "1.0.0", module.Version)
- })
-
- t.Run("Without trimPrefix", func(t *testing.T) {
- module := gomod.Module{
- Version: "v1.0.0+incompatible",
- }
-
- NormalizeVersion(&module, false)
- require.Equal(t, "v1.0.0", module.Version)
- })
-}