made script for generating sbom csv

deathtenk · deathtenk · commit a084afc6212e · 2026-01-27T10:58:57.000-05:00
diff --git a/Makefile b/Makefile
@@ -23,7 +23,7 @@ resources/public/admin:
 # All other phony targets run lrsql instances that can be used and tested
 # during development. All start up with fixed DB properties and seed creds.
 
-.phony: clean-dev, ci, ephemeral, ephemeral-prod, sqlite, postgres, mariadb, mysql, bench, bench-async, keycloak-demo, ephemeral-oidc, superset-demo, clamav-demo, test-sqlite, test-postgres, test-postgres-14, test-postgres-15, test-postgres-16, test-postgres-17, test-postgres-18, test-mariadb, test-mariadb-10.6, test-mariadb-10.11, test-mariadb-11.4, test-mariadb-11.7.2, test-mariadb-11.8, test-mysql, test-mysql-8.0.44, test-mysql-8.4, test-mysql-9.5.0
+.phony: clean-dev, ci, ephemeral, ephemeral-prod, sqlite, postgres, mariadb, mysql, bench, bench-async, keycloak-demo, ephemeral-oidc, superset-demo, clamav-demo, test-sqlite, test-postgres, test-postgres-14, test-postgres-15, test-postgres-16, test-postgres-17, test-postgres-18, test-mariadb, test-mariadb-10.6, test-mariadb-10.11, test-mariadb-11.4, test-mariadb-11.7.2, test-mariadb-11.8, test-mysql, test-mysql-8.0.44, test-mysql-8.4, test-mysql-9.5.0, sbom, sbom-csv
 
 clean-dev:
 	rm -rf *.db *.log resources/public tmp
@@ -364,6 +364,16 @@ run-jar-mysql: target/bundle
 pom.xml:
 	clojure -Adb-sqlite:db-postgres -Spom
 
+sbom: pom.xml
+	mvn -q org.cyclonedx:cyclonedx-maven-plugin:makeAggregateBom \
+	  -DoutputFormat=json \
+	  -DoutputName=lrsql \
+	  -DschemaVersion=1.6 \
+	  -DprojectType=application
+
+sbom-csv: sbom
+	jq -r -f ./dev-resources/sbom/sbom_flat.jq ./target/lrsql.json > ./target/lrsql-sbom.csv
+
 # TODO: Add a local vulnerability checker.
 # Note that we removed our previous one that used nvd-clojure as that app was
 # becoming too unreliable; perhaps look into clj-watson?
diff --git a/dev-resources/sbom/sbom_flat.jq b/dev-resources/sbom/sbom_flat.jq
@@ -0,0 +1,17 @@
+def pkg_name(c):
+  if (c.group? // "") != "" then "\(c.group)/\(c.name)" else (c.name // "") end;
+
+[
+  .metadata.component?,
+  .components[]?
+]
+| map(select(. != null))
+| map({
+    package: pkg_name(.),
+    source: (.purl // .["bom-ref"] // .author // .publisher // "unknown"),
+    version: (.version // "unknown")
+  })
+| unique
+| sort_by(.package, .version)
+| (["package","source","version"] | @csv),
+  (.[] | [ .package, .source, .version ] | @csv)
