Add new command sbom:cyclonedx

extensions/commands/recipe/README.md

@@ -36,3 +36,73 @@ updating moltenvk/1.2.0 to moltenvk/1.2.2 in conan-center-index/recipes/qt/6.x.x
 updating libjpeg-turbo/2.1.4 to libjpeg-turbo/2.1.5 in conan-center-index/recipes/qt/6.x.x/conanfile.py:386
 Successfully bumped the dependencies of recipe conan-center-index/recipes/qt/6.x.x/conanfile.py
 ```
+
+#### [Create SBOM](cmd_create_sbom.py)
+
+For the graph JSON passed as parameter it creates an SBOM in CycloneDX 1.4 JSON format.
+
+**Parameters**
+- **graph_json**: Path to Conan generated graph JSON output file.
+
+```
+$ conan graph info -f json --requires=openssl/3.1.1 > openssl_graph.json
+$ conan recipe:create-sbom ./openssl_graph.json
+{
+    "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
+    "bomFormat": "CycloneDX",
+    "specVersion": "1.4",
+    "version": 1,
+    "dependencies": [
+        {
+            "ref": "1"
+        },
+        {
+            "ref": "2"
+        }
+    ],
+    "components": [
+        {
+            "type": "library",
+            "bom-ref": "1",
+            "purl": "pkg:conan/[email protected]?repository_url=conancenter&rref=3a25e05b364f335633143656dc265841",
+            "licenses": [
+                {
+                    "license": {
+                        "id": "Apache-2.0"
+                    }
+                }
+            ],
+            "name": "openssl",
+            "version": "3.1.1",
+            "description": "A toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols",
+            "externalReferences": [
+                {
+                    "url": "https://github.com/openssl/openssl",
+                    "type": "website"
+                }
+            ]
+        },
+        {
+            "type": "library",
+            "bom-ref": "2",
+            "purl": "pkg:conan/[email protected]?prev=724b61ab750aa7f88abacafc926395d3&repository_url=https://center.conan.io&rref=13c96f538b52e1600c40b88994de240f",
+            "licenses": [
+                {
+                    "license": {
+                        "id": "Zlib"
+                    }
+                }
+            ],
+            "name": "zlib",
+            "version": "1.2.13",
+            "description": "A Massively Spiffy Yet Delicately Unobtrusive Compression Library (Also Free, Not to Mention Unencumbered by Patents)",
+            "externalReferences": [
+                {
+                    "url": "https://zlib.net",
+                    "type": "website"
+                }
+            ]
+        }
+    ]
+}
+```

extensions/commands/recipe/cmd_create_sbom.py

@@ -0,0 +1,86 @@
+import json
+from packageurl import PackageURL
+
+from conan.api.output import cli_out_write
+from conan.api.conan_api import ConanAPI
+from conan.cli.command import conan_command
+
+
+def licenses(id):
+    """
+    see https://cyclonedx.org/docs/1.4/json/#components_items_licenses
+    """
+    if id is None:
+        return []
+    else:
+        return [{"license": {
+            "id": id
+        }}]
+
+
+def package_url(node: dict) -> PackageURL:
+    """
+    Creates a PURL following https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#conan
+    """
+    qualifiers = {
+        "prev": node["prev"]
+    }
+    if node["user"]:
+        qualifiers["user"] = node["user"]
+    if node["channel"]:
+        qualifiers["channel"] = node["channel"]
+    if "#" in node["ref"]:
+        qualifiers["rref"] = node["ref"].split("#")[1]
+    qualifiers["repository_url"] = node["remote"] if node["remote"] else "https://center.conan.io"
+    return PackageURL(
+        type="conan",
+        name=node["name"],
+        version=node["version"],
+        qualifiers=qualifiers)
+
+
+def component(n: dict) -> dict:
+    """
+    see https://cyclonedx.org/docs/1.4/json/#components
+    """
+    result = {
+        "type": "library",
+        "bom-ref": n["id"],
+        "purl": package_url(n).to_string(),
+        "licenses": licenses(n["license"]),
+        "name": n["name"],
+        "version": n["version"]
+    }
+    if n["description"]:
+        result["description"] = n["description"]
+    if n["homepage"]:
+        result["externalReferences"] = [{
+            "url": n["homepage"],
+            "type": "website"
+        }]
+    return result
+
+
+@conan_command(group="Recipe")
+def create_sbom(conan_api: ConanAPI, parser, *args):
+    """
+    creates an SBOM in CycloneDX 1.4 JSON format from a Conan graph JSON
+    """
+    parser.add_argument("graph_json", help="Path to Conan generated graph JSON output file.")
+    args = parser.parse_args(*args)
+    with open(args.graph_json, 'r') as f:
+        data = json.load(f)
+    deps = data["graph"]["nodes"]
+    deps.pop("0")
+    cyclonedx = {
+        "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",  # https not allowed here, see schema
+        "bomFormat": "CycloneDX",
+        "specVersion": "1.4",
+        "version": 1,
+        "dependencies": [{
+            "ref": n
+        } for n in deps],
+        "components": [component(n) for n in deps.values()]
+    }
+    json_result = json.dumps(cyclonedx, indent=4)
+    cli_out_write(json_result)