Add format 'cyclonedx' as output format for the graph command

conan/cli/commands/graph.py

@@ -4,7 +4,7 @@
 from conan.cli import make_abs_path
 from conan.cli.args import common_graph_args, validate_common_graph_args
 from conan.cli.command import conan_command, conan_subcommand
-from conan.cli.formatters.graph import format_graph_html, format_graph_json, format_graph_dot
+from conan.cli.formatters.graph import format_graph_html, format_graph_json, format_graph_dot, format_graph_cyclonedx
 from conan.cli.formatters.graph.graph_info_text import format_graph_info
 from conan.cli.printers.graph import print_graph_packages, print_graph_basic
 from conan.internal.deploy import do_deploys
@@ -106,6 +106,7 @@ def graph_build_order_merge(conan_api, parser, subparser, *args):
 @conan_subcommand(formatters={"text": format_graph_info,
                               "html": format_graph_html,
                               "json": format_graph_json,
+                              "cyclonedx": format_graph_cyclonedx,
                               "dot": format_graph_dot})
 def graph_info(conan_api, parser, subparser, *args):
     """

conan/cli/formatters/graph/__init__.py

@@ -1,3 +1,4 @@
 from .graph import format_graph_html
 from .graph import format_graph_dot
 from .graph import format_graph_json
+from .graph import format_graph_cyclonedx

conan/cli/formatters/graph/graph.py

@@ -144,3 +144,44 @@ def format_graph_json(result):
     cli_out_write(json_result)
     if graph.error:
         raise graph.error
+
+
+def format_graph_cyclonedx(result):
+    """
+    # creates a CycloneDX JSON according to https://cyclonedx.org/docs/1.4/json/
+    """
+    def licenses(conanfilelic):
+        def entry(id):
+            return {"license": {
+                "id": id
+            }}
+        if conanfilelic is None:
+            return []
+        elif isinstance(conanfilelic, str):
+            return [entry(conanfilelic)]
+        else:
+            return [entry(i) for i in conanfilelic]
+
+    result["graph"].serialize()  # fills ids
+    deps = result["graph"].nodes[1:]  # first node is app itself
+    cyclonedx = {
+        "bomFormat": "CycloneDX",
+        "specVersion": "1.4",
+        "version": 1,
+        "dependencies": [n.id for n in deps],
+        "components": [
+            {
+                "type": "library",
+                "bom-ref": n.id,
+                "purl": n.package_url().to_string(),
+                "licenses": licenses(n.conanfile.license),
+                "name": n.name,
+                "version": n.conanfile.version,
+                "supplier": {
+                    "url": [n.conanfile.homepage]
+                }
+            } for n in deps
+        ]
+    }
+    json_result = json.dumps(cyclonedx, indent=4)
+    cli_out_write(json_result)

conans/client/graph/graph.py

@@ -1,5 +1,7 @@
 from collections import OrderedDict
 
+from packageurl import PackageURL
+
 from conans.model.package_ref import PkgReference
 from conans.model.recipe_ref import RecipeReference
 
@@ -229,6 +231,29 @@ def serialize(self):
         result["test"] = self.test
         return result
 
+    def package_url(self):
+        """
+        Creates a PURL following https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst
+        """
+        qualifiers = {
+            "prev": self.prev
+        }
+        if self.ref.user:
+            qualifiers["user"] = self.ref.user
+        if self.ref.channel:
+            qualifiers["channel"] = self.ref.channel
+        if self.ref.revision:
+            qualifiers["rref"] = self.ref.revision
+        if self.remote:
+            qualifiers["repository_url"] = self.remote
+        else:
+            qualifiers["repository_url"] = "https://center.conan.io"
+        return PackageURL(
+            type="conan",
+            name=self.name,
+            version=str(self.ref.version),
+            qualifiers=qualifiers)
+
     def overrides(self):
 
         def transitive_subgraph():

conans/requirements.txt

@@ -7,3 +7,4 @@ fasteners>=0.15
 distro>=1.4.0, <=1.8.0; sys_platform == 'linux' or sys_platform == 'linux2'
 Jinja2>=3.0, <4.0.0
 python-dateutil>=2.8.0, <3
+packageurl-python>=0.10.0