Adds a small SBOM for testing, updates launch config, deduplicates an…

…d sorts purls.

.vscode/launch.json

@@ -7,7 +7,7 @@
 		{
 			"type": "lldb",
 			"request": "launch",
-			"name": "Debug executable 'trustier' (railsgoat)",
+			"name": "Debug executable 'trustier' (very small SBOM), output to file",
 			"cargo": {
 				"args": [
 					"build",
@@ -20,14 +20,15 @@
 				}
 			},
 			"args": [
-				"./tests/_TESTDATA_/railsgoat.cyclonedx.json"
+				"--output-file=output/trustier.json",
+				"./tests/_TESTDATA_/small.cyclonedx.json"
 			],
 			"cwd": "${workspaceFolder}"
 		},
 		{
 			"type": "lldb",
 			"request": "launch",
-			"name": "Debug unit tests in executable 'trustier' (railsgoat)",
+			"name": "Debug unit tests in executable 'trustier' (very small SBOM)",
 			"cargo": {
 				"args": [
 					"test",
@@ -41,14 +42,14 @@
 				}
 			},
 			"args": [
-				"./tests/_TESTDATA_/railsgoat.cyclonedx.json"
+				"./tests/_TESTDATA_/small.cyclonedx.json"
 			],
 			"cwd": "${workspaceFolder}"
 		},
 		{
 			"type": "lldb",
 			"request": "launch",
-			"name": "Debug executable 'trustier' (juiceshop)",
+			"name": "Debug executable 'trustier' (railsgoat)",
 			"cargo": {
 				"args": [
 					"build",
@@ -61,17 +62,18 @@
 				}
 			},
 			"args": [
-				"./tests/_TESTDATA_/juiceshop.cyclonedx.json"
+				"./tests/_TESTDATA_/railsgoat.cyclonedx.json"
 			],
 			"cwd": "${workspaceFolder}"
 		},
 		{
 			"type": "lldb",
 			"request": "launch",
-			"name": "Debug executable 'trustier' (juiceshop), output to file",
+			"name": "Debug unit tests in executable 'trustier' (railsgoat)",
 			"cargo": {
 				"args": [
-					"build",
+					"test",
+					"--no-run",
 					"--bin=trustier",
 					"--package=trustier"
 				],
@@ -81,19 +83,17 @@
 				}
 			},
 			"args": [
-				"--output-file=output/trustier.json",
-				"./tests/_TESTDATA_/juiceshop.cyclonedx.json"
+				"./tests/_TESTDATA_/railsgoat.cyclonedx.json"
 			],
 			"cwd": "${workspaceFolder}"
 		},
 		{
 			"type": "lldb",
 			"request": "launch",
-			"name": "Debug unit tests in executable 'trustier' (juiceshop)",
+			"name": "Debug executable 'trustier' (juiceshop)",
 			"cargo": {
 				"args": [
-					"test",
-					"--no-run",
+					"build",
 					"--bin=trustier",
 					"--package=trustier"
 				],
@@ -110,7 +110,7 @@
 		{
 			"type": "lldb",
 			"request": "launch",
-			"name": "Debug executable 'trustier' (trustier)",
+			"name": "Debug executable 'trustier' (juiceshop), output to file",
 			"cargo": {
 				"args": [
 					"build",
@@ -123,17 +123,19 @@
 				}
 			},
 			"args": [
-				"./tests/_TESTDATA_/trustier.cyclonedx.json"
+				"--output-file=output/trustier.json",
+				"./tests/_TESTDATA_/juiceshop.cyclonedx.json"
 			],
 			"cwd": "${workspaceFolder}"
 		},
 		{
 			"type": "lldb",
 			"request": "launch",
-			"name": "Debug executable 'trustier' (trustier), output to file",
+			"name": "Debug unit tests in executable 'trustier' (juiceshop)",
 			"cargo": {
 				"args": [
-					"build",
+					"test",
+					"--no-run",
 					"--bin=trustier",
 					"--package=trustier"
 				],
@@ -143,19 +145,17 @@
 				}
 			},
 			"args": [
-				"--output-file=output/trustier.json",
-				"./tests/_TESTDATA_/trustier.cyclonedx.json"
+				"./tests/_TESTDATA_/juiceshop.cyclonedx.json"
 			],
 			"cwd": "${workspaceFolder}"
 		},
 		{
 			"type": "lldb",
 			"request": "launch",
-			"name": "Debug unit tests in executable 'trustier' (trustier)",
+			"name": "Debug executable 'trustier' (trustier)",
 			"cargo": {
 				"args": [
-					"test",
-					"--no-run",
+					"build",
 					"--bin=trustier",
 					"--package=trustier"
 				],
@@ -172,7 +172,7 @@
 		{
 			"type": "lldb",
 			"request": "launch",
-			"name": "Debug executable 'trustier' (trustier small SBOM), output to file",
+			"name": "Debug executable 'trustier' (trustier), output to file",
 			"cargo": {
 				"args": [
 					"build",
@@ -186,7 +186,7 @@
 			},
 			"args": [
 				"--output-file=output/trustier.json",
-				"./tests/_TESTDATA_/trustier.small.cyclonedx.json"
+				"./tests/_TESTDATA_/trustier.cyclonedx.json"
 			],
 			"cwd": "${workspaceFolder}"
 		},
@@ -207,9 +207,9 @@
 				}
 			},
 			"args": [
-				"./tests/_TESTDATA_/trustier.small.cyclonedx.json"
+				"./tests/_TESTDATA_/trustier.cyclonedx.json"
 			],
 			"cwd": "${workspaceFolder}"
-		}
+		},
 	]
 }

README.md

@@ -6,6 +6,7 @@
 ![GitHub release (latest by date)](https://img.shields.io/github/v/release/devops-kung-fu/trustier)
 
 ## Table of Contents
+
 - [Overview](#overview)
 - [Installation](#installation)
 - [Usage](#usage)
@@ -14,6 +15,7 @@
 - [License](#license)
 
 ## Overview
+
 `trustier` is an application that enriches CycloneDX Software Bill of Materials with activity, provenance, and activity information from [Trusty](https://trustypkg.dev).
 
 The team at [Stacklok](https://stacklok.com) created [Trusty](https://trustypkg.dev) which they describe as a search for an open source packages to understand their trustworthiness based on activity, provenance, and more. Brought to you by the founders of projects such as Kubernetes and Sigstore.
@@ -52,14 +54,13 @@ Sources:
 
 ## Installation
 
-
 ## Application Arguments
 
-| Argument         | Description                                                                 |
-|------------------|-----------------------------------------------------------------------------|
-| `<SBOM>`  | The SBOM (Software Bill of Materials) to process. This argument is required.|
-| `--ratelimit <MS>` | The time in milliseconds to pause before making requests to https://trustypkg.dev. Defaults to 500 ms. |
-| `--output_file <FILE>` | Optional file name to write JSON output to. If not provided, output will be printed to the console. |
+| Argument               | Description                                                                                            |
+| ---------------------- | ------------------------------------------------------------------------------------------------------ |
+| `<SBOM>`               | The SBOM (Software Bill of Materials) to process. This argument is required.                           |
+| `--ratelimit <MS>`     | The time in milliseconds to pause before making requests to https://trustypkg.dev. Defaults to 500 ms. |
+| `--output_file <FILE>` | Optional file name to write JSON output to. If not provided, output will be printed to the console.    |
 
 ## Example Usage
 
@@ -74,6 +75,14 @@ trustier sbom_file.json --ratelimit 1000
 trustier sbom_file.json --output_file output.json
 ```
 
+## Troubleshooting
+
+During testing, we found there were some required fields needed in the SBOM in order to be considered valid. Ensure at minimum you have the following fields in your components:
+
+- `name`
+- `purl`
+- `type`
+
 ## Credits
 
 A big thank-you to our friends at [Flaticon](https://www.flaticon.com) for the `trustier` logo.

src/main.rs

@@ -45,8 +45,8 @@ fn main() {
 
     let bom = match Bom::parse_from_json_v1_5(file_contents.as_bytes()) {
         Ok(bom) => bom,
-        Err(_) => {
-            eprintln!("Failed to parse BOM");
+        Err(e) => {
+            eprintln!("Error parsing SBOM: {}", e);
             return;
         }
     };
@@ -93,7 +93,6 @@ async fn process_sbom(
             .iter()
             .filter_map(|component| component.purl.as_ref().map(|purl| purl.to_string()))
             .collect::<Vec<_>>()
-        //TODO: may have to dedupe
     } else {
         Vec::new()
     };
@@ -108,7 +107,7 @@ async fn process_sbom(
                 .red()
         );
         println!(
-            r"* Removed {} out of {} detected Purls in the SBOM",
+            r"* Removed {} out of {} detected Purls in the SBOM. Some may have been duplicates or unsupported ecosystems.",
             original_count - collected_purls.len(),
             original_count
         );
@@ -156,7 +155,7 @@ async fn fetch_purl_bodies(
                     purl.ty()
                 );
 
-                println!("* Fetching trust information for {}:", p);
+                println!("* Fetching information for {}:", p);
 
                 let body = surf::get(url).await?.body_string().await?;
 
@@ -190,6 +189,9 @@ fn filter_purls(collected_purls: &mut Vec<String>) {
         Err(_) => false,
     });
 
+    collected_purls.sort();
+    collected_purls.dedup();
+
     //if any of the collected purls contain the word cargo, replace it with crates (trustypkg.dev only supports crates, sboms contain cargo)
     for purl in collected_purls.iter_mut() {
         if purl.contains("cargo") {

tests/_TESTDATA_/small.cyclonedx.json

@@ -0,0 +1,39 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:e3528bf6-0024-4fbd-9223-f4760bbf54ab",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2024-09-02T17:26:27Z",
+    "tools": [{ "vendor": "dkfm" }],
+    "component": { "bom-ref": "af63bd4c8601b7f1", "type": "file", "name": "." }
+  },
+  "components": [
+    {
+      "name": "qs",
+      "type": "library",
+      "purl": "pkg:npm/[email protected]"
+    },
+    {
+      "name": "pycrypto",
+      "type": "library",
+      "purl": "pkg:pypi/[email protected]"
+    },
+    {
+      "name": "pycryptopayapi",
+      "type": "library",
+      "purl": "pkg:pypi/[email protected]"
+    },
+    {
+      "name": "body-parser",
+      "type": "library",
+      "purl": "pkg:npm/[email protected]"
+    },
+    {
+      "name": "qs",
+      "type": "library",
+      "purl": "pkg:npm/[email protected]"
+    }
+  ]
+}