feat: sbom auto detection for command line (#3734)

Author: mastersans

cve_bin_tool/cli.py

@@ -68,6 +68,7 @@
 from cve_bin_tool.merge import MergeReports
 from cve_bin_tool.output_engine import OutputEngine
 from cve_bin_tool.package_list_parser import PackageListParser
+from cve_bin_tool.sbom_detection import sbom_detection
 from cve_bin_tool.sbom_manager import SBOMManager
 from cve_bin_tool.util import ProductInfo
 from cve_bin_tool.version import VERSION
@@ -192,7 +193,7 @@ def main(argv=None):
     input_group.add_argument(
         "--sbom",
         action="store",
-        default="spdx",
+        default="",
         choices=["spdx", "cyclonedx", "swid"],
         help="specify type of software bill of materials (sbom) (default: spdx)",
     )
@@ -887,7 +888,14 @@ def main(argv=None):
         and args["directory"]
         and Path(args["directory"]).is_file()
     ):
-        if (
+        type = sbom_detection(args["directory"])
+        if not args["sbom_file"] and not args["sbom"] and type is not None:
+            LOGGER.info("Using CVE Binary Tool SBOM Auto Detection")
+            args["sbom"] = type
+            args["sbom_file"] = args["directory"]
+            args["directory"] = ""
+
+        elif (
             args["directory"].endswith(".csv")
             or args["directory"].endswith(".json")
             or args["directory"].endswith(".vex")

cve_bin_tool/sbom_detection.py

@@ -0,0 +1,52 @@
+# Copyright (C) 2024 Intel Corporation
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+import json
+
+import defusedxml.ElementTree as ET
+
+from cve_bin_tool.validator import validate_cyclonedx, validate_swid
+
+
+def sbom_detection(file_path: str) -> str:
+    """
+    Identifies SBOM type of file based on its format and schema.
+
+    Args:
+        file_path (str): The path to the file.
+
+    Returns:
+        str: The detected SBOM type (spdx, cyclonedx, swid) or None.
+    """
+    try:
+        with open(file_path) as file:
+            if ".spdx" in file_path:
+                return "spdx"
+
+            elif file_path.endswith(".json"):
+                data = json.load(file)
+                if (
+                    "bomFormat" in data
+                    and "specVersion" in data
+                    and data["bomFormat"] == "CycloneDX"
+                ):
+                    return "cyclonedx"
+
+                else:
+                    return None
+
+            elif file_path.endswith(".xml"):
+                tree = ET.parse(file_path)
+                root = tree.getroot()
+                root_tag = root.tag.split("}")[-1] if "}" in root.tag else root.tag
+                if root_tag == "bom" and validate_cyclonedx(file_path):
+                    return "cyclonedx"
+                elif root_tag == "SoftwareIdentity" and validate_swid(file_path):
+                    return "swid"
+                else:
+                    return None
+            else:
+                return None
+
+    except (json.JSONDecodeError, ET.ParseError):
+        return None

test/test_cli.py

@@ -595,7 +595,7 @@ def test_EPSS_percentile(self, capsys, caplog):
         if my_test_filename_pathlib.exists():
             my_test_filename_pathlib.unlink()
 
-    @pytest.mark.skip(reason="Temporarily disabled -- may need data changes")
+    # @pytest.mark.skip(reason="Temporarily disabled -- may need data changes")
     def test_SBOM(self, caplog):
         # check sbom file option
         SBOM_PATH = Path(__file__).parent.resolve() / "sbom"
@@ -617,6 +617,23 @@ def test_SBOM(self, caplog):
             "There are 1 products with known CVEs detected",
         ) in caplog.record_tuples
 
+    def test_sbom_detection(self, caplog):
+        SBOM_PATH = Path(__file__).parent.resolve() / "sbom"
+
+        with caplog.at_level(logging.INFO):
+            main(
+                [
+                    "cve-bin-tool",
+                    str(SBOM_PATH / "swid_test.xml"),
+                ]
+            )
+
+        assert (
+            "cve_bin_tool",
+            logging.INFO,
+            "Using CVE Binary Tool SBOM Auto Detection",
+        ) in caplog.record_tuples
+
     @pytest.mark.skipif(not LONG_TESTS(), reason="Skipping long tests")
     def test_console_output_depending_reportlab_existence(self, caplog):
         import subprocess
@@ -701,7 +718,6 @@ def test_console_output_depending_reportlab_existence(self, caplog):
             "severity : high",
             "input_file : test/test_json.py",
             "update : daily",
-            "sbom : spdx",
             "log_level : info",
             "nvd_api_key : ",
             "offline : False",

test/test_sbom.py

@@ -7,6 +7,7 @@
 import pytest
 
 from cve_bin_tool.input_engine import TriageData
+from cve_bin_tool.sbom_detection import sbom_detection
 from cve_bin_tool.sbom_manager import Remarks, SBOMManager
 from cve_bin_tool.util import ProductInfo
 
@@ -142,3 +143,23 @@ def test_invalid_xml(self, filename: str, sbom_type: str, validate: bool):
         """
         sbom_engine = SBOMManager(filename, sbom_type, validate=validate)
         assert sbom_engine.scan_file() == {}
+
+    @pytest.mark.parametrize(
+        "filename, expected_sbom_type",
+        (
+            (str(SBOM_PATH / "cyclonedx_test.json"), "cyclonedx"),
+            (str(SBOM_PATH / "cyclonedx_test2.json"), "cyclonedx"),
+            (str(SBOM_PATH / "cyclonedx_mixed_test.json"), "cyclonedx"),
+            (str(SBOM_PATH / "cyclonedx_test.xml"), "cyclonedx"),
+            (str(SBOM_PATH / "spdx_test.spdx"), "spdx"),
+            (str(SBOM_PATH / "spdx_test.spdx.rdf"), "spdx"),
+            (str(SBOM_PATH / "spdx_test.spdx.yaml"), "spdx"),
+            (str(SBOM_PATH / "spdx_test.spdx.rdf"), "spdx"),
+            (str(SBOM_PATH / "spdx_test.spdx.yml"), "spdx"),
+            (str(SBOM_PATH / "spdx_mixed_test.spdx.json"), "spdx"),
+            (str(SBOM_PATH / "swid_test.xml"), "swid"),
+            (str(SBOM_PATH / "bad.csv"), None),
+        ),
+    )
+    def test_sbom_detection(self, filename: str, expected_sbom_type: str):
+        assert sbom_detection(filename) == expected_sbom_type