# Copyright 2022 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """SBOM generation""" load( "@rules_license//rules:gather_metadata.bzl", "gather_metadata_info", "gather_metadata_info_and_write", "write_metadata_info", ) load( "@rules_license//rules/private:gathering_providers.bzl", "TransitiveLicensesInfo", ) # This rule is proof of concept, and may not represent the final # form of a rule for compliance validation. def _generate_sbom_impl(ctx): # Gather all licenses and write information to one place licenses_file = ctx.actions.declare_file("_%s_licenses_info.json" % ctx.label.name) write_metadata_info(ctx, ctx.attr.deps, licenses_file) # Now turn the big blob of data into something consumable. inputs = [licenses_file] outputs = [ctx.outputs.out] args = ctx.actions.args() args.add("--licenses_info", licenses_file.path) args.add("--out", ctx.outputs.out.path) ctx.actions.run( mnemonic = "CreateSBOM", progress_message = "Creating SBOM for %s" % ctx.label, inputs = inputs, outputs = outputs, executable = ctx.executable._sbom_generator, arguments = [args], ) outputs.append(licenses_file) # also make the json file available. return [DefaultInfo(files = depset(outputs))] _generate_sbom = rule( implementation = _generate_sbom_impl, attrs = { "deps": attr.label_list( aspects = [gather_metadata_info], ), "out": attr.output(mandatory = True), "_sbom_generator": attr.label( default = Label("@rules_license//tools:write_sbom"), executable = True, allow_files = True, cfg = "exec", ), }, ) def generate_sbom(**kwargs): _generate_sbom(**kwargs) def _manifest_impl(ctx): # Gather all licenses and make it available as deps for downstream rules # Additionally write the list of license filenames to a file that can # also be used as an input to downstream rules. licenses_file = ctx.actions.declare_file(ctx.attr.out.name) mappings = get_licenses_mapping(ctx.attr.deps, ctx.attr.warn_on_legacy_licenses) ctx.actions.write( output = licenses_file, content = "\n".join([",".join([f.path, p]) for (f, p) in mappings.items()]), ) return [DefaultInfo(files = depset(mappings.keys()))] _manifest = rule( implementation = _manifest_impl, doc = """Internal tmplementation method for manifest().""", attrs = { "deps": attr.label_list( doc = """List of targets to collect license files for.""", aspects = [gather_metadata_info], ), "out": attr.output( doc = """Output file.""", mandatory = True, ), "warn_on_legacy_licenses": attr.bool(default = False), }, ) def manifest(name, deps, out = None, **kwargs): if not out: out = name + ".manifest" _manifest(name = name, deps = deps, out = out, **kwargs) def get_licenses_mapping(deps, warn = False): """Creates list of entries representing all licenses for the deps. Args: deps: a list of deps which should have TransitiveLicensesInfo providers. This requires that you have run the gather_licenses_info aspect over them warn: boolean, if true, display output about legacy targets that need update Returns: {File:package_name} """ tls = [] for dep in deps: lds = dep[TransitiveLicensesInfo].licenses tls.append(lds) ds = depset(transitive = tls) # Ignore any legacy licenses that may be in the report mappings = {} for lic in ds.to_list(): if type(lic.license_text) == "File": mappings[lic.license_text] = lic.package_name elif warn: # buildifier: disable=print print("Legacy license %s not included, rule needs updating" % lic.license_text) return mappings