Initial work on SBOM support for PHAR

Author: sebastianbergmann

build.xml

@@ -133,6 +133,7 @@
 
         <exec executable="${basedir}/build/scripts/phar-manifest.php" failonerror="true">
             <arg path="${basedir}/build/tmp/phar/manifest.txt"/>
+            <arg path="${basedir}/build/tmp/phar/sbom.xml"/>
         </exec>
 
         <copy file="${basedir}/vendor/phpunit/php-code-coverage/LICENSE" tofile="${basedir}/build/tmp/phar/php-code-coverage/LICENSE"/>

build/scripts/phar-manifest.php

@@ -1,10 +1,10 @@
 #!/usr/bin/env php
 <?php declare(strict_types=1);
-if ($argc !== 2) {
+if ($argc !== 3) {
     fwrite(
         STDERR,
         sprintf(
-            '%s /path/to/manifest.txt' . PHP_EOL,
+            '%s /path/to/manifest.txt /path/to/sbom.xml' . PHP_EOL,
             $argv[0]
         )
     );
@@ -16,6 +16,7 @@
 $version      = version();
 
 manifest($argv[1], $version, $dependencies);
+sbom($argv[2], $version, $dependencies);
 
 function manifest(string $outputFilename, string $version, array $dependencies): void
 {
@@ -34,6 +35,53 @@ function manifest(string $outputFilename, string $version, array $dependencies):
     file_put_contents($outputFilename, $buffer);
 }
 
+function sbom(string $outputFilename, string $version, array $dependencies): void
+{
+    $writer = new XMLWriter;
+
+    $writer->openMemory();
+    $writer->setIndent(true);
+    $writer->startDocument();
+
+    $writer->startElement('bom');
+    $writer->writeAttribute('xmlns', 'https://cyclonedx.org/schema/bom/1.4');
+
+    $writer->startElement('components');
+
+    writeComponent(
+        $writer,
+        'phpunit',
+        'phpunit',
+        $version,
+        'The PHP Unit Testing framework',
+        ['BSD-3-Clause']
+    );
+
+    foreach ($dependencies as $dependency) {
+        [$group, $name]    = explode('/', $dependency['name']);
+        $dependencyVersion = $dependency['version'];
+
+        if (!preg_match('/^[v= ]*(([0-9]+)(\\.([0-9]+)(\\.([0-9]+)(-([0-9]+))?(-?([a-zA-Z-+][a-zA-Z0-9.\\-:]*)?)?)?)?)$/', $dependencyVersion)) {
+            $dependencyVersion .=  '@' . $dependency['source']['reference'];
+        }
+
+        writeComponent(
+            $writer,
+            $group,
+            $name,
+            $dependencyVersion,
+            $dependency['description'],
+            $dependency['license']
+        );
+    }
+
+    $writer->endElement();
+    $writer->endElement();
+    $writer->endDocument();
+
+    file_put_contents($outputFilename, $writer->outputMemory());
+}
+
 function dependencies(): array
 {
     return json_decode(
@@ -57,3 +105,36 @@ function version(): string
 
     return $branch . '@' . $hash;
 }
+
+function writeComponent(XMLWriter $writer, string $group, string $name, string $version, string $description, array $licenses): void
+{
+    $writer->startElement('component');
+    $writer->writeAttribute('type', 'library');
+
+    $writer->writeElement('group', $group);
+    $writer->writeElement('name', $name);
+    $writer->writeElement('version', $version);
+    $writer->writeElement('description', $description);
+
+    $writer->startElement('licenses');
+
+    foreach ($licenses as $license) {
+        $writer->startElement('license');
+        $writer->writeElement('id', $license);
+        $writer->endElement();
+    }
+
+    $writer->endElement();
+
+    $writer->writeElement(
+        'purl',
+        sprintf(
+            'pkg:composer/%s/%s@%s',
+            $group,
+            $name,
+            $version
+        )
+    );
+
+    $writer->endElement();
+}

build/templates/binary-phar-autoload.php.in

@@ -52,14 +52,16 @@ if (__FILE__ === realpath($_SERVER['SCRIPT_NAME'])) {
     $execute = false;
 }
 
-$options = getopt('', array('prepend:', 'manifest'));
+$options = getopt('', array('prepend:', 'manifest', 'sbom'));
 
 if (isset($options['prepend'])) {
     require $options['prepend'];
 }
 
 if (isset($options['manifest'])) {
     $printManifest = true;
+} elseif (isset($options['sbom'])) {
+    $printSbom = true;
 }
 
 unset($options);
@@ -96,6 +98,12 @@ if ($execute) {
         exit;
     }
 
+    if (isset($printSbom)) {
+        print file_get_contents(__PHPUNIT_PHAR_ROOT__ . '/sbom.xml');
+
+        exit;
+    }
+
     unset($execute);
 
     PHPUnit\TextUI\Command::main();