Merge multiple dt projects

[viveksahu26]

closes #61

Add support for merging SBOMs directly using Project IDs from Dependency Track using sbomasm dtAssemble command.

dt assemble command

To upload the generated assembled SBOM:

$ go run main.go assemble dt -u "http://localhost:8080/" -k "odt_gE4888494dddddd1UUhsgk7" -n "mega-app" -v "1.0.0" -t "application" -o 51be3730-16da-48a9-8a4f-d1071ac1c9de   f7456070-a1cc-41de-afeb-f557993d9aba 11903ba9-a585-4dfb-9a0c-f348345a5473

Mixing of local files and project IDs:

go run main.go assemble dt -u "http://localhost:8080/" -k "odt_gEB8881Njjsjdddddhsgk7" -n "mega-app" -v "1.0.0" -t "application" -o new-finalsbom.json f7456070-a1cc-41de-afeb-f557993d9aba 11903ba9-a585-4dfb-9a0c-f348345a5473  samples/cdx/sbomex-cdx.json 

dt edit command

go run main.go edit dt -u "http://localhost:8080/" -k "odt_gEB8881N5Hewdddddddd1UUhsgk7"   --subject document --author "fred ([email protected])" --author "jane ([email protected])" --supplier "interlynk.io (https://interlynk.io)" --tool "sbomasm edit (v1.0.0)" --license "CC0-1.0" --repository "github.com/interlynk/cool-app" --timestamp  --output  dt-new-final-product.spdx.json 11903ba9-a585-4dfb-9a0c-f348345a5473

dt assemble help

go run main.go assemble dt -h                                                                                   130 ↵ ──(Wed,Sep04)─┘
The dt command will help assembling sboms into a final sbom.

Basic Example:
    $ sbomasm dt -u "http://localhost:8080/" -k "odt_gwiwooi29i1N5Hewkkddkkeiwi3ii" -n "mega-app" -v "1.0.0" -t "application" -o finalsbom.json 11903ba9-a585-4dfb-9a0c-f348345a5473 34103ba2-rt63-2fga-3a8b-t625261g6262

Usage:
  sbomasm assemble dt [flags]

Flags:
  -k, --api-key string             dependency track api key, requires VIEW_PORTFOLIO for scoring and PORTFOLIO_MANAGEMENT for tagging
  -a, --assemblyMerge              assembly merge
  -f, --flatMerge                  flat merge
  -h, --help                       help for dt
  -m, --hierMerge                  hierarchical merge
  -j, --json                       output in json format (default true)
  -n, --name string                name of the assembled sbom
  -o, --output string              path to file or project id for newly assembled sbom, defaults to stdout
  -g, --outputSpecCdx              output in cdx format (default true)
  -s, --outputSpecSpdx             output in spdx format
  -e, --outputSpecVersion string   spec version of the output sbom
  -t, --type string                product type of the assembled sbom (application, framework, library, container, device, firmware)
  -u, --url string                 dependency track url https://localhost:8080/
  -v, --version string             version of the assembled sbom
  -x, --xml                        output in xml format

Global Flags:
  -d, --debug   debug output

and

dt edit command help

go run main.go edit dt -h                                                                                             ──(Wed,Sep04)─┘
The dt command allows you to modify an existing Software Bill of Materials (SBOM) using data from Dependency Track.

Usage
    sbomasm edit dt [flags] <project-ids>
    
Basic Example:
    # Edit an sbom to add app-name and version to the primary component 
	$ sbomasm edit dt -u "http://localhost:8080/" -k "odt_gEB8881Nhhhkkk5HewiZkkkUUhsgk7"   --subject document --author "fred ([email protected])" --author "jane ([email protected])" --supplier "interlynk.io (https://interlynk.io)" --tool "sbomasm edit (v1.0.0)" --license "CC0-1.0" --repository "github.com/interlynk/cool-app" --timestamp  --output  dt-new-final-product.spdx.json 11903ba9-a585-4dfb-9a0c-f348345a5473

    # Edit an sbom to add created-at timestamp and supplier information only for missing fields
    $ sbomasm edit dt  -u "http://localhost:8080/" -k "odt_gwiwooi29i1N5Hewkkddkkueiwi3ii"--missing --subject document --timestamp --supplier "interlynk ([email protected])" 11903ba9-a585-4dfb-9a0c-f348345a5473 34103ba2-rt63-2fga-3a8b-t625261g6262

Usage:
  sbomasm edit dt [flags]

Flags:
  -k, --api-key string       dependency track api key, requires VIEW_PORTFOLIO for scoring and PORTFOLIO_MANAGEMENT for tagging
  -a, --append               append to field instead of replacing
      --author strings       author to add e.g 'name (email)'
      --copyright string     copyright to add e.g 'Copyright © 2024'
      --cpe string           cpe to add e.g 'cpe:2.3:a:microsoft:internet_explorer:8.*:sp?:*:*:*:*:*:*'
      --description string   description to add e.g 'this is a cool app'
      --hash strings         checksum to add e.g 'MD5 (hash'
  -h, --help                 help for dt
      --license strings      license to add e.g 'MIT'
      --lifecycle strings    lifecycle to add e.g 'build'
  -m, --missing              edit only missing fields
      --name string          name of the entity
  -o, --output string        path to edited sbom, defaults to stdout
      --purl string          purl to add e.g 'pkg:deb/debian/[email protected]'
      --repository string    repository to add e.g 'github.com/interlynk-io/sbomasm'
      --search string        search string to find the entity
      --subject string       subject to edit (document, primary-component, component-name-version) (default "document")
      --supplier string      supplier to add e.g 'name (email)'
      --timestamp            add created-at timestamp
      --tool strings         tool to add e.g 'sbomasm (v1.0.0)'
      --type string          type to add e.g 'application'
  -u, --url string           dependency track url https://localhost:8080/
      --version string       version of the entity

Global Flags:
  -d, --debug   debug output

[riteshnoronha]

Here is what i would like, sbomasm has two commands

• assemble
• edit

we want to provide both these functionalities to dt. I would classify DT as an input-output source hence we should augment the current commands to take in DT related information. In sbomqs i made the mistake of making it a separate command.

e.g

This command indicates that dt is in input source from where to get the input files from project-ids. We should allow mixing of project-ids and file-names. If file-names are provided that means they are local files. The output assembled file is now stored in the file-system.

sbomasm assemble -n "mega cdx app" -v "1.0.0" -t "application" --dt-hosturl"http://localhost:8080" --dt-api-key "asadasdas" -o final-product.cdx.json sbom1.json <project-id1> <project-id2> <project-id3> .....

The following command is the same as above except the output is pushed back to DT

sbomasm assemble -n "mega cdx app" -v "1.0.0" -t "application" --dt-hosturl"http://localhost:8080" --dt-api-key "asadasdas" --dt-output <project-id-5> sbom1.json <project-id1> <project-id2> <project-id3> .....

Now this can also be replicated to edit command at a later date.

[viveksahu26]

added those changes

[riteshnoronha]

as mentioned below in the comments.

[riteshnoronha]

Some basic changes else looks good.

[riteshnoronha]

Lets not do edit for this release. I need to think more about this.

[viveksahu26]

okay for this release our main focus is dt assemble and not dt edit, right ?

[riteshnoronha]

Please remove all debug stmts