add flag to show sbom files during a package inspect command (#678)

* add flag to show sbom files during a package inspect command * update docs for new inspect command flag
zarf-dev · Aug 22, 2022 · bb4bc71 · bb4bc71
1 parent 3ff6977
commit bb4bc71
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 1 deletion.
diff --git a/docs/4-user-guide/1-the-zarf-cli/100-cli-commands/zarf_package_inspect.md b/docs/4-user-guide/1-the-zarf-cli/100-cli-commands/zarf_package_inspect.md
@@ -15,6 +15,7 @@ zarf package inspect [PACKAGE] [flags]
 
 ```
   -h, --help            help for inspect
+  -s, --sbom            View SBOM contents while inspecting the package.
       --tmpdir string   Specify the temporary directory to use for intermediate files
 ```
 
@@ -29,4 +30,3 @@ zarf package inspect [PACKAGE] [flags]
 ### SEE ALSO
 
 * [zarf package](zarf_package.md)	 - Zarf package commands for creating, deploying, and inspecting packages
-
diff --git a/src/cmd/package.go b/src/cmd/package.go
@@ -129,4 +129,5 @@ func init() {
 	packageDeployCmd.Flags().StringVar(&config.DeployOptions.SGetKeyPath, "sget", "", "Path to public sget key file for remote packages signed via cosign")
 
 	packageInspectCmd.Flags().StringVar(&config.CommonOptions.TempDirectory, "tmpdir", "", "Specify the temporary directory to use for intermediate files")
+	packageInspectCmd.Flags().BoolVarP(&packager.ViewSBOM, "sbom", "s", false, "View SBOM contents while inspecting the package.")
 }
diff --git a/src/internal/packager/inspect.go b/src/internal/packager/inspect.go
@@ -1,15 +1,20 @@
 package packager
 
 import (
+	"fmt"
 	"io/ioutil"
 	"path/filepath"
 
+	"github.com/AlecAivazis/survey/v2"
 	"github.com/defenseunicorns/zarf/src/config"
 	"github.com/defenseunicorns/zarf/src/internal/message"
 	"github.com/defenseunicorns/zarf/src/internal/utils"
 	"github.com/mholt/archiver/v3"
 )
 
+// ViewSBOM indicates if image SBOM information should be displayed when inspecting a package
+var ViewSBOM bool
+
 // Inspect list the contents of a package
 func Inspect(packageName string) {
 	tempPath := createPaths()
@@ -39,4 +44,28 @@ func Inspect(packageName string) {
 	}
 
 	message.Infof("The package was built with Zarf CLI version %s\n", config.GetBuildData().Version)
+
+	if ViewSBOM {
+		err = archiver.Extract(packageName, "sboms", tempPath.base)
+		if err != nil {
+			message.Fatalf(err, "Unable to extract sbom information from the package.")
+		}
+
+		sbomViewFiles, _ := filepath.Glob(tempPath.sboms + "/sbom-viewer-*")
+		if len(sbomViewFiles) > 1 {
+			link := sbomViewFiles[0]
+			msg := fmt.Sprintf("This package has %d images with software bill-of-materials (SBOM) included. You can view them now in the zarf-sbom folder in this directory or to go directly to one, open this in your browser: %s\n\n", len(sbomViewFiles), link)
+			message.Note(msg)
+
+			// Use survey.Input to hang until user input
+			var value string
+			prompt := &survey.Input{
+				Message: "Hit the 'enter' key when you are done viewing the SBOM files",
+				Default: "",
+			}
+			_ = survey.AskOne(prompt, &value)
+		} else {
+			message.Note("There were no images with software bill-of-materials (SBOM) included.")
+		}
+	}
 }