Add support for fetching SBOMs (#2869)

Fixes: #2864.
google · Aug 16, 2023 · 0c562f6 · 0c562f6
1 parent 1a4b106
commit 0c562f6
Show file tree

Hide file tree

Showing 6 changed files with 435 additions and 0 deletions.
diff --git a/github/dependency_graph.go b/github/dependency_graph.go
@@ -0,0 +1,80 @@
+// Copyright 2023 The go-github AUTHORS. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package github
+
+import (
+	"context"
+	"fmt"
+)
+
+type DependencyGraphService service
+
+// SBOM represents a software bill of materials, which describes the
+// packages/libraries that a repository depends on.
+type SBOM struct {
+	SBOM *SBOMInfo `json:"sbom,omitempty"`
+}
+
+// CreationInfo represents when the SBOM was created and who created it.
+type CreationInfo struct {
+	Created  *Timestamp `json:"created,omitempty"`
+	Creators []string   `json:"creators,omitempty"`
+}
+
+// RepoDependencies represents the dependencies of a repo.
+type RepoDependencies struct {
+	SPDXID *string `json:"SPDXID,omitempty"`
+	// Package name
+	Name             *string `json:"name,omitempty"`
+	VersionInfo      *string `json:"versionInfo,omitempty"`
+	DownloadLocation *string `json:"downloadLocation,omitempty"`
+	FilesAnalyzed    *bool   `json:"filesAnalyzed,omitempty"`
+	LicenseConcluded *string `json:"licenseConcluded,omitempty"`
+	LicenseDeclared  *string `json:"licenseDeclared,omitempty"`
+}
+
+// SBOMInfo represents a software bill of materials (SBOM) using SPDX.
+// SPDX is an open standard for SBOMs that
+// identifies and catalogs components, licenses, copyrights, security
+// references, and other metadata relating to software.
+type SBOMInfo struct {
+	SPDXID       *string       `json:"SPDXID,omitempty"`
+	SPDXVersion  *string       `json:"spdxVersion,omitempty"`
+	CreationInfo *CreationInfo `json:"creationInfo,omitempty"`
+
+	// Repo name
+	Name              *string  `json:"name,omitempty"`
+	DataLicense       *string  `json:"dataLicense,omitempty"`
+	DocumentDescribes []string `json:"documentDescribes,omitempty"`
+	DocumentNamespace *string  `json:"documentNamespace,omitempty"`
+
+	// List of packages dependencies
+	Packages []*RepoDependencies `json:"packages,omitempty"`
+}
+
+func (s SBOM) String() string {
+	return Stringify(s)
+}
+
+// GetSBOM fetches the software bill of materials for a repository.
+//
+// GitHub API docs: https://docs.github.com/en/rest/dependency-graph/sboms
+func (s *DependencyGraphService) GetSBOM(ctx context.Context, owner, repo string) (*SBOM, *Response, error) {
+	u := fmt.Sprintf("repos/%v/%v/dependency-graph/sbom", owner, repo)
+
+	req, err := s.client.NewRequest("GET", u, nil)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	var sbom *SBOM
+	resp, err := s.client.Do(ctx, req, &sbom)
+	if err != nil {
+		return nil, resp, err
+	}
+
+	return sbom, resp, nil
+}
diff --git a/github/dependency_graph_test.go b/github/dependency_graph_test.go
@@ -0,0 +1,79 @@
+// Copyright 2023 The go-github AUTHORS. All rights reserved.
+//
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package github
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"testing"
+	"time"
+
+	"github.com/google/go-cmp/cmp"
+)
+
+func TestDependencyGraphService_GetSBOM(t *testing.T) {
+	client, mux, _, teardown := setup()
+	defer teardown()
+
+	mux.HandleFunc("/repos/owner/repo/dependency-graph/sbom", func(w http.ResponseWriter, r *http.Request) {
+		testMethod(t, r, "GET")
+		fmt.Fprint(w, `{
+   "sbom":{
+      "creationInfo":{
+         "created":"2021-09-01T00:00:00Z"
+      },
+      "name":"owner/repo",
+      "packages":[
+                {
+                "name":"rubygems:rails",
+                "versionInfo":"1.0.0"
+                }
+            ]
+        }
+    }`)
+	})
+
+	ctx := context.Background()
+	sbom, _, err := client.DependencyGraph.GetSBOM(ctx, "owner", "repo")
+	if err != nil {
+		t.Errorf("DependencyGraph.GetSBOM returned error: %v", err)
+	}
+
+	testTime := time.Date(2021, 9, 1, 0, 0, 0, 0, time.UTC)
+	want := &SBOM{
+		&SBOMInfo{
+			CreationInfo: &CreationInfo{
+				Created: &Timestamp{testTime},
+			},
+			Name: String("owner/repo"),
+			Packages: []*RepoDependencies{
+				{
+					Name:        String("rubygems:rails"),
+					VersionInfo: String("1.0.0"),
+				},
+			},
+		},
+	}
+
+	if !cmp.Equal(sbom, want) {
+		t.Errorf("DependencyGraph.GetSBOM returned %+v, want %+v", sbom, want)
+	}
+
+	const methodName = "GetSBOM"
+	testBadOptions(t, methodName, func() (err error) {
+		_, _, err = client.DependencyGraph.GetSBOM(ctx, "\n", "\n")
+		return err
+	})
+
+	testNewRequestAndDoFailure(t, methodName, client, func() (*Response, error) {
+		got, resp, err := client.DependencyGraph.GetSBOM(ctx, "owner", "repo")
+		if got != nil {
+			t.Errorf("testNewRequestAndDoFailure %v = %#v, want nil", methodName, got)
+		}
+		return resp, err
+	})
+}
diff --git a/github/github-accessors.go b/github/github-accessors.go