diff --git a/bin/patch-sbom-root b/bin/patch-sbom-root
index 1a55b5d..87725df 100755
--- a/bin/patch-sbom-root
+++ b/bin/patch-sbom-root
@@ -2,6 +2,7 @@
 set -euo pipefail
 # Patch the root component of a bombon-generated CycloneDX SBOM.
+# shellcheck disable=SC2086
 #
 # bombon uses the symlinkJoin derivation name (e.g. "postgres-closure") as the
 # root component, which carries no meaningful metadata. This script rewrites it
diff --git a/bin/sbom-score b/bin/sbom-score
index 43e7d4d..f93e356 100755
--- a/bin/sbom-score
+++ b/bin/sbom-score
@@ -38,14 +38,18 @@ raw_output=$("$sbomqs_cmd" score "$sbom_file" --json 2>/dev/null) || {
 }
 # Transform sbomqs output into our structured format
+# sbomqs v2.0.4 uses .sbom_quality_score (not .avg_score) and
+# .comprehenssive[] (note double 's') with per-feature entries instead of
+# per-category .scores[]. We aggregate features by category.
 echo "$raw_output" | jq --arg image "$image" '
 .files[0] as $f |
 {
 image: $image,
- score: $f.avg_score,
+ score: $f.sbom_quality_score,
 num_components: $f.num_components,
 categories: [
- $f.scores[]? | {category: .category, score: .score, max_score: .max_score}
+ $f.comprehenssive // [] | group_by(.category)[] |
+ {category: .[0].category, score: ((map(.score) | add) / length)}
 ]
 }
 '
diff --git a/spec/sbom_report_spec.sh b/spec/sbom_report_spec.sh
index 90679c4..ed531c6 100644
--- a/spec/sbom_report_spec.sh
+++ b/spec/sbom_report_spec.sh
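Review bot: The added `# shellcheck disable=SC2086` sits after `set -euo pipefail`, so if the intent is a file-wide suppression it will not take effect: ShellCheck applies a directive to the whole script only when it precedes the first command, otherwise to the next command after the comment block, which here is whatever follows the header comment. Either way, silencing SC2086 for more than the one line that needs it hides exactly the unquoted-expansion bugs (word splitting and globbing on file paths or tool arguments) that a script rewriting SBOM files should not tolerate. Prefer quoting the expansion or passing an array, and where a line genuinely relies on splitting, put `# shellcheck disable=SC2086  # intentional word splitting of $extra_args` directly above that line with the reason. The commit does not show which line triggered the warning, so I cannot tell whether the splitting is actually wanted.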
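Review bot: `score: $f.sbom_quality_score` silently becomes `null` when sbomqs does not emit that key — any version other than the 2.0.4 the new comment pins, or a later release that fixes the `comprehenssive` misspelling — and `.comprehenssive // []` likewise collapses to an empty `categories`, so a tool mismatch degrades into a result with no score instead of a failure, which for a baseline-comparison gate is a silent pass. Fail loudly instead, e.g. `score: ($f.sbom_quality_score // error("sbomqs output has no sbom_quality_score; unsupported sbomqs version?")),` and make sure jq's non-zero exit is not swallowed by the caller. The per-category average also counts every feature; the spec's mock shows an `"ignored":false` flag on each entry, so if sbomqs can mark features ignored they are presumably meant to be dropped with `select(.ignored | not)` before `map(.score)` — to be confirmed against the sbomqs documentation. `raw_output` is produced above this hunk, outside it.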
@@ -5,21 +5,21 @@ Describe "bin/sbom-report"
 # Score result for postgres (improved)
 cat > "$RESULTS_DIR/score-postgres.json" <<'JSON'
-{"image":"postgres","score":7.2,"num_components":24,"categories":[{"category":"Licensing","score":6.5,"max_score":10.0}]}
+{"image":"postgres","score":7.2,"num_components":24,"categories":[{"category":"Licensing","score":6.5}]}
 JSON
 # Score result for redis (regressed)
 cat > "$RESULTS_DIR/score-redis.json" <<'JSON'
-{"image":"redis","score":6.0,"num_components":8,"categories":[{"category":"Licensing","score":5.0,"max_score":10.0}]}
+{"image":"redis","score":6.0,"num_components":8,"categories":[{"category":"Licensing","score":5.0}]}
 JSON
 # Baseline scores
 cat > "$RESULTS_DIR/baseline-postgres.json" <<'JSON'
-{"image":"postgres","score":7.0,"num_components":24,"categories":[{"category":"Licensing","score":6.0,"max_score":10.0}]}
+{"image":"postgres","score":7.0,"num_components":24,"categories":[{"category":"Licensing","score":6.0}]}
 JSON
 cat > "$RESULTS_DIR/baseline-redis.json" <<'JSON'
-{"image":"redis","score":6.5,"num_components":8,"categories":[{"category":"Licensing","score":5.5,"max_score":10.0}]}
+{"image":"redis","score":6.5,"num_components":8,"categories":[{"category":"Licensing","score":5.5}]}
 JSON
 # Compare result for postgres
diff --git a/spec/sbom_score_spec.sh b/spec/sbom_score_spec.sh
index 66ab12f..18b8520 100644
--- a/spec/sbom_score_spec.sh
+++ b/spec/sbom_score_spec.sh
@@ -29,12 +29,12 @@ JSON
 Describe "sbomqs integration"
 # Mock sbomqs to avoid requiring the real binary in tests
 mock_sbomqs() {
- # Create a fake sbomqs that outputs realistic JSON
+ # Create a fake sbomqs that outputs realistic v2.0.4 JSON
 MOCK_SBOMQS="$(mktemp)"
 cat > "$MOCK_SBOMQS" <<'SCRIPT'
 #!/bin/sh
 cat <<'MOCK'
-{"files":[{"avg_score":7.2,"num_components":24,"scores":[{"category":"Licensing","score":6.5,"max_score":10.0},{"category":"Structural","score":8.1,"max_score":10.0},{"category":"Completeness","score":7.0,"max_score":10.0}]}]}
+{"files":[{"sbom_quality_score":7.2,"num_components":24,"comprehenssive":[{"category":"Licensing","feature":"comp_with_license","score":6.0,"description":"complete","ignored":false},{"category":"Licensing","feature":"comp_valid_license","score":7.0,"description":"complete","ignored":false},{"category":"Structural","feature":"has_components","score":8.1,"description":"complete","ignored":false},{"category":"Completeness","feature":"comp_with_supplier","score":7.0,"description":"complete","ignored":false}]}]}
 MOCK
 SCRIPT
 chmod +x "$MOCK_SBOMQS"
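Review bot: The new mock sets `"ignored":false` on every feature and gives `comprehenssive` exactly two Licensing entries whose average lands on the old 6.5, so nothing in this hunk exercises the two paths the new jq in bin/sbom-score actually adds: an absent `comprehenssive` (the `// []` fallback) and a feature flagged `"ignored":true`. Unless the rest of the spec covers them, a second mock output such as `{"files":[{"sbom_quality_score":7.2,"num_components":24}]}` would pin that `categories` comes back as `[]` rather than an error, and one ignored Licensing entry would pin whether ignored features count toward the category average. The comment `# Create a fake sbomqs that outputs realistic v2.0.4 JSON` would be more useful if it said which fields are load-bearing for the assertions, e.g. `# sbom_quality_score -> score; comprehenssive[] is averaged per category`. `mock_sbomqs()` continues past the end of the hunk.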