refactor: cleanup and cosmetics (#81)

* cleanup and cosmetics

Signed-off-by: nscuro <nscuro@protonmail.com>

* ensure forward slashes for application subpaths

Signed-off-by: nscuro <nscuro@protonmail.com>

Author: nscuro

internal/cli/cmd/app/app.go

@@ -86,7 +86,7 @@ Examples:
 				options.ModuleDir = args[0]
 			}
 
-			cliUtil.ConfigureLogger(options.LogOptions)
+			options.LogOptions.ConfigureLogger()
 
 			return Exec(options)
 		},
@@ -173,7 +173,7 @@ func Exec(options Options) error {
 	enrichWithApplicationDetails(bom, options.ModuleDir, options.Main)
 
 	if options.IncludeStd {
-		err = cliUtil.AddStdComponent(bom)
+		err = cliUtil.AddStdComponent(bom, "")
 		if err != nil {
 			return fmt.Errorf("failed to add stdlib component: %w", err)
 		}
@@ -270,7 +270,7 @@ func enrichWithApplicationDetails(bom *cdx.BOM, moduleDir, mainPkgDir string) {
 		mainPkgDirRel = strings.TrimSuffix(mainPkgDirRel, string(os.PathSeparator))
 
 		oldPURL := bom.Metadata.Component.PackageURL
-		newPURL := oldPURL + "#" + mainPkgDirRel
+		newPURL := oldPURL + "#" + filepath.ToSlash(mainPkgDirRel)
 
 		log.Debug().
 			Str("old", oldPURL).

internal/cli/cmd/bin/bin.go

@@ -45,7 +45,7 @@ func New() *ffcli.Command {
 		ShortUsage: "cyclonedx-gomod bin [FLAGS...] BINARY_PATH",
 		LongHelp: `Generate SBOMs for binaries.
 
-Although the binary is never executed, it must be executable.
+Although the binary is never executed by cyclonedx-gomod, it must be executable.
 This is a requirement by the "go version -m" command that is used to provide this functionality.
 
 When license detection is enabled, all modules (including the main module) 
@@ -68,7 +68,7 @@ Example:
 				options.BinaryPath = args[0]
 			}
 
-			cliUtil.ConfigureLogger(options.LogOptions)
+			options.LogOptions.ConfigureLogger()
 
 			return Exec(options)
 		},
@@ -81,7 +81,7 @@ func Exec(options Options) error {
 		return err
 	}
 
-	modules, hashes, err := gomod.LoadModulesFromBinary(options.BinaryPath)
+	goVersion, modules, hashes, err := gomod.LoadModulesFromBinary(options.BinaryPath)
 	if err != nil {
 		return fmt.Errorf("failed to extract modules: %w", err)
 	} else if len(modules) == 0 {
@@ -149,6 +149,13 @@ func Exec(options Options) error {
 	bom.Dependencies = &dependencyGraph
 	bom.Compositions = createCompositions(*mainComponent, components)
 
+	if options.IncludeStd {
+		err = cliUtil.AddStdComponent(bom, goVersion)
+		if err != nil {
+			return fmt.Errorf("failed to add stdlib component: %w", err)
+		}
+	}
+
 	return cliUtil.WriteBOM(bom, options.OutputOptions)
 }
 

internal/cli/cmd/mod/mod.go

@@ -60,7 +60,7 @@ Examples:
 				options.ModuleDir = args[0]
 			}
 
-			cliUtil.ConfigureLogger(options.LogOptions)
+			options.LogOptions.ConfigureLogger()
 
 			return Exec(options)
 		},
@@ -142,7 +142,7 @@ func Exec(options Options) error {
 	bom.Dependencies = &dependencyGraph
 
 	if options.IncludeStd {
-		err = cliUtil.AddStdComponent(bom)
+		err = cliUtil.AddStdComponent(bom, "")
 		if err != nil {
 			return fmt.Errorf("failed to add stdlib component: %w", err)
 		}

internal/cli/cmd/mod/options.go

@@ -85,8 +85,7 @@ func (m Options) Validate() error {
 		for i := range allowedComponentTypes {
 			allowed[i] = string(allowedComponentTypes[i])
 		}
-
-		errs = append(errs, fmt.Errorf("invalid component type: \"%s\" (allowed: %s)", m.ComponentType, strings.Join(allowed, ",")))
+		errs = append(errs, fmt.Errorf("component type: \"%s\" is invalid (allowed: %s)", m.ComponentType, strings.Join(allowed, ",")))
 	}
 
 	if len(errs) > 0 {

internal/cli/cmd/mod/options_test.go

@@ -36,6 +36,6 @@ func TestModOptions_Validate(t *testing.T) {
 		require.ErrorAs(t, err, &validationError)
 
 		require.Len(t, validationError.Errors, 1)
-		require.Contains(t, validationError.Errors[0].Error(), "invalid component type")
+		require.Contains(t, validationError.Errors[0].Error(), "component type: \"foobar\" is invalid")
 	})
 }

internal/cli/options/options.go

@@ -20,6 +20,9 @@ package options
 import (
 	"flag"
 	"fmt"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"os"
 
 	"github.com/google/uuid"
 )
@@ -44,6 +47,20 @@ type LogOptions struct {
 	Verbose bool
 }
 
+// ConfigureLogger configures the global logger according to LogOptions.
+func (l LogOptions) ConfigureLogger() {
+	log.Logger = log.Output(zerolog.ConsoleWriter{
+		Out:     os.Stderr,
+		NoColor: os.Getenv("CI") != "",
+	})
+
+	if l.Verbose {
+		zerolog.SetGlobalLevel(zerolog.DebugLevel)
+	} else {
+		zerolog.SetGlobalLevel(zerolog.InfoLevel)
+	}
+}
+
 func (l *LogOptions) RegisterFlags(fs *flag.FlagSet) {
 	fs.BoolVar(&l.Verbose, "verbose", false, "Enable verbose output")
 }
@@ -71,15 +88,18 @@ func (o OutputOptions) Validate() error {
 type SBOMOptions struct {
 	IncludeStd      bool
 	NoSerialNumber  bool
-	Reproducible    bool // Make the SBOM reproducible by omitting dynamic content
 	ResolveLicenses bool
 	SerialNumber    string
+
+	// Make SBOM reproducible by omitting dynamic content.
+	// Only used internally for testing.
+	Reproducible bool
 }
 
 func (s *SBOMOptions) RegisterFlags(fs *flag.FlagSet) {
 	fs.BoolVar(&s.IncludeStd, "std", false, "Include Go standard library as component and dependency of the module")
 	fs.BoolVar(&s.NoSerialNumber, "noserial", false, "Omit serial number")
-	// .Reproducible is used for testing only and intentionally omitted here
+	// Reproducible is used for testing only and intentionally omitted here
 	fs.BoolVar(&s.ResolveLicenses, "licenses", false, "Perform license detection")
 	fs.StringVar(&s.SerialNumber, "serial", "", "Serial number")
 }

internal/cli/util/util.go

@@ -27,7 +27,6 @@ import (
 	"github.com/CycloneDX/cyclonedx-gomod/internal/cli/options"
 	"github.com/CycloneDX/cyclonedx-gomod/internal/sbom"
 	"github.com/google/uuid"
-	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 )
 
@@ -51,15 +50,16 @@ func AddCommonMetadata(bom *cdx.BOM, sbomOptions options.SBOMOptions) error {
 	return nil
 }
 
-func AddStdComponent(bom *cdx.BOM) error {
+func AddStdComponent(bom *cdx.BOM, goVersion string) error {
 	log.Debug().
 		Msg("adding std component")
 
-	stdComponent, err := sbom.BuildStdComponent()
+	stdComponent, err := sbom.BuildStdComponent(goVersion)
 	if err != nil {
 		return fmt.Errorf("failed to build std component: %w", err)
 	}
 
+	// Append std to components
 	*bom.Components = append(*bom.Components, *stdComponent)
 
 	// Add std to dependency graph
@@ -81,21 +81,7 @@ func AddStdComponent(bom *cdx.BOM) error {
 	return nil
 }
 
-func ConfigureLogger(logOptions options.LogOptions) {
-	log.Logger = log.Output(zerolog.ConsoleWriter{
-		Out:     os.Stderr,
-		NoColor: os.Getenv("CI") != "",
-	})
-
-	if logOptions.Verbose {
-		zerolog.SetGlobalLevel(zerolog.DebugLevel)
-	} else {
-		zerolog.SetGlobalLevel(zerolog.InfoLevel)
-	}
-}
-
-// SetSerialNumber sets the serial number of a given BOM according to the
-// provided SBOMOptions.
+// SetSerialNumber sets the serial number of a given BOM according to the provided SBOMOptions.
 func SetSerialNumber(bom *cdx.BOM, sbomOptions options.SBOMOptions) error {
 	if sbomOptions.NoSerialNumber {
 		return nil

internal/gocmd/gocmd.go

@@ -51,6 +51,7 @@ func GetVersion() (string, error) {
 }
 
 // GetEnv executes `go env -json` and returns the result as a map.
+// See https://pkg.go.dev/cmd/go#hdr-Print_Go_environment_information.
 func GetEnv() (map[string]string, error) {
 	buf := new(bytes.Buffer)
 	err := executeGoCommand([]string{"env", "-json"}, withStdout(buf))
@@ -67,9 +68,9 @@ func GetEnv() (map[string]string, error) {
 	return env, nil
 }
 
-// GetModule executes `go list -json -m` and writes the output to a given writer.
+// ListModule executes `go list -json -m` and writes the output to a given writer.
 // See https://golang.org/ref/mod#go-list-m
-func GetModule(moduleDir string, writer io.Writer) error {
+func ListModule(moduleDir string, writer io.Writer) error {
 	return executeGoCommand([]string{"list", "-mod", "readonly", "-json", "-m"}, withDir(moduleDir), withStdout(writer))
 }
 
@@ -80,6 +81,7 @@ func ListModules(moduleDir string, writer io.Writer) error {
 }
 
 // ListPackage executes `go list -json -e <PATTERN>` and writes the output to a given writer.
+// See // See https://golang.org/cmd/go/#hdr-List_packages_or_modules.
 func ListPackage(moduleDir, packagePattern string, writer io.Writer) error {
 	return executeGoCommand([]string{"list", "-json", "-e", packagePattern},
 		withDir(moduleDir),
@@ -88,7 +90,7 @@ func ListPackage(moduleDir, packagePattern string, writer io.Writer) error {
 }
 
 // ListPackages executes `go list -deps -json <PATTERN>` and writes the output to a given writer.
-// See https://golang.org/cmd/go/#hdr-List_packages_or_modules
+// See https://golang.org/cmd/go/#hdr-List_packages_or_modules.
 func ListPackages(moduleDir, packagePattern string, writer io.Writer) error {
 	return executeGoCommand([]string{"list", "-deps", "-json", packagePattern},
 		withDir(moduleDir),
@@ -98,19 +100,19 @@ func ListPackages(moduleDir, packagePattern string, writer io.Writer) error {
 }
 
 // ListVendoredModules executes `go mod vendor -v` and writes the output to a given writer.
-// See https://golang.org/ref/mod#go-mod-vendor
+// See https://golang.org/ref/mod#go-mod-vendor.
 func ListVendoredModules(moduleDir string, writer io.Writer) error {
 	return executeGoCommand([]string{"mod", "vendor", "-v", "-e"}, withDir(moduleDir), withStderr(writer))
 }
 
 // GetModuleGraph executes `go mod graph` and writes the output to a given writer.
-// See https://golang.org/ref/mod#go-mod-graph
+// See https://golang.org/ref/mod#go-mod-graph.
 func GetModuleGraph(moduleDir string, writer io.Writer) error {
 	return executeGoCommand([]string{"mod", "graph"}, withDir(moduleDir), withStdout(writer))
 }
 
 // ModWhy executes `go mod why -m -vendor` and writes the output to a given writer.
-// See https://golang.org/ref/mod#go-mod-why
+// See https://golang.org/ref/mod#go-mod-why.
 func ModWhy(moduleDir string, modules []string, writer io.Writer) error {
 	return executeGoCommand(
 		append([]string{"mod", "why", "-m", "-vendor"}, modules...),
@@ -121,11 +123,13 @@ func ModWhy(moduleDir string, modules []string, writer io.Writer) error {
 }
 
 // LoadModulesFromBinary executes `go version -m` and writes the output to a given writer.
+// See https://golang.org/ref/mod#go-version-m.
 func LoadModulesFromBinary(binaryPath string, writer io.Writer) error {
 	return executeGoCommand([]string{"version", "-m", binaryPath}, withStdout(writer))
 }
 
 // DownloadModules executes `go mod download -json` and writes the output to the given writers.
+// See https://golang.org/ref/mod#go-mod-download.
 func DownloadModules(modules []string, stdout, stderr io.Writer) error {
 	return executeGoCommand(
 		append([]string{"mod", "download", "-json"}, modules...),
@@ -167,5 +171,10 @@ func executeGoCommand(args []string, options ...commandOption) error {
 		Str("dir", cmd.Dir).
 		Msg("executing command")
 
-	return cmd.Run()
+	err := cmd.Run()
+	if err != nil {
+		return fmt.Errorf("command `%s` failed: %w", cmd.String(), err)
+	}
+
+	return nil
 }

internal/gocmd/gocmd_test.go

@@ -45,9 +45,9 @@ func TestGetEnv(t *testing.T) {
 	require.Contains(t, env, "GOVERSION")
 }
 
-func TestGetModuleName(t *testing.T) {
+func TestListModule(t *testing.T) {
 	buf := new(bytes.Buffer)
-	err := GetModule("../../", buf)
+	err := ListModule("../../", buf)
 	require.NoError(t, err)
 
 	mod := make(map[string]interface{})
@@ -57,7 +57,7 @@ func TestGetModuleName(t *testing.T) {
 	assert.Equal(t, true, mod["Main"])
 }
 
-func TestGetModuleList(t *testing.T) {
+func TestListModules(t *testing.T) {
 	buf := new(bytes.Buffer)
 	err := ListModules("../../", buf)
 	require.NoError(t, err)

internal/gomod/binary.go

@@ -26,21 +26,22 @@ import (
 	"github.com/CycloneDX/cyclonedx-gomod/internal/gocmd"
 )
 
-func LoadModulesFromBinary(binaryPath string) ([]Module, map[string]string, error) {
+func LoadModulesFromBinary(binaryPath string) (string, []Module, map[string]string, error) {
 	buf := new(bytes.Buffer)
 	if err := gocmd.LoadModulesFromBinary(binaryPath, buf); err != nil {
-		return nil, nil, err
+		return "", nil, nil, err
 	}
 
-	modules, hashes := parseModulesFromBinary(buf)
+	goVersion, modules, hashes := parseModulesFromBinary(binaryPath, buf)
 
 	sortModules(modules)
 
-	return modules, hashes, nil
+	return goVersion, modules, hashes, nil
 }
 
-func parseModulesFromBinary(reader io.Reader) ([]Module, map[string]string) {
-	modules := make([]Module, 0)
+func parseModulesFromBinary(binaryPath string, reader io.Reader) (string, []Module, map[string]string) {
+	var goVersion string
+	var modules []Module
 	hashes := make(map[string]string)
 
 	moduleIndex := 0
@@ -53,6 +54,10 @@ func parseModulesFromBinary(reader io.Reader) ([]Module, map[string]string) {
 
 		fields := strings.Fields(line)
 		switch fields[0] {
+		case binaryPath + ":":
+			if len(fields) == 2 && strings.HasPrefix(fields[1], "go") {
+				goVersion = strings.TrimPrefix(fields[1], "go")
+			}
 		case "mod": // Main module
 			modules = append(modules, Module{
 				Path:    fields[1],
@@ -77,9 +82,11 @@ func parseModulesFromBinary(reader io.Reader) ([]Module, map[string]string) {
 				Version: fields[2],
 			}
 			modules[moduleIndex-1].Replace = &module
-			hashes[module.Coordinates()] = fields[3]
+			if len(fields) == 4 {
+				hashes[module.Coordinates()] = fields[3]
+			}
 		}
 	}
 
-	return modules, hashes
+	return goVersion, modules, hashes
 }