bomctl · jho 8000 ward-lm · Nov 21, 2024 · Nov 13, 2024 · Nov 13, 2024 · Nov 13, 2024
@@ -148,6 +148,12 @@ represents an application within the container image.
 bomctl fetch https://raw.githubusercontent.com/bomctl/bomctl-playground/main/examples/bomctl-container-image/bomctl_bomctl_v0.3.0.cdx.json
 ```
 
+Alternatively, use the following syntax to directly fetch the most recent dependency graph SBOM of a GitHub repository (In this case, the bomctl repository). This syntax works for both public and private repositories, although credentials will need to be provided via `--netrc` to access a private repo.
+
+```shell
+bomctl fetch https://github.com/bomctl/bomctl
+```
+
 ### Import
 
 Import SBOM files from either standard input or the local file system.

@@ -37,8 +37,8 @@ func fetchCmd() *cobra.Command {
 	fetchCmd := &cobra.Command{
 		Use:   "fetch [flags] SBOM_URL...",
 		Args:  cobra.MinimumNArgs(fetchMinArgs),
-		Short: "Fetch SBOM file(s) from HTTP(S), OCI, or Git URLs",
-		Long:  "Fetch SBOM file(s) from HTTP(S), OCI, or Git URLs",
+		Short: "Fetch SBOM file(s) from HTTP(S), OCI, Git, or GitHub URLs",
+		Long:  "Fetch SBOM file(s) from HTTP(S), OCI, Git, or GitHub URLs",
 		Run: func(cmd *cobra.Command, args []string) {
 			opts.Options = optionsFromContext(cmd)
 			backend := backendFromContext(cmd)

@@ -8,6 +8,7 @@ require (
 	github.com/go-git/go-billy/v5 v5.6.0
 	github.com/go-git/go-git/v5 v5.12.0
 	github.com/google/go-cmp v0.6.0
+	github.com/google/go-github/v66 v66.0.0
 	github.com/google/uuid v1.6.0
 	github.com/jdx/go-netrc v1.0.0
 	github.com/opencontainers/go-digest v1.0.0
@@ -19,11 +20,18 @@ require (
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.19.0
 	github.com/stretchr/testify v1.9.0
+	golang.org/x/oauth2 v0.18.0
 	golang.org/x/term v0.26.0
 	google.golang.org/protobuf v1.35.2
 	oras.land/oras-go/v2 v2.5.0
 )
 
+require (
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+)
+
 require (
 	ariga.io/atlas v0.28.1 // indirect
 	dario.cat/mergo v1.0.1 // indirect

@@ -85,9 +85,19 @@ github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-github/v66 v66.0.0 h1:ADJsaXj9UotwdgK8/iFZtv7MLc8E8WBl62WLd/D/9+M=
+github.com/google/go-github/v66 v66.0.0/go.mod h1:+4SO9Zkuyf8ytMj0csN1NR/5OTR+MfqPp8P8dVlcvY4=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd h1:gbpYu9NMq8jhDVbvlGkMFWCjLFlqqEZjEmObmhUy6Vo=
 github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -235,6 +245,8 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/net v0.30.0 h1:AcW1SDZMkb8IpzCdQUaIq2sP4sZ4zw+55h6ynffypl4=
 golang.org/x/net v0.30.0/go.mod h1:2wGyMJ5iFasEhkwi13ChkO/t1ECNC4X4eBKkVFyYFlU=
+golang.org/x/oauth2 v0.18.0 h1:09qnuIAgzdx1XplqJvW6CQqMCtGZykZWcXzPMPUusvI=
+golang.org/x/oauth2 v0.18.0/go.mod h1:Wf7knwG0MPoWIMMBgFlEaSUDaKskp0dCfrlJRJXbBi8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -266,6 +278,7 @@ golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
@@ -278,6 +291,11 @@ golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.26.0 h1:v/60pFQmzmT9ExmjDv2gGIfi3OqfKoEP6I5+umXlbnQ=
 golang.org/x/tools v0.26.0/go.mod h1:TPVVj70c7JJ3WCazhD8OdXcZg/og+b9+tH/KxylGwH0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
+google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.35.2 h1:8Ar7bF+apOIoThw1EdZl0p1oWvMqTHmpA2fRTyZO8io=
 google.golang.org/protobuf v1.35.2/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

@@ -42,7 +42,7 @@ exists second.cdx.json
 exists second-1.json
 
 # fetch --alias
-[net] exec bomctl fetch --cache-dir $WORK --alias third https://github.com/bomctl/bomctl/releases/download/v0.4.1/bomctl_0.4.1_darwin_amd64.tar.gz.spdx.json
+[net] exec bomctl fetch --cache-dir $WORK --alias third https://raw.githubusercontent.com/bomctl/bomctl-playground/main/examples/bomctl_0.1.3_darwin_amd64.tar.gz.cdx.json
 cmp stderr fetch_alias.txt
 ! stdout .
 
@@ -51,7 +51,7 @@ cmp stdout fetch_alias_list.txt
 ! stderr .
 
 # fetch --tag
-[net] exec bomctl fetch --cache-dir $WORK --tag fourth https://github.com/bomctl/bomctl/releases/download/v0.4.1/bomctl_0.4.1_darwin_arm64.tar.gz.spdx.json
+[net] exec bomctl fetch --cache-dir $WORK --tag fourth https://raw.githubusercontent.com/bomctl/bomctl/main/internal/e2e/testdata/merge_A.cdx.json
 cmp stderr fetch_tag.txt
 ! stdout .
 
@@ -63,7 +63,7 @@ cmp stdout fetch_tag_list.txt
 INFO  fetch: Fetching from HTTP URL url=https://raw.githubusercontent.com/bomctl/bomctl-playground/main/examples/bomctl-container-image/bomctl_bomctl_v0.3.0.cdx.json
 INFO  fetch: Fetching from HTTP URL url=https://raw.githubusercontent.com/bomctl/bomctl-playground/main/examples/bomctl-container-image/app/bomctl_0.3.0_linux_amd64.tar.gz.spdx.json
 -- fetch_alias.txt --
-INFO  fetch: Fetching from HTTP URL url=https://github.com/bomctl/bomctl/releases/download/v0.4.1/bomctl_0.4.1_darwin_amd64.tar.gz.spdx.json
+INFO  fetch: Fetching from HTTP URL url=https://raw.githubusercontent.com/bomctl/bomctl-playground/main/examples/bomctl_0.1.3_darwin_amd64.tar.gz.cdx.json
 -- fetch_alias_list.txt --
 
 ID      : urn:uuid:f360ad8b-dc41-4256-afed-337a04dff5db
@@ -76,17 +76,17 @@ Alias   :
 Version : 0
 # Nodes : 81
 
-ID      : https://anchore.com/syft/file/bomctl_0.4.1_darwin_amd64.tar.gz-c7628350-c94b-4684-a68e-60da899682bc#DOCUMENT
+ID      : urn:uuid:22ff1e59-cd6e-485a-83d1-24e64f87c5db
 Alias   : third
-Version : 0
+Version : 1
 # Nodes : 81
 
 -- fetch_tag.txt --
-INFO  fetch: Fetching from HTTP URL url=https://github.com/bomctl/bomctl/releases/download/v0.4.1/bomctl_0.4.1_darwin_arm64.tar.gz.spdx.json
+INFO  fetch: Fetching from HTTP URL url=https://raw.githubusercontent.com/bomctl/bomctl/main/internal/e2e/testdata/merge_A.cdx.json
 -- fetch_tag_list.txt --
 
-ID      : https://anchore.com/syft/file/bomctl_0.4.1_darwin_arm64.tar.gz-35920d56-4519-40d4-82af-d695799d1df6#DOCUMENT
+ID      : urn:uuid:3de02d44-f9c6-4a94-bf48-eb92730dc3b5
 Alias   : 
-Version : 0
-# Nodes : 81
+Version : 1
+# Nodes : 5
 
@@ -24,6 +24,7 @@ import (
 	"fmt"
 
 	"github.com/bomctl/bomctl/internal/pkg/client/git"
+	"github.com/bomctl/bomctl/internal/pkg/client/github"
 	"github.com/bomctl/bomctl/internal/pkg/client/http"
 	"github.com/bomctl/bomctl/internal/pkg/client/oci"
 	"github.com/bomctl/bomctl/internal/pkg/netutil"
@@ -42,7 +43,7 @@ type Client interface {
 }
 
 func New(sbomURL string) (Client, error) {
-	for _, client := range []Client{&git.Client{}, &http.Client{}, &oci.Client{}} {
+	for _, client := range []Client{&github.Client{}, &git.Client{}, &http.Client{}, &oci.Client{}} {
 		if url := client.Parse(sbomURL); url != nil {
 			return client, nil
 		}

@@ -0,0 +1,87 @@
+// -----------------------------------------------------------------------------
+// SPDX-FileCopyrightText: Copyright © 2024 bomctl a Series of LF Projects, LLC
+// SPDX-FileName: internal/pkg/client/github/client.go
+// SPDX-FileType: SOURCE
+// SPDX-License-Identifier: Apache-2.0
+// -----------------------------------------------------------------------------
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// -----------------------------------------------------------------------------
+
+package github
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/google/go-github/v66/github"
+
+	"github.com/bomctl/bomctl/internal/pkg/netutil"
+)
+
+type Client struct {
+	ghClient github.Client
+}
+
+func (*Client) Name() string {
+	return "github"
+}
+
+func (*Client) RegExp() *regexp.Regexp {
+	return regexp.MustCompile(
+		fmt.Sprintf("^%s%s%s%s$",
+			`((?P<scheme>https?|git|ssh):\/\/)?`,
+			`((?P<username>[^:]+)(?::(?P<password>[^@]+))?(?:@))?`,
+			`(?P<hostname>github(\.[A-Za-z0-9_-]+)*\.com+)(?::(?P<port>\d+))?`,
+			`(?:[\/:](?P<path>.+))`,
+		),
+	)
+}
+
+func (client *Client) Parse(rawURL string) *netutil.URL {
+	results := map[string]string{}
+	pattern := client.RegExp()
+	match := pattern.FindStringSubmatch(rawURL)
+
+	for idx, name := range match {
+		results[pattern.SubexpNames()[idx]] = name
+	}
+
+	if results["scheme"] == "" {
+		results["scheme"] = "https"
+	}
+
+	// Ensure required map fields are present.
+	for _, required := range []string{"scheme", "hostname", "path"} {
+		if value, ok := results[required]; !ok || value == "" {
+			return nil
+		}
+	}
+
+	const length = 2
+
+	pathComponents := strings.Split(results["path"], "/")
+
+	if len(pathComponents) != length {
+		return nil
+	}
+
+	return &netutil.URL{
+		Scheme:   results["scheme"],
+		Username: results["username"],
+		Password: results["password"],
+		Hostname: results["hostname"],
+		Path:     results["path"],
+		Port:     results["port"],
+	}
+}