Initial release of example code using the Tidelift API for reports

This is an initial release of a bunch of example code which reads
a CycloneDX SBOM and then calls Tidelift APIs to get information
about the packages/releases in use within that SBOM.

.github/workflows/.goreleaser.yml

@@ -0,0 +1,34 @@
+name: goreleaser
+
+on:
+  push:
+    tags:
+      - '*'
+
+permissions:
+  contents: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+            go-version: '1.22.3'
+      -
+        name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          distribution: goreleaser
+          # 'latest', 'nightly', or a semver
+          version: '~> v1'
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -0,0 +1,4 @@
+tidelift-sbom-info
+bin/*
+
+dist/

.goreleaser.yaml

@@ -0,0 +1,64 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines below are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+
+version: 1
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+    # you may remove this if you don't need go generate
+    # - go generate ./...
+
+builds:
+  - main: ./cmd/tidelift-sbom-analyzer
+    id: "tidelift-sbom-analyzer"
+    binary: tidelift-sbom-analyzer
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin
+  - main: ./cmd/tidelift-sbom-vulnerability-reporter
+    id: "tidelift-sbom-vulnerability-reporter"
+    binary: tidelift-sbom-vulnerability-reporter
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin      
+
+archives:
+  - format: tar.gz
+    wrap_in_directory: false
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        format: zip
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+
+release:
+  draft: true
+  replace_existing_draft: true
+  replace_existing_artifacts: true

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Tidelift, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,43 @@
+CMDS = $(shell find cmd/  -mindepth 1  -maxdepth 1 -type d)
+SRC = $(shell find . -type f -name '*.go')
+
+GOLANGCI_LINT:=$(shell command -v golangci-lint 2> /dev/null)
+
+all: build
+
+all-cross: build-windows build-linux-x86 build-linux-arm build-mac-arm
+
+build: $(SRC)
+	for d in $(CMDS) ; do pushd $$d > /dev/null ; CGO_ENABLED=0 go build -o ../../bin/ ; popd > /dev/null ; done
+
+build-windows: $(SRC)
+	mkdir -p bin/windows || /bin/true
+	for d in $(CMDS) ; do pushd $$d > /dev/null ; GOOS=windows GOARCH=amd64 CGO_ENABLED=0 go build -o ../../bin/windows ; popd > /dev/null ; done
+
+build-linux-x86: $(SRC)
+	mkdir -p bin/linux-x86 || /bin/true
+	for d in $(CMDS) ; do pushd $$d > /dev/null ; GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -o ../../bin/linux-x86 ; popd > /dev/null ; done
+
+build-linux-arm: $(SRC)
+	mkdir -p bin/linux-arm || /bin/true
+	for d in $(CMDS) ; do pushd $$d > /dev/null ; GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -o ../../bin/linux-arm ; popd > /dev/null ; done
+
+build-mac-arm: $(SRC)
+	mkdir -p bin/mac-arm || /bin/true
+	for d in $(CMDS) ; do pushd $$d > /dev/null ; GOOS=darwin GOARCH=arm64 CGO_ENABLED=0 go build -o ../../bin/mac-arm ; popd > /dev/null ; done
+
+clean:
+	go clean
+	rm -f bin/*
+
+linter_installed:
+ifndef GOLANGCI_LINT
+	$(error "golangci-lint is not available, please install https://github.com/golangci/golangci-lint")
+endif
+
+lint: linter_installed
+	# https://github.com/golangci/golangci-lint#disabled-by-default-linters--e--enable
+	golangci-lint run
+
+fix: linter_installed
+	golangci-lint run --fix

README.md

@@ -0,0 +1,36 @@
+This repository contains some examples of using the Tidelift APIs to gather
+information about open source library components.
+
+The examples all use a cyclonedx sbom as their entry point and then provide
+different outputs depending on the specific example.
+
+Tagged releases are published on GitHub at
+https://github.com/tidelift/tidelift-sbom-info/releases and can be downloaded and
+run in your environment.
+
+## Current Commands
+
+* `tidelift-sbom-analyzer`: This takes a cyclonedx file as the first argument and
+then outputs a CSV file with Tidelift's recommendations about the packages in the
+SBOM. Takes an optional argument of `-o output.csv` to write the output to a file.
+
+* `tidelift-sbom-vulnerability-reporter`: This takes a cyclonedx file as the first
+argument and then outputs a JSON file with information about any known vulnerabilities
+in releases that are listed in the SBOM. Takes an optional argument of
+`-o output.json` to write the output to a file.
+
+## Contributing
+
+While this is primarily intended to guide others in the use of the Tidelift API,
+contributions to adapt and enhance the existing tools are always welcome. Additional
+commands to provide different types of data are also welcome.
+
+## Building from source
+
+If you want to build from source, you can do so by running `make build`. The commands
+then all live in the `bin/` subdirectory.
+
+If you need/want to build for an architecture that you're not running on, you can
+do any of `make build-windows`, `make linux-x86`, `make linux-arm`, `make mac-arm`,
+or `make all-cross` to build binaries for a different OS (or all) which then live
+in the named subdirectories of the `bin/` subdirectory.

cmd/tidelift-sbom-analyzer/main.go

@@ -0,0 +1,116 @@
+package main
+
+//go:generate oapi-codegen --package=tidelift_api_gen -generate=types -include-tags Packages,Releases,Vulnerabilities -o ../../internal/tidelift-api-gen/tidelift.gen.go https://tidelift.com/api/depci/subscriber-api.json
+
+import (
+	"encoding/csv"
+	"flag"
+	"fmt"
+	"os"
+
+	"github.com/package-url/packageurl-go"
+	log "github.com/sirupsen/logrus"
+	cyclonedx "github.com/tidelift/tidelift-sbom-info/internal/cyclonedx"
+	api "github.com/tidelift/tidelift-sbom-info/internal/tidelift-api-gen"
+	utils "github.com/tidelift/tidelift-sbom-info/internal/utils"
+)
+
+func main() {
+	var debug bool
+	var outputFile string
+	flag.BoolVar(&debug, "debug", false, "Show debug logging")
+	flag.StringVar(&outputFile, "output", "", "Write output to a file (defaults to stdout)")
+
+	flag.Usage = func() {
+		fmt.Fprintln(flag.CommandLine.Output(), "Display a CSV containing recommendations from Tidelift for the packages in an SBOM.")
+		fmt.Fprintln(flag.CommandLine.Output(), "")
+		fmt.Fprintln(flag.CommandLine.Output(), "Usage:")
+		fmt.Fprintln(flag.CommandLine.Output(), "  tidelift-sbom-analyzer [SOURCE]")
+		fmt.Fprintln(flag.CommandLine.Output(), "")
+		fmt.Fprintln(flag.CommandLine.Output(), "Flags:")
+		flag.PrintDefaults()
+	}
+
+	flag.Parse()
+
+	if _, keyExists := os.LookupEnv("TIDELIFT_API_KEY"); !keyExists {
+		log.Fatalf("Error: TIDELIFT_API_KEY environment variable is required.")
+	}
+
+	if flag.NArg() != 1 {
+		fmt.Fprintln(os.Stderr, "Error: need to pass cyclonedx file as argument")
+		flag.Usage()
+		os.Exit(1)
+	}
+
+	if debug {
+		log.SetLevel(log.DebugLevel)
+	} else {
+		log.SetLevel(log.WarnLevel)
+	}
+
+	purls, err := cyclonedx.SupportedPurlsFromBomFile(flag.Arg(0))
+	if err != nil {
+		log.Fatalf("Error: %s", err)
+	}
+
+	packageInfo, missingPackages := utils.GetPackageInfo(purls)
+	releaseInfo, missingReleases := utils.GetReleaseInfo(purls)
+	log.Debug(fmt.Sprintf("Unable to look up %d packages and %d releases (may be internal packages)", len(missingPackages), len(missingReleases)))
+
+	if err := writeContentsReport(outputFile, purls, packageInfo, releaseInfo); err != nil {
+		log.Fatalf("Error: %s", err)
+	}
+}
+
+func writeContentsReport(outputFile string, purls []packageurl.PackageURL, packageInfo []api.PackageDetail, releaseInfo []api.ReleaseDetail) error {
+	var writer *csv.Writer
+	if outputFile != "" {
+		f, err := os.Create(outputFile)
+		if err != nil {
+			return err
+		}
+		writer = csv.NewWriter(f)
+		defer f.Close()
+	} else {
+		writer = csv.NewWriter(os.Stdout)
+	}
+
+	if err := writer.Write([]string{"platform", "name", "version", "purl", "license", "appears_maintained", "tidelift_recommended", "nearest_recommended_version"}); err != nil {
+		return err
+	}
+
+	for _, purl := range purls {
+		var isRecommended = ""
+		var recommendedRelease = ""
+		var license = ""
+		releasePurlString := purl.ToString()
+		pkgPurlString := utils.ReleasePurlToPackagePurl(purl).String()
+
+		for _, r := range releaseInfo {
+			if *r.Purl == releasePurlString {
+				if r.NearestRecommendedRelease != nil {
+					recommendedRelease = string(*r.NearestRecommendedRelease.Version)
+				}
+				license = *r.License.Expression
+				isRecommended = string(*r.TideliftRecommendation)
+				break
+			}
+		}
+
+		var isMaintained = ""
+		for _, p := range packageInfo {
+			if p.Purl == pkgPurlString {
+				isMaintained = string(p.QualityChecks.PackageAppearsMaintained.Status)
+				break
+			}
+		}
+
+		if err := writer.Write([]string{utils.TideliftPlatformFromPurl(purl), utils.TideliftPackageNameFromPurl(purl), purl.Version, releasePurlString, license, isMaintained, isRecommended, recommendedRelease}); err != nil {
+			return err
+		}
+	}
+
+	writer.Flush()
+	return nil
+}