chore(workflows): add standalone SBOM diffing script for local testing

ThorbenLindhauer · ThorbenLindhauer · commit 583276c7f46c · 2023-09-29T11:09:05.000+02:00
related to camunda/camunda-bpm-platform#2781
diff --git a/common/.gitignore b/common/.gitignore
@@ -0,0 +1 @@
+sbom-workspace
diff --git a/common/README.md b/common/README.md
@@ -13,3 +13,15 @@ git push ...
 ``` 
 
 Make sure to commit and push the changes to the `dist` directory to the repository.
+
+# How to test
+
+Run `npm run test` to run the unit tests
+
+# How to try SBOM diffing
+
+1. Generate two SBOMs that you want to compare
+   1. For example, use `mvn org.cyclonedx:cyclonedx-maven-plugin:2.7.9:makeAggregateBom` to generate an SBOM for a maven (multi-module) project
+1. Run `npm run diff-sboms <path to base SBOM> <path to comparing SBOM> <output file path>` to generate an SBOM diff
+   1. Hint: The `sbom-workspace` subdirectory is in `.gitignore`, so you can put files there
+   1. In Visual Studio Code, you can run the script from the Javascript Debugger Console to attach a debugger and put breakpoints in the business logic
diff --git a/common/diff-sboms-standalone.js b/common/diff-sboms-standalone.js
@@ -0,0 +1,50 @@
+const diffSBOMs = require('./src/sbom-diff/differ.js');
+const formatTemplate = require('./src/sbom-diff/format-handlebars-template.js');
+const fs = require('fs');
+
+const readFile = function(path) {
+    return fs.readFileSync(path, 'utf8')
+}
+
+const writeFile = function(path, content) {
+    fs.writeFileSync(path, content); // default encoding is utf8
+}
+
+var args = process.argv.slice(2); // first two arguments are the executable and the JS file
+
+if (args.length != 3) {
+    throw new Error('Requires three arguments: <path to base SBOM> <path to comparing SBOM> <path to output file>');
+}
+
+const baseSbomPath = args[0];
+const headSbomPath = args[1];
+const outPath = args[2];
+
+const baseSbom = readFile(baseSbomPath);
+const headSbom = readFile(headSbomPath);
+
+const licenseList = readFile('../java-dependency-check/licenses.json');
+
+const commentTemplate = readFile('../java-dependency-check/diff.hbs');
+
+const partialPaths = [
+    'componentDetails:../java-dependency-check/component-details.hbs',
+    'componentDiff:../java-dependency-check/component-diff.hbs',
+    'componentTree:../java-dependency-check/component-tree.hbs',
+    'componentVersion:../java-dependency-check/component-version.hbs'
+];
+
+const partials = partialPaths.reduce(
+    (result, input) => {
+        [ partialId, partialPath ] = input.split(':');
+        result[partialId.trim()] = readFile(partialPath.trim());
+        return result;
+    }, 
+    {}
+);
+
+diffSBOMs(baseSbom, headSbom, '^org\\.camunda', licenseList)
+    .then(rootComponentDiff => formatTemplate(rootComponentDiff, commentTemplate, partials)
+        .then(diff => writeFile(outPath, diff.fullDiff)));
+
+
