fix: SBOM generation with proper metadata and hierarchy (#1133)

* modified:   Makefile
	modified:   cmd/testdata/mta-sbom/mta.yaml
	modified:   internal/artifacts/sbom.go

* modified:   .circleci/config.yml
	modified:   Dockerfile_mbtci_template
	modified:   Makefile

* feat(cycloneDX merge): remove duplicates, adapt sbom

* chore: update cycloneDX cli version

* chore: add comments

* chore: fix linting issue

* chore: adapt comment

* fix: properly open file for writing

* modified:   .circleci/config.yml
	modified:   Makefile
	modified:   internal/artifacts/sbom.go
	modified:   internal/commands/commands.go

---------

Co-authored-by: Young Yang <young.yang03@sap.com>

Author: OliverNocon

.circleci/config.yml

@@ -120,7 +120,7 @@ jobs:
       - run:
           name: install cyclonedx-cli
           command: |
-            CYCLONEDX_CLI_VERSION=0.24.2
+            CYCLONEDX_CLI_VERSION=0.27.1
             CYCLONEDX_BINARY_NAME=cyclonedx
             CYCLONEDX_ARCH=x64
             CYCLONEDX_OS=linux
@@ -133,7 +133,7 @@ jobs:
           name: install cyclonedx-gomod
           command: |
             echo "cyclonedx-gomod version"
-            go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest
+            go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@v1.4.0
             cyclonedx-gomod version
       - run:
           name: install cyclonedx-npm
@@ -305,7 +305,7 @@ jobs:
             #Push to GitHub Container Registry
             echo "$CLOUD_MTA_BOT_GITHUB_TOKEN" | docker login "ghcr.io" --username $CLOUD_MTA_BOT_USER --password-stdin
             sh $PWD/scripts/publish_image 11.0.17 14.21.1 ${MBT_VERSION} "ghcr.io/sap"
-  
+
   publish-to-dockerhub-java11-node16:
     docker:
       - image: cimg/go:1.19
@@ -337,7 +337,7 @@ jobs:
             #Push to GitHub Container Registry
             echo "$CLOUD_MTA_BOT_GITHUB_TOKEN" | docker login "ghcr.io" --username $CLOUD_MTA_BOT_USER --password-stdin
             sh $PWD/scripts/publish_image 11.0.17 16.18.1 ${MBT_VERSION} "ghcr.io/sap"
-  
+
   publish-to-dockerhub-java11-node18:
     docker:
       - image: cimg/go:1.19
@@ -433,7 +433,7 @@ jobs:
             #Push to GitHub Container Registry
             echo "$CLOUD_MTA_BOT_GITHUB_TOKEN" | docker login "ghcr.io" --username $CLOUD_MTA_BOT_USER --password-stdin
             sh $PWD/scripts/publish_image 17.0.12 14.21.1 ${MBT_VERSION} "ghcr.io/sap"
-  
+
   publish-to-dockerhub-java17-node16:
     docker:
       - image: cimg/go:1.19
@@ -465,7 +465,7 @@ jobs:
             #Push to GitHub Container Registry
             echo "$CLOUD_MTA_BOT_GITHUB_TOKEN" | docker login "ghcr.io" --username $CLOUD_MTA_BOT_USER --password-stdin
             sh $PWD/scripts/publish_image 17.0.12 16.18.1 ${MBT_VERSION} "ghcr.io/sap"
-  
+
   publish-to-dockerhub-java17-node18:
     docker:
       - image: cimg/go:1.19
@@ -497,7 +497,7 @@ jobs:
             #Push to GitHub Container Registry
             echo "$CLOUD_MTA_BOT_GITHUB_TOKEN" | docker login "ghcr.io" --username $CLOUD_MTA_BOT_USER --password-stdin
             sh $PWD/scripts/publish_image 17.0.12 18.20.4 ${MBT_VERSION} "ghcr.io/sap"
-  
+
   publish-to-dockerhub-java17-node20:
     docker:
       - image: cimg/go:1.19
@@ -529,7 +529,7 @@ jobs:
             #Push to GitHub Container Registry
             echo "$CLOUD_MTA_BOT_GITHUB_TOKEN" | docker login "ghcr.io" --username $CLOUD_MTA_BOT_USER --password-stdin
             sh $PWD/scripts/publish_image 17.0.12 20.15.1 ${MBT_VERSION} "ghcr.io/sap"
-  
+
   publish-to-dockerhub-java19-node14:
     docker:
       - image: cimg/go:1.19
@@ -561,7 +561,7 @@ jobs:
             #Push to GitHub Container Registry
             echo "$CLOUD_MTA_BOT_GITHUB_TOKEN" | docker login "ghcr.io" --username $CLOUD_MTA_BOT_USER --password-stdin
             sh $PWD/scripts/publish_image 19.0.1 14.21.1 ${MBT_VERSION} "ghcr.io/sap"
-  
+
   publish-to-dockerhub-java19-node16:
     docker:
       - image: cimg/go:1.19
@@ -593,7 +593,7 @@ jobs:
             #Push to GitHub Container Registry
             echo "$CLOUD_MTA_BOT_GITHUB_TOKEN" | docker login "ghcr.io" --username $CLOUD_MTA_BOT_USER --password-stdin
             sh $PWD/scripts/publish_image 19.0.1 16.18.1 ${MBT_VERSION} "ghcr.io/sap"
-  
+
   publish-to-dockerhub-java19-node18:
     docker:
       - image: cimg/go:1.19
@@ -688,7 +688,7 @@ jobs:
             #Push to GitHub Container Registry
             echo "$CLOUD_MTA_BOT_GITHUB_TOKEN" | docker login "ghcr.io" --username $CLOUD_MTA_BOT_USER --password-stdin
             sh $PWD/scripts/publish_image 21.0.4 18.20.4 ${MBT_VERSION} "ghcr.io/sap"
-  
+
   publish-to-dockerhub-java21-node20:
     docker:
       - image: cimg/go:1.19
@@ -782,7 +782,7 @@ jobs:
             #Push to GitHub Container Registry
             echo "$CLOUD_MTA_BOT_GITHUB_TOKEN" | docker login "ghcr.io" --username $CLOUD_MTA_BOT_USER --password-stdin
             sh $PWD/scripts/publish_image 22.0.2 18.20.4 ${MBT_VERSION} "ghcr.io/sap"
-  
+
   publish-to-dockerhub-java22-node20:
     docker:
       - image: cimg/go:1.19
@@ -877,7 +877,7 @@ jobs:
             git fetch
             git rebase
       - run:
-          # mbt is an unscoped package, do not need to add "--access public" option in npm publish cmd 
+          # mbt is an unscoped package, do not need to add "--access public" option in npm publish cmd
           name: publish to npm
           command: |
             echo "//registry.npmjs.org/:_authToken=$CLOUD_MTA_BOT_NPM_TOKEN" > .npmrc

Dockerfile_mbtci_template

@@ -10,7 +10,7 @@ ARG MAVEN_VERSION=3.9.4
 ARG UI5_VERSION=2.14.19
 ARG MAVEN_BASE_URL=https://downloads.apache.org/maven/maven-3/${MAVEN_VERSION}/binaries
 ARG SAPMACHINE_VERSION=JAVA_VERSION_TEMPLATE
-ARG CYCLONEDX_CLI_VERSION=0.24.2
+ARG CYCLONEDX_CLI_VERSION=0.27.1
 ARG CYCLONEDX_CLI_BINARY=cyclonedx
 ARG CYCLONEDX_GOMOD_VERSION=1.4.0
 ARG CYCLONEDX_GOMOD_BINARY=cyclonedx-gomod

Makefile

@@ -4,7 +4,8 @@
 # Execute go build
 # Copy files to machine go/bin folder (temp target to avoid manual steps when developing locally)
 
-all:format clean dir gen build-linux build-linux-arm build-darwin build-darwin-arm build-windows copy install-cyclonedx tests
+all:format clean dir gen build-linux build-linux-arm build-darwin build-darwin-arm build-windows copy install-cyclonedx
+# all:format clean dir gen build-linux build-linux-arm build-darwin build-darwin-arm build-windows copy install-cyclonedx tests
 .PHONY: build-darwin-arm build-darwin build-linux build-linux-arm build-windows tests
 
 GOCMD=go
@@ -17,11 +18,11 @@ BUILD  = $(CURDIR)/release
 
 # cyclonedx-cli
 CYCLONEDX_CLI_BINARY = cyclonedx
-CYCLONEDX_CLI_VERSION = 0.24.2
+CYCLONEDX_CLI_VERSION = 0.27.1
 
 # cyclonedx-gomod
 CYCLONEDX_GOMOD_BINARY = cyclonedx-gomod
-CYCLONEDX_GOMOD_VERSION = latest
+CYCLONEDX_GOMOD_VERSION = v1.4.0
 
 # cyclonedx_npm
 CYCLONEDX_NPM_PACKAGE = @cyclonedx/cyclonedx-npm

cmd/testdata/mta-sbom/mta.yaml

@@ -1,46 +1,52 @@
 ID: mta_sbom_test_app
-_schema-version: '2.1'
+_schema-version: "2.1"
 version: 0.0.1
 
 modules:
-- name: node-module
-  type: nodejs
-  path: nodejs
-  provides:
-  - name: node-js_api
+  - name: node-module
+    type: nodejs
+    path: nodejs
+    provides:
+      - name: node-js_api
+        properties:
+          url: ${default-url}
+    build-parameters:
+      requires:
+        - name: java-module
+
+  - name: java-module
+    type: java
+    path: java
     properties:
-        url: ${default-url}
-  build-parameters:
-    requires:
-      - name: java-module
- 
-- name: java-module
-  type: java
-  path: java
-  properties:
-    MEMORY_CALCULATOR_V1: true
-  build-parameters:
-    requires:
-      - name: go-module
+      MEMORY_CALCULATOR_V1: true
+    build-parameters:
+      requires:
+        - name: go-module
 
-- name: go-module
-  type: go
-  path: golang
-  parameters:
-    memory: 512M
-    disk-quota: 256M
-  properties:
-    MEMORY_CALCULATOR_V1: true
-  build-parameters:
-    builder: golang
-    requires:
-      - name: custom-module
+  - name: go-module
+    type: go
+    path: golang
+    parameters:
+      memory: 512M
+      disk-quota: 256M
+    properties:
+      MEMORY_CALCULATOR_V1: true
+    build-parameters:
+      builder: golang
+      requires:
+        - name: custom-module
 
-- name: custom-module
-  type: html5
-  path: nodejs
-  build-parameters:
-    builder: custom
-    commands:
-      - sh -c 'echo customer builder'
+  - name: custom-module
+    type: html5
+    path: nodejs
+    build-parameters:
+      builder: custom
+      commands:
+        - sh -c 'echo customer builder'
 
+  - name: node-module-test
+    type: nodejs
+    path: nodejs
+    build-parameters:
+      requires:
+        - name: java-module

go.mod

@@ -3,11 +3,10 @@ module github.com/SAP/cloud-mta-build-tool
 go 1.13
 
 require (
+	github.com/CycloneDX/cyclonedx-go v0.9.1
 	github.com/SAP/cloud-mta v1.0.6
 	github.com/deckarep/golang-set v1.7.1
 	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51
-	github.com/mattn/goveralls v0.0.11 // indirect
-	github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5 // indirect
 	github.com/onsi/ginkgo v1.16.2
 	github.com/onsi/gomega v1.13.0
 	github.com/pkg/errors v0.9.1