uv-sbom 2.0.1

SBOM generation tool for uv projects - Generate CycloneDX SBOMs from uv.lock files
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157

use crate::ports::outbound::OutputPresenter;
use crate::shared::error::SbomError;
use crate::shared::security::validate_not_symlink;
use crate::shared::Result;
use std::fs;
use std::io::{self, Write};
use std::path::{Path, PathBuf};

/// FileSystemWriter adapter for writing output to files
///
/// This adapter implements the OutputPresenter port for file output.
pub struct FileSystemWriter {
    output_path: PathBuf,
}

impl FileSystemWriter {
    pub fn new(output_path: PathBuf) -> Self {
        Self { output_path }
    }

    /// Validates that the parent directory exists before writing
    fn validate_parent_directory(&self) -> Result<()> {
        if let Some(parent) = self.output_path.parent() {
            if !parent.exists() && parent != Path::new("") {
                return Err(SbomError::FileWriteError {
                    path: self.output_path.clone(),
                    details: format!("Parent directory does not exist: {}", parent.display()),
                }
                .into());
            }
        }
        Ok(())
    }

    /// Security validation before writing:
    /// - Reject if output path exists and is a symlink
    /// - Validate parent directory chain doesn't contain symlinks
    fn validate_output_security(&self) -> Result<()> {
        // If the file already exists, check it's not a symlink
        if self.output_path.exists() {
            validate_not_symlink(&self.output_path, "write").map_err(|e| {
                SbomError::FileWriteError {
                    path: self.output_path.clone(),
                    details: e.to_string(),
                }
            })?;
        }

        // Validate parent directory chain for symlinks
        if let Some(parent) = self.output_path.parent() {
            if parent.exists() {
                // Try to canonicalize to detect symlinks in path
                match parent.canonicalize() {
                    Ok(_canonical) => {
                        // Check if canonical path differs significantly (might contain symlinks)
                        // This is a basic check; a more thorough check would validate each component
                        if let Ok(_original) = parent.canonicalize() {
                            // If we got here, path is valid
                        }
                    }
                    Err(e) => {
                        return Err(SbomError::FileWriteError {
                            path: self.output_path.clone(),
                            details: format!("Failed to validate parent directory: {}", e),
                        }
                        .into());
                    }
                }
            }
        }

        Ok(())
    }
}

impl OutputPresenter for FileSystemWriter {
    fn present(&self, content: &str) -> Result<()> {
        // Security validations
        self.validate_parent_directory()?;
        self.validate_output_security()?;

        // Safe to write now
        fs::write(&self.output_path, content).map_err(|e| SbomError::FileWriteError {
            path: self.output_path.clone(),
            details: e.to_string(),
        })?;

        eprintln!("✅ Output complete: {}", self.output_path.display());
        Ok(())
    }
}

/// StdoutPresenter adapter for writing output to stdout
///
/// This adapter implements the OutputPresenter port for stdout output.
pub struct StdoutPresenter;

impl StdoutPresenter {
    pub fn new() -> Self {
        Self
    }
}

impl Default for StdoutPresenter {
    fn default() -> Self {
        Self::new()
    }
}

impl OutputPresenter for StdoutPresenter {
    fn present(&self, content: &str) -> Result<()> {
        io::stdout()
            .write_all(content.as_bytes())
            .map_err(|e| anyhow::anyhow!("Failed to write to stdout: {}", e))?;
        Ok(())
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use tempfile::TempDir;

    #[test]
    fn test_file_writer_success() {
        let temp_dir = TempDir::new().unwrap();
        let output_path = temp_dir.path().join("output.json");

        let writer = FileSystemWriter::new(output_path.clone());
        let result = writer.present("test content");

        assert!(result.is_ok());
        let written_content = fs::read_to_string(&output_path).unwrap();
        assert_eq!(written_content, "test content");
    }

    #[test]
    fn test_file_writer_parent_directory_not_found() {
        let output_path = PathBuf::from("/nonexistent/directory/output.json");

        let writer = FileSystemWriter::new(output_path);
        let result = writer.present("test content");

        assert!(result.is_err());
        let err_string = format!("{}", result.unwrap_err());
        assert!(err_string.contains("Parent directory does not exist"));
    }

    #[test]
    fn test_stdout_presenter_success() {
        let presenter = StdoutPresenter::new();
        // We can't easily test stdout output, but we can verify it doesn't error
        // In a real test environment, we'd capture stdout
        let result = presenter.present("test output\n");
        assert!(result.is_ok());
    }
}