uv-sbom 2.0.1

SBOM generation tool for uv projects - Generate CycloneDX SBOMs from uv.lock files
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93

use crate::sbom_generation::domain::SbomMetadata;
use chrono::Utc;
use uuid::Uuid;

/// SbomGenerator service for generating SBOM metadata
///
/// This service contains pure business logic for SBOM metadata generation.
/// It creates metadata conforming to CycloneDX specification.
pub struct SbomGenerator;

impl SbomGenerator {
    /// Generates SBOM metadata with current timestamp and unique serial number
    ///
    /// # Arguments
    /// * `tool_name` - Name of the tool generating the SBOM
    /// * `tool_version` - Version of the tool
    ///
    /// # Returns
    /// SbomMetadata with generated timestamp and UUID serial number
    pub fn generate_metadata(tool_name: &str, tool_version: &str) -> SbomMetadata {
        let timestamp = Utc::now().to_rfc3339();
        let serial_number = format!("urn:uuid:{}", Uuid::new_v4());

        SbomMetadata::new(
            timestamp,
            tool_name.to_string(),
            tool_version.to_string(),
            serial_number,
        )
    }

    /// Generates SBOM metadata with default tool information (uv-sbom)
    ///
    /// This uses the compile-time version from Cargo.toml
    pub fn generate_default_metadata() -> SbomMetadata {
        Self::generate_metadata("uv-sbom", env!("CARGO_PKG_VERSION"))
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_generate_metadata() {
        let metadata = SbomGenerator::generate_metadata("test-tool", "1.0.0");

        assert_eq!(metadata.tool_name(), "test-tool");
        assert_eq!(metadata.tool_version(), "1.0.0");
        assert!(metadata.serial_number().starts_with("urn:uuid:"));
        assert!(!metadata.timestamp().is_empty());
    }

    #[test]
    fn test_generate_default_metadata() {
        let metadata = SbomGenerator::generate_default_metadata();

        assert_eq!(metadata.tool_name(), "uv-sbom");
        assert_eq!(metadata.tool_version(), env!("CARGO_PKG_VERSION"));
        assert!(metadata.serial_number().starts_with("urn:uuid:"));
    }

    #[test]
    fn test_generate_metadata_timestamp_format() {
        let metadata = SbomGenerator::generate_metadata("test-tool", "1.0.0");
        let timestamp = metadata.timestamp();

        // RFC3339 format should contain 'T' and timezone info
        assert!(timestamp.contains('T'));
        assert!(timestamp.contains('+') || timestamp.contains('Z'));
    }

    #[test]
    fn test_generate_metadata_unique_serial_numbers() {
        let metadata1 = SbomGenerator::generate_metadata("test-tool", "1.0.0");
        let metadata2 = SbomGenerator::generate_metadata("test-tool", "1.0.0");

        // Each generation should create a unique UUID
        assert_ne!(metadata1.serial_number(), metadata2.serial_number());
    }

    #[test]
    fn test_generate_metadata_uuid_format() {
        let metadata = SbomGenerator::generate_metadata("test-tool", "1.0.0");
        let serial = metadata.serial_number();

        // Verify UUID format: urn:uuid:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
        assert!(serial.starts_with("urn:uuid:"));
        let uuid_part = serial.strip_prefix("urn:uuid:").unwrap();
        assert_eq!(uuid_part.len(), 36); // UUID v4 length with hyphens
        assert_eq!(uuid_part.matches('-').count(), 4);
    }
}