uv-sbom 2.3.0

SBOM generation tool for uv projects - Generate CycloneDX SBOMs from uv.lock files
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68

use crate::sbom_generation::domain::LicenseInfo;
use crate::shared::Result;
use async_trait::async_trait;

/// Type alias for PyPI metadata: (license, license_expression, classifiers, description, sha256_hash)
pub type PyPiMetadata = (
    Option<String>,
    Option<String>,
    Vec<String>,
    Option<String>,
    Option<String>,
);

/// LicenseRepository port for fetching license information
///
/// This port abstracts the external data source (e.g., PyPI API)
/// used to retrieve license and description information for packages.
///
/// # Async Support
/// All methods are async for efficient parallel license fetching.
/// Implementations must be `Send + Sync` to support concurrent access.
#[async_trait]
pub trait LicenseRepository: Send + Sync {
    /// Fetches license information for a specific package version
    ///
    /// # Arguments
    /// * `package_name` - Name of the package
    /// * `version` - Version of the package
    ///
    /// # Returns
    /// PyPiMetadata tuple containing:
    /// - Optional license field from package metadata
    /// - Optional license_expression field from package metadata
    /// - List of classifiers from package metadata
    /// - Optional package description/summary
    ///
    /// # Errors
    /// Returns an error if:
    /// - The network request fails
    /// - The API returns an error status code
    /// - The response cannot be parsed
    async fn fetch_license_info(&self, package_name: &str, version: &str) -> Result<PyPiMetadata>;

    /// Enriches a package with license information from the repository
    ///
    /// This is a convenience method that fetches raw data and converts
    /// it to a LicenseInfo domain object using license priority rules.
    ///
    /// # Arguments
    /// * `package_name` - Name of the package
    /// * `version` - Version of the package
    ///
    /// # Returns
    /// A LicenseInfo object with the selected license and description
    async fn enrich_with_license(&self, package_name: &str, version: &str) -> Result<LicenseInfo> {
        let (license, license_expression, classifiers, description, sha256_hash) =
            self.fetch_license_info(package_name, version).await?;

        use crate::sbom_generation::policies::LicensePriority;
        Ok(LicensePriority::create_license_info(
            license,
            license_expression,
            &classifiers,
            description,
        )
        .with_sha256_hash(sha256_hash))
    }
}