feat(cli): add merge subcommand

We add the merge subcommand which runs against a download directory and
creates combined archive files, which can be used as input to license
clearing tools that only support a single archive per component.

Signed-off-by: Felix Moessbauer <[email protected]>

Author: fmoessbauer

README.md

@@ -9,20 +9,22 @@ Source packages are especially relevant for security as CVEs in the Debian ecosy
 ## Usage
 
 ```
-usage: debsbom [-h] [--version] [-v] [--progress] {generate,download} ...
+usage: debsbom [-h] [--version] [-v] [--progress] {generate,download,merge} ...
 
 SBOM tool for Debian systems.
 
 positional arguments:
-  {generate,download}  sub command help
-    generate           generate a SBOM for a Debian system
-    download           download referenced packages
+  {generate,download,merge}
+                        sub command help
+    generate            generate a SBOM for a Debian system
+    download            download referenced packages
+    merge               merge referenced source packages
 
 options:
-  -h, --help           show this help message and exit
-  --version            show program's version number and exit
-  -v, --verbose        be more verbose
-  --progress           report progress
+  -h, --help            show this help message and exit
+  --version             show program's version number and exit
+  -v, --verbose         be more verbose
+  --progress            report progress
 ```
 
 ## Limitations

src/debsbom/cli.py

@@ -13,6 +13,8 @@
 from urllib.parse import urlparse
 from pathlib import Path
 
+from debsbom.download import Compression, SourceArchiveMerger
+
 from .dpkg import package
 from .generate import Debsbom, SBOMType
 from .download import PackageDownloader, PackageResolver, PersistentResolverCache
@@ -198,6 +200,42 @@ def setup_parser(parser):
         parser.add_argument("--binaries", help="download binary packages", action="store_true")
 
 
+class MergeCmd:
+    """
+    Processes an SBOM and merges the .orig and .debian tarballs. The tarballs have to be
+    downloaded first.
+    """
+
+    @staticmethod
+    def run(args):
+        pkgdir = Path(args.pkgdir)
+        outdir = Path(args.outdir or args.pkgdir)
+        compress = Compression.from_tool(args.compress if args.compress != "no" else None)
+        resolver = PackageResolver.create(Path(args.bomfile))
+        merger = SourceArchiveMerger(pkgdir, outdir, compress)
+        pkgs = list(resolver.sources())
+        for idx, pkg in enumerate(pkgs):
+            if args.progress:
+                progress_cb(idx, len(pkgs), pkg.name)
+            merger.merge(pkg)
+
+    @staticmethod
+    def setup_parser(parser):
+        parser.add_argument("bomfile", help="sbom file to process")
+        parser.add_argument(
+            "--pkgdir", default="downloads", help="directory with downloaded packages"
+        )
+        parser.add_argument(
+            "--outdir", default="downloads", help="directory to store the merged files"
+        )
+        parser.add_argument(
+            "--compress",
+            help="compress merged tarballs (default: gzip)",
+            choices=["no"] + [c.tool for c in Compression.formats()],
+            default="gzip",
+        )
+
+
 def main():
     parser = argparse.ArgumentParser(
         prog="debsbom",
@@ -217,13 +255,16 @@ def main():
         subparser.add_parser("generate", help="generate a SBOM for a Debian system")
     )
     DownloadCmd.setup_parser(subparser.add_parser("download", help="download referenced packages"))
+    MergeCmd.setup_parser(subparser.add_parser("merge", help="merge referenced source packages"))
     args = parser.parse_args()
 
     try:
         if args.cmd == "generate":
             GenerateCmd.run(args)
         elif args.cmd == "download":
             DownloadCmd.run(args)
+        elif args.cmd == "merge":
+            MergeCmd.run(args)
     except Exception as e:
         print("debsbom: error: {}".format(e))
         if args.verbose >= 1: