Allow whitelisting dependencies in the list command

[AeroqualHayden]

I'm currently using the list command like so

sbom-utility \
    license list \
    --config-license /my-custom-policy-v0.1.0.json \
    -i /my-sbom.json \
    -o /license-error-summary.json \
    --where "usage-policy=needs-review|deny|UNDEFINED"

My use case for this is filtering out all the items in my SBOM that are not "approved" license categories.
This tool very conveniently returns a non zero status code when anything makes it though the filter, and gets displayed as a nice summary table. This is great, because it allows for easy human review, and should slot into a CI pipeline easily.

I'd like to do just that, and put this in my CI pipeline, so that I can prevent packages with unapproved licenses from making it into my repo. The only issue is that there's no way to whitelist packages that make it though the filter. This would be useful when you're using a package with a paid license and you want to allow that package at a particular version though ("allow My.Package.Name v1.2.*"), but you don't want to approve all packages with whatever that license type is.

Currently the solution to that is to parse the summary text table and try to filter that, which is a bit brittle. My hope was that the issue #76 resolves that by making the output JSON easier to parse in a program, and I can do my own whitelist and then draw a different summary table for the CI.

What would be ideal is some way to specify a file/filter that contains some whitelist of packages/versions that are allowed, similar to the config-license input. This way, I wouldn't need my own tool, I could make the license checking happen all using CycloneDx tooling. Not sure what the best way to achieve this is though, probably needs a bit more thought. I tried to have a punt at using more regex in the where clause, but I found it didn't work as the regex module in go doesn't allow the reverse lookahead, so I can't specify "everything that needs review and is undefined BUT isn't package blah).

Not sure if there's an easier way to do this either!

[mrutkows]

@AeroqualHayden I believe that I grasp the need and have personally had similar "whitelisting" thoughts in the past. However, I had hoped via being able to provide a custom policy config. as well as the regex. that most of those needs could be met.

I do know that diff. regex. impls. always have their drawbacks, especially Go... would it be possible for you to share the policy config and sbom input files you used on the command above and perhaps share the actual output and desired output (so I can assure fidelity with what you are seeing). Want to understand the issue and give it some thought and discuss with you more if possible.

and thanks for providing an interesting issue ;)

My initial reaction/belief is that a new input flag would be needed to provide the "whitelist" to the policy command.

[mrutkows]

As a stopgap, perhaps multiple calls in the CI to get the UNDEFINED list separately from the needs-review|deny list could be done?

[mrutkows]

@AeroqualHayden If you can give me a concrete test (SBOM, policy config.) and the desired output, I can perhaps look at it today (but my window is short this week).

[AeroqualHayden]

Thanks for having a think about this @mrutkows, really appreciate it!

I've just pinched the SBOM from this repo (https://github.com/CycloneDX/sbom-utility/blob/main/license.json), and modified some of the usagePolicy/annotationRefs to suit my requirements. As far as I'm aware, aside from adding different license types, that's about all you can/need to do with this file.

Here's an example file that I get if I ran an SBOM for an example .NET app through with the policy above: https://gist.github.com/AeroqualHayden/52c608f41d436c05102424bb3fd48da5
I might use a command like this to achieve that output:

sbom-utility \
    license list \
    --config-license example-license-policy-v0.0.1.json \
    -i sbom-net.json \
    -o license-error-summary.json \
    --where "usage-policy=needs-review|deny|UNDEFINED" \
    --format json \
    --summary 

The where filter does a good job of getting rid of most of the stuff that's fine (bye bye MIT licensed things!), but I'm left with all the things that need review. What I'd love, is to be able to do is keep using that where filter and that schema, but add and extra layer of filters that let me say "ignore Microsoft.NETCore.Platforms at version 2.x.x, I know what I'm doing here, and I'm OK with including it". Maybe you can add that to the schema and I've missed that, I'm not sure!

If I had all those filters in place, then anything that did appear in the summary text view would be cause for breaking the CI build, because it's some new dependency that has a license nobody was aware of. I could write that extra filter myself, now I have some handy new JSON outputs, but I thought it would be pretty cool if I could use all the CycloneDX tools to create/collate/analyse the SBOMs all in a single script.

I don't have an SBOM handy right at the moment, but I can have a go a generating one tomorrow if required. The input SBOM isn't that critical, as any old input with something "undefined" in it will be a good example.

Not sure how you would provide the whitelist, maybe another JSON file that lets you list the package reference and version?

[mrutkows]

@AeroqualHayden Hmm, have some time to think about this now that it is "end of year" vacation and all... was wondering if you have tried (for now) using a regex expression (OR'ed) on the where clause that would look for specific packages/version patterns?

In parallel, I am thinking about the best way to attack this still that maintains existing code patterns for all commands.

Also, would appreciate if you could attach the input SBOM (i.e.,sbom-net.json) and perhaps my-custom-policy-v0.1.0.json as well, so I can use that to test any code changes against?