- Dec 08, 2024
Jamie Tanna authored
As part of #616, we want to flag differences in major version of Renovate. To do so, we should parse this out of the Renovate data, where available. This is a step towards #36.
-
- Nov 18, 2024
Jamie Tanna authored
As part of a prefactor to allow for further instrumentation in #621, we should pass a `context.Context` to our parsing code.
-
- Oct 28, 2024
Jamie Tanna authored
As we're not using the variable that was being passed in, even though it generally should have the same value.
-
Jamie Tanna authored
When importing a set of debug logs/Report, we can't automagically determine the `platform` for the Repo Key, as it's not provided in the export. Instead of hardcoding this, and requiring post-processing by the user, we can instead provide a `--platform` parameter on the import which makes this easier.
-
- Apr 24, 2024
Jamie Tanna authored
-
Jamie Tanna authored
As spotted in #558, the binaries we're building don't have a valid version:

```
./dmd --version
dmd version (devel) (Built from Git SHA f25ab912)
```

We should make sure that we prioritise the - default behaviour[0] - of `goreleaser` to set `main.version`, `main.commit` and `main.date`, and then fall back to `versioninfo` to pick up any `go install`s.

We ignore `main.date`, as we don't care about it, and instead populate `main.short`.

Closes #558.

[0]: https://goreleaser.com/cookbooks/using-main.version/
- Apr 18, 2024
Jamie Tanna authored
It's easier if it's made explicit as a field, especially ahead of changes in #530.
-
- Mar 07, 2024
Jamie Tanna authored
-
- Feb 22, 2024
Jamie Tanna authored
As a follow-up to #370, we should then wire in the references to the new cookbook.
-
- Jan 26, 2024
Jamie Tanna authored
As part of #260, we want to be able to look up dependencies in https://Ecosyste.ms via their pURL, which we need to expose as part of the `renovate` package, instead of it being inside the `renovate-to-sbom` command.
-
- Jan 16, 2024
Jamie Tanna authored
-
Jamie Tanna authored
-
Jamie Tanna authored
-
Jamie Tanna authored
-
Jamie Tanna authored
-
Jamie Tanna authored
-
Jamie Tanna authored
-
As part of #412, it is noted that GitHub validates the pURL types[0] that are sent to it, only allowing "known" pURL types to be consumed.

To make `renovate-to-sbom` a little more strict, we can use a new flag, `only-include-known-purl-types`, which will trim the dependency output to ensure that

This also adds a log notification to make sure it's visible that they're being skipped.

We can use a `map` of `struct{}` to:

  - make sure we have an indication of the pURL `type`s that are skipped
  - are removing duplicates in the list of names
  - reduce the allocations with a `struct{}`

Closes #412.

[0]: https://github.com/package-url/purl-spec/issues/286
- Nov 03, 2023
Jamie Tanna authored
To make it possible to generate SBOMs from Renovate data, we can create a CLI to consume Renovate debug log, or renovate-graph exports, and then produce an SBOM for that data.

This takes advantage of the internal handling we have in DMD for the Renovate exports, and converts it to the underlying SPDX or CycloneDX models.

This introduces:

  - The scaffolding for the CLI
  - The ability to convert Renovate's `PackageManager`/`Datasource` combination to a Package URL via the new `PurlTypeDeriver` type
  - Support for the latest SPDX and CycloneDX specs (with JSON output)
  - The ability to add new formats

Closes #55.
-