aamedina · August 21, 2023 21:34
diff --git a/sbom.clj b/sbom.clj
 (in-ns 'dev)

 ; this function creates a database suitable for testing the system with a complete datomic schema derived from loaded RDF models (SPDX etc)

 (def boot-db (db/test-bootstrap (:db system)))

 ; make-test-db forks the boot-db with tx-data parsed from the SPDX SBOM (RDF/XML) and lightly massages it for Datomic:
 ; note how any conforming SPDX RDF SBOM can be ingested 

 (def sbom (make-test-db boot-db [(rdf/parse "https://github.com/spdx/spdx-spec/raw/development/v2.3.1/examples/SPDXRdfExample-v2.3.spdx.rdf.xml")]))

 ; use a lookup ref to pull the attributes of the SpdxDocument entity that describes this package
 (d/pull sbom '[*] [:rdfa/uri "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#SPDXRef-DOCUMENT"])

 ; =>

 {:rdf/type [{:db/id 83562883722763, :db/ident :spdx/SpdxDocument}],
 :spdx/name ["SPDX-Tools-v2.0"],
 :spdx/annotation
 [{:db/id 136339441939109}
  {:db/id 136339441939114}
  {:db/id 136339441939145}],
 :rdfa/uri
 "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#SPDXRef-DOCUMENT",
 :spdx/externalDocumentRef [{:db/id 136339441939131}],
 :db/id 136339441939130,
 :rdfs/comment
 ["This document was created using SPDX 2.0 using licenses from the web site."],
 :spdx/creationInfo [{:db/id 136339441939148}],
 :spdx/specVersion ["SPDX-2.3"],
 :spdx/relationship
 [{:db/id 136339441939158}
  {:db/id 136339441939162}
  {:db/id 136339441939167}
  {:db/id 136339441939193}],
 :spdx/hasExtractedLicensingInfo
 [{:db/id 136339441939116}
  {:db/id 136339441939119}
  {:db/id 136339441939125}
  {:db/id 136339441939132}
  {:db/id 136339441939133}],
 :spdx/dataLicense [{:db/id 92358976769109}]}

 ;; the :db/id identifies each node in the graph and can be queried with Datalog

 (comment
 ; find me all packages in the sbom built before 2013 
 ; (there is only one in this example SBOM graph)
 
 (d/q '[:find (pull ?e [*])
        :where
        [?e :rdf/type :spdx/Package]
        [?e :spdx/builtDate ?date]
        [(< ?date #inst "2013")]]
      sbom)
 ; =>
 [[{:rdf/type [{:db/id 92358976753691, :db/ident :spdx/Package}],
   :spdx/builtDate [#inst "2011-01-29T18:30:22.000-00:00"],
   :spdx/name ["glibc"],
   :spdx/description
   ["The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems."],
   :spdx/sourceInfo
   ["uses glibc-2_11-branch from git://sourceware.org/git/glibc.git."],
   :spdx/originator
   ["Organization: ExampleCodeInspect ([email protected])"],
   :spdx/annotation [{:db/id 136339441939205}],
   :spdx/primaryPackagePurpose
   [{:db/id 74766790709537, :db/ident :spdx/purpose_source}],
   :spdx/attributionText
   ["The GNU C Library is free software.  See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed.  License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually."],
   :spdx/filesAnalyzed [true],
   :spdx/checksum
   [{:db/id 136339441939103}
    {:db/id 136339441939115}
    {:db/id 136339441939142}
    {:db/id 136339441939197}],
   :rdfa/uri
   "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#SPDXRef-Package",
   :spdx/licenseInfoFromFiles
   [{:db/id 136339441939119}
    {:db/id 136339441939120}
    {:db/id 136339441939133}],
   :spdx/downloadLocation [{:db/id 136339441939199}],
   :spdx/licenseDeclared [{:db/id 136339441939123}],
   :spdx/copyrightText ["Copyright 2008-2010 John Smith"],
   :spdx/validUntilDate [#inst "2014-01-29T18:30:22.000-00:00"],
   :spdx/packageFileName ["glibc-2.11.1.tar.gz"],
   :spdx/licenseConcluded [{:db/id 136339441939179}],
   :spdx/licenseComments
   ["The license for this project changed with the release of version x.y.  The version of the project included here post-dates the license change."],
   :db/id 136339441939153,
   :spdx/externalRef
   [{:db/id 136339441939104} {:db/id 136339441939195}],
   :spdx/supplier ["Person: Jane Doe ([email protected])"],
   :spdx/releaseDate [#inst "2012-01-29T18:30:22.000-00:00"],
   :spdx/relationship
   [{:db/id 136339441939134}
    {:db/id 136339441939176}
    {:db/id 136339441939180}
    {:db/id 136339441939194}
    {:db/id 136339441939203}],
   :spdx/versionInfo ["2.11.1"],
   :spdx/summary ["GNU C library."],
   :doap/homepage [{:db/id 136339441939200}],
   :spdx/packageVerificationCode [{:db/id 136339441939187}]}]])
	(in-ns 'dev)

	; this function creates a database suitable for testing the system with a complete datomic schema derived from loaded RDF models (SPDX etc)

	(def boot-db (db/test-bootstrap (:db system)))

	; make-test-db forks the boot-db with tx-data parsed from the SPDX SBOM (RDF/XML) and lightly massages it for Datomic:
	; note how any conforming SPDX RDF SBOM can be ingested

	(def sbom (make-test-db boot-db [(rdf/parse "https://github.com/spdx/spdx-spec/raw/development/v2.3.1/examples/SPDXRdfExample-v2.3.spdx.rdf.xml")]))

	; use a lookup ref to pull the attributes of the SpdxDocument entity that describes this package
	(d/pull sbom '[*] [:rdfa/uri "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#SPDXRef-DOCUMENT"])

	; =>

	{:rdf/type [{:db/id 83562883722763, :db/ident :spdx/SpdxDocument}],
	:spdx/name ["SPDX-Tools-v2.0"],
	:spdx/annotation
	[{:db/id 136339441939109}
	{:db/id 136339441939114}
	{:db/id 136339441939145}],
	:rdfa/uri
	"http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#SPDXRef-DOCUMENT",
	:spdx/externalDocumentRef [{:db/id 136339441939131}],
	:db/id 136339441939130,
	:rdfs/comment
	["This document was created using SPDX 2.0 using licenses from the web site."],
	:spdx/creationInfo [{:db/id 136339441939148}],
	:spdx/specVersion ["SPDX-2.3"],
	:spdx/relationship
	[{:db/id 136339441939158}
	{:db/id 136339441939162}
	{:db/id 136339441939167}
	{:db/id 136339441939193}],
	:spdx/hasExtractedLicensingInfo
	[{:db/id 136339441939116}
	{:db/id 136339441939119}
	{:db/id 136339441939125}
	{:db/id 136339441939132}
	{:db/id 136339441939133}],
	:spdx/dataLicense [{:db/id 92358976769109}]}

	;; the :db/id identifies each node in the graph and can be queried with Datalog

	(comment
	; find me all packages in the sbom built before 2013
	; (there is only one in this example SBOM graph)

	(d/q '[:find (pull ?e [*])
	:where
	[?e :rdf/type :spdx/Package]
	[?e :spdx/builtDate ?date]
	[(< ?date #inst "2013")]]
	sbom)
	; =>
	[[{:rdf/type [{:db/id 92358976753691, :db/ident :spdx/Package}],
	:spdx/builtDate [#inst "2011-01-29T18:30:22.000-00:00"],
	:spdx/name ["glibc"],
	:spdx/description
	["The GNU C Library defines functions that are specified by the ISO C standard, as well as additional features specific to POSIX and other derivatives of the Unix operating system, and extensions specific to GNU systems."],
	:spdx/sourceInfo
	["uses glibc-2_11-branch from git://sourceware.org/git/glibc.git."],
	:spdx/originator
	["Organization: ExampleCodeInspect ([email protected])"],
	:spdx/annotation [{:db/id 136339441939205}],
	:spdx/primaryPackagePurpose
	[{:db/id 74766790709537, :db/ident :spdx/purpose_source}],
	:spdx/attributionText
	["The GNU C Library is free software. See the file COPYING.LIB for copying conditions, and LICENSES for notices about a few contributions that require these additional notices to be distributed. License copyright years may be listed using range notation, e.g., 1996-2015, indicating that every year in the range, inclusive, is a copyrightable year that would otherwise be listed individually."],
	:spdx/filesAnalyzed [true],
	:spdx/checksum
	[{:db/id 136339441939103}
	{:db/id 136339441939115}
	{:db/id 136339441939142}
	{:db/id 136339441939197}],
	:rdfa/uri
	"http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#SPDXRef-Package",
	:spdx/licenseInfoFromFiles
	[{:db/id 136339441939119}
	{:db/id 136339441939120}
	{:db/id 136339441939133}],
	:spdx/downloadLocation [{:db/id 136339441939199}],
	:spdx/licenseDeclared [{:db/id 136339441939123}],
	:spdx/copyrightText ["Copyright 2008-2010 John Smith"],
	:spdx/validUntilDate [#inst "2014-01-29T18:30:22.000-00:00"],
	:spdx/packageFileName ["glibc-2.11.1.tar.gz"],
	:spdx/licenseConcluded [{:db/id 136339441939179}],
	:spdx/licenseComments
	["The license for this project changed with the release of version x.y. The version of the project included here post-dates the license change."],
	:db/id 136339441939153,
	:spdx/externalRef
	[{:db/id 136339441939104} {:db/id 136339441939195}],
	:spdx/supplier ["Person: Jane Doe ([email protected])"],
	:spdx/releaseDate [#inst "2012-01-29T18:30:22.000-00:00"],
	:spdx/relationship
	[{:db/id 136339441939134}
	{:db/id 136339441939176}
	{:db/id 136339441939180}
	{:db/id 136339441939194}
	{:db/id 136339441939203}],
	:spdx/versionInfo ["2.11.1"],
	:spdx/summary ["GNU C library."],
	:doap/homepage [{:db/id 136339441939200}],
	:spdx/packageVerificationCode [{:db/id 136339441939187}]}]])