@zeb33n zeb33n commented Aug 5, 2025

What type of PR is this?

/kind feature

What this PR does / why we need it:

Adds the todot sub command for bom document. This command dumps the contents of the provided SPDX file as a string of dotlang to stdout. This output can then be piped into a file for visualization by Graphviz or other related programs. This overcomes the visualization limitations of bom document outline detailed in kubernetes-sigs#530.

todot comes with a few CLI arguments to help filter large SBOMs into a more digestible graph.

  • --find finds the reverse dependencies of a given package
  • --subgraph promotes a node with the given SPDXID to root, ignoring all nodes that aren't descendants of the given node.
  • --depth sets the recursion depth.

For example, the SBOM:

```
SPDXVersion: SPDX-2.2
SPDXID: Document
DocumentName: Document


##### Package: glib

PackageName: glib
SPDXID: package-glib


##### Package: gnome

PackageName: gnome
SPDXID: package-gnome

##### Package: python

PackageName: python
SPDXID: package-python

##### Package: sqlite

PackageName: sqlite
SPDXID: package-sqlite

Relationship: package-glib CONTAINS package-python
Relationship: package-gnome CONTAINS package-python
Relationship: package-python CONTAINS package-sqlite
```

will produce the following DOT when run as `bom document todot file.spdx > file.dot`:

```
digraph {
"Document";
"Document" -> "package-gnome";
"package-gnome" [label="gnome" tooltip="SPXID: package-gnome\nversion: \nlicense: \nSupplier-Org:\nSupplier-Person: \nOriginator-Org: \nOriginator-Person: \nURL: " fontname = "monospace"];
"package-gnome" -> "package-python";
"package-python" [label="python" tooltip="SPXID: package-python\nversion: \nlicense: \nSupplier-Org:\nSupplier-Person: \nOriginator-Org: \nOriginator-Person: \nURL: " fontname = "monospace"];
"package-python" -> "package-sqlite";
"package-sqlite" [label="sqlite" tooltip="SPXID: package-sqlite\nversion: \nlicense: \nSupplier-Org:\nSupplier-Person: \nOriginator-Org: \nOriginator-Person: \nURL: " fontname = "monospace"];
"Document" -> "package-glib";
"package-glib" [label="glib" tooltip="SPXID: package-glib\nversion: \nlicense: \nSupplier-Org:\nSupplier-Person: \nOriginator-Org: \nOriginator-Person: \nURL: " fontname = "monospace"];
"package-glib" -> "package-python";
}
```

which, when rendered with Graphviz via `dot -Tpng file.dot > file.png`, produces the following PNG:

(image: file.png, the rendered graph)

Which issue(s) this PR fixes:

Fixes kubernetes-sigs#530

Special notes for your reviewer:

Does this PR introduce a user-facing change?

added the `todot` subcommand to `document`. This dumps a representation of the spdx graph to stdout as dotlang. 
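The graph operations the PR describes (a DOT dump of the SPDX relationship graph, `--find` for reverse dependencies, `--subgraph` to re-root, `--depth` to cut the recursion) are the same ones an incident responder needs when asking "which of our shipped components contain the affected package?". The following is an added example, not bom's own code and not how bom implements these flags: it parses only the `SPDXID`, `PackageName` and `Relationship` tags used in the sample above, treats `CONTAINS`, `DEPENDS_ON` and `DESCRIBES` as parent-to-child edges (an assumption), hangs packages that nothing points to off the document node as the PR output does, and omits bom's tooltip attributes. The `find`, `subgraph` and `depth` keyword names mirror the PR's flags but are this example's own, and the embedded SBOM is the PR's sample, constructed inline with the header lines dropped.

```python
# Added example (not bom's code): reimplements the graph steps behind
# `bom document todot` and its --find/--subgraph/--depth filters as the PR
# describes them, on a subset of SPDX 2.2 tag-value syntax.
import re
from collections import defaultdict

# Constructed input: the PR's sample SBOM with header and blank lines trimmed.
SAMPLE_SPDX = """\
SPDXID: Document
##### Package: glib
PackageName: glib
SPDXID: package-glib
PackageName: gnome
SPDXID: package-gnome
PackageName: python
SPDXID: package-python
PackageName: sqlite
SPDXID: package-sqlite
Relationship: package-glib CONTAINS package-python
Relationship: package-gnome CONTAINS package-python
Relationship: package-python CONTAINS package-sqlite
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")
EDGE_TYPES = {"CONTAINS", "DEPENDS_ON", "DESCRIBES"}  # drawn parent -> child (assumption)


def parse_spdx(text):
    """Return (doc_id, labels, edges): the first SPDXID, SPDXID -> PackageName,
    and parent SPDXID -> set(children). Packages nothing points to are hung
    off the document node, like the Document -> package-* edges in the PR."""
    doc_id, labels, edges, name = None, {}, defaultdict(set), None
    for line in text.splitlines():
        m = TAG_RE.match(line.strip())
        if not m:
            continue  # "##### Package: x" comments and blank lines
        tag, value = m.groups()
        if tag == "PackageName":
            name = value
        elif tag == "SPDXID":
            doc_id = doc_id or value
            labels[value] = name if name is not None else value
            name = None
        elif tag == "Relationship":
            parts = value.split()
            if len(parts) == 3 and parts[1] in EDGE_TYPES:
                edges[parts[0]].add(parts[2])
    children = {c for cs in edges.values() for c in cs}
    for node in labels:
        if node != doc_id and node not in children:
            edges[doc_id].add(node)
    return doc_id, labels, dict(edges)


def reverse_deps(edges, target):
    """Nodes from which `target` is reachable: --find, 'what contains this package?'"""
    parents = defaultdict(set)
    for p, cs in edges.items():
        for c in cs:
            parents[c].add(p)
    seen, stack = set(), [target]
    while stack:
        for p in parents[stack.pop()] - seen:
            seen.add(p)
            stack.append(p)
    return seen


def descendants(edges, root, depth=None):
    """Edges reachable from `root` (--subgraph), cut after `depth` hops (--depth)."""
    kept, seen, stack = [], {root}, [(root, 0)]
    while stack:
        n, d = stack.pop()
        if depth is not None and d >= depth:
            continue
        for c in sorted(edges.get(n, ())):
            kept.append((n, c))
            if c not in seen:  # a node reached twice expands its out-edges once
                seen.add(c)
                stack.append((c, d + 1))
    return kept


def to_dot(labels, edge_list):
    """Serialise edges as DOT, labelling each node with its PackageName."""
    nodes = list(dict.fromkeys(n for e in edge_list for n in e))
    lines = ["digraph {"]
    lines += ['  "%s" [label="%s"];' % (n, labels.get(n, n)) for n in nodes]
    lines += ['  "%s" -> "%s";' % e for e in edge_list]
    return "\n".join(lines + ["}"])


def render(text, find=None, subgraph=None, depth=None):
    """Whole pipeline; keyword names mirror the PR's flags but are this example's own."""
    doc_id, labels, edges = parse_spdx(text)
    edge_list = descendants(edges, subgraph or doc_id, depth)
    if find:  # keep only `find` and the nodes that transitively contain it
        keep = reverse_deps(edges, find) | {find}
        edge_list = [(p, c) for p, c in edge_list if p in keep and c in keep]
    return to_dot(labels, edge_list)


if __name__ == "__main__":
    print(render(SAMPLE_SPDX, find="package-python"))
```

Running the script prints the graph restricted to `package-python` and everything that contains it (both `glib` and `gnome`, but not `sqlite`); `render(SAMPLE_SPDX, subgraph="package-python")` gives the opposite view, and `render(SAMPLE_SPDX, depth=1)` keeps only the document's direct children. Filtering by ancestors rather than by name is what makes the reverse lookup useful on a large SBOM: the vulnerable package may sit several CONTAINS hops below the component you actually ship.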

@ziswiler

ziswiler commented Aug 5, 2025

MR description:

> subgraph promotes a node with the given SPXDID

SPDXID

> to root ignoniring

ignoring

> all nodes that arent

aren't

> decendants

descendants

> of the given node.

@ziswiler

ziswiler commented Aug 5, 2025

Commits should be squashed at the end.

@zeb33n
Collaborator Author

zeb33n commented Aug 5, 2025

> MR description:
>
> > subgraph promotes a node with the given SPXDID
>
> SPDXID
>
> > to root ignoniring
>
> ignoring
>
> > all nodes that arent
>
> aren't
>
> > decendants
>
> descendants
>
> > of the given node.

Thanks, applied this to the upstream PR.

@zeb33n zeb33n force-pushed the full-featured-branch branch from e5859cd to 67a79e2 Compare August 27, 2025 09:11
Development

Successfully merging this pull request may close these issues.

Visualisation Limitations