ci: test few more things to verify if we are getting more info

Signed-off-by: Sonu Saha <[email protected]>

Author: ahasunos

Diff for: .github/workflows/sbom.yml

@@ -1,14 +1,10 @@
 name: Download SBOM from Insights and Convert to CSV
 
-# on:
-#   workflow_dispatch:
-
-
 # # NOTE: We would probably want to run this workflow on every push to main and not on pull requests
-# # on:
-# #   push:
-# #     branches:
-# #       - main
+# on:
+#   push:
+#     branches:
+#       - main
 
 on:
   pull_request:
@@ -47,14 +43,38 @@ jobs:
 
     - name: Convert SBOM to CSV using jq
       run: |
+        echo "name,SPDXID,versionInfo,downloadLocation,externalRefs,license,source_code_url,vendor" > "${FILE_PREFIX}-sbom.csv"
         jq -r '
           .sbom.packages[] | [
             .name,
             .SPDXID,
             .versionInfo,
             .downloadLocation,
-            ( .externalRefs[]? | .referenceLocator )
-          ] | @csv' "${FILE_PREFIX}-sbom.json" > "${FILE_PREFIX}-sbom.csv"
+            ( .externalRefs[]? | .referenceLocator ),
+            "None", "None", "None"
+          ] | @csv' "${FILE_PREFIX}-sbom.json" >> "${FILE_PREFIX}-sbom.csv"
+
+    - name: Enrich SBOM CSV with RubyGems Data
+      run: |
+        TEMP_CSV="${FILE_PREFIX}-sbom-temp.csv"
+        echo "name,SPDXID,versionInfo,downloadLocation,externalRefs,license,source_code_url,vendor" > "$TEMP_CSV"
+        tail -n +2 "${FILE_PREFIX}-sbom.csv" | while IFS=, read -r name SPDXID versionInfo downloadLocation externalRefs license source_code_url vendor; do
+          if [[ "$downloadLocation" == *"rubygems.org"* ]]; then
+            gem_name=$(echo "$name" | tr -d '"')
+            version=$(echo "$versionInfo" | tr -d '"')
+            api_url="https://rubygems.org/api/v2/rubygems/${gem_name}/versions/${version}.json"
+            response=$(curl -s "$api_url")
+            new_license=$(echo "$response" | jq -r '.licenses[0] // "None"')
+            new_source_code_url=$(echo "$response" | jq -r '.source_code_uri // "None"')
+            new_vendor=$(echo "$response" | jq -r '.authors // "None"')
+          else
+            new_license="None"
+            new_source_code_url="None"
+            new_vendor="None"
+          fi
+          echo "$name,$SPDXID,$versionInfo,$downloadLocation,$externalRefs,$new_license,$new_source_code_url,$new_vendor" >> "$TEMP_CSV"
+        done
+        mv "$TEMP_CSV" "${FILE_PREFIX}-sbom.csv"
 
     - name: Verify SBOM CSV File
       run: |