feat: extend firmware upload to handle SBOM and SBOM only cases

SBOM file can be also uploaded next to the firmware image. To upload only the
SBOM the current workaround is to upload an empty file.

Author: martonilles

onekey_client/cli/firmware_upload.py

@@ -32,7 +32,12 @@
 )
 @click.option("--version", help="Firmware version")
 @click.option("--name", help="Firmware name")
-@click.argument("filename", type=click.Path(exists=True, path_type=Path))
+@click.option(
+    "--sbom", help="Firmware SBOM", type=click.Path(exists=True, path_type=Path)
+)
+@click.argument(
+    "filename", type=click.Path(exists=True, path_type=Path), required=False
+)
 @click.pass_obj
 def upload_firmware(
     client: Client,
@@ -42,17 +47,23 @@ def upload_firmware(
     analysis_configuration_name: str,
     version: str | None,
     name: str | None,
-    filename: Path,
+    sbom: Path | None,
+    filename: Path | None,
 ):
-    """Upload a firmware to the ONEKEY platform."""
+    """Upload a firmware / SBOM to the ONEKEY platform."""
+    if filename is None and sbom is None:
+        error = "Either `--sbom` or `FILENAME` or both must be provided"
+        raise click.BadParameter(error)
+
     product_group_id = _get_product_group_id_by_name(client, product_group_name)
     analysis_configuration_id = _get_analysis_configuration_id_by_name(
         client, analysis_configuration_name
     )
 
     if name is None:
+        postfix = filename.name if filename is not None else sbom.stem
         name = (
-            f"{vendor_name}-{product_name}-{filename.name}"
+            f"{vendor_name}-{product_name}-{postfix}"
             if version is None
             else f"{vendor_name}-{product_name}-{version}"
         )
@@ -67,7 +78,9 @@ def upload_firmware(
     )
 
     try:
-        res = client.upload_firmware(metadata, filename, enable_monitoring=False)
+        res = client.upload_firmware(
+            metadata, filename, sbom_path=sbom, enable_monitoring=False
+        )
         click.echo(res["id"])
     except QueryError as e:
         click.echo("Error during firmware upload:")

onekey_client/client.py

@@ -188,11 +188,14 @@ def query(self, query: str, variables: dict | None = None, timeout=60):
     def upload_firmware(
         self,
         metadata: m.FirmwareMetadata,
-        path: Path,
+        path: Path | None,
         *,
+        sbom_path: Path | None = None,
         enable_monitoring: bool,
         timeout=60,
     ):
+        assert path is not None or sbom_path is not None
+
         variables = {
             "firmware": {
                 "name": metadata.name,
@@ -215,9 +218,12 @@ def upload_firmware(
             raise errors.QueryError(res["createFirmwareUpload"]["errors"])
 
         upload_url = res["createFirmwareUpload"]["uploadUrl"]
-        return self._post_with_token(
-            upload_url, files={"firmware": path.open("rb")}, timeout=timeout
-        )
+
+        files = {}
+        files["firmware"] = path.open("rb") if path is not None else b""
+        if sbom_path is not None:
+            files["sbom"] = sbom_path.open("rb")
+        return self._post_with_token(upload_url, files=files, timeout=timeout)
 
     @_tenant_required
     def get_product_groups(self):