From 6be8050f581d286ba5da55f7ef14d35a7b395016 Mon Sep 17 00:00:00 2001
From: Paul Rosca
Date: Fri, 16 Feb 2024 13:11:06 +0200
Subject: [PATCH] feat: add support for CycloneDX 1.5

Closes #55.
---
 acceptance.bats | 5 +
 go.mod | 2 +-
 go.sum | 8 +-
 testing/sbom.cyclonedx-1.5.json | 192 ++++++++++++++++++++++++++++++++
 4 files changed, 204 insertions(+), 3 deletions(-)
 create mode 100644 testing/sbom.cyclonedx-1.5.json

diff --git a/acceptance.bats b/acceptance.bats
index 6e625fe..73eb6ab 100644
--- a/acceptance.bats
+++ b/acceptance.bats
@@ -5,6 +5,11 @@
 [ "$status" -eq 0 ]
 }
 
+@test "Not fail when testing a JavaScript CycloneDX 1.5 SBOM" {
+ run ./parlay ecosystems enrich testing/sbom.cyclonedx-1.5.json
+ [ "$status" -eq 0 ]
+}
+
 @test "Not fail when testing an SBOM on stdin" {
 run bash -c "cat testing/sbom.cyclonedx.json | ./parlay ecosystems enrich -"
 [ "$status" -eq 0 ]
diff --git a/go.mod b/go.mod
index f4372b1..ca9edd7 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/snyk/parlay
 go 1.20
 
 require (
- github.com/CycloneDX/cyclonedx-go v0.7.1
+ github.com/CycloneDX/cyclonedx-go v0.8.0
 github.com/deepmap/oapi-codegen v1.12.4
 github.com/edoardottt/depsdev v0.0.3
 github.com/google/uuid v1.3.0
diff --git a/go.sum b/go.sum
index bb7fd38..2c7bfc7 100644
--- a/go.sum
+++ b/go.sum
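Review bot: The new `@test "Not fail when testing a JavaScript CycloneDX 1.5 SBOM"` only asserts `$status -eq 0`, so a regression where `enrich` prints the input untouched, drops components, or re-emits the document as an older spec version would still pass. bats captures stdout in `$output`, so one cheap extra check after the status line keeps the 1.5 support honest: `[[ "$output" == *'"specVersion"'*'"1.5"'* ]]` (whitespace-agnostic, so it works whether parlay pretty-prints or not). The sibling tests in this file are status-only too, so the same assertion could be added to them in a follow-up rather than only here.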
@@ -38,8 +38,8 @@ cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3f
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.7.1 h1:5w1SxjGm9MTMNTuRbEPyw21ObdbaagTWF/KfF0qHTRE=
-github.com/CycloneDX/cyclonedx-go v0.7.1/go.mod h1:N/nrdWQI2SIjaACyyDs/u7+ddCkyl/zkNs8xFsHF2Ps=
+github.com/CycloneDX/cyclonedx-go v0.8.0 h1:FyWVj6x6hoJrui5uRQdYZcSievw3Z32Z88uYzG/0D6M=
+github.com/CycloneDX/cyclonedx-go v0.8.0/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
 github.com/RaveNoX/go-jsoncommentstrip v1.0.0/go.mod h1:78ihd09MekBnJnxpICcwzCMzGrKSKYe4AqU6PDYYpjk=
 github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 h1:aM1rlcoLz8y5B2r4tTLMiVTrMtpfY0O8EScKJxaSaEc=
 github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod h1:rYqSE9HbjzpHTI74vwPvae4ZVYZd1lue2ta6xHPdblA=
@@ -216,6 +216,10 @@ github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcU
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8=
 github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
+github.com/terminalstatic/go-xsd-validate v0.1.5 h1:RqpJnf6HGE2CB/lZB1A8BYguk8uRtcvYAPLCF15qguo=
+github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f h1:J9EGpcZtP0E/raorCMxlFGSTBrsSlaDGf3jU/qvAE2c=
+github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 h1:EzJWgHovont7NscjpAxXsDA8S8BMYve8Y5+7cuRE7R0=
+github.com/xeipuuv/gojsonschema v1.2.0 h1:LhYJRs+L4fBtjZUfuSZIKGeVu0QRy8e5Xi7D17UxZ74=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
diff --git a/testing/sbom.cyclonedx-1.5.json b/testing/sbom.cyclonedx-1.5.json
new file mode 100644
index 0000000..675decc
--- /dev/null
+++ b/testing/sbom.cyclonedx-1.5.json
@@ -0,0 +1,192 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.5",
+ "serialNumber": "urn:uuid:2bc89cc4-93e1-42cc-a0b6-5f6a305161fe",
+ "version": 1,
+ "metadata": {
+ "timestamp": "2024-02-19T15:41:53.826Z",
+ "tools": {
+ "components": [
+ {
+ "group": "@cyclonedx",
+ "name": "cdxgen",
+ "version": "10.1.2",
+ "purl": "pkg:npm/%40cyclonedx/cdxgen@10.1.2",
+ "type": "application",
+ "bom-ref": "pkg:npm/@cyclonedx/cdxgen@10.1.2",
+ "author": "OWASP Foundation",
+ "publisher": "OWASP Foundation"
+ }
+ ]
+ },
+ "authors": [
+ {
+ "name": "OWASP Foundation"
+ }
+ ],
+ "lifecycles": [
+ {
+ "phase": "build"
+ }
+ ],
+ "component": {
+ "group": "",
+ "name": "parlay-test",
+ "version": "0.1.0",
+ "type": "application",
+ "purl": "pkg:npm/parlay-test@0.1.0",
+ "bom-ref": "pkg:npm/parlay-test@0.1.0",
+ "components": []
+ }
+ },
+ "components": [
+ {
+ "group": "",
+ "name": "react",
+ "version": "18.2.0",
+ "scope": "required",
+ "hashes": [
+ {
+ "alg": "SHA-512",
+ "content": "ff722331d6f62fd41b05d5a25b97b73f6fe7a70301694f661c24825333659f464261b71f4ec19b4c9ad4fe419e99d1f6216981da2a19fb3931b66aba834f5f19"
+ }
+ ],
+ "purl": "pkg:npm/react@18.2.0",
+ "type": "framework",
+ "bom-ref": "pkg:npm/react@18.2.0",
+ "evidence": {
+ "identity": {
+ "field": "purl",
+ "confidence": 1,
+ "methods": [
+ {
+ "technique": "manifest-analysis",
+ "confidence": 1,
+ "value": "/Users/roscapaul/Documents/Playground/parlay-test/package-lock.json"
+ }
+ ]
+ },
+ "occurrences": [
+ {
+ "location": "src/index.js#1"
+ }
+ ]
+ },
+ "properties": [
+ {
+ "name": "SrcFile",
+ "value": "/Users/roscapaul/Documents/Playground/parlay-test/package-lock.json"
+ },
+ {
+ "name": "ResolvedUrl",
+ "value": "https://registry.npmjs.org/react/-/react-18.2.0.tgz"
+ },
+ {
+ "name": "ImportedModules",
+ "value": "react"
+ }
+ ]
+ },
+ {
+ "group": "",
+ "name": "loose-envify",
+ "version": "1.4.0",
+ "scope": "optional",
+ "hashes": [
+ {
+ "alg": "SHA-512",
+ "content": "972bb13c6aff59f86b95e9b608bfd472751cd7372a280226043cee918ed8e45ff242235d928ebe7d12debe5c351e03324b0edfeb5d54218e34f04b71452a0add"
+ }
+ ],
+ "purl": "pkg:npm/loose-envify@1.4.0",
+ "type": "library",
+ "bom-ref": "pkg:npm/loose-envify@1.4.0",
+ "evidence": {
+ "identity": {
+ "field": "purl",
+ "confidence": 1,
+ "methods": [
+ {
+ "technique": "manifest-analysis",
+ "confidence": 1,
+ "value": "/Users/roscapaul/Documents/Playground/parlay-test/package-lock.json"
+ }
+ ]
+ }
+ },
+ "properties": [
+ {
+ "name": "SrcFile",
+ "value": "/Users/roscapaul/Documents/Playground/parlay-test/package-lock.json"
+ },
+ {
+ "name": "ResolvedUrl",
+ "value": "https://registry.npmjs.org/loose-envify/-/loose-envify-1.4.0.tgz"
+ }
+ ]
+ },
+ {
+ "group": "",
+ "name": "js-tokens",
+ "version": "4.0.0",
+ "scope": "optional",
+ "hashes": [
+ {
+ "alg": "SHA-512",
+ "content": "45d2547e5704ddc5332a232a420b02bb4e853eef5474824ed1b7986cf84737893a6a9809b627dca02b53f5b7313a9601b690f690233a49bce0e026aeb16fcf29"
+ }
+ ],
+ "purl": "pkg:npm/js-tokens@4.0.0",
+ "type": "library",
+ "bom-ref": "pkg:npm/js-tokens@4.0.0",
+ "evidence": {
+ "identity": {
+ "field": "purl",
+ "confidence": 1,
+ "methods": [
+ {
+ "technique": "manifest-analysis",
+ "confidence": 1,
+ "value": "/Users/roscapaul/Documents/Playground/parlay-test/package-lock.json"
+ }
+ ]
+ }
+ },
+ "properties": [
+ {
+ "name": "SrcFile",
+ "value": "/Users/roscapaul/Documents/Playground/parlay-test/package-lock.json"
+ },
+ {
+ "name": "ResolvedUrl",
+ "value": "https://registry.npmjs.org/js-tokens/-/js-tokens-4.0.0.tgz"
+ }
+ ]
+ }
+ ],
+ "services": [],
+ "dependencies": [
+ {
+ "ref": "pkg:npm/js-tokens@4.0.0",
+ "dependsOn": []
+ },
+ {
+ "ref": "pkg:npm/loose-envify@1.4.0",
+ "dependsOn": [
+ "pkg:npm/js-tokens@4.0.0"
+ ]
+ },
+ {
+ "ref": "pkg:npm/react@18.2.0",
+ "dependsOn": [
+ "pkg:npm/loose-envify@1.4.0"
+ ]
+ },
+ {
+ "ref": "pkg:npm/parlay-test@0.1.0",
+ "dependsOn": [
+ "pkg:npm/react@18.2.0"
+ ]
+ }
+ ]
+}
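Review bot: The fixture hard-codes the author's local absolute path `/Users/roscapaul/Documents/Playground/parlay-test/package-lock.json` six times (the `evidence.identity.methods[].value` and the `SrcFile` property of each of the three components), which leaks a username and home-directory layout into a public repository and contributes nothing the acceptance test needs. Replacing each occurrence with a relative placeholder such as `"value": "package-lock.json"` keeps the document a valid CycloneDX 1.5 SBOM while removing the disclosure. The `timestamp` and `serialNumber` are harmless, but if the file is ever regenerated with cdxgen the same scrub should be repeated, so a one-line comment in the test or a small sanitising step is worth considering.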