Update cyclonedx to v1.4 (#820)

cmd/attest.go

@@ -9,7 +9,7 @@ import (
 	"os"
 	"strings"
 
-	"github.com/anchore/syft/internal/formats/cyclonedx13json"
+	"github.com/anchore/syft/internal/formats/cyclonedxjson"
 	"github.com/anchore/syft/internal/formats/spdx22json"
 	"github.com/anchore/syft/internal/formats/syftjson"
 
@@ -56,7 +56,7 @@ const (
 var attestFormats = []sbom.FormatID{
 	syftjson.ID,
 	spdx22json.ID,
-	cyclonedx13json.ID,
+	cyclonedxjson.ID,
 }
 
 var (
@@ -227,7 +227,7 @@ func formatPredicateType(format sbom.Format) string {
 	switch format.ID() {
 	case spdx22json.ID:
 		return in_toto.PredicateSPDX
-	case cyclonedx13json.ID:
+	case cyclonedxjson.ID:
 		// Tentative see https://github.com/in-toto/attestation/issues/82
 		return "https://cyclonedx.org/bom"
 	case syftjson.ID:

go.mod

@@ -3,7 +3,7 @@ module github.com/anchore/syft
 go 1.17
 
 require (
-	github.com/CycloneDX/cyclonedx-go v0.4.0
+	github.com/CycloneDX/cyclonedx-go v0.5.0
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
 	github.com/acobaugh/osrelease v0.1.0
 	github.com/adrg/xdg v0.2.1

go.sum

@@ -186,8 +186,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v0.4.1 h1:GaI7EiDXDRfa8VshkTj7Fym7ha+y8/XxIgD2okUIjLw=
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.4.0 h1:Wz4QZ9B4RXGWIWTypVLEOVJgOdFfy5mcS5PGNzUkZxU=
-github.com/CycloneDX/cyclonedx-go v0.4.0/go.mod h1:rmRcf//gT7PIzovatusbWi377xqCg1FS4jyST0GH20E=
+github.com/CycloneDX/cyclonedx-go v0.5.0 h1:RWCnu2OrWUTF5C9DA3L0qVziUD2HlxSUWcL2OXlxfqE=
+github.com/CycloneDX/cyclonedx-go v0.5.0/go.mod h1:nQXAzrejxO39b14JFz2SvsUElegYfwBDowIzqjdUMk4=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
 github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20191009163259-e802c2cb94ae/go.mod h1:mjwGPas4yKduTyubHvD1Atl9r1rUq8DfVy+gkVvZ+oo=
@@ -436,8 +436,8 @@ github.com/bmizerany/perks v0.0.0-20141205001514-d9a9656a3a4b/go.mod h1:ac9efd0D
 github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc=
 github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA=
 github.com/bradleyfalzon/ghinstallation/v2 v2.0.3/go.mod h1:tlgi+JWCXnKFx/Y4WtnDbZEINo31N5bcvnCoqieefmk=
-github.com/bradleyjkemp/cupaloy/v2 v2.6.0 h1:knToPYa2xtfg42U3I6punFEjaGFKWQRXJwj0JTv4mTs=
-github.com/bradleyjkemp/cupaloy/v2 v2.6.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
+github.com/bradleyjkemp/cupaloy/v2 v2.7.0 h1:AT0vOjO68RcLyenLCHOGZzSNiuto7ziqzq6Q1/3xzMQ=
+github.com/bradleyjkemp/cupaloy/v2 v2.7.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/breml/bidichk v0.1.1/go.mod h1:zbfeitpevDUGI7V91Uzzuwrn4Vls8MoBMrwtt78jmso=
 github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
 github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=

internal/formats/cyclonedxjson/decoder_test.go

@@ -1,4 +1,4 @@
-package cyclonedx13json
+package cyclonedxjson
 
 import (
 	"fmt"

internal/formats/cyclonedxjson/encoder.go

@@ -1,4 +1,4 @@
-package cyclonedx13json
+package cyclonedxjson
 
 import (
 	"io"

internal/formats/cyclonedxjson/encoder_test.go

@@ -1,4 +1,4 @@
-package cyclonedx13json
+package cyclonedxjson
 
 import (
 	"flag"

internal/formats/cyclonedxjson/format.go

@@ -1,4 +1,4 @@
-package cyclonedx13json
+package cyclonedxjson
 
 import (
 	"github.com/CycloneDX/cyclonedx-go"

internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
-  "specVersion": "1.3",
-  "serialNumber": "urn:uuid:195a66a2-6d39-472e-b62b-0cafb9bfedd4",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:498e659b-0758-4a7f-816e-91bee18df634",
   "version": 1,
   "metadata": {
-    "timestamp": "2022-02-25T12:54:25-05:00",
+    "timestamp": "2022-03-08T12:30:39Z",
     "tools": [
       {
         "vendor": "anchore",
@@ -15,8 +15,7 @@
     "component": {
       "bom-ref": "163686ac6e30c752",
       "type": "file",
-      "name": "/some/path",
-      "version": ""
+      "name": "/some/path"
     }
   },
   "components": [

internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden

@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
-  "specVersion": "1.3",
-  "serialNumber": "urn:uuid:78116a1b-b709-4734-8411-d0e339308edd",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:342c3d2c-d26e-47b6-94d6-92fbf41da945",
   "version": 1,
   "metadata": {
-    "timestamp": "2022-02-25T12:54:25-05:00",
+    "timestamp": "2022-03-08T12:30:39Z",
     "tools": [
       {
         "vendor": "anchore",
@@ -13,7 +13,7 @@
       }
     ],
     "component": {
-      "bom-ref": "4f9453fd20e0cf80",
+      "bom-ref": "711095b1cdf90cce",
       "type": "container",
       "name": "user-image-input",
       "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368"
@@ -52,7 +52,7 @@
         },
         {
           "name": "syft:location:0:layerID",
-          "value": "sha256:41e7295da66c405eb3a4df29188dcf80f622f9304d487033a86d4a22e3f01abe"
+          "value": "sha256:16e64541f2ddf59a90391ce7bb8af90313f7d373f2105d88f3d3267b72e0ebab"
         },
         {
           "name": "syft:location:0:path",
@@ -81,7 +81,7 @@
         },
         {
           "name": "syft:location:0:layerID",
-          "value": "sha256:68a2c166dcb3acf6b7303e995ca1fe7d794bd3b5852a0b4048f9c96b796086aa"
+          "value": "sha256:de6c235f76ea24c8503ec08891445b5d6a8bdf8249117ed8d8b0b6fb3ebe4f67"
         },
         {
           "name": "syft:location:0:path",

internal/formats/cyclonedxxml/decoder_test.go

@@ -1,4 +1,4 @@
-package cyclonedx13xml
+package cyclonedxxml
 
 import (
 	"fmt"

internal/formats/cyclonedxxml/encoder.go

@@ -1,4 +1,4 @@
-package cyclonedx13xml
+package cyclonedxxml
 
 import (
 	"io"

internal/formats/cyclonedxxml/encoder_test.go

@@ -1,4 +1,4 @@
-package cyclonedx13xml
+package cyclonedxxml
 
 import (
 	"flag"

internal/formats/cyclonedxxml/format.go

@@ -1,4 +1,4 @@
-package cyclonedx13xml
+package cyclonedxxml
 
 import (
 	"github.com/CycloneDX/cyclonedx-go"

internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:dd1d1863-04be-414c-9b2a-bdc0e0f25e9f" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:892f8304-0142-45b1-b411-cade3c53057f" version="1">
   <metadata>
-    <timestamp>2022-02-25T12:54:44-05:00</timestamp>
+    <timestamp>2022-03-08T12:30:33Z</timestamp>
     <tools>
       <tool>
         <vendor>anchore</vendor>
@@ -11,7 +11,6 @@
     </tools>
     <component bom-ref="163686ac6e30c752" type="file">
       <name>/some/path</name>
-      <version></version>
     </component>
   </metadata>
   <components>

internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:153353a9-d9f4-40f6-be23-3d56487930c1" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:5fa94827-eb85-4f32-a62d-76fb6e89a2dd" version="1">
   <metadata>
-    <timestamp>2022-02-25T12:54:44-05:00</timestamp>
+    <timestamp>2022-03-08T12:30:33Z</timestamp>
     <tools>
       <tool>
         <vendor>anchore</vendor>
@@ -9,7 +9,7 @@
         <version>[not provided]</version>
       </tool>
     </tools>
-    <component bom-ref="4f9453fd20e0cf80" type="container">
+    <component bom-ref="711095b1cdf90cce" type="container">
       <name>user-image-input</name>
       <version>sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368</version>
     </component>
@@ -30,7 +30,7 @@
         <property name="syft:package:language">python</property>
         <property name="syft:package:metadataType">PythonPackageMetadata</property>
         <property name="syft:package:type">python</property>
-        <property name="syft:location:0:layerID">sha256:41e7295da66c405eb3a4df29188dcf80f622f9304d487033a86d4a22e3f01abe</property>
+        <property name="syft:location:0:layerID">sha256:16e64541f2ddf59a90391ce7bb8af90313f7d373f2105d88f3d3267b72e0ebab</property>
         <property name="syft:location:0:path">/somefile-1.txt</property>
       </properties>
     </component>
@@ -43,7 +43,7 @@
         <property name="syft:package:foundBy">the-cataloger-2</property>
         <property name="syft:package:metadataType">DpkgMetadata</property>
         <property name="syft:package:type">deb</property>
-        <property name="syft:location:0:layerID">sha256:68a2c166dcb3acf6b7303e995ca1fe7d794bd3b5852a0b4048f9c96b796086aa</property>
+        <property name="syft:location:0:layerID">sha256:de6c235f76ea24c8503ec08891445b5d6a8bdf8249117ed8d8b0b6fb3ebe4f67</property>
         <property name="syft:location:0:path">/somefile-2.txt</property>
         <property name="syft:metadata:installedSize">0</property>
       </properties>

schema/cyclonedx/Makefile

@@ -4,4 +4,4 @@ validate-schema:
 	go run ../../main.go ubuntu:latest -vv -o cyclonedx > bom.xml
 	xmllint --noout --schema ./cyclonedx.xsd bom.xml
 	go run ../../main.go ubuntu:latest -vv -o cyclonedx-json > bom.json
-	../../.tmp/yajsv -s bom-1.3.schema.json bom.json
+	../../.tmp/yajsv -s cyclonedx.json bom.json

syft/formats.go

@@ -4,8 +4,8 @@ import (
 	"bytes"
 	"strings"
 
-	"github.com/anchore/syft/internal/formats/cyclonedx13json"
-	"github.com/anchore/syft/internal/formats/cyclonedx13xml"
+	"github.com/anchore/syft/internal/formats/cyclonedxjson"
+	"github.com/anchore/syft/internal/formats/cyclonedxxml"
 	"github.com/anchore/syft/internal/formats/spdx22json"
 	"github.com/anchore/syft/internal/formats/spdx22tagvalue"
 	"github.com/anchore/syft/internal/formats/syftjson"
@@ -19,8 +19,8 @@ const (
 	JSONFormatID          = syftjson.ID
 	TextFormatID          = text.ID
 	TableFormatID         = table.ID
-	CycloneDxXMLFormatID  = cyclonedx13xml.ID
-	CycloneDxJSONFormatID = cyclonedx13json.ID
+	CycloneDxXMLFormatID  = cyclonedxxml.ID
+	CycloneDxJSONFormatID = cyclonedxjson.ID
 	SPDXTagValueFormatID  = spdx22tagvalue.ID
 	SPDXJSONFormatID      = spdx22json.ID
 )
@@ -30,8 +30,8 @@ var formats []sbom.Format
 func init() {
 	formats = []sbom.Format{
 		syftjson.Format(),
-		cyclonedx13xml.Format(),
-		cyclonedx13json.Format(),
+		cyclonedxxml.Format(),
+		cyclonedxjson.Format(),
 		spdx22tagvalue.Format(),
 		spdx22json.Format(),
 		table.Format(),
@@ -68,9 +68,9 @@ func FormatByName(name string) sbom.Format {
 	case "json", "syftjson":
 		return FormatByID(syftjson.ID)
 	case "cyclonedx", "cyclone", "cyclonedxxml":
-		return FormatByID(cyclonedx13xml.ID)
+		return FormatByID(cyclonedxxml.ID)
 	case "cyclonedxjson":
-		return FormatByID(cyclonedx13json.ID)
+		return FormatByID(cyclonedxjson.ID)
 	case "spdx", "spdxtv", "spdxtagvalue":
 		return FormatByID(spdx22tagvalue.ID)
 	case "spdxjson":

syft/formats_test.go

@@ -1,8 +1,12 @@
 package syft
 
 import (
-	"github.com/anchore/syft/internal/formats/cyclonedx13json"
-	"github.com/anchore/syft/internal/formats/cyclonedx13xml"
+	"io"
+	"os"
+	"testing"
+
+	"github.com/anchore/syft/internal/formats/cyclonedxjson"
+	"github.com/anchore/syft/internal/formats/cyclonedxxml"
 	"github.com/anchore/syft/internal/formats/spdx22json"
 	"github.com/anchore/syft/internal/formats/spdx22tagvalue"
 	"github.com/anchore/syft/internal/formats/syftjson"
@@ -10,9 +14,6 @@ import (
 	"github.com/anchore/syft/internal/formats/text"
 	"github.com/anchore/syft/syft/sbom"
 	"github.com/stretchr/testify/require"
-	"io"
-	"os"
-	"testing"
 
 	"github.com/stretchr/testify/assert"
 )
@@ -89,25 +90,25 @@ func TestFormatByName(t *testing.T) {
 		// Cyclonedx JSON
 		{
 			name: "cyclonedx-json",
-			want: cyclonedx13json.ID,
+			want: cyclonedxjson.ID,
 		},
 		{
 			name: "cyclonedx-1-json",
-			want: cyclonedx13json.ID,
+			want: cyclonedxjson.ID,
 		},
 
 		// Cyclonedx XML
 		{
 			name: "cyclonedx",
-			want: cyclonedx13xml.ID,
+			want: cyclonedxxml.ID,
 		},
 		{
 			name: "cyclonedx-xml",
-			want: cyclonedx13xml.ID,
+			want: cyclonedxxml.ID,
 		},
 		{
 			name: "cyclonedx-1-xml",
-			want: cyclonedx13xml.ID,
+			want: cyclonedxxml.ID,
 		},
 
 		// Syft Table

test/integration/encode_decode_cycle_test.go

@@ -2,13 +2,14 @@ package integration
 
 import (
 	"bytes"
-	"github.com/anchore/syft/internal/formats/cyclonedx13json"
-	"github.com/anchore/syft/internal/formats/cyclonedx13xml"
+	"regexp"
+	"testing"
+
+	"github.com/anchore/syft/internal/formats/cyclonedxjson"
+	"github.com/anchore/syft/internal/formats/cyclonedxxml"
 	"github.com/anchore/syft/internal/formats/syftjson"
 	"github.com/anchore/syft/syft/sbom"
 	"github.com/stretchr/testify/require"
-	"regexp"
-	"testing"
 
 	"github.com/anchore/syft/syft"
 
@@ -34,7 +35,7 @@ func TestEncodeDecodeEncodeCycleComparison(t *testing.T) {
 			json:         true,
 		},
 		{
-			formatOption: cyclonedx13json.ID,
+			formatOption: cyclonedxjson.ID,
 			redactor: func(in []byte) []byte {
 				in = regexp.MustCompile("\"(timestamp|serialNumber|bom-ref)\": \"[^\"]+\",").ReplaceAll(in, []byte{})
 				return in
@@ -42,7 +43,7 @@ func TestEncodeDecodeEncodeCycleComparison(t *testing.T) {
 			json: true,
 		},
 		{
-			formatOption: cyclonedx13xml.ID,
+			formatOption: cyclonedxxml.ID,
 			redactor: func(in []byte) []byte {
 				in = regexp.MustCompile("(serialNumber|bom-ref)=\"[^\"]+\"").ReplaceAll(in, []byte{})
 				in = regexp.MustCompile("<timestamp>[^<]+</timestamp>").ReplaceAll(in, []byte{})