From 730d3e3187a7b223ae6aa4fd756cc005b736528c Mon Sep 17 00:00:00 2001
From: Christopher Angelo Phillips <32073428+spiffcs@users.noreply.github.com>
Date: Thu, 8 Dec 2022 11:36:08 -0500
Subject: [PATCH] chore: update latest cyclonedx library (#1390)
---
 go.mod | 2 +-
 go.sum | 7 +++----
 syft/formats/common/cyclonedxhelpers/decoder.go | 2 +-
 .../common/cyclonedxhelpers/decoder_test.go | 17 ++++++++---------
 syft/formats/common/cyclonedxhelpers/format.go | 6 ++++--
 5 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/go.mod b/go.mod
index 6c5726309..960aca3f1 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/anchore/syft
 go 1.18
 require (
- github.com/CycloneDX/cyclonedx-go v0.5.2
+ github.com/CycloneDX/cyclonedx-go v0.7.0
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
 github.com/acobaugh/osrelease v0.1.0
 github.com/adrg/xdg v0.3.3
diff --git a/go.sum b/go.sum
index c3d67565d..93493416e 100644
--- a/go.sum
+++ b/go.sum
@@ -153,8 +153,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/toml v0.4.1 h1:GaI7EiDXDRfa8VshkTj7Fym7ha+y8/XxIgD2okUIjLw= github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/CycloneDX/cyclonedx-go v0.5.2 h1:CkdGw2R/tZWmEbSypJVZG+3+2SAsDjJirfIrG/RbIVg= -github.com/CycloneDX/cyclonedx-go v0.5.2/go.mod h1:nQCiF4Tvrg5Ieu8qPhYMvzPGMu5I7fANZkrSsJjl5mg= +github.com/CycloneDX/cyclonedx-go v0.7.0 h1:jNxp8hL7UpcvPDFXjY+Y1ibFtsW+e5zyF9QoSmhK/zg= +github.com/CycloneDX/cyclonedx-go v0.7.0/go.mod h1:W5Z9w8pTTL+t+yG3PCiFRGlr8PUlE0pGWzKSJbsyXkg= github.com/DataDog/zstd v1.4.5 h1:EndNeuB0l9syBZhut0wns3gV1hL8zX8LIu6ZiVHWLIQ= github.com/DataDog/zstd v1.4.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs= 
@@ -401,8 +401,7 @@ github.com/bmatcuk/doublestar/v4 v4.0.2/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTS github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4= github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc= github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA= -github.com/bradleyjkemp/cupaloy/v2 v2.7.0 h1:AT0vOjO68RcLyenLCHOGZzSNiuto7ziqzq6Q1/3xzMQ= -github.com/bradleyjkemp/cupaloy/v2 v2.7.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0= +github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M= github.com/breml/bidichk v0.1.1/go.mod h1:zbfeitpevDUGI7V91Uzzuwrn4Vls8MoBMrwtt78jmso= github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
diff --git a/syft/formats/common/cyclonedxhelpers/decoder.go b/syft/formats/common/cyclonedxhelpers/decoder.go
index fa234a221..fcdeefc95 100644
--- a/syft/formats/common/cyclonedxhelpers/decoder.go
+++ b/syft/formats/common/cyclonedxhelpers/decoder.go
@@ -216,7 +216,7 @@ func collectRelationships(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]int
 }
 for _, t := range *d.Dependencies {
- to, toExists := idMap[t.Ref].(artifact.Identifiable)
+ to, toExists := idMap[t].(artifact.Identifiable)
 if !toExists {
 continue
 }
diff --git a/syft/formats/common/cyclonedxhelpers/decoder_test.go b/syft/formats/common/cyclonedxhelpers/decoder_test.go
index c2f64775e..ae50206d6 100644
--- a/syft/formats/common/cyclonedxhelpers/decoder_test.go
+++ b/syft/formats/common/cyclonedxhelpers/decoder_test.go
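Review bot: In decoder.go's collectRelationships, the loop `for _, t := range *d.Dependencies` dereferences a pointer taken straight from the parsed BOM, and nothing in the hunk checks it for nil. With the field now a `*[]string`, a dependency entry that has a `ref` but no dependency list would presumably leave it nil, so a sparse or malformed SBOM could panic the decoder instead of being skipped. Unless the lines above the hunk (not visible here) already guard it, add `if d.Dependencies == nil { continue }` before the loop. The function starts and ends outside this hunk.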
@@ -173,12 +173,8 @@ func Test_decode(t *testing.T) {
 },
 Dependencies: &[]cyclonedx.Dependency{
 {
- Ref: "p1",
- Dependencies: &[]cyclonedx.Dependency{
- {
- Ref: "p2",
- },
- },
+ Ref: "p1",
+ Dependencies: &[]string{"p2"},
 },
 },
 },
@@ -263,8 +259,9 @@ func Test_decode(t *testing.T) {
 func Test_missingDataDecode(t *testing.T) {
 bom := &cyclonedx.BOM{
- Metadata: nil,
- Components: &[]cyclonedx.Component{},
+ Metadata: nil,
+ Components: &[]cyclonedx.Component{},
+ SpecVersion: cyclonedx.SpecVersion1_4,
 }
 _, err := ToSyftModel(bom)
@@ -287,7 +284,9 @@ func Test_missingDataDecode(t *testing.T) {
 }
 func Test_missingComponentsDecode(t *testing.T) {
- bom := &cyclonedx.BOM{}
+ bom := &cyclonedx.BOM{
+ SpecVersion: cyclonedx.SpecVersion1_4,
+ }
 bomBytes, _ := json.Marshal(&bom)
 decode := GetDecoder(cyclonedx.BOMFileFormatJSON)
diff --git a/syft/formats/common/cyclonedxhelpers/format.go b/syft/formats/common/cyclonedxhelpers/format.go
index d15f44a19..e4bd055e2 100644
--- a/syft/formats/common/cyclonedxhelpers/format.go
+++ b/syft/formats/common/cyclonedxhelpers/format.go
@@ -157,8 +157,10 @@ func toDependencies(relationships []artifact.Relationship) []cyclonedx.Dependenc
 continue
 }
- innerDeps := []cyclonedx.Dependency{}
- innerDeps = append(innerDeps, cyclonedx.Dependency{Ref: deriveBomRef(*fromPkg)})
+ // ind dep
+
+ innerDeps := []string{}
+ innerDeps = append(innerDeps, deriveBomRef(*fromPkg))
 result = append(result, cyclonedx.Dependency{
 Ref: deriveBomRef(*toPkg),
 Dependencies: &innerDeps,
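Review bot: In Test_missingComponentsDecode the context line `bomBytes, _ := json.Marshal(&bom)` still discards the marshal error, while this hunk and the Test_missingDataDecode hunk both had to add `SpecVersion: cyclonedx.SpecVersion1_4` to their fixtures. That suggests a BOM with an unset spec version is handled differently by v0.7.0, and after this change no visible test exercises that input. Because the decoder reads documents supplied from outside the program, keep the error (`bomBytes, err := json.Marshal(&bom)` then `if err != nil { t.Fatal(err) }`) and add a case that feeds a BOM without a spec version and asserts a returned error rather than a panic.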
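Review bot: The added comment `// ind dep` in toDependencies tells a reader nothing, and it is followed by an added blank line before the code it is meant to describe. Replace it with a sentence that states the direction the code encodes, for example `// the "from" package is listed as a dependency of the "to" package`, or drop it. The two-step build can also be a single literal, `innerDeps := []string{deriveBomRef(*fromPkg)}`. toDependencies begins and ends outside this hunk.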