Use SBOM descriptor version (#1011)

* Use SBOM descriptor version Signed-off-by: Jonas Xavier <jonasx@anchore.com> * Update tests Signed-off-by: Jonas Xavier <jonasx@anchore.com> * CycloneDX extract tools metadata in decoding stage Signed-off-by: Jonas Xavier <jonasx@anchore.com> * add descriptor to spdx tag-value test Signed-off-by: Jonas Xavier <jonasx@anchore.com> * remove comment Signed-off-by: Jonas Xavier <jonasx@anchore.com>
2026-02-12 02:26:42 +01:00 · 2022-05-25 14:40:08 -07:00 · 2022-05-25 14:40:08 -07:00 · 7cb8e1fc14
commit 7cb8e1fc14
parent c990f425a6
19 changed files with 88 additions and 69 deletions
--- a/internal/formats/common/cyclonedxhelpers/decoder.go
+++ b/internal/formats/common/cyclonedxhelpers/decoder.go
@ -45,17 +45,17 @@ func GetDecoder(format cyclonedx.BOMFileFormat) sbom.Decoder {
 }

 func toSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) {
-	meta := source.Metadata{}
-	if bom.Metadata != nil && bom.Metadata.Component != nil {
-		meta = decodeMetadata(bom.Metadata.Component)
+	if bom == nil {
+		return nil, fmt.Errorf("no content defined in CycloneDX BOM")
 	}
+
 	s := &sbom.SBOM{
 		Artifacts: sbom.Artifacts{
 			PackageCatalog:    pkg.NewCatalog(),
 			LinuxDistribution: linuxReleaseFromComponents(*bom.Components),
 		},
-		Source: meta,
-		//Descriptor:    sbom.Descriptor{},
+		Source:     extractComponents(bom.Metadata),
+		Descriptor: extractDescriptor(bom.Metadata),
 	}

 	idMap := make(map[string]interface{})
@ -205,27 +205,45 @@ func collectRelationships(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]int
 	}
 }

-func decodeMetadata(component *cyclonedx.Component) source.Metadata {
-	switch component.Type {
+func extractComponents(meta *cyclonedx.Metadata) source.Metadata {
+	if meta == nil || meta.Component == nil {
+		return source.Metadata{}
+	}
+	c := meta.Component
+
+	image := source.ImageMetadata{
+		UserInput:      c.Name,
+		ID:             c.BOMRef,
+		ManifestDigest: c.Version,
+	}
+
+	switch c.Type {
 	case cyclonedx.ComponentTypeContainer:
 		return source.Metadata{
-			Scheme: source.ImageScheme,
-			ImageMetadata: source.ImageMetadata{
-				UserInput:      component.Name,
-				ID:             component.BOMRef,
-				ManifestDigest: component.Version,
-			},
+			Scheme:        source.ImageScheme,
+			ImageMetadata: image,
 		}
 	case cyclonedx.ComponentTypeFile:
 		return source.Metadata{
-			Scheme: source.FileScheme, // or source.DirectoryScheme
-			Path:   component.Name,
-			ImageMetadata: source.ImageMetadata{
-				UserInput:      component.Name,
-				ID:             component.BOMRef,
-				ManifestDigest: component.Version,
-			},
+			Scheme:        source.FileScheme, // or source.DirectoryScheme
+			Path:          c.Name,
+			ImageMetadata: image,
 		}
 	}
 	return source.Metadata{}
 }
+
+// if there is more than one tool in meta.Tools' list the last item will be used
+// as descriptor. If there is a way to know which tool to use here please fix it.
+func extractDescriptor(meta *cyclonedx.Metadata) (desc sbom.Descriptor) {
+	if meta == nil || meta.Tools == nil {
+		return
+	}
+
+	for _, t := range *meta.Tools {
+		desc.Name = t.Name
+		desc.Version = t.Version
+	}
+
+	return
+}
--- a/internal/formats/common/cyclonedxhelpers/format.go
+++ b/internal/formats/common/cyclonedxhelpers/format.go
@ -8,7 +8,6 @@ import (

 	"github.com/anchore/syft/internal"
 	"github.com/anchore/syft/internal/log"
-	"github.com/anchore/syft/internal/version"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/linux"
 	"github.com/anchore/syft/syft/sbom"
@ -17,13 +16,12 @@ import (

 func ToFormatModel(s sbom.SBOM) *cyclonedx.BOM {
 	cdxBOM := cyclonedx.NewBOM()
-	versionInfo := version.FromBuild()

 	// NOTE(jonasagx): cycloneDX requires URN uuids (URN returns the RFC 2141 URN form of uuid):
 	// https://github.com/CycloneDX/specification/blob/master/schema/bom-1.3-strict.schema.json#L36
 	// "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
 	cdxBOM.SerialNumber = uuid.New().URN()
-	cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, versionInfo.Version, s.Source)
+	cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, s.Descriptor.Version, s.Source)

 	packages := s.Artifacts.PackageCatalog.Sorted()
 	components := make([]cyclonedx.Component, len(packages))
--- a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
+++ b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
@ -1,15 +1,15 @@
 {
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
-  "serialNumber": "urn:uuid:dec3f6b4-8458-48bb-b60d-dfd312f6ec4e",
+  "serialNumber": "urn:uuid:3ea3363f-3945-4859-9ba1-9a395983d248",
  "version": 1,
  "metadata": {
-    "timestamp": "2022-04-01T11:48:04-04:00",
+    "timestamp": "2022-05-23T12:05:00-07:00",
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft",
-        "version": "[not provided]"
+        "version": "v0.42.0-bogus"
      }
    ],
    "component": {
--- a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
+++ b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
@ -1,19 +1,19 @@
 {
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
-  "serialNumber": "urn:uuid:054d973e-fe99-4762-92e4-eaf01997ae41",
+  "serialNumber": "urn:uuid:c825402b-bbfa-4ad5-81b1-6a8332a6a8b6",
  "version": 1,
  "metadata": {
-    "timestamp": "2022-04-01T11:48:04-04:00",
+    "timestamp": "2022-05-23T12:05:01-07:00",
    "tools": [
      {
        "vendor": "anchore",
        "name": "syft",
-        "version": "[not provided]"
+        "version": "v0.42.0-bogus"
      }
    ],
    "component": {
-      "bom-ref": "e777314b02b362e4",
+      "bom-ref": "e779c1ed804ba529",
      "type": "container",
      "name": "user-image-input",
      "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368"
@ -53,7 +53,7 @@
        },
        {
          "name": "syft:location:0:layerID",
-          "value": "sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59"
+          "value": "sha256:cd8f3884f1211d65c19ce5bbc5174bcd2ce8ba96b63e5b3693969a53279c4405"
        },
        {
          "name": "syft:location:0:path",
@ -83,7 +83,7 @@
        },
        {
          "name": "syft:location:0:layerID",
-          "value": "sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec"
+          "value": "sha256:42d2ea51c688e6dc7be81a305acbe006d27a6ef0c26ae3888fd0d4ce44f69265"
        },
        {
          "name": "syft:location:0:path",
--- a/internal/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
+++ b/internal/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
--- a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
+++ b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
@ -1,12 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:554fd820-210b-40c8-8c0b-75690274e21c" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:a259c072-aaaf-4a3f-a707-49f691b1e9d9" version="1">
  <metadata>
-    <timestamp>2022-04-01T11:57:46-04:00</timestamp>
+    <timestamp>2022-05-23T12:02:41-07:00</timestamp>
    <tools>
      <tool>
        <vendor>anchore</vendor>
        <name>syft</name>
-        <version>[not provided]</version>
+        <version>v0.42.0-bogus</version>
      </tool>
    </tools>
    <component bom-ref="163686ac6e30c752" type="file">
--- a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
+++ b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
@ -1,15 +1,15 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:1535f940-172f-4d97-8280-d5a5764d1557" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:155802bd-09e5-4b95-9485-826b94447495" version="1">
  <metadata>
-    <timestamp>2022-04-01T11:57:46-04:00</timestamp>
+    <timestamp>2022-05-23T12:02:42-07:00</timestamp>
    <tools>
      <tool>
        <vendor>anchore</vendor>
        <name>syft</name>
-        <version>[not provided]</version>
+        <version>v0.42.0-bogus</version>
      </tool>
    </tools>
-    <component bom-ref="e777314b02b362e4" type="container">
+    <component bom-ref="e779c1ed804ba529" type="container">
      <name>user-image-input</name>
      <version>sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368</version>
    </component>
@ -30,7 +30,7 @@
        <property name="syft:package:language">python</property>
        <property name="syft:package:metadataType">PythonPackageMetadata</property>
        <property name="syft:package:type">python</property>
-        <property name="syft:location:0:layerID">sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59</property>
+        <property name="syft:location:0:layerID">sha256:cd8f3884f1211d65c19ce5bbc5174bcd2ce8ba96b63e5b3693969a53279c4405</property>
        <property name="syft:location:0:path">/somefile-1.txt</property>
      </properties>
    </component>
@ -43,7 +43,7 @@
        <property name="syft:package:foundBy">the-cataloger-2</property>
        <property name="syft:package:metadataType">DpkgMetadata</property>
        <property name="syft:package:type">deb</property>
-        <property name="syft:location:0:layerID">sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec</property>
+        <property name="syft:location:0:layerID">sha256:42d2ea51c688e6dc7be81a305acbe006d27a6ef0c26ae3888fd0d4ce44f69265</property>
        <property name="syft:location:0:path">/somefile-2.txt</property>
        <property name="syft:metadata:installedSize">0</property>
      </properties>
--- a/internal/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
+++ b/internal/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
--- a/internal/formats/github/encoder.go
+++ b/internal/formats/github/encoder.go
@ -10,7 +10,6 @@ import (
 	"github.com/anchore/packageurl-go"
 	"github.com/anchore/syft/internal"
 	"github.com/anchore/syft/internal/log"
-	"github.com/anchore/syft/internal/version"
 	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/syft/syft/sbom"
 	"github.com/anchore/syft/syft/source"
@ -19,8 +18,8 @@ import (
 // toGithubModel converts the provided SBOM to a GitHub dependency model
 func toGithubModel(s *sbom.SBOM) DependencySnapshot {
 	scanTime := time.Now().Format(time.RFC3339) // TODO is there a record of this somewhere?
-	v := version.FromBuild().Version
-	if v == "[not provided]" {
+	v := s.Descriptor.Version
+	if v == "[not provided]" || v == "" {
 		v = "0.0.0-dev"
 	}
 	return DependencySnapshot{
--- a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
+++ b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
@ -3,15 +3,15 @@
 "name": "/some/path",
 "spdxVersion": "SPDX-2.2",
 "creationInfo": {
-  "created": "2022-04-01T15:48:39.459232Z",
+  "created": "2022-05-23T19:10:22.25645Z",
  "creators": [
   "Organization: Anchore, Inc",
-   "Tool: syft-[not provided]"
+   "Tool: syft-v0.42.0-bogus"
  ],
-  "licenseListVersion": "3.16"
+  "licenseListVersion": "3.17"
 },
 "dataLicense": "CC0-1.0",
- "documentNamespace": "https://anchore.com/syft/dir/some/path-8d335d81-29c9-4236-84f1-2292ea92aaf5",
+ "documentNamespace": "https://anchore.com/syft/dir/some/path-81dbcbfa-251d-4ad5-9b01-be91afb16469",
 "packages": [
  {
   "SPDXID": "SPDXRef-b85dbb4e6ece5082",
--- a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
+++ b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
@ -3,15 +3,15 @@
 "name": "user-image-input",
 "spdxVersion": "SPDX-2.2",
 "creationInfo": {
-  "created": "2022-04-01T15:48:39.465643Z",
+  "created": "2022-05-23T19:10:22.412847Z",
  "creators": [
   "Organization: Anchore, Inc",
-   "Tool: syft-[not provided]"
+   "Tool: syft-v0.42.0-bogus"
  ],
-  "licenseListVersion": "3.16"
+  "licenseListVersion": "3.17"
 },
 "dataLicense": "CC0-1.0",
- "documentNamespace": "https://anchore.com/syft/image/user-image-input-e64e0be8-5031-4eec-842d-e59fb6deb518",
+ "documentNamespace": "https://anchore.com/syft/image/user-image-input-c9945597-78ce-4e9b-89d2-68b8e4e4ccb9",
 "packages": [
  {
   "SPDXID": "SPDXRef-2a46171f91c8d4bc",
--- a/internal/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
+++ b/internal/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
--- a/internal/formats/spdx22json/to_format_model.go
+++ b/internal/formats/spdx22json/to_format_model.go
@ -11,7 +11,6 @@ import (
 	"github.com/anchore/syft/internal/formats/spdx22json/model"
 	"github.com/anchore/syft/internal/log"
 	"github.com/anchore/syft/internal/spdxlicense"
-	"github.com/anchore/syft/internal/version"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/pkg"
@ -34,7 +33,7 @@ func toFormatModel(s sbom.SBOM) *model.Document {
 			Creators: []string{
 				// note: key-value format derived from the JSON example document examples: https://github.com/spdx/spdx-spec/blob/v2.2/examples/SPDXJSONExample-v2.2.spdx.json
 				"Organization: Anchore, Inc",
-				"Tool: " + internal.ApplicationName + "-" + version.FromBuild().Version,
+				"Tool: " + internal.ApplicationName + "-" + s.Descriptor.Version,
 			},
 			LicenseListVersion: spdxlicense.Version,
 		},
--- a/internal/formats/spdx22tagvalue/encoder_test.go
+++ b/internal/formats/spdx22tagvalue/encoder_test.go
@ -53,7 +53,13 @@ func TestSPDXJSONSPDXIDs(t *testing.T) {
 			Source: source.Metadata{
 				Scheme: source.DirectoryScheme,
 			},
-			Descriptor: sbom.Descriptor{},
+			Descriptor: sbom.Descriptor{
+				Name:    "syft",
+				Version: "v0.42.0-bogus",
+				Configuration: map[string]string{
+					"config-key": "config-value",
+				},
+			},
 		},
 		true,
 		spdxTagValueRedactor,
--- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
+++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: .
-DocumentNamespace: https://anchore.com/syft/dir/8fbb3714-785d-4e3e-95cf-44a258bc65b0
-LicenseListVersion: 3.16
+DocumentNamespace: https://anchore.com/syft/dir/422d92b9-57e8-44ee-8039-f75c1d19be87
+LicenseListVersion: 3.17
 Creator: Organization: Anchore, Inc
-Creator: Tool: syft-[not provided]
-Created: 2022-05-02T15:27:05Z
+Creator: Tool: syft-v0.42.0-bogus
+Created: 2022-05-24T22:52:02Z

 ##### Package: @at-sign

--- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
+++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: /some/path
-DocumentNamespace: https://anchore.com/syft/dir/some/path-d227b0f2-4ee8-4e10-ac43-019db86d16ff
-LicenseListVersion: 3.16
+DocumentNamespace: https://anchore.com/syft/dir/some/path-c6b20d03-1478-4513-9feb-1ec427d4b547
+LicenseListVersion: 3.17
 Creator: Organization: Anchore, Inc
-Creator: Tool: syft-[not provided]
-Created: 2022-04-01T15:48:44Z
+Creator: Tool: syft-v0.42.0-bogus
+Created: 2022-05-24T22:51:02Z

 ##### Package: package-2

--- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
+++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: user-image-input
-DocumentNamespace: https://anchore.com/syft/image/user-image-input-49f98c61-3418-4427-9e00-8b1c735e9799
-LicenseListVersion: 3.16
+DocumentNamespace: https://anchore.com/syft/image/user-image-input-12a877bc-fe9b-40ef-aa9c-4d34f108d0d6
+LicenseListVersion: 3.17
 Creator: Organization: Anchore, Inc
-Creator: Tool: syft-[not provided]
-Created: 2022-04-01T15:48:44Z
+Creator: Tool: syft-v0.42.0-bogus
+Created: 2022-05-24T22:51:02Z

 ##### Package: package-2

--- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
+++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
--- a/internal/formats/spdx22tagvalue/to_format_model.go
+++ b/internal/formats/spdx22tagvalue/to_format_model.go
@ -9,7 +9,6 @@ import (
 	"github.com/anchore/syft/internal"
 	"github.com/anchore/syft/internal/formats/common/spdxhelpers"
 	"github.com/anchore/syft/internal/spdxlicense"
-	"github.com/anchore/syft/internal/version"
 	"github.com/anchore/syft/syft/pkg"
 	"github.com/spdx/tools-golang/spdx"
 )
@ -69,7 +68,7 @@ func toFormatModel(s sbom.SBOM) *spdx.Document2_2 {
 			// Cardinality: mandatory, one or many
 			CreatorPersons:       nil,
 			CreatorOrganizations: []string{"Anchore, Inc"},
-			CreatorTools:         []string{internal.ApplicationName + "-" + version.FromBuild().Version},
+			CreatorTools:         []string{internal.ApplicationName + "-" + s.Descriptor.Version},

 			// 2.9: Created: data format YYYY-MM-DDThh:mm:ssZ
 			// Cardinality: mandatory, one