From b83cc8485ab765260e9caa9a6c1083ff95b47c90 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 Dec 2023 17:18:37 -0500 Subject: [PATCH] chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.2 to 0.8.0 (#2413)
---
 README.md | 2 +- go.mod | 2 +- go.sum | 4 ++-- .../format/common/cyclonedxhelpers/decoder.go | 19 ++++++++++++++++--- syft/format/common/cyclonedxhelpers/format.go | 13 ++++++++----- .../common/cyclonedxhelpers/format_test.go | 15 ++++++++------- .../TestCycloneDxDirectoryEncoder.golden | 17 ++++++++++------- .../snapshot/TestCycloneDxImageEncoder.golden | 17 ++++++++++------- .../TestCycloneDxDirectoryEncoder.golden | 12 +++++++----- .../snapshot/TestCycloneDxImageEncoder.golden | 12 +++++++----- 10 files changed, 70 insertions(+), 43 deletions(-)
diff --git a/README.md b/README.md
index 1919c357d..d75f248be 100644
--- a/README.md
+++ b/README.md
@@ -121,7 +121,7 @@ syft --scope all-layers
 ### Supported sources
-Syft can generate a SBOM from a variety of sources:
+Syft can generate an SBOM from a variety of sources:
 ```
 # catalog a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)
diff --git a/go.mod b/go.mod
index cc2486c03..b062ccc8e 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/anchore/syft
 go 1.21.0
 require (
- github.com/CycloneDX/cyclonedx-go v0.7.2
+ github.com/CycloneDX/cyclonedx-go v0.8.0
 github.com/Masterminds/semver v1.5.0
 github.com/Masterminds/sprig/v3 v3.2.3
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
diff --git a/go.sum b/go.sum
index 42a6cfb80..e7b2b29de 100644
--- a/go.sum
+++ b/go.sum
@@ -58,8 +58,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.7.2 h1:kKQ0t1dPOlugSIYVOMiMtFqeXI2wp/f5DBIdfux8gnQ=
-github.com/CycloneDX/cyclonedx-go v0.7.2/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
+github.com/CycloneDX/cyclonedx-go v0.8.0 h1:FyWVj6x6hoJrui5uRQdYZcSievw3Z32Z88uYzG/0D6M=
+github.com/CycloneDX/cyclonedx-go v0.8.0/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/zstd v1.4.5 h1:EndNeuB0l9syBZhut0wns3gV1hL8zX8LIu6ZiVHWLIQ=
 github.com/DataDog/zstd v1.4.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=
diff --git a/syft/format/common/cyclonedxhelpers/decoder.go b/syft/format/common/cyclonedxhelpers/decoder.go
index 37de22a9a..6af03df16 100644
--- a/syft/format/common/cyclonedxhelpers/decoder.go
+++ b/syft/format/common/cyclonedxhelpers/decoder.go
@@ -249,9 +249,22 @@ func extractDescriptor(meta *cyclonedx.Metadata) (desc sbom.Descriptor) {
 return
 }
- for _, t := range *meta.Tools {
- desc.Name = t.Name
- desc.Version = t.Version
+ // handle 1.5 component element
+ if meta.Tools.Components != nil {
+ for _, t := range *meta.Tools.Components {
+ desc.Name = t.Name
+ desc.Version = t.Version
+ return
+ }
+ }
+
+ // handle pre-1.5 tool element
+ if meta.Tools.Tools != nil {
+ for _, t := range *meta.Tools.Tools {
+ desc.Name = t.Name
+ desc.Version = t.Version
+ return
+ }
 }
 return
diff --git a/syft/format/common/cyclonedxhelpers/format.go b/syft/format/common/cyclonedxhelpers/format.go
index b5d964877..548a65c24 100644
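Review bot: Both new `for` loops in extractDescriptor return on their first iteration, so each is really a "read the first element" dressed up as a loop; an index read states that directly and makes it obvious that only one entry of `Tools.Components` or `Tools.Tools` is ever consulted. This also quietly changes which entry wins: the removed loop kept overwriting and so reported the last tool, the new code reports the first — if that is intended it deserves a comment, e.g. `// only the first tool/component is reported; syft's own encoder writes exactly one, foreign SBOMs may list several`. The rewrite below assumes the `return` at the top of the hunk still guards `meta.Tools == nil`, which is outside the hunk and worth confirming; the function's signature and opening are outside the hunk as well.
```go
	// handle 1.5 component element: only the first entry is reported
	if c := meta.Tools.Components; c != nil && len(*c) > 0 {
		desc.Name = (*c)[0].Name
		desc.Version = (*c)[0].Version
		return
	}

	// handle pre-1.5 tool element
	if t := meta.Tools.Tools; t != nil && len(*t) > 0 {
		desc.Name = (*t)[0].Name
		desc.Version = (*t)[0].Version
		return
	}
	// … unchanged: final return …
```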
--- a/syft/format/common/cyclonedxhelpers/format.go
+++ b/syft/format/common/cyclonedxhelpers/format.go
@@ -114,11 +114,14 @@ func formatCPE(cpeString string) string {
 func toBomDescriptor(name, version string, srcMetadata source.Description) *cyclonedx.Metadata {
 return &cyclonedx.Metadata{
 Timestamp: time.Now().Format(time.RFC3339),
- Tools: &[]cyclonedx.Tool{
- {
- Vendor: "anchore",
- Name: name,
- Version: version,
+ Tools: &cyclonedx.ToolsChoice{
+ Components: &[]cyclonedx.Component{
+ {
+ Type: cyclonedx.ComponentTypeApplication,
+ Author: "anchore",
+ Name: name,
+ Version: version,
+ },
 },
 },
 Properties: toBomProperties(srcMetadata),
diff --git a/syft/format/common/cyclonedxhelpers/format_test.go b/syft/format/common/cyclonedxhelpers/format_test.go
index b792dea1b..25428823b 100644
--- a/syft/format/common/cyclonedxhelpers/format_test.go
+++ b/syft/format/common/cyclonedxhelpers/format_test.go
@@ -168,13 +168,14 @@ func Test_toBomDescriptor(t *testing.T) {
 want: &cyclonedx.Metadata{
 Timestamp: "",
 Lifecycles: nil,
- Tools: &[]cyclonedx.Tool{
- {
- Vendor: "anchore",
- Name: "test-image",
- Version: "1.0.0",
- Hashes: nil,
- ExternalReferences: nil,
+ Tools: &cyclonedx.ToolsChoice{
+ Components: &[]cyclonedx.Component{
+ {
+ Type: cyclonedx.ComponentTypeApplication,
+ Author: "anchore",
+ Name: "test-image",
+ Version: "1.0.0",
+ },
 },
 },
 Authors: nil,
diff --git a/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
index 8328af486..4f1190ece 100644
--- a/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
+++ b/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
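Review bot: toBomDescriptor now always emits the generating tool in the CycloneDX 1.5 `tools.components` shape, so a document serialized at a spec version below 1.5 would carry a `tools` object that pre-1.5 consumers — including the legacy `Tools.Tools` branch of syft's own decoder in this same commit — do not expect, unless the library converts it back to the legacy tool array at encode time. Whether syft offers older spec versions for this format is not visible here; if it does, the golden files for those versions are where to confirm the round-trip, and a short comment on the literal would save the next reader the same question: `// NOTE(review): written in the 1.5 ToolsChoice form — confirm the encoder down-converts for pre-1.5 spec versions`. The function also has no doc comment; `// toBomDescriptor builds the CycloneDX metadata block naming the generating tool and carrying the source properties.` would do. The body continues past the hunk, so any further fields are outside this view.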
@@ -6,13 +6,16 @@
 "version": 1,
 "metadata": {
 "timestamp": "timestamp:redacted",
- "tools": [
- {
- "vendor": "anchore",
- "name": "syft",
- "version": "v0.42.0-bogus"
- }
- ],
+ "tools": {
+ "components": [
+ {
+ "type": "application",
+ "author": "anchore",
+ "name": "syft",
+ "version": "v0.42.0-bogus"
+ }
+ ]
+ },
 "component": {
 "bom-ref":"redacted",
 "type": "file",
diff --git a/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
index d8aef04cf..3b4844b02 100644
--- a/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
+++ b/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
@@ -6,13 +6,16 @@
 "version": 1,
 "metadata": {
 "timestamp": "timestamp:redacted",
- "tools": [
- {
- "vendor": "anchore",
- "name": "syft",
- "version": "v0.42.0-bogus"
- }
- ],
+ "tools": {
+ "components": [
+ {
+ "type": "application",
+ "author": "anchore",
+ "name": "syft",
+ "version": "v0.42.0-bogus"
+ }
+ ]
+ },
 "component": {
 "bom-ref":"redacted",
 "type": "container",
diff --git a/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
index 85f455aea..c56f6724b 100644
--- a/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
+++ b/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
@@ -3,11 +3,13 @@ redacted - - anchore - syft - v0.42.0-bogus - + + + anchore + syft + v0.42.0-bogus + + some/path
diff --git a/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
index 750bf8630..8e0c8800f 100644
--- a/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
+++ b/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden @@ -3,11 +3,13 @@ redacted - - anchore - syft - v0.42.0-bogus - + + + anchore + syft + v0.42.0-bogus + + user-image-input