chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.2 to 0.8.0 (#2413)

README.md

@@ -121,7 +121,7 @@ syft <image> --scope all-layers
 
 ### Supported sources
 
-Syft can generate a SBOM from a variety of sources:
+Syft can generate an SBOM from a variety of sources:
 
 ```
 # catalog a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands)

go.mod

@@ -3,7 +3,7 @@ module github.com/anchore/syft
 go 1.21.0
 
 require (
-	github.com/CycloneDX/cyclonedx-go v0.7.2
+	github.com/CycloneDX/cyclonedx-go v0.8.0
 	github.com/Masterminds/semver v1.5.0
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d

go.sum

@@ -58,8 +58,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.7.2 h1:kKQ0t1dPOlugSIYVOMiMtFqeXI2wp/f5DBIdfux8gnQ=
+github.com/CycloneDX/cyclonedx-go v0.8.0 h1:FyWVj6x6hoJrui5uRQdYZcSievw3Z32Z88uYzG/0D6M=
-github.com/CycloneDX/cyclonedx-go v0.7.2/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
+github.com/CycloneDX/cyclonedx-go v0.8.0/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/zstd v1.4.5 h1:EndNeuB0l9syBZhut0wns3gV1hL8zX8LIu6ZiVHWLIQ=
 github.com/DataDog/zstd v1.4.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=

syft/format/common/cyclonedxhelpers/decoder.go

@@ -249,9 +249,22 @@ func extractDescriptor(meta *cyclonedx.Metadata) (desc sbom.Descriptor) {
 		return
 	}
 
-	for _, t := range *meta.Tools {
+	// handle 1.5 component element
+	if meta.Tools.Components != nil {
+		for _, t := range *meta.Tools.Components {
 			desc.Name = t.Name
 			desc.Version = t.Version
+			return
+		}
+	}
+
+	// handle pre-1.5 tool element
+	if meta.Tools.Tools != nil {
+		for _, t := range *meta.Tools.Tools {
+			desc.Name = t.Name
+			desc.Version = t.Version
+			return
+		}
 	}
 
 	return

syft/format/common/cyclonedxhelpers/format.go

@@ -114,13 +114,16 @@ func formatCPE(cpeString string) string {
 func toBomDescriptor(name, version string, srcMetadata source.Description) *cyclonedx.Metadata {
 	return &cyclonedx.Metadata{
 		Timestamp: time.Now().Format(time.RFC3339),
-		Tools: &[]cyclonedx.Tool{
+		Tools: &cyclonedx.ToolsChoice{
+			Components: &[]cyclonedx.Component{
 				{
-				Vendor:  "anchore",
+					Type:    cyclonedx.ComponentTypeApplication,
+					Author:  "anchore",
 					Name:    name,
 					Version: version,
 				},
 			},
+		},
 		Properties: toBomProperties(srcMetadata),
 		Component:  toBomDescriptorComponent(srcMetadata),
 	}

syft/format/common/cyclonedxhelpers/format_test.go

@@ -168,13 +168,14 @@ func Test_toBomDescriptor(t *testing.T) {
 			want: &cyclonedx.Metadata{
 				Timestamp:  "",
 				Lifecycles: nil,
-				Tools: &[]cyclonedx.Tool{
+				Tools: &cyclonedx.ToolsChoice{
+					Components: &[]cyclonedx.Component{
 						{
-						Vendor:             "anchore",
+							Type:    cyclonedx.ComponentTypeApplication,
+							Author:  "anchore",
 							Name:    "test-image",
 							Version: "1.0.0",
-						Hashes:             nil,
+						},
-						ExternalReferences: nil,
 					},
 				},
 				Authors: nil,

syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden

@@ -6,13 +6,16 @@
   "version": 1,
   "metadata": {
     "timestamp": "timestamp:redacted",
-    "tools": [
+    "tools": {
+      "components": [
         {
-        "vendor": "anchore",
+          "type": "application",
+          "author": "anchore",
           "name": "syft",
           "version": "v0.42.0-bogus"
         }
-    ],
+      ]
+    },
     "component": {
       "bom-ref":"redacted",
       "type": "file",

syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden

@@ -6,13 +6,16 @@
   "version": 1,
   "metadata": {
     "timestamp": "timestamp:redacted",
-    "tools": [
+    "tools": {
+      "components": [
         {
-        "vendor": "anchore",
+          "type": "application",
+          "author": "anchore",
           "name": "syft",
           "version": "v0.42.0-bogus"
         }
-    ],
+      ]
+    },
     "component": {
       "bom-ref":"redacted",
       "type": "container",

syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden

@@ -3,11 +3,13 @@
   <metadata>
     <timestamp>redacted</timestamp>
     <tools>
-      <tool>
+      <components>
-        <vendor>anchore</vendor>
+        <component type="application">
+          <author>anchore</author>
           <name>syft</name>
           <version>v0.42.0-bogus</version>
-      </tool>
+        </component>
+      </components>
     </tools>
     <component bom-ref="redacted" type="file">
       <name>some/path</name>

syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden

@@ -3,11 +3,13 @@
   <metadata>
     <timestamp>redacted</timestamp>
     <tools>
-      <tool>
+      <components>
-        <vendor>anchore</vendor>
+        <component type="application">
+          <author>anchore</author>
           <name>syft</name>
           <version>v0.42.0-bogus</version>
-      </tool>
+        </component>
+      </components>
     </tools>
     <component bom-ref="redacted" type="container">
       <name>user-image-input</name>