mirror of
https://github.com/anchore/syft.git
synced 2025-11-17 16:33:21 +01:00
- Resolves #2974 - add detailed instructions re: updating schemas (a necessary task when a new CycloneDX spec version becomes available).
- The DefaultVersion constant has been updated to "1.6" -- it's not clear to me how this is used at this time (it may be redundant given other code), but effectively unless a specific spec version is configured, `syft` will emit the "most recent" spec version available for cyclonedx. Users who wish to pin back to an "older" specVersion (e.g. to preserve compatibility with utilities that have not yet bumped to latest) can either set this in a syft config file or pass a name@spec_version pair to the output flag (e.g. `-o cyclonedx-json@1.5=some-1.5-spec-bom.cdx.json`).
- Regenerate relevant .golden files (there seems to be a way to do this via flags, but I couldn't quite figure out the right set to pass correctly, esp. since (as a relative go novice) I found it difficult to run just a single test file. I ended up "brute-forcing it" by changing the `*updateSnapshot` val to "true" and running it in GoLand. A brief comment giving an example of regenerating fixtures usage would be helpful.)

Signed-off-by: Rajan Agaskar <ragaskar@gmail.com>
19 lines
1.2 KiB
Markdown
# CycloneDX Schemas

`syft` generates a CycloneDX BOM output. We want to be able to validate the CycloneDX schemas
(and dependent schemas) against generated syft output. The best way to do this is with `xmllint`;
however, this tool does not know how to deal with references fetched over HTTP, only the local filesystem.
For this reason we've included a copy of all schemas needed to validate `syft` output, modified
to reference local copies of dependent schemas.

You can get the latest schemas from the [CycloneDX specifications repo](https://github.com/CycloneDX/specification/tree/master/schema).

When the spec version is bumped, one approach to determining the modifications made previously is to
compare the files in this directory against their prior spec version equivalents (e.g. if updating to 1.7,
compare against the 1.6 files).

One can also update the schemas and observe the errors in order to make the necessary updates.
At the time of writing, the cyclonedx.xsd needed modifications to link to the local spdx.xsd,
and also to change the minOccurs for a license tag to 0. (The JSON schema does not require
modification for the generated file to lint properly, but can simply be copied over as-is.)
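To make the two modifications described above concrete, here is an added Python example (not part of the syft repository) that rewrites a constructed, heavily trimmed stand-in for cyclonedx.xsd: it points the remote SPDX `xs:import` at a local `spdx.xsd` and sets `minOccurs` on the `license` element to 0, so that `xmllint --schema` can resolve everything from the filesystem. The sample schema text and the `spdx.xsd` file name are assumptions for illustration.

```python
# Added example, not syft's own code: apply the two README modifications to a
# CycloneDX XSD so xmllint can validate a BOM offline, e.g.
#   xmllint --noout --schema cyclonedx.xsd bom.cdx.xml
import xml.etree.ElementTree as ET

XS = "http://www.w3.org/2001/XMLSchema"
ET.register_namespace("xs", XS)  # keep the xs: prefix when serializing

# Constructed, heavily trimmed stand-in for cyclonedx.xsd. The real schema is
# much larger, but the two constructs we need to touch look like this.
SAMPLE_XSD = """<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           targetNamespace="http://cyclonedx.org/schema/bom/1.6">
  <xs:import namespace="http://cyclonedx.org/schema/spdx"
             schemaLocation="http://cyclonedx.org/schema/spdx"/>
  <xs:complexType name="licenseChoiceType">
    <xs:sequence>
      <xs:element name="license" minOccurs="1" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
</xs:schema>
"""


def remote_imports(xsd_text: str) -> list[str]:
    """Return schemaLocation values that xmllint would have to fetch over HTTP."""
    root = ET.fromstring(xsd_text)
    return [imp.get("schemaLocation", "")
            for imp in root.iter(f"{{{XS}}}import")
            if imp.get("schemaLocation", "").startswith(("http://", "https://"))]


def localize_schema(xsd_text: str, local_spdx: str = "spdx.xsd") -> tuple[str, dict]:
    """Rewrite remote xs:import locations to a local file and relax the license
    element's minOccurs to 0. Returns the rewritten text and a change count."""
    root = ET.fromstring(xsd_text)
    report = {"imports_localized": 0, "license_relaxed": 0}
    for imp in root.iter(f"{{{XS}}}import"):
        if imp.get("schemaLocation", "").startswith(("http://", "https://")):
            imp.set("schemaLocation", local_spdx)  # resolved relative to the XSD file
            report["imports_localized"] += 1
    for el in root.iter(f"{{{XS}}}element"):
        # XSD treats a missing minOccurs as 1, so handle both spellings
        if el.get("name") == "license" and el.get("minOccurs", "1") == "1":
            el.set("minOccurs", "0")
            report["license_relaxed"] += 1
    return ET.tostring(root, encoding="unicode"), report


if __name__ == "__main__":
    text, report = localize_schema(SAMPLE_XSD)
    print(report, "remaining remote imports:", remote_imports(text))
```

Write the returned text over the local cyclonedx.xsd and re-run xmllint; any remaining errors point at further schema changes the new spec version needs.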