Update cyclonedx to v1.4 (#820)

anchore · Mar 8, 2022 · 39737a2 · 39737a2
1 parent f261728
commit 39737a2
Show file tree

Hide file tree

Showing 31 changed files with 3,691 additions and 2,142 deletions.
diff --git a/cmd/attest.go b/cmd/attest.go
@@ -9,7 +9,7 @@ import (
 	"os"
 	"strings"
 
-	"github.com/anchore/syft/internal/formats/cyclonedx13json"
+	"github.com/anchore/syft/internal/formats/cyclonedxjson"
 	"github.com/anchore/syft/internal/formats/spdx22json"
 	"github.com/anchore/syft/internal/formats/syftjson"
 
@@ -56,7 +56,7 @@ const (
 var attestFormats = []sbom.FormatID{
 	syftjson.ID,
 	spdx22json.ID,
-	cyclonedx13json.ID,
+	cyclonedxjson.ID,
 }
 
 var (
@@ -227,7 +227,7 @@ func formatPredicateType(format sbom.Format) string {
 	switch format.ID() {
 	case spdx22json.ID:
 		return in_toto.PredicateSPDX
-	case cyclonedx13json.ID:
+	case cyclonedxjson.ID:
 		// Tentative see https://github.com/in-toto/attestation/issues/82
 		return "https://cyclonedx.org/bom"
 	case syftjson.ID:

diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/anchore/syft
 go 1.17
 
 require (
-	github.com/CycloneDX/cyclonedx-go v0.4.0
+	github.com/CycloneDX/cyclonedx-go v0.5.0
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
 	github.com/acobaugh/osrelease v0.1.0
 	github.com/adrg/xdg v0.2.1

diff --git a/go.sum b/go.sum
@@ -186,8 +186,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v0.4.1 h1:GaI7EiDXDRfa8VshkTj7Fym7ha+y8/XxIgD2okUIjLw=
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.4.0 h1:Wz4QZ9B4RXGWIWTypVLEOVJgOdFfy5mcS5PGNzUkZxU=
-github.com/CycloneDX/cyclonedx-go v0.4.0/go.mod h1:rmRcf//gT7PIzovatusbWi377xqCg1FS4jyST0GH20E=
+github.com/CycloneDX/cyclonedx-go v0.5.0 h1:RWCnu2OrWUTF5C9DA3L0qVziUD2HlxSUWcL2OXlxfqE=
+github.com/CycloneDX/cyclonedx-go v0.5.0/go.mod h1:nQXAzrejxO39b14JFz2SvsUElegYfwBDowIzqjdUMk4=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
 github.com/GoogleCloudPlatform/cloudsql-proxy v0.0.0-20191009163259-e802c2cb94ae/go.mod h1:mjwGPas4yKduTyubHvD1Atl9r1rUq8DfVy+gkVvZ+oo=
@@ -436,8 +436,8 @@ github.com/bmizerany/perks v0.0.0-20141205001514-d9a9656a3a4b/go.mod h1:ac9efd0D
 github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc=
 github.com/bradfitz/gomemcache v0.0.0-20190913173617-a41fca850d0b/go.mod h1:H0wQNHz2YrLsuXOZozoeDmnHXkNCRmMW0gwFWDfEZDA=
 github.com/bradleyfalzon/ghinstallation/v2 v2.0.3/go.mod h1:tlgi+JWCXnKFx/Y4WtnDbZEINo31N5bcvnCoqieefmk=
-github.com/bradleyjkemp/cupaloy/v2 v2.6.0 h1:knToPYa2xtfg42U3I6punFEjaGFKWQRXJwj0JTv4mTs=
-github.com/bradleyjkemp/cupaloy/v2 v2.6.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
+github.com/bradleyjkemp/cupaloy/v2 v2.7.0 h1:AT0vOjO68RcLyenLCHOGZzSNiuto7ziqzq6Q1/3xzMQ=
+github.com/bradleyjkemp/cupaloy/v2 v2.7.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/breml/bidichk v0.1.1/go.mod h1:zbfeitpevDUGI7V91Uzzuwrn4Vls8MoBMrwtt78jmso=
 github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
 github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=

diff --git a/...l/formats/cyclonedx13json/decoder_test.go → ...nal/formats/cyclonedxjson/decoder_test.go b/...l/formats/cyclonedx13json/decoder_test.go → ...nal/formats/cyclonedxjson/decoder_test.go
@@ -1,4 +1,4 @@
-package cyclonedx13json
+package cyclonedxjson
 
 import (
 	"fmt"

diff --git a/internal/formats/cyclonedx13json/encoder.go → internal/formats/cyclonedxjson/encoder.go b/internal/formats/cyclonedx13json/encoder.go → internal/formats/cyclonedxjson/encoder.go
@@ -1,4 +1,4 @@
-package cyclonedx13json
+package cyclonedxjson
 
 import (
 	"io"

diff --git a/...l/formats/cyclonedx13json/encoder_test.go → ...nal/formats/cyclonedxjson/encoder_test.go b/...l/formats/cyclonedx13json/encoder_test.go → ...nal/formats/cyclonedxjson/encoder_test.go
@@ -1,4 +1,4 @@
-package cyclonedx13json
+package cyclonedxjson
 
 import (
 	"flag"

diff --git a/internal/formats/cyclonedx13json/format.go → internal/formats/cyclonedxjson/format.go b/internal/formats/cyclonedx13json/format.go → internal/formats/cyclonedxjson/format.go
@@ -1,4 +1,4 @@
-package cyclonedx13json
+package cyclonedxjson
 
 import (
 	"github.com/CycloneDX/cyclonedx-go"

diff --git a/...son/test-fixtures/image-simple/Dockerfile → ...son/test-fixtures/image-simple/Dockerfile b/...son/test-fixtures/image-simple/Dockerfile → ...son/test-fixtures/image-simple/Dockerfile
diff --git a/...son/test-fixtures/image-simple/file-1.txt → ...son/test-fixtures/image-simple/file-1.txt b/...son/test-fixtures/image-simple/file-1.txt → ...son/test-fixtures/image-simple/file-1.txt
diff --git a/...son/test-fixtures/image-simple/file-2.txt → ...son/test-fixtures/image-simple/file-2.txt b/...son/test-fixtures/image-simple/file-2.txt → ...son/test-fixtures/image-simple/file-2.txt
diff --git a/...shot/TestCycloneDxDirectoryEncoder.golden → ...shot/TestCycloneDxDirectoryEncoder.golden b/...shot/TestCycloneDxDirectoryEncoder.golden → ...shot/TestCycloneDxDirectoryEncoder.golden
@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
-  "specVersion": "1.3",
-  "serialNumber": "urn:uuid:195a66a2-6d39-472e-b62b-0cafb9bfedd4",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:498e659b-0758-4a7f-816e-91bee18df634",
   "version": 1,
   "metadata": {
-    "timestamp": "2022-02-25T12:54:25-05:00",
+    "timestamp": "2022-03-08T12:30:39Z",
     "tools": [
       {
         "vendor": "anchore",
@@ -15,8 +15,7 @@
     "component": {
       "bom-ref": "163686ac6e30c752",
       "type": "file",
-      "name": "/some/path",
-      "version": ""
+      "name": "/some/path"
     }
   },
   "components": [

diff --git a/...snapshot/TestCycloneDxImageEncoder.golden → ...snapshot/TestCycloneDxImageEncoder.golden b/...snapshot/TestCycloneDxImageEncoder.golden → ...snapshot/TestCycloneDxImageEncoder.golden
@@ -1,10 +1,10 @@
 {
   "bomFormat": "CycloneDX",
-  "specVersion": "1.3",
-  "serialNumber": "urn:uuid:78116a1b-b709-4734-8411-d0e339308edd",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:342c3d2c-d26e-47b6-94d6-92fbf41da945",
   "version": 1,
   "metadata": {
-    "timestamp": "2022-02-25T12:54:25-05:00",
+    "timestamp": "2022-03-08T12:30:39Z",
     "tools": [
       {
         "vendor": "anchore",
@@ -13,7 +13,7 @@
       }
     ],
     "component": {
-      "bom-ref": "4f9453fd20e0cf80",
+      "bom-ref": "711095b1cdf90cce",
       "type": "container",
       "name": "user-image-input",
       "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368"
@@ -52,7 +52,7 @@
         },
         {
           "name": "syft:location:0:layerID",
-          "value": "sha256:41e7295da66c405eb3a4df29188dcf80f622f9304d487033a86d4a22e3f01abe"
+          "value": "sha256:16e64541f2ddf59a90391ce7bb8af90313f7d373f2105d88f3d3267b72e0ebab"
         },
         {
           "name": "syft:location:0:path",
@@ -81,7 +81,7 @@
         },
         {
           "name": "syft:location:0:layerID",
-          "value": "sha256:68a2c166dcb3acf6b7303e995ca1fe7d794bd3b5852a0b4048f9c96b796086aa"
+          "value": "sha256:de6c235f76ea24c8503ec08891445b5d6a8bdf8249117ed8d8b0b6fb3ebe4f67"
         },
         {
           "name": "syft:location:0:path",

diff --git a/...t/stereoscope-fixture-image-simple.golden → ...t/stereoscope-fixture-image-simple.golden b/...t/stereoscope-fixture-image-simple.golden → ...t/stereoscope-fixture-image-simple.golden
diff --git a/...al/formats/cyclonedx13xml/decoder_test.go → ...rnal/formats/cyclonedxxml/decoder_test.go b/...al/formats/cyclonedx13xml/decoder_test.go → ...rnal/formats/cyclonedxxml/decoder_test.go
@@ -1,4 +1,4 @@
-package cyclonedx13xml
+package cyclonedxxml
 
 import (
 	"fmt"

diff --git a/internal/formats/cyclonedx13xml/encoder.go → internal/formats/cyclonedxxml/encoder.go b/internal/formats/cyclonedx13xml/encoder.go → internal/formats/cyclonedxxml/encoder.go
@@ -1,4 +1,4 @@
-package cyclonedx13xml
+package cyclonedxxml
 
 import (
 	"io"

diff --git a/...al/formats/cyclonedx13xml/encoder_test.go → ...rnal/formats/cyclonedxxml/encoder_test.go b/...al/formats/cyclonedx13xml/encoder_test.go → ...rnal/formats/cyclonedxxml/encoder_test.go
@@ -1,4 +1,4 @@
-package cyclonedx13xml
+package cyclonedxxml
 
 import (
 	"flag"

diff --git a/internal/formats/cyclonedx13xml/format.go → internal/formats/cyclonedxxml/format.go b/internal/formats/cyclonedx13xml/format.go → internal/formats/cyclonedxxml/format.go
@@ -1,4 +1,4 @@
-package cyclonedx13xml
+package cyclonedxxml
 
 import (
 	"github.com/CycloneDX/cyclonedx-go"

diff --git a/...xml/test-fixtures/image-simple/Dockerfile → ...xml/test-fixtures/image-simple/Dockerfile b/...xml/test-fixtures/image-simple/Dockerfile → ...xml/test-fixtures/image-simple/Dockerfile
diff --git a/...xml/test-fixtures/image-simple/file-1.txt → ...xml/test-fixtures/image-simple/file-1.txt b/...xml/test-fixtures/image-simple/file-1.txt → ...xml/test-fixtures/image-simple/file-1.txt
diff --git a/...xml/test-fixtures/image-simple/file-2.txt → ...xml/test-fixtures/image-simple/file-2.txt b/...xml/test-fixtures/image-simple/file-2.txt → ...xml/test-fixtures/image-simple/file-2.txt
diff --git a/...shot/TestCycloneDxDirectoryEncoder.golden → ...shot/TestCycloneDxDirectoryEncoder.golden b/...shot/TestCycloneDxDirectoryEncoder.golden → ...shot/TestCycloneDxDirectoryEncoder.golden
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:dd1d1863-04be-414c-9b2a-bdc0e0f25e9f" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:892f8304-0142-45b1-b411-cade3c53057f" version="1">
   <metadata>
-    <timestamp>2022-02-25T12:54:44-05:00</timestamp>
+    <timestamp>2022-03-08T12:30:33Z</timestamp>
     <tools>
       <tool>
         <vendor>anchore</vendor>
@@ -11,7 +11,6 @@
     </tools>
     <component bom-ref="163686ac6e30c752" type="file">
       <name>/some/path</name>
-      <version></version>
     </component>
   </metadata>
   <components>

diff --git a/...snapshot/TestCycloneDxImageEncoder.golden → ...snapshot/TestCycloneDxImageEncoder.golden b/...snapshot/TestCycloneDxImageEncoder.golden → ...snapshot/TestCycloneDxImageEncoder.golden
@@ -1,15 +1,15 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:153353a9-d9f4-40f6-be23-3d56487930c1" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:5fa94827-eb85-4f32-a62d-76fb6e89a2dd" version="1">
   <metadata>
-    <timestamp>2022-02-25T12:54:44-05:00</timestamp>
+    <timestamp>2022-03-08T12:30:33Z</timestamp>
     <tools>
       <tool>
         <vendor>anchore</vendor>
         <name>syft</name>
         <version>[not provided]</version>
       </tool>
     </tools>
-    <component bom-ref="4f9453fd20e0cf80" type="container">
+    <component bom-ref="711095b1cdf90cce" type="container">
       <name>user-image-input</name>
       <version>sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368</version>
     </component>
@@ -30,7 +30,7 @@
         <property name="syft:package:language">python</property>
         <property name="syft:package:metadataType">PythonPackageMetadata</property>
         <property name="syft:package:type">python</property>
-        <property name="syft:location:0:layerID">sha256:41e7295da66c405eb3a4df29188dcf80f622f9304d487033a86d4a22e3f01abe</property>
+        <property name="syft:location:0:layerID">sha256:16e64541f2ddf59a90391ce7bb8af90313f7d373f2105d88f3d3267b72e0ebab</property>
         <property name="syft:location:0:path">/somefile-1.txt</property>
       </properties>
     </component>
@@ -43,7 +43,7 @@
         <property name="syft:package:foundBy">the-cataloger-2</property>
         <property name="syft:package:metadataType">DpkgMetadata</property>
         <property name="syft:package:type">deb</property>
-        <property name="syft:location:0:layerID">sha256:68a2c166dcb3acf6b7303e995ca1fe7d794bd3b5852a0b4048f9c96b796086aa</property>
+        <property name="syft:location:0:layerID">sha256:de6c235f76ea24c8503ec08891445b5d6a8bdf8249117ed8d8b0b6fb3ebe4f67</property>
         <property name="syft:location:0:path">/somefile-2.txt</property>
         <property name="syft:metadata:installedSize">0</property>
       </properties>

diff --git a/...t/stereoscope-fixture-image-simple.golden → ...t/stereoscope-fixture-image-simple.golden b/...t/stereoscope-fixture-image-simple.golden → ...t/stereoscope-fixture-image-simple.golden
diff --git a/schema/cyclonedx/Makefile b/schema/cyclonedx/Makefile
@@ -4,4 +4,4 @@ validate-schema:
 	go run ../../main.go ubuntu:latest -vv -o cyclonedx > bom.xml
 	xmllint --noout --schema ./cyclonedx.xsd bom.xml
 	go run ../../main.go ubuntu:latest -vv -o cyclonedx-json > bom.json
-	../../.tmp/yajsv -s bom-1.3.schema.json bom.json
+	../../.tmp/yajsv -s cyclonedx.json bom.json