From 06473f1975058e6605a2fb1ea96017da6217419a Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 Dec 2023 13:15:09 +0000 Subject: [PATCH 1/3] chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.2 to 0.8.0 Bumps [github.com/CycloneDX/cyclonedx-go](https://github.com/CycloneDX/cyclonedx-go) from 0.7.2 to 0.8.0. - [Release notes](https://github.com/CycloneDX/cyclonedx-go/releases) - [Changelog](https://github.com/CycloneDX/cyclonedx-go/blob/master/.goreleaser.yml) - [Commits](https://github.com/CycloneDX/cyclonedx-go/compare/v0.7.2...v0.8.0) --- updated-dependencies: - dependency-name: github.com/CycloneDX/cyclonedx-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 7a57f097efc..91f21f32a52 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/anchore/syft go 1.21.0 require ( - github.com/CycloneDX/cyclonedx-go v0.7.2 + github.com/CycloneDX/cyclonedx-go v0.8.0 github.com/Masterminds/semver v1.5.0 github.com/Masterminds/sprig/v3 v3.2.3 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d diff --git a/go.sum b/go.sum index 4bb8ed4adb0..81220a21ac5 100644 --- a/go.sum +++ b/go.sum 
@@ -58,8 +58,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/CycloneDX/cyclonedx-go v0.7.2 h1:kKQ0t1dPOlugSIYVOMiMtFqeXI2wp/f5DBIdfux8gnQ= -github.com/CycloneDX/cyclonedx-go v0.7.2/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk= +github.com/CycloneDX/cyclonedx-go v0.8.0 h1:FyWVj6x6hoJrui5uRQdYZcSievw3Z32Z88uYzG/0D6M= +github.com/CycloneDX/cyclonedx-go v0.8.0/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk= github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ= github.com/DataDog/zstd v1.4.5 h1:EndNeuB0l9syBZhut0wns3gV1hL8zX8LIu6ZiVHWLIQ= github.com/DataDog/zstd v1.4.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo= From 64d942469354b9ac07a1972c835c68edcd5616eb Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Thu, 14 Dec 2023 14:46:25 -0500 Subject: [PATCH 2/3] docs: update README typo Signed-off-by: Keith Zantow --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1919c357dab..d75f248bee4 100644 --- a/README.md +++ b/README.md @@ -121,7 +121,7 @@ syft --scope all-layers ### Supported sources -Syft can generate a SBOM from a variety of sources: +Syft can generate an SBOM from a variety of sources: ``` # catalog a container image archive (from the result of `docker image save ...`, `podman save ...`, or `skopeo copy` commands) From c4dfb7b31e0aaa426c2e3c3e40dec506a4b29158 Mon Sep 17 00:00:00 2001 From: Keith Zantow Date: Thu, 14 Dec 2023 15:59:16 -0500 Subject: [PATCH 3/3] chore: update cyclonedx tool metadata and tests 
Signed-off-by: Keith Zantow --- .../format/common/cyclonedxhelpers/decoder.go | 19 ++++++++++++++++--- syft/format/common/cyclonedxhelpers/format.go | 13 ++++++++----- .../common/cyclonedxhelpers/format_test.go | 15 ++++++++------- .../TestCycloneDxDirectoryEncoder.golden | 17 ++++++++++------- .../snapshot/TestCycloneDxImageEncoder.golden | 17 ++++++++++------- .../TestCycloneDxDirectoryEncoder.golden | 12 +++++++----- .../snapshot/TestCycloneDxImageEncoder.golden | 12 +++++++----- 7 files changed, 66 insertions(+), 39 deletions(-) diff --git a/syft/format/common/cyclonedxhelpers/decoder.go b/syft/format/common/cyclonedxhelpers/decoder.go index 37de22a9ad8..6af03df16f6 100644 --- a/syft/format/common/cyclonedxhelpers/decoder.go +++ b/syft/format/common/cyclonedxhelpers/decoder.go @@ -249,9 +249,22 @@ func extractDescriptor(meta *cyclonedx.Metadata) (desc sbom.Descriptor) { return } - for _, t := range *meta.Tools { - desc.Name = t.Name - desc.Version = t.Version + // handle 1.5 component element + if meta.Tools.Components != nil { + for _, t := range *meta.Tools.Components { + desc.Name = t.Name + desc.Version = t.Version + return + } + } + + // handle pre-1.5 tool element + if meta.Tools.Tools != nil { + for _, t := range *meta.Tools.Tools { + desc.Name = t.Name + desc.Version = t.Version + return + } } return diff --git a/syft/format/common/cyclonedxhelpers/format.go b/syft/format/common/cyclonedxhelpers/format.go index b5d96487741..548a65c24ef 100644 --- a/syft/format/common/cyclonedxhelpers/format.go +++ b/syft/format/common/cyclonedxhelpers/format.go 
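Review bot: Both new loops in extractDescriptor return from their first iteration, so each is really "use the first entry" and reads more honestly as a length-checked index, e.g. `if comps := *meta.Tools.Components; len(comps) > 0 { desc.Name, desc.Version = comps[0].Name, comps[0].Version; return }` with the same shape for `meta.Tools.Tools`. This is also a behaviour change from the removed loop, which overwrote desc on every iteration and therefore reported the last tool, whereas the new code reports the first; if that is intended, say so where the branch is chosen, e.g. `// CycloneDX 1.5 tools.components takes precedence over the pre-1.5 tools array; only the first entry is reported`. The `meta.Tools.Components` dereference relies on a nil check of meta.Tools that sits above the hunk and I assume is unchanged. The function's closing brace is outside the hunk.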
@@ -114,11 +114,14 @@ func formatCPE(cpeString string) string {
 func toBomDescriptor(name, version string, srcMetadata source.Description) *cyclonedx.Metadata {
 return &cyclonedx.Metadata{
 Timestamp: time.Now().Format(time.RFC3339),
- Tools: &[]cyclonedx.Tool{
- {
- Vendor: "anchore",
- Name: name,
- Version: version,
+ Tools: &cyclonedx.ToolsChoice{
+ Components: &[]cyclonedx.Component{
+ {
+ Type: cyclonedx.ComponentTypeApplication,
+ Author: "anchore",
+ Name: name,
+ Version: version,
+ },
 },
 },
 Properties: toBomProperties(srcMetadata),
diff --git a/syft/format/common/cyclonedxhelpers/format_test.go b/syft/format/common/cyclonedxhelpers/format_test.go
index b792dea1b83..25428823bcb 100644
--- a/syft/format/common/cyclonedxhelpers/format_test.go
+++ b/syft/format/common/cyclonedxhelpers/format_test.go
@@ -168,13 +168,14 @@ func Test_toBomDescriptor(t *testing.T) {
 want: &cyclonedx.Metadata{
 Timestamp: "",
 Lifecycles: nil,
- Tools: &[]cyclonedx.Tool{
- {
- Vendor: "anchore",
- Name: "test-image",
- Version: "1.0.0",
- Hashes: nil,
- ExternalReferences: nil,
+ Tools: &cyclonedx.ToolsChoice{
+ Components: &[]cyclonedx.Component{
+ {
+ Type: cyclonedx.ComponentTypeApplication,
+ Author: "anchore",
+ Name: "test-image",
+ Version: "1.0.0",
+ },
 },
 },
 Authors: nil,
diff --git a/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
index 8328af48678..4f1190eceab 100644
--- a/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
+++ b/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
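Review bot: The `Tools:` literal in toBomDescriptor switches the emitted metadata.tools from the pre-1.5 array of Tool to the CycloneDX 1.5 ToolsChoice object, and the JSON golden diffs further down confirm `"tools"` changes from an array to an object; any downstream consumer that still reads `metadata.tools[].vendor` will stop parsing syft output, so this deserves a comment and a release note rather than riding silently under a `chore:` title. I would add above the literal `// CycloneDX 1.5 tools.components form; extractDescriptor still accepts the pre-1.5 tools array on decode` so the encode/decode asymmetry is visible in the code. Whether cyclonedx-go converts this structure when a caller encodes at an older spec version is not visible here and is worth confirming before release. The rest of the Metadata literal after `Properties:` and toBomDescriptor's closing brace sit outside the hunk.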
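Review bot: The updated `want` in Test_toBomDescriptor only pins the encoder's new ToolsChoice output; nothing in this commit's file list covers the two decode branches added to extractDescriptor, so the pre-1.5 `tools` array fallback ships untested. A table case that builds `Tools: &cyclonedx.ToolsChoice{Tools: &[]cyclonedx.Tool{{Name: "syft", Version: "1.0.0"}}}` and asserts desc.Name and desc.Version, plus one with both Components and Tools populated to pin the precedence, would close that gap. The surrounding test-table literal starts above the hunk and continues past `Authors: nil,`.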
@@ -6,13 +6,16 @@
 "version": 1,
 "metadata": {
 "timestamp": "timestamp:redacted",
- "tools": [
- {
- "vendor": "anchore",
- "name": "syft",
- "version": "v0.42.0-bogus"
- }
- ],
+ "tools": {
+ "components": [
+ {
+ "type": "application",
+ "author": "anchore",
+ "name": "syft",
+ "version": "v0.42.0-bogus"
+ }
+ ]
+ },
 "component": {
 "bom-ref":"redacted",
 "type": "file",
diff --git a/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
index d8aef04cfd6..3b4844b0231 100644
--- a/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
+++ b/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
@@ -6,13 +6,16 @@
 "version": 1,
 "metadata": {
 "timestamp": "timestamp:redacted",
- "tools": [
- {
- "vendor": "anchore",
- "name": "syft",
- "version": "v0.42.0-bogus"
- }
- ],
+ "tools": {
+ "components": [
+ {
+ "type": "application",
+ "author": "anchore",
+ "name": "syft",
+ "version": "v0.42.0-bogus"
+ }
+ ]
+ },
 "component": {
 "bom-ref":"redacted",
 "type": "container",
diff --git a/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
index 85f455aeadb..c56f6724b02 100644
--- a/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
+++ b/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
@@ -3,11 +3,13 @@ redacted - - anchore - syft - v0.42.0-bogus - + + + anchore + syft + v0.42.0-bogus + + some/path
diff --git a/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
index 750bf863085..8e0c8800fa6 100644
--- a/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
+++ b/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
@@ -3,11 +3,13 @@ redacted - - anchore - syft - v0.42.0-bogus - + + + anchore + syft + v0.42.0-bogus + + user-image-input