From 781a647ba8c86638f80799b03a21a592d098ce22 Mon Sep 17 00:00:00 2001
From: nscuro
Date: Sat, 17 Jun 2023 16:28:50 +0200
Subject: [PATCH] feat(spec1-5): add additional external reference types

Signed-off-by: nscuro
---
 convert.go | 28 +++++++++++++++++++++++++---
 cyclonedx.go | 48 +++++++++++++++++++++++++++++++-----------------
 2 files changed, 56 insertions(+), 20 deletions(-)

diff --git a/convert.go b/convert.go
index 162b2fd..46c3c3c 100644
--- a/convert.go
+++ b/convert.go
@@ -84,6 +84,10 @@ func (b *BOM) convert(specVersion SpecVersion) {
 }
 }
 
+ if b.ExternalReferences != nil {
+ convertExternalReferences(b.ExternalReferences, specVersion)
+ }
+
 b.SpecVersion = specVersion
 b.XMLNS = xmlNamespaces[specVersion]
 b.JSONSchema = jsonSchemas[specVersion]
@@ -141,9 +145,15 @@ func convertExternalReferences(extRefs *[]ExternalReference, specVersion SpecVer
 return
 }
 
- if specVersion < SpecVersion1_3 {
- for i := range *extRefs {
- (*extRefs)[i].Hashes = nil
+ for i := range *extRefs {
+ extRef := &(*extRefs)[i]
+
+ if !specVersion.supportsExternalReferenceType(extRef.Type) {
+ extRef.Type = ERTypeOther
+ }
+
+ if specVersion < SpecVersion1_3 {
+ extRef.Hashes = nil
+ }
 }
 }
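Review bot: The demotion at `extRef.Type = ERTypeOther` is lossy and silent: a 1.5 BOM whose references are typed `vulnerability-assertion`, `exploitability-statement` or `attestation` comes out of a conversion to 1.4 or lower as plain `other`, and a consumer of the converted document presumably cannot distinguish those from genuinely untyped links. Keeping the output schema-valid is the right trade-off, but it deserves a comment at the assignment so it is not later mistaken for a bug: `// 1.5-only types have no pre-1.5 equivalent; demote to "other" so the output still validates instead of dropping the reference.` Note also that the guard relies on supportsExternalReferenceType, which in the next hunk answers true for any value it does not list, so a Type that is not one of the ERType* constants passes through this loop unchanged. convertExternalReferences starts outside the hunk.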
@@ -290,6 +300,18 @@ func (sv SpecVersion) supportsComponentType(cType ComponentType) bool {
 return false
 }
 
+func (sv SpecVersion) supportsExternalReferenceType(ert ExternalReferenceType) bool {
+ switch ert {
+ case ERTypeAttestation, ERTypeCertificationReport, ERTypeCodifiedInfrastructure, ERTypeComponentAnalysisReport,
+ ERTypeDistributionIntake, ERTypeDynamicAnalysisReport, ERTypeExploitabilityStatement, ERTypeMaturityReport,
+ ERTypePentestReport, ERTypeQualityMetrics, ERTypeRuntimeAnalysisReport, ERTypeStaticAnalysisReport,
+ ERTypeThreatModel, ERTypeVulnerabilityAssertion:
+ return sv >= SpecVersion1_5
+ }
+
+ return sv >= SpecVersion1_1
+}
+
 func (sv SpecVersion) supportsHashAlgorithm(algo HashAlgorithm) bool {
 switch algo {
 case HashAlgoMD5, HashAlgoSHA1, HashAlgoSHA256, HashAlgoSHA384, HashAlgoSHA512, HashAlgoSHA3_256, HashAlgoSHA3_512:
diff --git a/cyclonedx.go b/cyclonedx.go
index 0b3b914..d911c8f 100644
--- a/cyclonedx.go
+++ b/cyclonedx.go
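Review bot: The fallthrough `return sv >= SpecVersion1_1` in supportsExternalReferenceType also reports "supported" for values that are not in the ERType* set at all (an empty Type, a typo, a value from a future spec), so the caller in convert.go demotes the known 1.5 types but leaves unknown strings untouched in the converted BOM. If the intent is that conversion always yields a type the target schema accepts, enumerate the pre-1.5 constants in a second `case` and make the final return `false`, which lets the caller normalise unknowns to `other` as well; if passing unknown values through is deliberate, a one-line comment saying so would spare the next reader the question. Either way the case list has to track the constant block in cyclonedx.go by hand, so a comment above the switch such as `// Keep in sync with the 1.5 additions to ExternalReferenceType in cyclonedx.go.` is worth adding.
```go
func (sv SpecVersion) supportsExternalReferenceType(ert ExternalReferenceType) bool {
	switch ert {
	case ERTypeAttestation, // … unchanged: remaining 1.5-only types …
		ERTypeVulnerabilityAssertion:
		return sv >= SpecVersion1_5
	case ERTypeAdvisories, ERTypeBOM, ERTypeBuildMeta, ERTypeBuildSystem, ERTypeChat, ERTypeDistribution,
		ERTypeDocumentation, ERTypeIssueTracker, ERTypeLicense, ERTypeMailingList, ERTypeOther, ERTypeReleaseNotes,
		ERTypeSecurityContact, ERTypeSocial, ERTypeSupport, ERTypeVCS, ERTypeWebsite:
		return sv >= SpecVersion1_1
	}

	// Not a known type for any spec version; let the caller normalise it.
	return false
}
```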
@@ -213,23 +213,37 @@ type ExternalReference struct {
 type ExternalReferenceType string
 
 const (
- ERTypeAdvisories ExternalReferenceType = "advisories"
- ERTypeBOM ExternalReferenceType = "bom"
- ERTypeBuildMeta ExternalReferenceType = "build-meta"
- ERTypeBuildSystem ExternalReferenceType = "build-system"
- ERTypeChat ExternalReferenceType = "chat"
- ERTypeDistribution ExternalReferenceType = "distribution"
- ERTypeDocumentation ExternalReferenceType = "documentation"
- ERTypeLicense ExternalReferenceType = "license"
- ERTypeMailingList ExternalReferenceType = "mailing-list"
- ERTypeOther ExternalReferenceType = "other"
- ERTypeIssueTracker ExternalReferenceType = "issue-tracker"
- ERTypeReleaseNotes ExternalReferenceType = "release-notes"
- ERTypeSecurityContact ExternalReferenceType = "security-contact"
- ERTypeSocial ExternalReferenceType = "social"
- ERTypeSupport ExternalReferenceType = "support"
- ERTypeVCS ExternalReferenceType = "vcs"
- ERTypeWebsite ExternalReferenceType = "website"
+ ERTypeAdvisories ExternalReferenceType = "advisories"
+ ERTypeAttestation ExternalReferenceType = "attestation"
+ ERTypeBOM ExternalReferenceType = "bom"
+ ERTypeBuildMeta ExternalReferenceType = "build-meta"
+ ERTypeBuildSystem ExternalReferenceType = "build-system"
+ ERTypeCertificationReport ExternalReferenceType = "certification-report"
+ ERTypeChat ExternalReferenceType = "chat"
+ ERTypeCodifiedInfrastructure ExternalReferenceType = "codified-infrastructure"
+ ERTypeComponentAnalysisReport ExternalReferenceType = "component-analysis-report"
+ ERTypeDistribution ExternalReferenceType = "distribution"
+ ERTypeDistributionIntake ExternalReferenceType = "distribution-intake"
+ ERTypeDocumentation ExternalReferenceType = "documentation"
+ ERTypeDynamicAnalysisReport ExternalReferenceType = "dynamic-analysis-report"
+ ERTypeExploitabilityStatement ExternalReferenceType = "exploitability-statement"
+ ERTypeIssueTracker ExternalReferenceType = "issue-tracker"
+ ERTypeLicense ExternalReferenceType = "license"
+ ERTypeMailingList ExternalReferenceType = "mailing-list"
+ ERTypeMaturityReport ExternalReferenceType = "maturity-report"
+ ERTypeOther ExternalReferenceType = "other"
+ ERTypePentestReport ExternalReferenceType = "pentest-report"
+ ERTypeQualityMetrics ExternalReferenceType = "quality-metrics"
+ ERTypeReleaseNotes ExternalReferenceType = "release-notes"
+ ERTypeRuntimeAnalysisReport ExternalReferenceType = "runtime-analysis-report"
+ ERTypeSecurityContact ExternalReferenceType = "security-contact"
+ ERTypeSocial ExternalReferenceType = "social"
+ ERTypeStaticAnalysisReport ExternalReferenceType = "static-analysis-report"
+ ERTypeSupport ExternalReferenceType = "support"
+ ERTypeThreatModel ExternalReferenceType = "threat-model"
+ ERTypeVCS ExternalReferenceType = "vcs"
+ ERTypeVulnerabilityAssertion ExternalReferenceType = "vulnerability-assertion"
+ ERTypeWebsite ExternalReferenceType = "website"
 )
 
 type Hash struct {
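Review bot: Nothing in the rewritten constant block tells a reader which of the thirty-one ExternalReferenceType values are only valid from CycloneDX 1.5, because the fourteen additions are interleaved alphabetically with the older ones, yet that exact set has to be mirrored by hand in the `supportsExternalReferenceType` switch in convert.go. A trailing `// CycloneDX 1.5+` on each of the new constants (attestation, certification-report, codified-infrastructure, component-analysis-report, distribution-intake, dynamic-analysis-report, exploitability-statement, maturity-report, pentest-report, quality-metrics, runtime-analysis-report, static-analysis-report, threat-model, vulnerability-assertion) would make the dependency visible at the point where someone adds the next value. The block would also benefit from a doc comment on ERTypeOther noting that it is the value convert.go falls back to when a type is not representable in the target spec version.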