feat: output sboms conforming to spec v1.4 (#125)
* build(deps): bump github.com/CycloneDX/cyclonedx-go from 0.4.0 to 0.5.0

Bumps [github.com/CycloneDX/cyclonedx-go](https://github.com/CycloneDX/cyclonedx-go) from 0.4.0 to 0.5.0.
- [Release notes](https://github.com/CycloneDX/cyclonedx-go/releases)
- [Changelog](https://github.com/CycloneDX/cyclonedx-go/blob/master/.goreleaser.yml)
- [Commits](CycloneDX/cyclonedx-go@v0.4.0...v0.5.0)

---
updated-dependencies:
- dependency-name: github.com/CycloneDX/cyclonedx-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* test: update snapshots for spec v1.4

Signed-off-by: nscuro <nscuro@protonmail.com>

* set external references in tool metadata

Signed-off-by: nscuro <nscuro@protonmail.com>

* update supported spec version in readme

Signed-off-by: nscuro <nscuro@protonmail.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Closes #124
nscuro committed Feb 8, 2022
1 parent 83487fb commit 89f78c2
Showing 21 changed files with 33 additions and 25 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -26,7 +26,7 @@ Building from source requires Go 1.17 or newer.

## Compatibility

*cyclonedx-gomod* aims to produce SBOMs according to the latest CycloneDX specification, which currently is [1.3](https://cyclonedx.org/docs/1.3/).
*cyclonedx-gomod* aims to produce SBOMs according to the latest CycloneDX specification, which currently is [1.4](https://cyclonedx.org/docs/1.4/).
You can use the [CycloneDX CLI](https://github.com/CycloneDX/cyclonedx-cli#convert-command) to convert between multiple BOM formats or specification versions.

## Usage
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -3,7 +3,7 @@ module github.com/CycloneDX/cyclonedx-gomod
go 1.17

require (
github.com/CycloneDX/cyclonedx-go v0.4.0
github.com/CycloneDX/cyclonedx-go v0.5.0
github.com/bradleyjkemp/cupaloy/v2 v2.7.0
github.com/go-enry/go-license-detector/v4 v4.3.0
github.com/go-git/go-git/v5 v5.4.2
5 changes: 2 additions & 3 deletions go.sum
@@ -1,6 +1,6 @@
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/CycloneDX/cyclonedx-go v0.4.0 h1:Wz4QZ9B4RXGWIWTypVLEOVJgOdFfy5mcS5PGNzUkZxU=
github.com/CycloneDX/cyclonedx-go v0.4.0/go.mod h1:rmRcf//gT7PIzovatusbWi377xqCg1FS4jyST0GH20E=
github.com/CycloneDX/cyclonedx-go v0.5.0 h1:RWCnu2OrWUTF5C9DA3L0qVziUD2HlxSUWcL2OXlxfqE=
github.com/CycloneDX/cyclonedx-go v0.5.0/go.mod h1:nQXAzrejxO39b14JFz2SvsUElegYfwBDowIzqjdUMk4=
github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
github.com/Microsoft/go-winio v0.4.16 h1:FtSW/jqD+l4ba5iPBj9CODVtgfYAD8w2wS923g/cFDk=
github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
Expand All @@ -14,7 +14,6 @@ github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo
github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
github.com/bradleyjkemp/cupaloy/v2 v2.6.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
github.com/bradleyjkemp/cupaloy/v2 v2.7.0 h1:AT0vOjO68RcLyenLCHOGZzSNiuto7ziqzq6Q1/3xzMQ=
github.com/bradleyjkemp/cupaloy/v2 v2.7.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
10 changes: 10 additions & 0 deletions internal/sbom/sbom.go
Expand Up @@ -120,6 +120,16 @@ func BuildToolMetadata(logger zerolog.Logger) (*cdx.Tool, error) {
Name: version.Name,
Version: version.Version,
Hashes: &toolHashes,
ExternalReferences: &[]cdx.ExternalReference{
{
Type: cdx.ERTypeVCS,
URL: "https://github.com/CycloneDX/cyclonedx-gomod",
},
{
Type: cdx.ERTypeWebsite,
URL: "https://cyclonedx.org",
},
},
}, nil
}
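Review bot: the two URLs in the new ExternalReferences block are hard-coded literals, while Name and Version right above them are read from the version package; keep the VCS and website URLs next to those (for example as exported constants in the same package) so the tool's identity data lives in one place and a repository move does not require editing sbom.go. A one-line comment tying this addition to the spec version bump in the same commit would also help the next reader understand why it belongs here.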

6 changes: 3 additions & 3 deletions internal/testutil/testutil.go
Expand Up @@ -161,8 +161,8 @@ func RequireValidSBOM(t *testing.T, bom *cdx.BOM, fileFormat cdx.BOMFileFormat)
bomFile, err := os.Create(filepath.Join(t.TempDir(), fmt.Sprintf("bom.%s", inputFormat)))
require.NoError(t, err)
defer func() {
if err := bomFile.Close(); err != nil {
fmt.Printf("failed to close bom file: %v", err)
if err := bomFile.Close(); err != nil && err.Error() != "file already closed" {
fmt.Printf("failed to close bom file: %v\n", err)
}
}()
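Review bot: matching the error text with `err.Error() != "file already closed"` in the deferred Close is brittle. The file is closed explicitly later in this function with `require.NoError(t, bomFile.Close())`, so the deferred call only exists as a fallback; detect the double close with `errors.Is(err, os.ErrClosed)` (available with the Go 1.17 floor in go.mod) instead of comparing strings, or drop the deferred Close altogether now that the explicit one is checked. If the fallback stays, `t.Logf` would attach the message to the test output rather than `fmt.Printf`.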

Expand All @@ -172,7 +172,7 @@ func RequireValidSBOM(t *testing.T, bom *cdx.BOM, fileFormat cdx.BOMFileFormat)
require.NoError(t, err)
require.NoError(t, bomFile.Close())

valCmd := exec.Command("cyclonedx", "validate", "--input-file", bomFile.Name(), "--input-format", inputFormat, "--input-version", "v1_3", "--fail-on-errors") // #nosec G204
valCmd := exec.Command("cyclonedx", "validate", "--input-file", bomFile.Name(), "--input-format", inputFormat, "--input-version", "v1_4", "--fail-on-errors") // #nosec G204
valOut, err := valCmd.CombinedOutput()
if !assert.NoError(t, err) {
// Provide some context when test is failing
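Review bot: `"--input-version", "v1_4"` is a second hard-coded copy of the spec version; the serializer decides which schema the BOM is written against, and if the two drift this test silently validates against the wrong schema version. Consider deriving the validator argument from a single constant shared with the code that selects the output spec version, so the next bump is a one-line change. The `// #nosec G204` annotation remains justified since every argument is a constant or a path under `t.TempDir()`.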
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module" type="application">
<name>testmod-simple</name>
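Review bot: this and the following snapshot hunks change only the schema namespace, and the fixtures open `<metadata>` directly with `<component ...>`, so they contain no `<tools>` element. That means the external references added to the tool metadata in internal/sbom/sbom.go in this same commit are not exercised by any snapshot; a small unit test on BuildToolMetadata asserting that both references (VCS and website) are present would close that gap.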
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210901192510-dc2d14d2351d?type=module#cmd/purl" type="application">
<name>testmod-simple</name>
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210901192510-dc2d14d2351d?type=module#cmd/uuid" type="application">
<name>testmod-simple</name>
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module" type="application">
<name>testmod-vendored</name>
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module" type="application">
<name>testmod-vendored</name>
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module" type="application">
<name>testmod-vendored</name>
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module" type="application">
<name>testmod-simple</name>
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module" type="application">
<name>testmod-simple</name>
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-simple@(devel)?type=module" type="application">
<name>testmod-simple</name>
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module" type="application">
<name>testmod-simple</name>
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module" type="application">
<name>testmod-simple</name>
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-local@v0.0.0-20210716185356-32d6b8adc872?type=module" type="application">
<name>testmod-local</name>
Expand All @@ -10,7 +10,6 @@
<components>
<component bom-ref="pkg:golang/testmod-local-dependency?type=module" type="library">
<name>testmod-local-dependency</name>
<version></version>
<scope>required</scope>
<hashes>
<hash alg="SHA-256">0fc77332094208335c4c70c9580b2a9c29ec4e7da87267a62e0dcfdc19608c85</hash>
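Review bot: this hunk drops the empty `<version></version>` element for testmod-local-dependency. Nothing else in the diff touches version handling, so the change appears to come from the library bump rather than from code in this commit, but it is consumer-visible: a downstream tool that treated an empty version element as present will now see no version at all for a locally replaced module. Worth a sentence in the commit message or release notes, and worth confirming that the local-dependency case genuinely has no version to report rather than losing one.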
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210901192510-dc2d14d2351d?type=module" type="application">
<name>testmod-simple</name>
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716190707-a62fcff56e7e?type=module" type="application">
<name>testmod-simple</name>
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-nodeps@v0.0.0-20210716190350-6880323ad03d?type=module" type="application">
<name>testmod-nodeps</name>
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
<metadata>
<component bom-ref="pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module" type="application">
<name>testmod-vendored</name>