feat: output sboms conforming to spec v1.4 (#125)

* build(deps): bump github.com/CycloneDX/cyclonedx-go from 0.4.0 to 0.5.0 Bumps [github.com/CycloneDX/cyclonedx-go](https://github.com/CycloneDX/cyclonedx-go) from 0.4.0 to 0.5.0. - [Release notes](https://github.com/CycloneDX/cyclonedx-go/releases) - [Changelog](https://github.com/CycloneDX/cyclonedx-go/blob/master/.goreleaser.yml) - [Commits](CycloneDX/cyclonedx-go@v0.4.0...v0.5.0) --- updated-dependencies: - dependency-name: github.com/CycloneDX/cyclonedx-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * test: update snapshots for spec v1.4 Signed-off-by: nscuro <nscuro@protonmail.com> * set external references in tool metadata Signed-off-by: nscuro <nscuro@protonmail.com> * update supported spec version in readme Signed-off-by: nscuro <nscuro@protonmail.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Closes #124
CycloneDX · Feb 8, 2022 · 89f78c2 · 89f78c2
1 parent 83487fb
commit 89f78c2
Show file tree

Hide file tree

Showing 21 changed files with 33 additions and 25 deletions.
diff --git a/README.md b/README.md
@@ -26,7 +26,7 @@ Building from source requires Go 1.17 or newer.
 
 ## Compatibility
 
-*cyclonedx-gomod* aims to produce SBOMs according to the latest CycloneDX specification, which currently is [1.3](https://cyclonedx.org/docs/1.3/). 
+*cyclonedx-gomod* aims to produce SBOMs according to the latest CycloneDX specification, which currently is [1.4](https://cyclonedx.org/docs/1.4/). 
 You can use the [CycloneDX CLI](https://github.com/CycloneDX/cyclonedx-cli#convert-command) to convert between multiple BOM formats or specification versions. 
 
 ## Usage

diff --git a/go.mod b/go.mod
@@ -3,7 +3,7 @@ module github.com/CycloneDX/cyclonedx-gomod
 go 1.17
 
 require (
-	github.com/CycloneDX/cyclonedx-go v0.4.0
+	github.com/CycloneDX/cyclonedx-go v0.5.0
 	github.com/bradleyjkemp/cupaloy/v2 v2.7.0
 	github.com/go-enry/go-license-detector/v4 v4.3.0
 	github.com/go-git/go-git/v5 v5.4.2

diff --git a/go.sum b/go.sum
@@ -1,6 +1,6 @@
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/CycloneDX/cyclonedx-go v0.4.0 h1:Wz4QZ9B4RXGWIWTypVLEOVJgOdFfy5mcS5PGNzUkZxU=
-github.com/CycloneDX/cyclonedx-go v0.4.0/go.mod h1:rmRcf//gT7PIzovatusbWi377xqCg1FS4jyST0GH20E=
+github.com/CycloneDX/cyclonedx-go v0.5.0 h1:RWCnu2OrWUTF5C9DA3L0qVziUD2HlxSUWcL2OXlxfqE=
+github.com/CycloneDX/cyclonedx-go v0.5.0/go.mod h1:nQXAzrejxO39b14JFz2SvsUElegYfwBDowIzqjdUMk4=
 github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
 github.com/Microsoft/go-winio v0.4.16 h1:FtSW/jqD+l4ba5iPBj9CODVtgfYAD8w2wS923g/cFDk=
 github.com/Microsoft/go-winio v0.4.16/go.mod h1:XB6nPKklQyQ7GC9LdcBEcBl8PF76WugXOPRXwdLnMv0=
@@ -14,7 +14,6 @@ github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239 h1:kFOfPq6dUM1hTo
 github.com/anmitsu/go-shlex v0.0.0-20161002113705-648efa622239/go.mod h1:2FmKhYUyUczH0OGQWaF5ceTx0UBShxjsH6f8oGKYe2c=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/bradleyjkemp/cupaloy/v2 v2.6.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/bradleyjkemp/cupaloy/v2 v2.7.0 h1:AT0vOjO68RcLyenLCHOGZzSNiuto7ziqzq6Q1/3xzMQ=
 github.com/bradleyjkemp/cupaloy/v2 v2.7.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=

diff --git a/internal/sbom/sbom.go b/internal/sbom/sbom.go
@@ -120,6 +120,16 @@ func BuildToolMetadata(logger zerolog.Logger) (*cdx.Tool, error) {
 		Name:    version.Name,
 		Version: version.Version,
 		Hashes:  &toolHashes,
+		ExternalReferences: &[]cdx.ExternalReference{
+			{
+				Type: cdx.ERTypeVCS,
+				URL:  "https://github.com/CycloneDX/cyclonedx-gomod",
+			},
+			{
+				Type: cdx.ERTypeWebsite,
+				URL:  "https://cyclonedx.org",
+			},
+		},
 	}, nil
 }
 

diff --git a/internal/testutil/testutil.go b/internal/testutil/testutil.go
@@ -161,8 +161,8 @@ func RequireValidSBOM(t *testing.T, bom *cdx.BOM, fileFormat cdx.BOMFileFormat)
 	bomFile, err := os.Create(filepath.Join(t.TempDir(), fmt.Sprintf("bom.%s", inputFormat)))
 	require.NoError(t, err)
 	defer func() {
-		if err := bomFile.Close(); err != nil {
-			fmt.Printf("failed to close bom file: %v", err)
+		if err := bomFile.Close(); err != nil && err.Error() != "file already closed" {
+			fmt.Printf("failed to close bom file: %v\n", err)
 		}
 	}()
 
@@ -172,7 +172,7 @@ func RequireValidSBOM(t *testing.T, bom *cdx.BOM, fileFormat cdx.BOMFileFormat)
 	require.NoError(t, err)
 	require.NoError(t, bomFile.Close())
 
-	valCmd := exec.Command("cyclonedx", "validate", "--input-file", bomFile.Name(), "--input-format", inputFormat, "--input-version", "v1_3", "--fail-on-errors") // #nosec G204
+	valCmd := exec.Command("cyclonedx", "validate", "--input-file", bomFile.Name(), "--input-format", inputFormat, "--input-version", "v1_4", "--fail-on-errors") // #nosec G204
 	valOut, err := valCmd.CombinedOutput()
 	if !assert.NoError(t, err) {
 		// Provide some context when test is failing

diff --git a/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-Simple b/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-Simple
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module" type="application">
       <name>testmod-simple</name>

diff --git a/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleMultiCommandPURL b/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleMultiCommandPURL
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210901192510-dc2d14d2351d?type=module#cmd/purl" type="application">
       <name>testmod-simple</name>

diff --git a/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleMultiCommandUUID b/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleMultiCommandUUID
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210901192510-dc2d14d2351d?type=module#cmd/uuid" type="application">
       <name>testmod-simple</name>

diff --git a/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleVendor b/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleVendor
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module" type="application">
       <name>testmod-vendored</name>

diff --git a/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleVendorWithFiles b/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleVendorWithFiles
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module" type="application">
       <name>testmod-vendored</name>

diff --git a/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleVendorWithPackages b/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleVendorWithPackages
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module" type="application">
       <name>testmod-vendored</name>

diff --git a/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleWithFiles b/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleWithFiles
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module" type="application">
       <name>testmod-simple</name>

diff --git a/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleWithPackages b/pkg/generate/app/testdata/snapshots/TestGenerator_Generate-SimpleWithPackages
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module" type="application">
       <name>testmod-simple</name>

diff --git a/pkg/generate/bin/testdata/snapshots/TestGenerator_Generate-Simple b/pkg/generate/bin/testdata/snapshots/TestGenerator_Generate-Simple
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-simple@(devel)?type=module" type="application">
       <name>testmod-simple</name>

diff --git a/pkg/generate/bin/testdata/snapshots/TestGenerator_Generate-Simple1.18 b/pkg/generate/bin/testdata/snapshots/TestGenerator_Generate-Simple1.18
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module" type="application">
       <name>testmod-simple</name>

diff --git a/pkg/generate/mod/testdata/snapshots/TestGenerator_Generate-Simple b/pkg/generate/mod/testdata/snapshots/TestGenerator_Generate-Simple
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716183230-c7ea7c975ab8?type=module" type="application">
       <name>testmod-simple</name>

diff --git a/pkg/generate/mod/testdata/snapshots/TestGenerator_Generate-SimpleLocal b/pkg/generate/mod/testdata/snapshots/TestGenerator_Generate-SimpleLocal
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-local@v0.0.0-20210716185356-32d6b8adc872?type=module" type="application">
       <name>testmod-local</name>
@@ -10,7 +10,6 @@
   <components>
     <component bom-ref="pkg:golang/testmod-local-dependency?type=module" type="library">
       <name>testmod-local-dependency</name>
-      <version></version>
       <scope>required</scope>
       <hashes>
         <hash alg="SHA-256">0fc77332094208335c4c70c9580b2a9c29ec4e7da87267a62e0dcfdc19608c85</hash>

diff --git a/pkg/generate/mod/testdata/snapshots/TestGenerator_Generate-SimpleMultiCommand b/pkg/generate/mod/testdata/snapshots/TestGenerator_Generate-SimpleMultiCommand
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210901192510-dc2d14d2351d?type=module" type="application">
       <name>testmod-simple</name>

diff --git a/pkg/generate/mod/testdata/snapshots/TestGenerator_Generate-SimpleNested b/pkg/generate/mod/testdata/snapshots/TestGenerator_Generate-SimpleNested
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-simple@v0.0.0-20210716190707-a62fcff56e7e?type=module" type="application">
       <name>testmod-simple</name>

diff --git a/pkg/generate/mod/testdata/snapshots/TestGenerator_Generate-SimpleNoDependencies b/pkg/generate/mod/testdata/snapshots/TestGenerator_Generate-SimpleNoDependencies
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-nodeps@v0.0.0-20210716190350-6880323ad03d?type=module" type="application">
       <name>testmod-nodeps</name>

diff --git a/pkg/generate/mod/testdata/snapshots/TestGenerator_Generate-SimpleVendor b/pkg/generate/mod/testdata/snapshots/TestGenerator_Generate-SimpleVendor
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
   <metadata>
     <component bom-ref="pkg:golang/testmod-vendored@v0.0.0-20210716185931-5c9f3d791930?type=module" type="application">
       <name>testmod-vendored</name>