chore(deps): bump py-serializable to >=1.0.3 to resolve issues with…

… deserialization to XML Signed-off-by: Paul Horton <paul.horton@owasp.org>
CycloneDX · Apr 4, 2024 · 0398051 · 0398051
1 parent fdece59
commit 0398051
Show file tree

Hide file tree

Showing 51 changed files with 169 additions and 56 deletions.
diff --git a/cyclonedx/model/component.py b/cyclonedx/model/component.py
@@ -873,7 +873,7 @@ def __repr__(self) -> str:
 
 
 @serializable.serializable_class
-class OmniBorId(serializable.helpers.BaseHelper):
+class OmniborId(serializable.helpers.BaseHelper):
     """
     Helper class that allows us to perform validation on data strings that must conform to
     https://www.iana.org/assignments/uri-schemes/prov/gitoid.
@@ -883,7 +883,7 @@ class OmniBorId(serializable.helpers.BaseHelper):
     _VALID_OMNIBOR_ID_REGEX = re.compile(r'^gitoid:(blob|tree|commit|tag):sha(1|256):([a-z0-9]+)$')
 
     def __init__(self, id: str) -> None:
-        if OmniBorId._VALID_OMNIBOR_ID_REGEX.match(id) is None:
+        if OmniborId._VALID_OMNIBOR_ID_REGEX.match(id) is None:
             raise InvalidOmniBorIdException(
                 f'Supplied value "{id} does not meet format specification.'
             )
@@ -897,27 +897,27 @@ def id(self) -> str:
 
     @classmethod
     def serialize(cls, o: Any) -> str:
-        if isinstance(o, OmniBorId):
+        if isinstance(o, OmniborId):
             return str(o)
         raise SerializationOfUnexpectedValueException(
             f'Attempt to serialize a non-OmniBorId: {o!r}')
 
     @classmethod
-    def deserialize(cls, o: Any) -> 'OmniBorId':
+    def deserialize(cls, o: Any) -> 'OmniborId':
         try:
-            return OmniBorId(id=str(o))
+            return OmniborId(id=str(o))
         except ValueError as err:
             raise CycloneDxDeserializationException(
                 f'OmniBorId string supplied does not parse: {o!r}'
             ) from err
 
     def __eq__(self, other: Any) -> bool:
-        if isinstance(other, OmniBorId):
+        if isinstance(other, OmniborId):
             return hash(other) == hash(self)
         return False
 
     def __lt__(self, other: Any) -> bool:
-        if isinstance(other, OmniBorId):
+        if isinstance(other, OmniborId):
             return self._id < other._id
         return NotImplemented
 
@@ -984,7 +984,7 @@ def __init__(self, *,
                  components: Optional[Iterable['Component']] = None, evidence: Optional[ComponentEvidence] = None,
                  modified: bool = False, manufacturer: Optional[OrganizationalEntity] = None,
                  authors: Optional[Iterable[OrganizationalContact]] = None,
-                 omnibor_ids: Optional[Iterable[OmniBorId]] = None,
+                 omnibor_ids: Optional[Iterable[OmniborId]] = None,
                  # swhid: Optional[Iterable[str]] = None,
                  # Deprecated in v1.6
                  author: Optional[str] = None,
@@ -1362,9 +1362,9 @@ def purl(self, purl: Optional[PackageURL]) -> None:
     @property
     @serializable.json_name('omniborId')
     @serializable.view(SchemaVersion1Dot6)
-    @serializable.xml_array(serializable.XmlArraySerializationType.FLAT, 'omniborId')
+    @serializable.xml_array(serializable.XmlArraySerializationType.FLAT, child_name='omniborId')
     @serializable.xml_sequence(16)
-    def omnibor_ids(self) -> 'SortedSet[OmniBorId]':
+    def omnibor_ids(self) -> 'SortedSet[OmniborId]':
         """
         Specifies the OmniBOR Artifact ID. The OmniBOR, if specified, MUST be valid and conform to the specification
         defined at: https://www.iana.org/assignments/uri-schemes/prov/gitoid
@@ -1376,7 +1376,7 @@ def omnibor_ids(self) -> 'SortedSet[OmniBorId]':
         return self._omnibor_ids
 
     @omnibor_ids.setter
-    def omnibor_ids(self, omnibor_ids: Iterable[OmniBorId]) -> None:
+    def omnibor_ids(self, omnibor_ids: Iterable[OmniborId]) -> None:
         self._omnibor_ids = SortedSet(omnibor_ids)
 
     # @property
@@ -1606,7 +1606,8 @@ def __hash__(self) -> int:
             self.type, self.mime_type, self.supplier, self.author, self.publisher, self.group, self.name,
             self.version, self.description, self.scope, tuple(self.hashes), tuple(self.licenses), self.copyright,
             self.cpe, self.purl, self.swid, self.pedigree, tuple(self.external_references), tuple(self.properties),
-            tuple(self.components), self.evidence, self.release_notes, self.modified
+            tuple(self.components), self.evidence, self.release_notes, self.modified, tuple(self.authors),
+            tuple(self.omnibor_ids),
         ))
 
     def __repr__(self) -> str:

diff --git a/pyproject.toml b/pyproject.toml
@@ -69,7 +69,7 @@ keywords = [
 [tool.poetry.dependencies]
 python = "^3.8"
 packageurl-python = ">=0.11, <2"
-py-serializable =  ">=0.16, <2"
+py-serializable =  ">=1.0.3, <2"
 sortedcontainers = "^2.4.0"
 license-expression = "^30"
 jsonschema = { version = "^4.18", extras=['format'], optional=true }

diff --git a/tests/_data/models.py b/tests/_data/models.py
@@ -52,7 +52,7 @@
     ComponentScope,
     ComponentType,
     Diff,
-    OmniBorId,
+    OmniborId,
     Patch,
     PatchClassification,
     Pedigree,
@@ -130,7 +130,7 @@ def get_bom_with_component_setuptools_with_v16_fields() -> Bom:
     component = get_component_setuptools_simple()
     component.manufacturer = get_org_entity_1()
     component.authors = [get_org_contact_1(), get_org_contact_2()]
-    component.omnibor_ids = [OmniBorId('gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64')]
+    component.omnibor_ids = [OmniborId('gitoid:blob:sha1:261eeb9e9f8b2b4b0d119366dda99c6fd7d35c64')]
     # component.swhid = 'swh:1:cnt:94a9ed024d3859793618152ea559a168bbcbb5e2'
     return _make_bom(components=[component])
 
@@ -276,7 +276,8 @@ def get_bom_just_complete_metadata() -> Bom:
     bom = _make_bom()
     bom.metadata.authors = [get_org_contact_1(), get_org_contact_2()]
     bom.metadata.component = get_component_setuptools_complete()
-    bom.metadata.manufacture = get_org_entity_1()
+    bom.metadata.component.manufacturer = get_org_entity_1()
+    bom.metadata.manufacture = get_org_entity_1()  # Deprecated from v1.6 onwards
     bom.metadata.supplier = get_org_entity_2()
     bom.metadata.licenses = [DisjunctiveLicense(
         id='Apache-2.0',
@@ -572,7 +573,8 @@ def get_org_contact_2() -> OrganizationalContact:
 
 def get_org_entity_1() -> OrganizationalEntity:
     return OrganizationalEntity(
-        name='CycloneDX', urls=[XsUri('https://cyclonedx.org')], contacts=[get_org_contact_1(), get_org_contact_2()]
+        name='CycloneDX', urls=[XsUri('https://cyclonedx.org'), XsUri('https://cyclonedx.org/docs')],
+        contacts=[get_org_contact_1(), get_org_contact_2()]
     )
 
 

diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.2.json.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.2.json.bin
@@ -219,7 +219,8 @@
         ],
         "name": "CycloneDX",
         "url": [
-          "https://cyclonedx.org"
+          "https://cyclonedx.org",
+          "https://cyclonedx.org/docs"
         ]
       },
       "swid": {
@@ -249,7 +250,8 @@
       ],
       "name": "CycloneDX",
       "url": [
-        "https://cyclonedx.org"
+        "https://cyclonedx.org",
+        "https://cyclonedx.org/docs"
       ]
     },
     "supplier": {

diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.2.xml.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.2.xml.bin
@@ -24,6 +24,7 @@
       <supplier>
         <name>CycloneDX</name>
         <url>https://cyclonedx.org</url>
+        <url>https://cyclonedx.org/docs</url>
         <contact>
           <name>A N Other</name>
           <email>someone@somewhere.tld</email>
@@ -183,6 +184,7 @@
     <manufacture>
       <name>CycloneDX</name>
       <url>https://cyclonedx.org</url>
+      <url>https://cyclonedx.org/docs</url>
       <contact>
         <name>A N Other</name>
         <email>someone@somewhere.tld</email>

diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.3.json.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.3.json.bin
@@ -263,7 +263,8 @@
         ],
         "name": "CycloneDX",
         "url": [
-          "https://cyclonedx.org"
+          "https://cyclonedx.org",
+          "https://cyclonedx.org/docs"
         ]
       },
       "swid": {
@@ -306,7 +307,8 @@
       ],
       "name": "CycloneDX",
       "url": [
-        "https://cyclonedx.org"
+        "https://cyclonedx.org",
+        "https://cyclonedx.org/docs"
       ]
     },
     "properties": [

diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.3.xml.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.3.xml.bin
@@ -24,6 +24,7 @@
       <supplier>
         <name>CycloneDX</name>
         <url>https://cyclonedx.org</url>
+        <url>https://cyclonedx.org/docs</url>
         <contact>
           <name>A N Other</name>
           <email>someone@somewhere.tld</email>
@@ -205,6 +206,7 @@
     <manufacture>
       <name>CycloneDX</name>
       <url>https://cyclonedx.org</url>
+      <url>https://cyclonedx.org/docs</url>
       <contact>
         <name>A N Other</name>
         <email>someone@somewhere.tld</email>

diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.4.json.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.4.json.bin
@@ -320,7 +320,8 @@
         ],
         "name": "CycloneDX",
         "url": [
-          "https://cyclonedx.org"
+          "https://cyclonedx.org",
+          "https://cyclonedx.org/docs"
         ]
       },
       "swid": {
@@ -363,7 +364,8 @@
       ],
       "name": "CycloneDX",
       "url": [
-        "https://cyclonedx.org"
+        "https://cyclonedx.org",
+        "https://cyclonedx.org/docs"
       ]
     },
     "properties": [

diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.4.xml.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.4.xml.bin
@@ -50,6 +50,7 @@
       <supplier>
         <name>CycloneDX</name>
         <url>https://cyclonedx.org</url>
+        <url>https://cyclonedx.org/docs</url>
         <contact>
           <name>A N Other</name>
           <email>someone@somewhere.tld</email>
@@ -273,6 +274,7 @@
     <manufacture>
       <name>CycloneDX</name>
       <url>https://cyclonedx.org</url>
+      <url>https://cyclonedx.org/docs</url>
       <contact>
         <name>A N Other</name>
         <email>someone@somewhere.tld</email>

diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.5.json.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.5.json.bin
@@ -320,7 +320,8 @@
         ],
         "name": "CycloneDX",
         "url": [
-          "https://cyclonedx.org"
+          "https://cyclonedx.org",
+          "https://cyclonedx.org/docs"
         ]
       },
       "swid": {
@@ -363,7 +364,8 @@
       ],
       "name": "CycloneDX",
       "url": [
-        "https://cyclonedx.org"
+        "https://cyclonedx.org",
+        "https://cyclonedx.org/docs"
       ]
     },
     "properties": [

diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.5.xml.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.5.xml.bin
@@ -50,6 +50,7 @@
       <supplier>
         <name>CycloneDX</name>
         <url>https://cyclonedx.org</url>
+        <url>https://cyclonedx.org/docs</url>
         <contact>
           <name>A N Other</name>
           <email>someone@somewhere.tld</email>
@@ -273,6 +274,7 @@
     <manufacture>
       <name>CycloneDX</name>
       <url>https://cyclonedx.org</url>
+      <url>https://cyclonedx.org/docs</url>
       <contact>
         <name>A N Other</name>
         <email>someone@somewhere.tld</email>

diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.6.json.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.6.json.bin
@@ -95,6 +95,24 @@
           }
         }
       ],
+      "manufacturer": {
+        "contact": [
+          {
+            "email": "someone@somewhere.tld",
+            "name": "A N Other",
+            "phone": "+44 (0)1234 567890"
+          },
+          {
+            "email": "paul.horton@owasp.org",
+            "name": "Paul Horton"
+          }
+        ],
+        "name": "CycloneDX",
+        "url": [
+          "https://cyclonedx.org",
+          "https://cyclonedx.org/docs"
+        ]
+      },
       "name": "setuptools",
       "pedigree": {
         "ancestors": [
@@ -320,7 +338,8 @@
         ],
         "name": "CycloneDX",
         "url": [
-          "https://cyclonedx.org"
+          "https://cyclonedx.org",
+          "https://cyclonedx.org/docs"
         ]
       },
       "swid": {
@@ -363,7 +382,8 @@
       ],
       "name": "CycloneDX",
       "url": [
-        "https://cyclonedx.org"
+        "https://cyclonedx.org",
+        "https://cyclonedx.org/docs"
       ]
     },
     "properties": [

diff --git a/tests/_data/snapshots/get_bom_just_complete_metadata-1.6.xml.bin b/tests/_data/snapshots/get_bom_just_complete_metadata-1.6.xml.bin
@@ -50,6 +50,7 @@
       <supplier>
         <name>CycloneDX</name>
         <url>https://cyclonedx.org</url>
+        <url>https://cyclonedx.org/docs</url>
         <contact>
           <name>A N Other</name>
           <email>someone@somewhere.tld</email>
@@ -60,6 +61,20 @@
           <email>paul.horton@owasp.org</email>
         </contact>
       </supplier>
+      <manufacturer>
+        <name>CycloneDX</name>
+        <url>https://cyclonedx.org</url>
+        <url>https://cyclonedx.org/docs</url>
+        <contact>
+          <name>A N Other</name>
+          <email>someone@somewhere.tld</email>
+          <phone>+44 (0)1234 567890</phone>
+        </contact>
+        <contact>
+          <name>Paul Horton</name>
+          <email>paul.horton@owasp.org</email>
+        </contact>
+      </manufacturer>
       <author>Test Author</author>
       <publisher>CycloneDX</publisher>
       <name>setuptools</name>
@@ -273,6 +288,7 @@
     <manufacture>
       <name>CycloneDX</name>
       <url>https://cyclonedx.org</url>
+      <url>https://cyclonedx.org/docs</url>
       <contact>
         <name>A N Other</name>
         <email>someone@somewhere.tld</email>

diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.2.json.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.2.json.bin
@@ -203,7 +203,8 @@
         ],
         "name": "CycloneDX",
         "url": [
-          "https://cyclonedx.org"
+          "https://cyclonedx.org",
+          "https://cyclonedx.org/docs"
         ]
       },
       "swid": {

diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.2.xml.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.2.xml.bin
@@ -15,6 +15,7 @@
       <supplier>
         <name>CycloneDX</name>
         <url>https://cyclonedx.org</url>
+        <url>https://cyclonedx.org/docs</url>
         <contact>
           <name>A N Other</name>
           <email>someone@somewhere.tld</email>

diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.3.json.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.3.json.bin
@@ -247,7 +247,8 @@
         ],
         "name": "CycloneDX",
         "url": [
-          "https://cyclonedx.org"
+          "https://cyclonedx.org",
+          "https://cyclonedx.org/docs"
         ]
       },
       "swid": {

diff --git a/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.3.xml.bin b/tests/_data/snapshots/get_bom_with_component_setuptools_complete-1.3.xml.bin
@@ -15,6 +15,7 @@
       <supplier>
         <name>CycloneDX</name>
         <url>https://cyclonedx.org</url>
+        <url>https://cyclonedx.org/docs</url>
         <contact>
           <name>A N Other</name>
           <email>someone@somewhere.tld</email>