chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.6.0 to 0.7.0 (#2974)

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
Co-authored-by: masahiro331 <m_fujimura@r.recruit.co.jp>
3 people authored Jan 3, 2023
1 parent 6e6171f commit 02aa8c2
Showing 7 changed files with 65 additions and 100 deletions.
2 changes: 1 addition & 1 deletion go.mod
Expand Up @@ -3,7 +3,7 @@ module github.com/aquasecurity/trivy
go 1.19

require (
github.com/CycloneDX/cyclonedx-go v0.6.0
github.com/CycloneDX/cyclonedx-go v0.7.0
github.com/Masterminds/sprig/v3 v3.2.3
github.com/NYTimes/gziphandler v1.1.1
github.com/alicebob/miniredis/v2 v2.23.0
7 changes: 3 additions & 4 deletions go.sum
Expand Up @@ -107,8 +107,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/CycloneDX/cyclonedx-go v0.6.0 h1:SizWGbZzFTC/O/1yh072XQBMxfvsoWqd//oKCIyzFyE=
github.com/CycloneDX/cyclonedx-go v0.6.0/go.mod h1:nQCiF4Tvrg5Ieu8qPhYMvzPGMu5I7fANZkrSsJjl5mg=
github.com/CycloneDX/cyclonedx-go v0.7.0 h1:jNxp8hL7UpcvPDFXjY+Y1ibFtsW+e5zyF9QoSmhK/zg=
github.com/CycloneDX/cyclonedx-go v0.7.0/go.mod h1:W5Z9w8pTTL+t+yG3PCiFRGlr8PUlE0pGWzKSJbsyXkg=
github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible h1:juIaKLLVhqzP55d8x4cSVgwyQv76Z55/fRv/UBr2KkQ=
github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
Expand Down Expand Up @@ -365,8 +365,7 @@ github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnweb
github.com/bmatcuk/doublestar v1.3.4 h1:gPypJ5xD31uhX6Tf54sDPUOBXTqKH4c9aPY66CyQrS0=
github.com/bmatcuk/doublestar v1.3.4/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
github.com/bradleyjkemp/cupaloy/v2 v2.7.0 h1:AT0vOjO68RcLyenLCHOGZzSNiuto7ziqzq6Q1/3xzMQ=
github.com/bradleyjkemp/cupaloy/v2 v2.7.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
github.com/briandowns/spinner v1.12.0 h1:72O0PzqGJb6G3KgrcIOtL/JAGGZ5ptOMCn9cUHmqsmw=
github.com/briandowns/spinner v1.12.0/go.mod h1:QOuQk7x+EaDASo80FEXwlwiA+j/PPIcX3FScO+3/ZPQ=
github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
9 changes: 6 additions & 3 deletions pkg/fanal/types/sbom.go
Expand Up @@ -7,8 +7,8 @@ package types
// cf. https://tinygo.org/docs/reference/lang-support/stdlib/
type CycloneDX struct {
// JSON specific fields
BOMFormat string `json:"bomFormat" xml:"-"`
SpecVersion string `json:"specVersion" xml:"-"`
BOMFormat string `json:"bomFormat" xml:"-"`
SpecVersion SpecVersion `json:"specVersion" xml:"-"`

SerialNumber string `json:"serialNumber,omitempty" xml:"serialNumber,attr,omitempty"`
Version int `json:"version" xml:"version,attr"`
Expand All @@ -30,4 +30,7 @@ type Component struct {
PackageURL string `json:"purl,omitempty" xml:"purl,omitempty"`
}

type ComponentType string
type (
ComponentType string
SpecVersion int
)
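Review bot: The new `SpecVersion int` has no doc comment and carries no marshaling methods, yet `CycloneDX.SpecVersion` keeps its `json:"specVersion"` tag; if `ftypes.CycloneDX` is encoded to JSON anywhere (the tags suggest it is), the field will now serialize as the enum's integer value instead of the dotted version string that cyclonedx-go's own `SpecVersion` renders through its `String`/`MarshalJSON`, a silent output-format change for report consumers. The conversion `SpecVersion: ftypes.SpecVersion(bom.SpecVersion)` in pkg/sbom/cyclonedx/unmarshal.go is where that integer enters this struct. At minimum add `// SpecVersion mirrors cyclonedx.SpecVersion: an integer enum, not the "1.x" string; add MarshalJSON/String if this type is ever serialized.` above the type, or give `SpecVersion` methods that delegate to `cyclonedx.SpecVersion(v)`. The `CycloneDX` struct body continues outside the first hunk.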
22 changes: 11 additions & 11 deletions pkg/rekortest/server.go
Expand Up @@ -50,7 +50,7 @@ var (
Data: &cyclonedx.BOM{
BOMFormat: cyclonedx.BOMFormat,
SerialNumber: "urn:uuid:6453fd82-71f4-47c8-ad12-01775619c443",
SpecVersion: "1.4",
SpecVersion: cyclonedx.SpecVersion1_4,
Version: 1,
Metadata: &cyclonedx.Metadata{
Timestamp: "2022-09-15T13:53:49+00:00",
Expand Down Expand Up @@ -106,14 +106,14 @@ var (
Dependencies: &[]cyclonedx.Dependency{
{
Ref: "pkg:oci/alpine@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad?repository_url=index.docker.io%2Flibrary%2Falpine&6arch=amd64",
Dependencies: &[]cyclonedx.Dependency{
{Ref: "fad4eb97-3d2a-4499-ace7-2c94444148a7"},
Dependencies: &[]string{
"fad4eb97-3d2a-4499-ace7-2c94444148a7",
},
},
{
Ref: "fad4eb97-3d2a-4499-ace7-2c94444148a7",
Dependencies: &[]cyclonedx.Dependency{
{Ref: "pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.2"},
Dependencies: &[]string{
"pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.2",
},
},
},
Expand All @@ -138,7 +138,7 @@ var (
Data: &cyclonedx.BOM{
BOMFormat: cyclonedx.BOMFormat,
SerialNumber: "urn:uuid:8b16c9a3-e957-4c85-b43d-7dd05ea0421c",
SpecVersion: "1.4",
SpecVersion: cyclonedx.SpecVersion1_4,
Version: 1,
Metadata: &cyclonedx.Metadata{
Timestamp: "2022-10-21T09:50:08+00:00",
Expand Down Expand Up @@ -182,14 +182,14 @@ var (
Dependencies: &[]cyclonedx.Dependency{
{
Ref: "ef8385d7-a56f-495a-a220-7b0a2e940d39",
Dependencies: &[]cyclonedx.Dependency{
{Ref: "bb8b7541-2b08-4692-9363-8f79da5c1a31"},
Dependencies: &[]string{
"bb8b7541-2b08-4692-9363-8f79da5c1a31",
},
},
{
Ref: "bb8b7541-2b08-4692-9363-8f79da5c1a31",
Dependencies: &[]cyclonedx.Dependency{
{Ref: "pkg:golang/github.com/spf13/cobra@1.5.0"},
Dependencies: &[]string{
"pkg:golang/github.com/spf13/cobra@1.5.0",
},
},
},
Expand All @@ -205,7 +205,7 @@ var (
Predicate: &attestation.CosignPredicate{
Data: &cyclonedx.BOM{
BOMFormat: cyclonedx.BOMFormat,
SpecVersion: "1.4",
SpecVersion: cyclonedx.SpecVersion1_4,
Version: 2,
},
},
8 changes: 4 additions & 4 deletions pkg/sbom/cyclonedx/marshal.go
Expand Up @@ -193,12 +193,12 @@ func externalRef(bomLink string, bomRef string) (string, error) {
func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Component, *[]cdx.Dependency, *[]cdx.Vulnerability, error) {
var components []cdx.Component
var dependencies []cdx.Dependency
var metadataDependencies []cdx.Dependency
var metadataDependencies []string
libraryUniqMap := map[string]struct{}{}
vulnMap := map[string]cdx.Vulnerability{}
for _, result := range r.Results {
bomRefMap := map[string]string{}
var componentDependencies []cdx.Dependency
var componentDependencies []string
for _, pkg := range result.Packages {
pkgComponent, err := pkgToCdxComponent(result.Type, r.Metadata, pkg)
if err != nil {
Expand All @@ -207,7 +207,7 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
pkgID := packageID(result.Target, pkg.Name, utils.FormatVersion(pkg), pkg.FilePath)
if _, ok := bomRefMap[pkgID]; !ok {
bomRefMap[pkgID] = pkgComponent.BOMRef
componentDependencies = append(componentDependencies, cdx.Dependency{Ref: pkgComponent.BOMRef})
componentDependencies = append(componentDependencies, pkgComponent.BOMRef)
}

// When multiple lock files have the same dependency with the same name and version,
Expand Down Expand Up @@ -288,7 +288,7 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
)

// Dependency graph from #1 to #2
metadataDependencies = append(metadataDependencies, cdx.Dependency{Ref: resultComponent.BOMRef})
metadataDependencies = append(metadataDependencies, resultComponent.BOMRef)
}
}
vulns := maps.Values(vulnMap)
110 changes: 37 additions & 73 deletions pkg/sbom/cyclonedx/marshal_test.go
Expand Up @@ -169,7 +169,7 @@ func TestMarshaler_Marshal(t *testing.T) {
want: &cdx.BOM{
XMLNS: "http://cyclonedx.org/schema/bom/1.4",
BOMFormat: "CycloneDX",
SpecVersion: "1.4",
SpecVersion: cdx.SpecVersion1_4,
SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
Version: 1,
Metadata: &cdx.Metadata{
Expand Down Expand Up @@ -379,65 +379,43 @@ func TestMarshaler_Marshal(t *testing.T) {
Dependencies: &[]cdx.Dependency{
{
Ref: "3ff14136-e09f-4df9-80ea-000000000002",
Dependencies: &[]cdx.Dependency{
{
Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
},
Dependencies: &[]string{
"pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
},
},
{
Ref: "3ff14136-e09f-4df9-80ea-000000000003",
Dependencies: &[]cdx.Dependency{
{
Ref: "pkg:gem/actionpack@7.0.0",
},
{
Ref: "pkg:gem/actioncontroller@7.0.0",
},
Dependencies: &[]string{
"pkg:gem/actionpack@7.0.0",
"pkg:gem/actioncontroller@7.0.0",
},
},
{
Ref: "3ff14136-e09f-4df9-80ea-000000000004",
Dependencies: &[]cdx.Dependency{
{
Ref: "pkg:gem/actionpack@7.0.0",
},
Dependencies: &[]string{
"pkg:gem/actionpack@7.0.0",
},
},
{
Ref: "3ff14136-e09f-4df9-80ea-000000000005",
Dependencies: &[]cdx.Dependency{
{
Ref: "pkg:nuget/Newtonsoft.Json@9.0.1",
},
Dependencies: &[]string{
"pkg:nuget/Newtonsoft.Json@9.0.1",
},
},
{
Ref: "3ff14136-e09f-4df9-80ea-000000000006",
Dependencies: &[]cdx.Dependency{
{
Ref: "pkg:golang/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b",
},
Dependencies: &[]string{
"pkg:golang/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b",
},
},
{
Ref: "pkg:oci/rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?repository_url=index.docker.io%2Flibrary%2Frails&arch=arm64",
Dependencies: &[]cdx.Dependency{
{
Ref: "3ff14136-e09f-4df9-80ea-000000000002",
},
{
Ref: "3ff14136-e09f-4df9-80ea-000000000003",
},
{
Ref: "3ff14136-e09f-4df9-80ea-000000000004",
},
{
Ref: "3ff14136-e09f-4df9-80ea-000000000005",
},
{
Ref: "3ff14136-e09f-4df9-80ea-000000000006",
},
Dependencies: &[]string{
"3ff14136-e09f-4df9-80ea-000000000002",
"3ff14136-e09f-4df9-80ea-000000000003",
"3ff14136-e09f-4df9-80ea-000000000004",
"3ff14136-e09f-4df9-80ea-000000000005",
"3ff14136-e09f-4df9-80ea-000000000006",
},
},
},
Expand Down Expand Up @@ -664,7 +642,7 @@ func TestMarshaler_Marshal(t *testing.T) {
want: &cdx.BOM{
XMLNS: "http://cyclonedx.org/schema/bom/1.4",
BOMFormat: "CycloneDX",
SpecVersion: "1.4",
SpecVersion: cdx.SpecVersion1_4,
SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
Version: 1,
Metadata: &cdx.Metadata{
Expand Down Expand Up @@ -796,24 +774,16 @@ func TestMarshaler_Marshal(t *testing.T) {
Dependencies: &[]cdx.Dependency{
{
Ref: "3ff14136-e09f-4df9-80ea-000000000003",
Dependencies: &[]cdx.Dependency{
{
Ref: "pkg:rpm/centos/acl@1:2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011",
},
Dependencies: &[]string{
"pkg:rpm/centos/acl@1:2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011",
},
},
{
Ref: "3ff14136-e09f-4df9-80ea-000000000002",
Dependencies: &[]cdx.Dependency{
{
Ref: "3ff14136-e09f-4df9-80ea-000000000003",
},
{
Ref: "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec",
},
{
Ref: "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec",
},
Dependencies: &[]string{
"3ff14136-e09f-4df9-80ea-000000000003",
"pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec",
"pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec",
},
},
},
Expand Down Expand Up @@ -918,7 +888,7 @@ func TestMarshaler_Marshal(t *testing.T) {
want: &cdx.BOM{
XMLNS: "http://cyclonedx.org/schema/bom/1.4",
BOMFormat: "CycloneDX",
SpecVersion: "1.4",
SpecVersion: cdx.SpecVersion1_4,
SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
Version: 1,
Metadata: &cdx.Metadata{
Expand Down Expand Up @@ -976,18 +946,14 @@ func TestMarshaler_Marshal(t *testing.T) {
Dependencies: &[]cdx.Dependency{
{
Ref: "3ff14136-e09f-4df9-80ea-000000000003",
Dependencies: &[]cdx.Dependency{
{
Ref: "pkg:gem/actioncable@6.1.4.1",
},
Dependencies: &[]string{
"pkg:gem/actioncable@6.1.4.1",
},
},
{
Ref: "3ff14136-e09f-4df9-80ea-000000000002",
Dependencies: &[]cdx.Dependency{
{
Ref: "3ff14136-e09f-4df9-80ea-000000000003",
},
Dependencies: &[]string{
"3ff14136-e09f-4df9-80ea-000000000003",
},
},
},
Expand Down Expand Up @@ -1021,7 +987,7 @@ func TestMarshaler_Marshal(t *testing.T) {
want: &cdx.BOM{
XMLNS: "http://cyclonedx.org/schema/bom/1.4",
BOMFormat: "CycloneDX",
SpecVersion: "1.4",
SpecVersion: cdx.SpecVersion1_4,
SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
Version: 1,
Metadata: &cdx.Metadata{
Expand Down Expand Up @@ -1075,10 +1041,8 @@ func TestMarshaler_Marshal(t *testing.T) {
Dependencies: &[]cdx.Dependency{
{
Ref: "3ff14136-e09f-4df9-80ea-000000000002",
Dependencies: &[]cdx.Dependency{
{
Ref: "pkg:npm/ruby-typeprof@0.20.1?file_path=usr%2Flocal%2Flib%2Fruby%2Fgems%2F3.1.0%2Fgems%2Ftypeprof-0.21.1%2Fvscode%2Fpackage.json",
},
Dependencies: &[]string{
"pkg:npm/ruby-typeprof@0.20.1?file_path=usr%2Flocal%2Flib%2Fruby%2Fgems%2F3.1.0%2Fgems%2Ftypeprof-0.21.1%2Fvscode%2Fpackage.json",
},
},
},
Expand All @@ -1095,7 +1059,7 @@ func TestMarshaler_Marshal(t *testing.T) {
want: &cdx.BOM{
XMLNS: "http://cyclonedx.org/schema/bom/1.4",
BOMFormat: "CycloneDX",
SpecVersion: "1.4",
SpecVersion: cdx.SpecVersion1_4,
SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
Version: 1,
Metadata: &cdx.Metadata{
Expand Down Expand Up @@ -1124,7 +1088,7 @@ func TestMarshaler_Marshal(t *testing.T) {
Dependencies: &[]cdx.Dependency{
{
Ref: "3ff14136-e09f-4df9-80ea-000000000002",
Dependencies: new([]cdx.Dependency),
Dependencies: new([]string),
},
},
},
Expand Down Expand Up @@ -1265,7 +1229,7 @@ func TestMarshaler_MarshalVulnerabilities(t *testing.T) {
want: &cdx.BOM{
XMLNS: "http://cyclonedx.org/schema/bom/1.4",
BOMFormat: "CycloneDX",
SpecVersion: "1.4",
SpecVersion: cdx.SpecVersion1_4,
Version: 1,
Metadata: &cdx.Metadata{
Timestamp: "2021-08-25T12:20:30+00:00",
Expand Down Expand Up @@ -1458,7 +1422,7 @@ func TestMarshaler_MarshalVulnerabilities(t *testing.T) {
want: &cdx.BOM{
XMLNS: "http://cyclonedx.org/schema/bom/1.4",
BOMFormat: "CycloneDX",
SpecVersion: "1.4",
SpecVersion: cdx.SpecVersion1_4,
Version: 1,
Metadata: &cdx.Metadata{
Timestamp: "2021-08-25T12:20:30+00:00",
7 changes: 3 additions & 4 deletions pkg/sbom/cyclonedx/unmarshal.go
Expand Up @@ -72,7 +72,7 @@ func (c *CycloneDX) UnmarshalJSON(b []byte) error {
// Keep the original SBOM
c.CycloneDX = &ftypes.CycloneDX{
BOMFormat: bom.BOMFormat,
SpecVersion: bom.SpecVersion,
SpecVersion: ftypes.SpecVersion(bom.SpecVersion),
SerialNumber: bom.SerialNumber,
Version: bom.Version,
Metadata: metadata,
Expand Down Expand Up @@ -242,10 +242,9 @@ func dependencyMap(deps *[]cdx.Dependency) map[string][]string {
if _, ok := depMap[dep.Ref]; ok {
continue
}

var refs []string
for _, d := range lo.FromPtr(dep.Dependencies) {
refs = append(refs, d.Ref)
if dep.Dependencies != nil {
refs = append(refs, *dep.Dependencies...)
}

depMap[dep.Ref] = refs
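Review bot: `dependencyMap` has no doc comment stating the shape it builds from externally supplied SBOM input, and the new `if dep.Dependencies != nil` block makes the contract worth writing down: a `Dependency` whose `Dependencies` pointer is nil is recorded with a nil slice, a repeated `Ref` is skipped by the `continue` above so the first occurrence wins, and the refs are copied out via `append` into a fresh slice so the returned map does not alias the decoded document. A doc comment such as `// dependencyMap maps each Ref to its direct dependency refs; the first entry for a Ref wins and a nil Dependencies list yields a nil slice.` would capture this. Nothing in this hunk checks that a listed ref names a known component or that the graph is acyclic, so whatever walks the map should tolerate dangling and self-referencing refs unless that is already handled at the call site. The function's signature and loop header begin before this hunk.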
