From 02aa8c2c5081df8ee0b496da7d5752e974c67501 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 3 Jan 2023 15:15:07 +0200
Subject: [PATCH] chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.6.0 to 0.7.0 (#2974)

Co-authored-by: DmitriyLewen
Co-authored-by: masahiro331
---
 go.mod | 2 +-
 go.sum | 7 +-
 pkg/fanal/types/sbom.go | 9 ++-
 pkg/rekortest/server.go | 22 +++---
 pkg/sbom/cyclonedx/marshal.go | 8 +--
 pkg/sbom/cyclonedx/marshal_test.go | 110 ++++++++++-------------------
 pkg/sbom/cyclonedx/unmarshal.go | 7 +-
 7 files changed, 65 insertions(+), 100 deletions(-)
diff --git a/go.mod b/go.mod
index 0a9408ccf1f..4405b4cee4f 100644
--- a/go.mod
+++ b/go.mod
@@ -3,7 +3,7 @@ module github.com/aquasecurity/trivy
 go 1.19
 
 require (
- github.com/CycloneDX/cyclonedx-go v0.6.0
+ github.com/CycloneDX/cyclonedx-go v0.7.0
 github.com/Masterminds/sprig/v3 v3.2.3
 github.com/NYTimes/gziphandler v1.1.1
 github.com/alicebob/miniredis/v2 v2.23.0
diff --git a/go.sum b/go.sum
index 74b34e68efc..653cc11ba29 100644
--- a/go.sum
+++ b/go.sum
@@ -107,8 +107,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.6.0 h1:SizWGbZzFTC/O/1yh072XQBMxfvsoWqd//oKCIyzFyE=
-github.com/CycloneDX/cyclonedx-go v0.6.0/go.mod h1:nQCiF4Tvrg5Ieu8qPhYMvzPGMu5I7fANZkrSsJjl5mg=
+github.com/CycloneDX/cyclonedx-go v0.7.0 h1:jNxp8hL7UpcvPDFXjY+Y1ibFtsW+e5zyF9QoSmhK/zg=
+github.com/CycloneDX/cyclonedx-go v0.7.0/go.mod h1:W5Z9w8pTTL+t+yG3PCiFRGlr8PUlE0pGWzKSJbsyXkg=
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible h1:juIaKLLVhqzP55d8x4cSVgwyQv76Z55/fRv/UBr2KkQ=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
@@ -365,8 +365,7 @@ github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnweb
 github.com/bmatcuk/doublestar v1.3.4 h1:gPypJ5xD31uhX6Tf54sDPUOBXTqKH4c9aPY66CyQrS0=
 github.com/bmatcuk/doublestar v1.3.4/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
-github.com/bradleyjkemp/cupaloy/v2 v2.7.0 h1:AT0vOjO68RcLyenLCHOGZzSNiuto7ziqzq6Q1/3xzMQ=
-github.com/bradleyjkemp/cupaloy/v2 v2.7.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
+github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/briandowns/spinner v1.12.0 h1:72O0PzqGJb6G3KgrcIOtL/JAGGZ5ptOMCn9cUHmqsmw=
 github.com/briandowns/spinner v1.12.0/go.mod h1:QOuQk7x+EaDASo80FEXwlwiA+j/PPIcX3FScO+3/ZPQ=
 github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=
diff --git a/pkg/fanal/types/sbom.go b/pkg/fanal/types/sbom.go
index 51856c64642..b63f9c31b55 100644
--- a/pkg/fanal/types/sbom.go
+++ b/pkg/fanal/types/sbom.go
@@ -7,8 +7,8 @@ package types
 // cf. https://tinygo.org/docs/reference/lang-support/stdlib/
 type CycloneDX struct {
 // JSON specific fields
- BOMFormat string `json:"bomFormat" xml:"-"`
- SpecVersion string `json:"specVersion" xml:"-"`
+ BOMFormat string `json:"bomFormat" xml:"-"`
+ SpecVersion SpecVersion `json:"specVersion" xml:"-"`
 SerialNumber string `json:"serialNumber,omitempty" xml:"serialNumber,attr,omitempty"`
 Version int `json:"version" xml:"version,attr"`
 
@@ -30,4 +30,7 @@ type Component struct {
 PackageURL string `json:"purl,omitempty" xml:"purl,omitempty"`
 }
 
-type ComponentType string
+type (
+ ComponentType string
+ SpecVersion int
+)
diff --git a/pkg/rekortest/server.go b/pkg/rekortest/server.go
index 72103b5229a..1b2276f5df6 100644
--- a/pkg/rekortest/server.go
+++ b/pkg/rekortest/server.go
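Review bot: `SpecVersion int` in the new type block has no doc comment and no JSON/XML (un)marshalers, while the field it types in the `@@ -7,8 +7,8 @@` hunk keeps its `json:"specVersion"` tag, so an `ftypes.CycloneDX` passed through encoding/json would now emit the enum's integer rather than the dotted `"1.4"` string the upstream type's marshaler produces; whether anything serializes this struct is outside the hunk (the comment at the top of the first hunk suggests it is a tinygo-friendly copy), so this is worth confirming. The conversion `ftypes.SpecVersion(bom.SpecVersion)` in unmarshal.go's `@@ -72,7 +72,7 @@` hunk also relies on the two int types sharing the same numbering, which nothing in the diff pins down. I would document the coupling at the declaration: `// SpecVersion mirrors cyclonedx.SpecVersion's integer numbering; it is not the dotted "1.4" string and defines no custom JSON/XML (un)marshalers, so it must not be encoded directly.` A small test that converts each cyclonedx constant and compares the integer values would make the coupling visible when the dependency is bumped again.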
@@ -50,7 +50,7 @@ var (
 Data: &cyclonedx.BOM{
 BOMFormat: cyclonedx.BOMFormat,
 SerialNumber: "urn:uuid:6453fd82-71f4-47c8-ad12-01775619c443",
- SpecVersion: "1.4",
+ SpecVersion: cyclonedx.SpecVersion1_4,
 Version: 1,
 Metadata: &cyclonedx.Metadata{
 Timestamp: "2022-09-15T13:53:49+00:00",
@@ -106,14 +106,14 @@ var (
 Dependencies: &[]cyclonedx.Dependency{
 {
 Ref: "pkg:oci/alpine@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad?repository_url=index.docker.io%2Flibrary%2Falpine&6arch=amd64",
- Dependencies: &[]cyclonedx.Dependency{
- {Ref: "fad4eb97-3d2a-4499-ace7-2c94444148a7"},
+ Dependencies: &[]string{
+ "fad4eb97-3d2a-4499-ace7-2c94444148a7",
 },
 },
 {
 Ref: "fad4eb97-3d2a-4499-ace7-2c94444148a7",
- Dependencies: &[]cyclonedx.Dependency{
- {Ref: "pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.2"},
+ Dependencies: &[]string{
+ "pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.2",
 },
 },
 },
@@ -138,7 +138,7 @@ var (
 Data: &cyclonedx.BOM{
 BOMFormat: cyclonedx.BOMFormat,
 SerialNumber: "urn:uuid:8b16c9a3-e957-4c85-b43d-7dd05ea0421c",
- SpecVersion: "1.4",
+ SpecVersion: cyclonedx.SpecVersion1_4,
 Version: 1,
 Metadata: &cyclonedx.Metadata{
 Timestamp: "2022-10-21T09:50:08+00:00",
@@ -182,14 +182,14 @@ var (
 Dependencies: &[]cyclonedx.Dependency{
 {
 Ref: "ef8385d7-a56f-495a-a220-7b0a2e940d39",
- Dependencies: &[]cyclonedx.Dependency{
- {Ref: "bb8b7541-2b08-4692-9363-8f79da5c1a31"},
+ Dependencies: &[]string{
+ "bb8b7541-2b08-4692-9363-8f79da5c1a31",
 },
 },
 {
 Ref: "bb8b7541-2b08-4692-9363-8f79da5c1a31",
- Dependencies: &[]cyclonedx.Dependency{
- {Ref: "pkg:golang/github.com/spf13/cobra@1.5.0"},
+ Dependencies: &[]string{
+ "pkg:golang/github.com/spf13/cobra@1.5.0",
 },
 },
 },
@@ -205,7 +205,7 @@ var (
 Predicate: &attestation.CosignPredicate{
 Data: &cyclonedx.BOM{
 BOMFormat: cyclonedx.BOMFormat,
- SpecVersion: "1.4",
+ SpecVersion: cyclonedx.SpecVersion1_4,
 Version: 2,
 },
 },
diff --git a/pkg/sbom/cyclonedx/marshal.go b/pkg/sbom/cyclonedx/marshal.go
index 429c25f4c93..69326c4bd49 100644
--- a/pkg/sbom/cyclonedx/marshal.go
+++ b/pkg/sbom/cyclonedx/marshal.go
@@ -193,12 +193,12 @@ func externalRef(bomLink string, bomRef string) (string, error) {
 func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Component, *[]cdx.Dependency, *[]cdx.Vulnerability, error) {
 var components []cdx.Component
 var dependencies []cdx.Dependency
- var metadataDependencies []cdx.Dependency
+ var metadataDependencies []string
 libraryUniqMap := map[string]struct{}{}
 vulnMap := map[string]cdx.Vulnerability{}
 for _, result := range r.Results {
 bomRefMap := map[string]string{}
- var componentDependencies []cdx.Dependency
+ var componentDependencies []string
 for _, pkg := range result.Packages {
 pkgComponent, err := pkgToCdxComponent(result.Type, r.Metadata, pkg)
 if err != nil {
@@ -207,7 +207,7 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
 pkgID := packageID(result.Target, pkg.Name, utils.FormatVersion(pkg), pkg.FilePath)
 if _, ok := bomRefMap[pkgID]; !ok {
 bomRefMap[pkgID] = pkgComponent.BOMRef
- componentDependencies = append(componentDependencies, cdx.Dependency{Ref: pkgComponent.BOMRef})
+ componentDependencies = append(componentDependencies, pkgComponent.BOMRef)
 }
 
 // When multiple lock files have the same dependency with the same name and version,
@@ -288,7 +288,7 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
 )
 
 // Dependency graph from #1 to #2
- metadataDependencies = append(metadataDependencies, cdx.Dependency{Ref: resultComponent.BOMRef})
+ metadataDependencies = append(metadataDependencies, resultComponent.BOMRef)
 }
 }
 vulns := maps.Values(vulnMap)
diff --git a/pkg/sbom/cyclonedx/marshal_test.go b/pkg/sbom/cyclonedx/marshal_test.go
index 6d87987e559..5bb9ce8df4f 100644
--- a/pkg/sbom/cyclonedx/marshal_test.go
+++ b/pkg/sbom/cyclonedx/marshal_test.go
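Review bot: `metadataDependencies` and `componentDependencies` in the first hunk are now bare `[]string`, and nothing at the declarations says what the strings are; the appends in the `@@ -207,7 +207,7 @@` and `@@ -288,7 +288,7 @@` hunks show they hold `BOMRef` values that end up in `cdx.Dependency.Dependencies`, which this bump turns into a `*[]string`. I would say so where they are declared: `var metadataDependencies []string // BOM-refs of the per-result components; becomes cdx.Dependency.Dependencies` and `var componentDependencies []string // BOM-refs of this result's packages, deduplicated via bomRefMap`. The dedup on `pkgID` in the second hunk also deserves a one-line why-comment, since it decides which edges the SBOM dependency graph records. marshalComponents starts on the first hunk line and continues past the last hunk, so how these slices are wrapped into pointers is outside the diff.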
@@ -169,7 +169,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 want: &cdx.BOM{
 XMLNS: "http://cyclonedx.org/schema/bom/1.4",
 BOMFormat: "CycloneDX",
- SpecVersion: "1.4",
+ SpecVersion: cdx.SpecVersion1_4,
 SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 Version: 1,
 Metadata: &cdx.Metadata{
@@ -379,65 +379,43 @@ func TestMarshaler_Marshal(t *testing.T) {
 Dependencies: &[]cdx.Dependency{
 {
 Ref: "3ff14136-e09f-4df9-80ea-000000000002",
- Dependencies: &[]cdx.Dependency{
- {
- Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
- },
+ Dependencies: &[]string{
+ "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
 },
 },
 {
 Ref: "3ff14136-e09f-4df9-80ea-000000000003",
- Dependencies: &[]cdx.Dependency{
- {
- Ref: "pkg:gem/actionpack@7.0.0",
- },
- {
- Ref: "pkg:gem/actioncontroller@7.0.0",
- },
+ Dependencies: &[]string{
+ "pkg:gem/actionpack@7.0.0",
+ "pkg:gem/actioncontroller@7.0.0",
 },
 },
 {
 Ref: "3ff14136-e09f-4df9-80ea-000000000004",
- Dependencies: &[]cdx.Dependency{
- {
- Ref: "pkg:gem/actionpack@7.0.0",
- },
+ Dependencies: &[]string{
+ "pkg:gem/actionpack@7.0.0",
 },
 },
 {
 Ref: "3ff14136-e09f-4df9-80ea-000000000005",
- Dependencies: &[]cdx.Dependency{
- {
- Ref: "pkg:nuget/Newtonsoft.Json@9.0.1",
- },
+ Dependencies: &[]string{
+ "pkg:nuget/Newtonsoft.Json@9.0.1",
 },
 },
 {
 Ref: "3ff14136-e09f-4df9-80ea-000000000006",
- Dependencies: &[]cdx.Dependency{
- {
- Ref: "pkg:golang/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b",
- },
+ Dependencies: &[]string{
+ "pkg:golang/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b",
 },
 },
 {
 Ref: "pkg:oci/rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?repository_url=index.docker.io%2Flibrary%2Frails&arch=arm64",
- Dependencies: &[]cdx.Dependency{
- {
- Ref: "3ff14136-e09f-4df9-80ea-000000000002",
- },
- {
- Ref: "3ff14136-e09f-4df9-80ea-000000000003",
- },
- {
- Ref: "3ff14136-e09f-4df9-80ea-000000000004",
- },
- {
- Ref: "3ff14136-e09f-4df9-80ea-000000000005",
- },
- {
- Ref: "3ff14136-e09f-4df9-80ea-000000000006",
- },
+ Dependencies: &[]string{
+ "3ff14136-e09f-4df9-80ea-000000000002",
+ "3ff14136-e09f-4df9-80ea-000000000003",
+ "3ff14136-e09f-4df9-80ea-000000000004",
+ "3ff14136-e09f-4df9-80ea-000000000005",
+ "3ff14136-e09f-4df9-80ea-000000000006",
 },
 },
 },
@@ -664,7 +642,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 want: &cdx.BOM{
 XMLNS: "http://cyclonedx.org/schema/bom/1.4",
 BOMFormat: "CycloneDX",
- SpecVersion: "1.4",
+ SpecVersion: cdx.SpecVersion1_4,
 SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 Version: 1,
 Metadata: &cdx.Metadata{
@@ -796,24 +774,16 @@ func TestMarshaler_Marshal(t *testing.T) {
 Dependencies: &[]cdx.Dependency{
 {
 Ref: "3ff14136-e09f-4df9-80ea-000000000003",
- Dependencies: &[]cdx.Dependency{
- {
- Ref: "pkg:rpm/centos/acl@1:2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011",
- },
+ Dependencies: &[]string{
+ "pkg:rpm/centos/acl@1:2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011",
 },
 },
 {
 Ref: "3ff14136-e09f-4df9-80ea-000000000002",
- Dependencies: &[]cdx.Dependency{
- {
- Ref: "3ff14136-e09f-4df9-80ea-000000000003",
- },
- {
- Ref: "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec",
- },
- {
- Ref: "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec",
- },
+ Dependencies: &[]string{
+ "3ff14136-e09f-4df9-80ea-000000000003",
+ "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec",
+ "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec",
 },
 },
 },
@@ -918,7 +888,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 want: &cdx.BOM{
 XMLNS: "http://cyclonedx.org/schema/bom/1.4",
 BOMFormat: "CycloneDX",
- SpecVersion: "1.4",
+ SpecVersion: cdx.SpecVersion1_4,
 SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 Version: 1,
 Metadata: &cdx.Metadata{
@@ -976,18 +946,14 @@ func TestMarshaler_Marshal(t *testing.T) {
 Dependencies: &[]cdx.Dependency{
 {
 Ref: "3ff14136-e09f-4df9-80ea-000000000003",
- Dependencies: &[]cdx.Dependency{
- {
- Ref: "pkg:gem/actioncable@6.1.4.1",
- },
+ Dependencies: &[]string{
+ "pkg:gem/actioncable@6.1.4.1",
 },
 },
 {
 Ref: "3ff14136-e09f-4df9-80ea-000000000002",
- Dependencies: &[]cdx.Dependency{
- {
- Ref: "3ff14136-e09f-4df9-80ea-000000000003",
- },
+ Dependencies: &[]string{
+ "3ff14136-e09f-4df9-80ea-000000000003",
 },
 },
 },
@@ -1021,7 +987,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 want: &cdx.BOM{
 XMLNS: "http://cyclonedx.org/schema/bom/1.4",
 BOMFormat: "CycloneDX",
- SpecVersion: "1.4",
+ SpecVersion: cdx.SpecVersion1_4,
 SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 Version: 1,
 Metadata: &cdx.Metadata{
@@ -1075,10 +1041,8 @@ func TestMarshaler_Marshal(t *testing.T) {
 Dependencies: &[]cdx.Dependency{
 {
 Ref: "3ff14136-e09f-4df9-80ea-000000000002",
- Dependencies: &[]cdx.Dependency{
- {
- Ref: "pkg:npm/ruby-typeprof@0.20.1?file_path=usr%2Flocal%2Flib%2Fruby%2Fgems%2F3.1.0%2Fgems%2Ftypeprof-0.21.1%2Fvscode%2Fpackage.json",
- },
+ Dependencies: &[]string{
+ "pkg:npm/ruby-typeprof@0.20.1?file_path=usr%2Flocal%2Flib%2Fruby%2Fgems%2F3.1.0%2Fgems%2Ftypeprof-0.21.1%2Fvscode%2Fpackage.json",
 },
 },
 },
@@ -1095,7 +1059,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 want: &cdx.BOM{
 XMLNS: "http://cyclonedx.org/schema/bom/1.4",
 BOMFormat: "CycloneDX",
- SpecVersion: "1.4",
+ SpecVersion: cdx.SpecVersion1_4,
 SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 Version: 1,
 Metadata: &cdx.Metadata{
@@ -1124,7 +1088,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 Dependencies: &[]cdx.Dependency{
 {
 Ref: "3ff14136-e09f-4df9-80ea-000000000002",
- Dependencies: new([]cdx.Dependency),
+ Dependencies: new([]string),
 },
 },
 },
@@ -1265,7 +1229,7 @@ func TestMarshaler_MarshalVulnerabilities(t *testing.T) {
 want: &cdx.BOM{
 XMLNS: "http://cyclonedx.org/schema/bom/1.4",
 BOMFormat: "CycloneDX",
- SpecVersion: "1.4",
+ SpecVersion: cdx.SpecVersion1_4,
 Version: 1,
 Metadata: &cdx.Metadata{
 Timestamp: "2021-08-25T12:20:30+00:00",
@@ -1458,7 +1422,7 @@ func TestMarshaler_MarshalVulnerabilities(t *testing.T) {
 want: &cdx.BOM{
 XMLNS: "http://cyclonedx.org/schema/bom/1.4",
 BOMFormat: "CycloneDX",
- SpecVersion: "1.4",
+ SpecVersion: cdx.SpecVersion1_4,
 Version: 1,
 Metadata: &cdx.Metadata{
 Timestamp: "2021-08-25T12:20:30+00:00",
diff --git a/pkg/sbom/cyclonedx/unmarshal.go b/pkg/sbom/cyclonedx/unmarshal.go
index d99ef98b25c..fbe902bdf92 100644
--- a/pkg/sbom/cyclonedx/unmarshal.go
+++ b/pkg/sbom/cyclonedx/unmarshal.go
@@ -72,7 +72,7 @@ func (c *CycloneDX) UnmarshalJSON(b []byte) error {
 // Keep the original SBOM
 c.CycloneDX = &ftypes.CycloneDX{
 BOMFormat: bom.BOMFormat,
- SpecVersion: bom.SpecVersion,
+ SpecVersion: ftypes.SpecVersion(bom.SpecVersion),
 SerialNumber: bom.SerialNumber,
 Version: bom.Version,
 Metadata: metadata,
@@ -242,10 +242,9 @@ func dependencyMap(deps *[]cdx.Dependency) map[string][]string {
 if _, ok := depMap[dep.Ref]; ok {
 continue
 }
- var refs []string
- for _, d := range lo.FromPtr(dep.Dependencies) {
- refs = append(refs, d.Ref)
+ if dep.Dependencies != nil {
+ refs = append(refs, *dep.Dependencies...)
 }
 depMap[dep.Ref] = refs