refactor(cyclonedx): add intermediate representation (#4490)

aquasecurity · Jun 1, 2023 · 48b2e15 · 48b2e15
1 parent c15f269
commit 48b2e15
Show file tree

Hide file tree

Showing 17 changed files with 1,195 additions and 2,141 deletions.
diff --git a/docs/docs/references/configuration/cli/trivy_sbom.md b/docs/docs/references/configuration/cli/trivy_sbom.md
@@ -12,9 +12,6 @@ trivy sbom [flags] SBOM_PATH
   # Scan CycloneDX and show the result in tables
   $ trivy sbom /path/to/report.cdx
 
-  # Scan CycloneDX and generate a CycloneDX report
-  $ trivy sbom --format cyclonedx /path/to/report.cdx
-
   # Scan CycloneDX-type attestation and show the result in tables
   $ trivy sbom /path/to/report.cdx.intoto.jsonl
 

diff --git a/docs/docs/target/sbom.md b/docs/docs/target/sbom.md
@@ -28,10 +28,6 @@ Trivy supports CycloneDX as an input.
 $ trivy sbom /path/to/cyclonedx.json
 ```
 
-!!! note
-    If you want to generate a CycloneDX report from a CycloneDX input, please be aware that the output stores references to your original CycloneDX report and contains only detected vulnerabilities, not components.
-    The report is called [BOV](https://cyclonedx.org/capabilities/sbom/).
-
 ## SPDX
 Trivy supports the SPDX SBOM as an input.
 

diff --git a/integration/client_server_test.go b/integration/client_server_test.go
@@ -418,7 +418,7 @@ func TestClientServerWithCycloneDX(t *testing.T) {
 				Input:  "testdata/fixtures/images/fluentd-multiple-lockfiles.tar.gz",
 			},
 			wantComponentsCount:   161,
-			wantDependenciesCount: 80,
+			wantDependenciesCount: 162,
 		},
 	}
 

diff --git a/integration/sbom_test.go b/integration/sbom_test.go
@@ -30,16 +30,30 @@ func TestSBOM(t *testing.T) {
 			name: "centos7 cyclonedx",
 			args: args{
 				input:        "testdata/fixtures/sbom/centos-7-cyclonedx.json",
-				format:       "cyclonedx",
+				format:       "json",
 				artifactType: "cyclonedx",
 			},
-			golden: "testdata/centos-7-cyclonedx.json.golden",
+			golden: "testdata/centos-7.json.golden",
+			override: types.Report{
+				ArtifactName: "testdata/fixtures/sbom/centos-7-cyclonedx.json",
+				ArtifactType: ftypes.ArtifactType("cyclonedx"),
+				Results: types.Results{
+					{
+						Target: "testdata/fixtures/sbom/centos-7-cyclonedx.json (centos 7.6.1810)",
+						Vulnerabilities: []types.DetectedVulnerability{
+							{PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
+							{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
+							{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
+						},
+					},
+				},
+			},
 		},
 		{
 			name: "fluentd-multiple-lockfiles cyclonedx",
 			args: args{
 				input:        "testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json",
-				format:       "cyclonedx",
+				format:       "json",
 				artifactType: "cyclonedx",
 			},
 			golden: "testdata/fluentd-multiple-lockfiles-cyclonedx.json.golden",
@@ -48,10 +62,24 @@ func TestSBOM(t *testing.T) {
 			name: "centos7 in in-toto attestation",
 			args: args{
 				input:        "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl",
-				format:       "cyclonedx",
+				format:       "json",
 				artifactType: "cyclonedx",
 			},
-			golden: "testdata/centos-7-cyclonedx.json.golden",
+			golden: "testdata/centos-7.json.golden",
+			override: types.Report{
+				ArtifactName: "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl",
+				ArtifactType: ftypes.ArtifactType("cyclonedx"),
+				Results: types.Results{
+					{
+						Target: "testdata/fixtures/sbom/centos-7-cyclonedx.intoto.jsonl (centos 7.6.1810)",
+						Vulnerabilities: []types.DetectedVulnerability{
+							{PkgRef: "pkg:rpm/centos/bash@4.2.46-31.el7?arch=x86_64&distro=centos-7.6.1810"},
+							{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
+							{PkgRef: "pkg:rpm/centos/openssl-libs@1.0.2k-16.el7?arch=x86_64&epoch=1&distro=centos-7.6.1810"},
+						},
+					},
+				},
+			},
 		},
 		{
 			name: "centos7 spdx tag-value",
@@ -131,8 +159,6 @@ func TestSBOM(t *testing.T) {
 
 			// Compare want and got
 			switch tt.args.format {
-			case "cyclonedx":
-				compareCycloneDX(t, tt.golden, outputFile)
 			case "json":
 				compareSBOMReports(t, tt.golden, outputFile, tt.override)
 			default:
@@ -146,8 +172,12 @@ func TestSBOM(t *testing.T) {
 func compareSBOMReports(t *testing.T, wantFile, gotFile string, overrideWant types.Report) {
 	want := readReport(t, wantFile)
 
-	want.ArtifactName = overrideWant.ArtifactName
-	want.ArtifactType = overrideWant.ArtifactType
+	if overrideWant.ArtifactName != "" {
+		want.ArtifactName = overrideWant.ArtifactName
+	}
+	if overrideWant.ArtifactType != "" {
+		want.ArtifactType = overrideWant.ArtifactType
+	}
 	want.Metadata.ImageID = ""
 	want.Metadata.ImageConfig = v1.ConfigFile{}
 	want.Metadata.DiffIDs = nil