fix: unmarshal bom on v1.5 return invalid specification version

Signed-off-by: chenk <hen.keinan@gmail.com>
aquasecurity · Jun 25, 2023 · 68ed51f · 68ed51f
1 parent 2721fa3
commit 68ed51f
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 19 deletions.
diff --git a/go.mod b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
 	github.com/BurntSushi/toml v1.3.2
-	github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230624153550-72ea02c17d71
+	github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/NYTimes/gziphandler v1.1.1

diff --git a/go.sum b/go.sum
@@ -235,8 +235,8 @@ github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbi
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230624153550-72ea02c17d71 h1:uWQ35D4m7wBKmsU5RkRcDIlf5cEcHrLDECVgyc+Isu4=
-github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230624153550-72ea02c17d71/go.mod h1:fGXSp1lCDfMQ8KR1EjxT4ewc5HHhGczRF2pWhLSWohs=
+github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3 h1:NqeV+ZMqpcosu0Xg2VW14Ru9ayBs/toe2oihS7sN6Xo=
+github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3/go.mod h1:fGXSp1lCDfMQ8KR1EjxT4ewc5HHhGczRF2pWhLSWohs=
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible h1:juIaKLLVhqzP55d8x4cSVgwyQv76Z55/fRv/UBr2KkQ=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=

diff --git a/integration/k8s_test.go b/integration/k8s_test.go
@@ -98,7 +98,7 @@ func TestK8s(t *testing.T) {
 		require.NoError(t, err)
 
 		assert.Equal(t, got.Metadata.Component.Name, "kind-kind-test")
-		assert.Equal(t, got.Metadata.Component.Type, cdx.ComponentType("container"))
+		assert.Equal(t, got.Metadata.Component.Type, cdx.ComponentType("platform"))
 
 		// Has components
 		assert.True(t, len(*got.Components) > 0)

diff --git a/pkg/rekortest/server.go b/pkg/rekortest/server.go
@@ -50,7 +50,7 @@ var (
 			Data: &cyclonedx.BOM{
 				BOMFormat:    cyclonedx.BOMFormat,
 				SerialNumber: "urn:uuid:6453fd82-71f4-47c8-ad12-01775619c443",
-				SpecVersion:  cyclonedx.SpecVersion1_4,
+				SpecVersion:  cyclonedx.SpecVersion1_5,
 				Version:      1,
 				Metadata: &cyclonedx.Metadata{
 					Timestamp: "2022-09-15T13:53:49+00:00",
@@ -138,7 +138,7 @@ var (
 			Data: &cyclonedx.BOM{
 				BOMFormat:    cyclonedx.BOMFormat,
 				SerialNumber: "urn:uuid:8b16c9a3-e957-4c85-b43d-7dd05ea0421c",
-				SpecVersion:  cyclonedx.SpecVersion1_4,
+				SpecVersion:  cyclonedx.SpecVersion1_5,
 				Version:      1,
 				Metadata: &cyclonedx.Metadata{
 					Timestamp: "2022-10-21T09:50:08+00:00",
@@ -205,7 +205,7 @@ var (
 		Predicate: &attestation.CosignPredicate{
 			Data: &cyclonedx.BOM{
 				BOMFormat:   cyclonedx.BOMFormat,
-				SpecVersion: cyclonedx.SpecVersion1_4,
+				SpecVersion: cyclonedx.SpecVersion1_5,
 				Version:     2,
 			},
 		},

diff --git a/pkg/sbom/cyclonedx/core/cyclonedx_test.go b/pkg/sbom/cyclonedx/core/cyclonedx_test.go
@@ -132,10 +132,11 @@ func TestMarshaler_CoreComponent(t *testing.T) {
 			},
 
 			want: &cdx.BOM{
-				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
+				XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 				BOMFormat:    "CycloneDX",
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
-				SpecVersion:  cdx.SpecVersion1_4,
+				JSONSchema:   "http://cyclonedx.org/schema/bom-1.5.schema.json",
+				SpecVersion:  cdx.SpecVersion1_5,
 				Version:      1,
 				Metadata: &cdx.Metadata{
 					Timestamp: "2021-08-25T12:20:30+00:00",

diff --git a/pkg/sbom/cyclonedx/marshal_test.go b/pkg/sbom/cyclonedx/marshal_test.go
@@ -182,9 +182,10 @@ func TestMarshaler_Marshal(t *testing.T) {
 				},
 			},
 			want: &cdx.BOM{
-				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
+				XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  cdx.SpecVersion1_4,
+				SpecVersion:  cdx.SpecVersion1_5,
+				JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json",
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
@@ -726,9 +727,10 @@ func TestMarshaler_Marshal(t *testing.T) {
 				},
 			},
 			want: &cdx.BOM{
-				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
+				XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  cdx.SpecVersion1_4,
+				SpecVersion:  cdx.SpecVersion1_5,
+				JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json",
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
@@ -1060,9 +1062,10 @@ func TestMarshaler_Marshal(t *testing.T) {
 				},
 			},
 			want: &cdx.BOM{
-				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
+				XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  cdx.SpecVersion1_4,
+				SpecVersion:  cdx.SpecVersion1_5,
+				JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json",
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
@@ -1187,9 +1190,10 @@ func TestMarshaler_Marshal(t *testing.T) {
 				},
 			},
 			want: &cdx.BOM{
-				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
+				XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  cdx.SpecVersion1_4,
+				SpecVersion:  cdx.SpecVersion1_5,
+				JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json",
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
@@ -1267,9 +1271,10 @@ func TestMarshaler_Marshal(t *testing.T) {
 				Results:       types.Results{},
 			},
 			want: &cdx.BOM{
-				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
+				XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  cdx.SpecVersion1_4,
+				SpecVersion:  cdx.SpecVersion1_5,
+				JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json",
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{