aquasecurity · knqyf263 · Jan 3, 2023 · Oct 1, 2022 · Oct 3, 2022 · Oct 3, 2022
@@ -3,7 +3,7 @@ module github.com/aquasecurity/trivy
 go 1.19
 
 require (
-	github.com/CycloneDX/cyclonedx-go v0.6.0
+	github.com/CycloneDX/cyclonedx-go v0.7.0
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/NYTimes/gziphandler v1.1.1
 	github.com/alicebob/miniredis/v2 v2.23.0

@@ -107,8 +107,8 @@ github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03
 github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak=
 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.6.0 h1:SizWGbZzFTC/O/1yh072XQBMxfvsoWqd//oKCIyzFyE=
-github.com/CycloneDX/cyclonedx-go v0.6.0/go.mod h1:nQCiF4Tvrg5Ieu8qPhYMvzPGMu5I7fANZkrSsJjl5mg=
+github.com/CycloneDX/cyclonedx-go v0.7.0 h1:jNxp8hL7UpcvPDFXjY+Y1ibFtsW+e5zyF9QoSmhK/zg=
+github.com/CycloneDX/cyclonedx-go v0.7.0/go.mod h1:W5Z9w8pTTL+t+yG3PCiFRGlr8PUlE0pGWzKSJbsyXkg=
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible h1:juIaKLLVhqzP55d8x4cSVgwyQv76Z55/fRv/UBr2KkQ=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
@@ -365,8 +365,7 @@ github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnweb
 github.com/bmatcuk/doublestar v1.3.4 h1:gPypJ5xD31uhX6Tf54sDPUOBXTqKH4c9aPY66CyQrS0=
 github.com/bmatcuk/doublestar v1.3.4/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
-github.com/bradleyjkemp/cupaloy/v2 v2.7.0 h1:AT0vOjO68RcLyenLCHOGZzSNiuto7ziqzq6Q1/3xzMQ=
-github.com/bradleyjkemp/cupaloy/v2 v2.7.0/go.mod h1:bm7JXdkRd4BHJk9HpwqAI8BoAY1lps46Enkdqw6aRX0=
+github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/briandowns/spinner v1.12.0 h1:72O0PzqGJb6G3KgrcIOtL/JAGGZ5ptOMCn9cUHmqsmw=
 github.com/briandowns/spinner v1.12.0/go.mod h1:QOuQk7x+EaDASo80FEXwlwiA+j/PPIcX3FScO+3/ZPQ=
 github.com/bshuster-repo/logrus-logstash-hook v0.4.1/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk=

@@ -7,8 +7,8 @@ package types
 // cf. https://tinygo.org/docs/reference/lang-support/stdlib/
 type CycloneDX struct {
 	// JSON specific fields
-	BOMFormat   string `json:"bomFormat" xml:"-"`
-	SpecVersion string `json:"specVersion" xml:"-"`
+	BOMFormat   string      `json:"bomFormat" xml:"-"`
+	SpecVersion SpecVersion `json:"specVersion" xml:"-"`
 
 	SerialNumber string      `json:"serialNumber,omitempty" xml:"serialNumber,attr,omitempty"`
 	Version      int         `json:"version" xml:"version,attr"`
@@ -30,4 +30,7 @@ type Component struct {
 	PackageURL string        `json:"purl,omitempty" xml:"purl,omitempty"`
 }
 
-type ComponentType string
+type (
+	ComponentType string
+	SpecVersion   int
+)
@@ -50,7 +50,7 @@ var (
 			Data: &cyclonedx.BOM{
 				BOMFormat:    cyclonedx.BOMFormat,
 				SerialNumber: "urn:uuid:6453fd82-71f4-47c8-ad12-01775619c443",
-				SpecVersion:  "1.4",
+				SpecVersion:  cyclonedx.SpecVersion1_4,
 				Version:      1,
 				Metadata: &cyclonedx.Metadata{
 					Timestamp: "2022-09-15T13:53:49+00:00",
@@ -106,14 +106,14 @@ var (
 				Dependencies: &[]cyclonedx.Dependency{
 					{
 						Ref: "pkg:oci/alpine@sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2ad?repository_url=index.docker.io%2Flibrary%2Falpine&6arch=amd64",
-						Dependencies: &[]cyclonedx.Dependency{
-							{Ref: "fad4eb97-3d2a-4499-ace7-2c94444148a7"},
+						Dependencies: &[]string{
+							"fad4eb97-3d2a-4499-ace7-2c94444148a7",
 						},
 					},
 					{
 						Ref: "fad4eb97-3d2a-4499-ace7-2c94444148a7",
-						Dependencies: &[]cyclonedx.Dependency{
-							{Ref: "pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.2"},
+						Dependencies: &[]string{
+							"pkg:apk/alpine/musl@1.2.3-r0?distro=3.16.2",
 						},
 					},
 				},
@@ -138,7 +138,7 @@ var (
 			Data: &cyclonedx.BOM{
 				BOMFormat:    cyclonedx.BOMFormat,
 				SerialNumber: "urn:uuid:8b16c9a3-e957-4c85-b43d-7dd05ea0421c",
-				SpecVersion:  "1.4",
+				SpecVersion:  cyclonedx.SpecVersion1_4,
 				Version:      1,
 				Metadata: &cyclonedx.Metadata{
 					Timestamp: "2022-10-21T09:50:08+00:00",
@@ -182,14 +182,14 @@ var (
 				Dependencies: &[]cyclonedx.Dependency{
 					{
 						Ref: "ef8385d7-a56f-495a-a220-7b0a2e940d39",
-						Dependencies: &[]cyclonedx.Dependency{
-							{Ref: "bb8b7541-2b08-4692-9363-8f79da5c1a31"},
+						Dependencies: &[]string{
+							"bb8b7541-2b08-4692-9363-8f79da5c1a31",
 						},
 					},
 					{
 						Ref: "bb8b7541-2b08-4692-9363-8f79da5c1a31",
-						Dependencies: &[]cyclonedx.Dependency{
-							{Ref: "pkg:golang/github.com/spf13/cobra@1.5.0"},
+						Dependencies: &[]string{
+							"pkg:golang/github.com/spf13/cobra@1.5.0",
 						},
 					},
 				},
@@ -205,7 +205,7 @@ var (
 		Predicate: &attestation.CosignPredicate{
 			Data: &cyclonedx.BOM{
 				BOMFormat:   cyclonedx.BOMFormat,
-				SpecVersion: "1.4",
+				SpecVersion: cyclonedx.SpecVersion1_4,
 				Version:     2,
 			},
 		},

@@ -193,12 +193,12 @@ func externalRef(bomLink string, bomRef string) (string, error) {
 func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Component, *[]cdx.Dependency, *[]cdx.Vulnerability, error) {
 	var components []cdx.Component
 	var dependencies []cdx.Dependency
-	var metadataDependencies []cdx.Dependency
+	var metadataDependencies []string
 	libraryUniqMap := map[string]struct{}{}
 	vulnMap := map[string]cdx.Vulnerability{}
 	for _, result := range r.Results {
 		bomRefMap := map[string]string{}
-		var componentDependencies []cdx.Dependency
+		var componentDependencies []string
 		for _, pkg := range result.Packages {
 			pkgComponent, err := pkgToCdxComponent(result.Type, r.Metadata, pkg)
 			if err != nil {
@@ -207,7 +207,7 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
 			pkgID := packageID(result.Target, pkg.Name, utils.FormatVersion(pkg), pkg.FilePath)
 			if _, ok := bomRefMap[pkgID]; !ok {
 				bomRefMap[pkgID] = pkgComponent.BOMRef
-				componentDependencies = append(componentDependencies, cdx.Dependency{Ref: pkgComponent.BOMRef})
+				componentDependencies = append(componentDependencies, pkgComponent.BOMRef)
 			}
 
 			// When multiple lock files have the same dependency with the same name and version,
@@ -288,7 +288,7 @@ func (e *Marshaler) marshalComponents(r types.Report, bomRef string) (*[]cdx.Com
 			)
 
 			// Dependency graph from #1 to #2
-			metadataDependencies = append(metadataDependencies, cdx.Dependency{Ref: resultComponent.BOMRef})
+			metadataDependencies = append(metadataDependencies, resultComponent.BOMRef)
 		}
 	}
 	vulns := maps.Values(vulnMap)

@@ -169,7 +169,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 			want: &cdx.BOM{
 				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  "1.4",
+				SpecVersion:  cdx.SpecVersion1_4,
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
@@ -379,65 +379,43 @@ func TestMarshaler_Marshal(t *testing.T) {
 				Dependencies: &[]cdx.Dependency{
 					{
 						Ref: "3ff14136-e09f-4df9-80ea-000000000002",
-						Dependencies: &[]cdx.Dependency{
-							{
-								Ref: "pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
-							},
+						Dependencies: &[]string{
+							"pkg:rpm/centos/binutils@2.30-93.el8?arch=aarch64&distro=centos-8.3.2011",
 						},
 					},
 					{
 						Ref: "3ff14136-e09f-4df9-80ea-000000000003",
-						Dependencies: &[]cdx.Dependency{
-							{
-								Ref: "pkg:gem/actionpack@7.0.0",
-							},
-							{
-								Ref: "pkg:gem/actioncontroller@7.0.0",
-							},
+						Dependencies: &[]string{
+							"pkg:gem/actionpack@7.0.0",
+							"pkg:gem/actioncontroller@7.0.0",
 						},
 					},
 					{
 						Ref: "3ff14136-e09f-4df9-80ea-000000000004",
-						Dependencies: &[]cdx.Dependency{
-							{
-								Ref: "pkg:gem/actionpack@7.0.0",
-							},
+						Dependencies: &[]string{
+							"pkg:gem/actionpack@7.0.0",
 						},
 					},
 					{
 						Ref: "3ff14136-e09f-4df9-80ea-000000000005",
-						Dependencies: &[]cdx.Dependency{
-							{
-								Ref: "pkg:nuget/Newtonsoft.Json@9.0.1",
-							},
+						Dependencies: &[]string{
+							"pkg:nuget/Newtonsoft.Json@9.0.1",
 						},
 					},
 					{
 						Ref: "3ff14136-e09f-4df9-80ea-000000000006",
-						Dependencies: &[]cdx.Dependency{
-							{
-								Ref: "pkg:golang/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b",
-							},
+						Dependencies: &[]string{
+							"pkg:golang/golang.org/x/crypto@v0.0.0-20210421170649-83a5a9bb288b",
 						},
 					},
 					{
 						Ref: "pkg:oci/rails@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177?repository_url=index.docker.io%2Flibrary%2Frails&arch=arm64",
-						Dependencies: &[]cdx.Dependency{
-							{
-								Ref: "3ff14136-e09f-4df9-80ea-000000000002",
-							},
-							{
-								Ref: "3ff14136-e09f-4df9-80ea-000000000003",
-							},
-							{
-								Ref: "3ff14136-e09f-4df9-80ea-000000000004",
-							},
-							{
-								Ref: "3ff14136-e09f-4df9-80ea-000000000005",
-							},
-							{
-								Ref: "3ff14136-e09f-4df9-80ea-000000000006",
-							},
+						Dependencies: &[]string{
+							"3ff14136-e09f-4df9-80ea-000000000002",
+							"3ff14136-e09f-4df9-80ea-000000000003",
+							"3ff14136-e09f-4df9-80ea-000000000004",
+							"3ff14136-e09f-4df9-80ea-000000000005",
+							"3ff14136-e09f-4df9-80ea-000000000006",
 						},
 					},
 				},
@@ -664,7 +642,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 			want: &cdx.BOM{
 				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  "1.4",
+				SpecVersion:  cdx.SpecVersion1_4,
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
@@ -796,24 +774,16 @@ func TestMarshaler_Marshal(t *testing.T) {
 				Dependencies: &[]cdx.Dependency{
 					{
 						Ref: "3ff14136-e09f-4df9-80ea-000000000003",
-						Dependencies: &[]cdx.Dependency{
-							{
-								Ref: "pkg:rpm/centos/acl@1:2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011",
-							},
+						Dependencies: &[]string{
+							"pkg:rpm/centos/acl@1:2.2.53-1.el8?arch=aarch64&distro=centos-8.3.2011",
 						},
 					},
 					{
 						Ref: "3ff14136-e09f-4df9-80ea-000000000002",
-						Dependencies: &[]cdx.Dependency{
-							{
-								Ref: "3ff14136-e09f-4df9-80ea-000000000003",
-							},
-							{
-								Ref: "pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec",
-							},
-							{
-								Ref: "pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec",
-							},
+						Dependencies: &[]string{
+							"3ff14136-e09f-4df9-80ea-000000000003",
+							"pkg:gem/actionpack@7.0.0?file_path=tools%2Fproject-john%2Fspecifications%2Factionpack.gemspec",
+							"pkg:gem/actionpack@7.0.1?file_path=tools%2Fproject-doe%2Fspecifications%2Factionpack.gemspec",
 						},
 					},
 				},
@@ -917,7 +887,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 			want: &cdx.BOM{
 				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  "1.4",
+				SpecVersion:  cdx.SpecVersion1_4,
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
@@ -975,18 +945,14 @@ func TestMarshaler_Marshal(t *testing.T) {
 				Dependencies: &[]cdx.Dependency{
 					{
 						Ref: "3ff14136-e09f-4df9-80ea-000000000003",
-						Dependencies: &[]cdx.Dependency{
-							{
-								Ref: "pkg:gem/actioncable@6.1.4.1",
-							},
+						Dependencies: &[]string{
+							"pkg:gem/actioncable@6.1.4.1",
 						},
 					},
 					{
 						Ref: "3ff14136-e09f-4df9-80ea-000000000002",
-						Dependencies: &[]cdx.Dependency{
-							{
-								Ref: "3ff14136-e09f-4df9-80ea-000000000003",
-							},
+						Dependencies: &[]string{
+							"3ff14136-e09f-4df9-80ea-000000000003",
 						},
 					},
 				},
@@ -1020,7 +986,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 			want: &cdx.BOM{
 				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  "1.4",
+				SpecVersion:  cdx.SpecVersion1_4,
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
@@ -1074,10 +1040,8 @@ func TestMarshaler_Marshal(t *testing.T) {
 				Dependencies: &[]cdx.Dependency{
 					{
 						Ref: "3ff14136-e09f-4df9-80ea-000000000002",
-						Dependencies: &[]cdx.Dependency{
-							{
-								Ref: "pkg:npm/ruby-typeprof@0.20.1?file_path=usr%2Flocal%2Flib%2Fruby%2Fgems%2F3.1.0%2Fgems%2Ftypeprof-0.21.1%2Fvscode%2Fpackage.json",
-							},
+						Dependencies: &[]string{
+							"pkg:npm/ruby-typeprof@0.20.1?file_path=usr%2Flocal%2Flib%2Fruby%2Fgems%2F3.1.0%2Fgems%2Ftypeprof-0.21.1%2Fvscode%2Fpackage.json",
 						},
 					},
 				},
@@ -1094,7 +1058,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 			want: &cdx.BOM{
 				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  "1.4",
+				SpecVersion:  cdx.SpecVersion1_4,
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
@@ -1123,7 +1087,7 @@ func TestMarshaler_Marshal(t *testing.T) {
 				Dependencies: &[]cdx.Dependency{
 					{
 						Ref:          "3ff14136-e09f-4df9-80ea-000000000002",
-						Dependencies: new([]cdx.Dependency),
+						Dependencies: new([]string),
 					},
 				},
 			},
@@ -1264,7 +1228,7 @@ func TestMarshaler_MarshalVulnerabilities(t *testing.T) {
 			want: &cdx.BOM{
 				XMLNS:       "http://cyclonedx.org/schema/bom/1.4",
 				BOMFormat:   "CycloneDX",
-				SpecVersion: "1.4",
+				SpecVersion: cdx.SpecVersion1_4,
 				Version:     1,
 				Metadata: &cdx.Metadata{
 					Timestamp: "2021-08-25T12:20:30+00:00",
@@ -1457,7 +1421,7 @@ func TestMarshaler_MarshalVulnerabilities(t *testing.T) {
 			want: &cdx.BOM{
 				XMLNS:       "http://cyclonedx.org/schema/bom/1.4",
 				BOMFormat:   "CycloneDX",
-				SpecVersion: "1.4",
+				SpecVersion: cdx.SpecVersion1_4,
 				Version:     1,
 				Metadata: &cdx.Metadata{
 					Timestamp: "2021-08-25T12:20:30+00:00",

@@ -72,7 +72,7 @@ func (c *CycloneDX) UnmarshalJSON(b []byte) error {
 	// Keep the original SBOM
 	c.CycloneDX = &ftypes.CycloneDX{
 		BOMFormat:    bom.BOMFormat,
-		SpecVersion:  bom.SpecVersion,
+		SpecVersion:  ftypes.SpecVersion(bom.SpecVersion),
 		SerialNumber: bom.SerialNumber,
 		Version:      bom.Version,
 		Metadata:     metadata,
@@ -242,10 +242,9 @@ func dependencyMap(deps *[]cdx.Dependency) map[string][]string {
 		if _, ok := depMap[dep.Ref]; ok {
 			continue
 		}
-
 		var refs []string
-		for _, d := range lo.FromPtr(dep.Dependencies) {
-			refs = append(refs, d.Ref)
+		if dep.Dependencies != nil {
+			refs = append(refs, *dep.Dependencies...)
 		}
 
 		depMap[dep.Ref] = refs