fix: update to latest contracts with cyclonedx-python-lib

Signed-off-by: Paul Horton <paul.horton@owasp.org>
madpah · Mar 2, 2023 · fda01e0 · fda01e0
1 parent 8e3d05a
commit fda01e0
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 184 deletions.
diff --git a/vexy/client.py b/vexy/client.py
@@ -20,6 +20,7 @@
 
 import argparse
 import enum
+import json
 import sys
 from datetime import datetime
 from importlib import import_module
@@ -28,8 +29,10 @@
 from string import printable
 from typing import Dict, Optional, Set, cast
 from urllib.parse import quote
+from xml.etree import ElementTree
 
 import yaml
+from cyclonedx.exception import CycloneDxException
 from cyclonedx.model import ExternalReference, ExternalReferenceType, Tool, XsUri
 from cyclonedx.model.bom import Bom
 from cyclonedx.output import BaseOutput, OutputFormat, SchemaVersion
@@ -69,31 +72,31 @@ class _CLI_OUTPUT_FORMAT(enum.Enum):
 ThisTool = Tool(vendor='Vexy', name='vexy', version=__ThisToolVersion or 'UNKNOWN')
 ThisTool.external_references.update([
     ExternalReference(
-        reference_type=ExternalReferenceType.BUILD_SYSTEM,
+        type_=ExternalReferenceType.BUILD_SYSTEM,
         url=XsUri('https://github.com/madpah/vexy/actions')
     ),
     ExternalReference(
-        reference_type=ExternalReferenceType.DISTRIBUTION,
+        type_=ExternalReferenceType.DISTRIBUTION,
         url=XsUri('https://pypi.org/project/vexy/')
     ),
     ExternalReference(
-        reference_type=ExternalReferenceType.DOCUMENTATION,
+        type_=ExternalReferenceType.DOCUMENTATION,
         url=XsUri('https://vexy.readthedocs.io/')
     ),
     ExternalReference(
-        reference_type=ExternalReferenceType.ISSUE_TRACKER,
+        type_=ExternalReferenceType.ISSUE_TRACKER,
         url=XsUri('https://github.com/madpah/vexy/issues')
     ),
     ExternalReference(
-        reference_type=ExternalReferenceType.LICENSE,
+        type_=ExternalReferenceType.LICENSE,
         url=XsUri('https://github.com/madpah/vexy/blob/main/LICENSE')
     ),
     ExternalReference(
-        reference_type=ExternalReferenceType.RELEASE_NOTES,
+        type_=ExternalReferenceType.RELEASE_NOTES,
         url=XsUri('https://github.com/madpah/vexy/blob/main/CHANGELOG.md')
     ),
     ExternalReference(
-        reference_type=ExternalReferenceType.VCS,
+        type_=ExternalReferenceType.VCS,
         url=XsUri('https://github.com/madpah/vexy')
     )
 ])
@@ -149,16 +152,22 @@ def execute(self) -> None:
             )
             progress.start_task(task_id=task_parse)
 
-            parser: BaseParser
-            if str(self._arguments.input_source.name).endswith('.json'):
-                parser = CycloneDxJsonParser(input_file=self._arguments.input_source)
-            elif str(self._arguments.input_source.name).endswith('.xml'):
-                parser = CycloneDxXmlParser(input_file=self._arguments.input_source)
+            # parser: BaseParser
+            input_bom: Bom
+            try:
+                with self._arguments.input_source as input_bom_fh:
+                    if str(self._arguments.input_source.name).endswith('.json'):
+                        input_bom = Bom.from_json(data=json.loads(input_bom_fh.read()))
+
+                    elif str(self._arguments.input_source.name).endswith('.xml'):
+                        input_bom = Bom.from_xml(data=ElementTree.fromstring(input_bom_fh.read()))
+            except CycloneDxException as e:
+                print(f'Failure validating input BOM: {e}')
+                return
 
-            parser.parse_bom()
             progress.update(
                 task_id=task_parse, completed=100,
-                description=f'Parsed {len(parser.bom.components)} Components from CycloneDX SBOM'
+                description=f'Parsed {len(input_bom.components)} Components from CycloneDX SBOM'
             )
 
             vex = Bom()
@@ -169,7 +178,7 @@ def execute(self) -> None:
                     f'Consulting {data_source.source_name()} for known vulnerabilities', total=100,
                     visible=not self._is_quiet()
                 )
-                data_source.process_components(components=parser.bom.components)
+                data_source.process_components(components=input_bom.components)
                 progress.update(
                     task_id=data_source_tasks[data_source.__class__], completed=25,
                     description=f'{data_source.source_name()}: Querying for {len(data_source.valid_components)} '
@@ -187,7 +196,7 @@ def execute(self) -> None:
                 i: int = 1
                 for v in vulnerabilities:
                     for a in v.affects:
-                        a.ref = f'{parser.bom.urn()}#{quote(a.ref, safe=printable)}'
+                        a.ref = f'{input_bom.urn()}#{quote(a.ref, safe=printable)}'
                     vex.vulnerabilities.add(v)
                     progress.update(
                         task_id=data_source_tasks[data_source.__class__],

diff --git a/vexy/parser/__init__.py b/vexy/parser/__init__.py
diff --git a/vexy/parser/cyclonedx.py b/vexy/parser/cyclonedx.py