Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Support for CycloneDX v1.6 #576

Merged
merged 34 commits into from
Apr 9, 2024
Merged

feat: Support for CycloneDX v1.6 #576

merged 34 commits into from
Apr 9, 2024

Conversation

madpah
Copy link
Collaborator

@madpah madpah commented Apr 3, 2024
edited
Loading

Work in progress to add initial support for CycloneDX v1.6 specification (still in draft as this PR starts).

Resolves #577 whilst NOT resolving #578 currently.

This means new fields and values introduced by CycloneDX v1.6 are being added / supported, and fields marked as Deprecated in v1.6 are being marked as such, but any gap notes in #578 is not being addressed by this PR currently.

Whilst producing this PR gaps in v1.5 were captured in #578 and for v1.4 in #581 .

Summary of Changes

  • Deprecated bom.metadata.manufacture
  • Added bom.metadata.manufacturer
    • Set bom.metadata.component.manufacturer if bom.metadata.manufacture used?
  • Added .component.manufacturer
  • Added .component.authors
  • Deprecated .component.author
    • Set .component.manufacturer or .component.authors if .component.author used?
  • Added .component.omniborId
    • Add validation to ensure is a valid GitOID - Basic Regex validation added
  • Added .component.swhid
    • Add validation? - Basic Regex validation added
  • Added .component.cryptoProperties
  • Added .component.tags
  • Added model for postalAddress
    • Added address to OrganizationalEntity
  • Component.Version max length 1024 restriction raises a Warning if exceeded
  • Added acknowledgement attribute to licenseChoiceType.expression via add acknowledgement to LicenseExpression #582

@madpah
added draft v1.6 schemas and boilerplate for v1.6
41ca1e0 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah madpah added documentation Improvements or additions to documentation enhancement New feature or request schema 1.6 labels Apr 3, 2024
@madpah madpah self-assigned this Apr 3, 2024
@madpah
re-generated test snapshots for v1.6
8132c3e 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@codacy-production Codacy Production
Copy link

codacy-production bot commented Apr 3, 2024
edited
Loading

Coverage summary from Codacy

See diff coverage on Codacy

Coverage variation Diff coverage
-0.75% 90.27% (target: 80.00%)
Coverage variation details
Coverable lines Covered lines Coverage
Common ancestor commit (35749c6) 3424 3204 93.57%
Head commit (42c6f25) 4434 (+1010) 4116 (+912) 92.83% (-0.75%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details
Coverable lines Covered lines Diff coverage
Pull request (#576) 1130 1020 90.27%

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

See your quality gate settings    Change summary preferences

You may notice some variations in coverage metrics with the latest Coverage engine update. For more details, visit the documentation

@madpah
note bom.metadata.manufacture as deprecated
240dfaa 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
work on bom.metadata for v1.6
6192ed8 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
Deprecated .component.author. Added .component.authors and `.comp…
6227c08 
…onent.manufacturer`

Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
work to add .component.omniborid - but tests deserialisation tests …
af7b92b 
…fail due to schema differences (`.component.author` not in 1.6)

Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
work to get deserialization tests passing
fdece59 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah madpah mentioned this pull request Apr 4, 2024
Closed
@madpah
chore(deps): bump py-serializable to >=1.0.3 to resolve issues with…
0398051 
… deserialization to XML

Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
imports tidied
875a338 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
madpah added 14 commits April 5, 2024 08:28
@madpah
properly added .component.swhid
ee80ea3 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
add .component.cryptoProperties - with test failures for SchemaVers…
1e71dc3 
…ion < 1.6

Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
typing and bandit ignores
96a6dc9 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
coding standards
b23df1f 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
test filtering
14f699f 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
coding standards
a3e09d1 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
additional tests to increase code coverage
f504daa 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
corrected CryptoMode enum
71e4bc6 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
coding standards
d294620 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
Added address to organizationalEntity
318d723 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
Added address to organizationalEntity
1327558 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
raise UserWarning in .component.version has length > 1024
abebd4f 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
coding standards and typing
5c97c2d 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
add acknowledgement to LicenseExpression (#582)
ddd7847 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
jkowalleck
jkowalleck requested changes Apr 8, 2024
View reviewed changes
tests/test_output_json.py Outdated Show resolved Hide resolved
tests/__init__.py Outdated Show resolved Hide resolved
@madpah
more proper way to filter test cases
0a2ca2c 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah
update schema to published versions
0449de2 
Signed-off-by: Paul Horton <paul.horton@owasp.org>
@madpah madpah marked this pull request as ready for review April 9, 2024 06:58
@madpah madpah requested a review from a team as a code owner April 9, 2024 06:58
@madpah
Copy link
Collaborator Author

madpah commented Apr 9, 2024

@jkowalleck - ready for review. Kept this PR to the minimum requirements to support v1.6 without resolving gaps in v1.5 or v1.4 schema support as noted in #578 and #581 .

If we can ship this as is, happy to tackle the gaps separately.

@madpah madpah requested a review from jkowalleck April 9, 2024 07:03
@jkowalleck
fetch schema 1.6 JSON
289e81a 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck
fetch test data for CDX 1.6
618a292 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck
reformat
e0184cc 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck
reformat
e10ffee 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck
jkowalleck reviewed Apr 9, 2024
View reviewed changes
cyclonedx/model/__init__.py Show resolved Hide resolved
cyclonedx/model/__init__.py Show resolved Hide resolved
cyclonedx/model/bom.py Show resolved Hide resolved
@jkowalleck
refactor
62c1d9a 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck
style
0843234 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck
refactor
b4a133a 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck and others added 2 commits April 9, 2024 16:45
@jkowalleck
docs
42c6f25 
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
chore(release): 7.0.0-alpha.1
27833f7 
Automatically generated by python-semantic-release

Signed-off-by: semantic-release <semantic-release>
@madpah madpah merged commit 8bbdf46 into main Apr 9, 2024
2 of 3 checks passed
@madpah madpah deleted the feat/support-cyclonedx-1.6 branch April 10, 2024 06:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jkowalleck jkowalleck jkowalleck approved these changes

Assignees

@madpah madpah

Labels
breaking change documentation Improvements or additions to documentation enhancement New feature or request schema 1.6
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support for CycloneDX 1.6
2 participants
@madpah @jkowalleck