Merge pull request #426 from CycloneDX/Add_validations_external_refer…

…ences External References and Metadata Validations
CycloneDX · Jun 15, 2024 · 66423fe · 66423fe
2 parents 024b725 + bd29da2
commit 66423fe
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 16 deletions.
diff --git a/src/main/java/org/cyclonedx/generators/AbstractBomGenerator.java b/src/main/java/org/cyclonedx/generators/AbstractBomGenerator.java
@@ -6,6 +6,7 @@
 import org.cyclonedx.Version;
 import org.cyclonedx.model.Bom;
 import org.cyclonedx.util.serializer.EvidenceSerializer;
+import org.cyclonedx.util.serializer.ExternalReferenceSerializer;
 import org.cyclonedx.util.serializer.InputTypeSerializer;
 import org.cyclonedx.util.serializer.LicenseChoiceSerializer;
 import org.cyclonedx.util.serializer.LifecycleSerializer;
@@ -63,5 +64,9 @@ protected void setupObjectMapper(boolean isXml) {
     SimpleModule signatoryModule = new SimpleModule();
     signatoryModule.addSerializer(new SignatorySerializer(isXml));
     mapper.registerModule(signatoryModule);
+
+    SimpleModule externalSerializer = new SimpleModule();
+    externalSerializer.addSerializer(new ExternalReferenceSerializer(getSchemaVersion()));
+    mapper.registerModule(externalSerializer);
   }
 }
diff --git a/src/main/java/org/cyclonedx/model/Bom.java b/src/main/java/org/cyclonedx/model/Bom.java
@@ -100,7 +100,7 @@ public class Bom extends ExtensibleElement {
     @VersionFilter(Version.VERSION_15)
     private List<Annotation> annotations;
 
-    @VersionFilter(Version.VERSION_13)
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
     private List<Property> properties;
 
     @JacksonXmlProperty(isAttribute = true)
@@ -241,6 +241,7 @@ public void setAnnotations(List<Annotation> annotations) {
     @JacksonXmlElementWrapper(localName = "properties")
     @JacksonXmlProperty(localName = "property")
     @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    @VersionFilter(Version.VERSION_13)
     public List<Property> getProperties() {
         return properties;
     }

diff --git a/src/main/java/org/cyclonedx/model/Component.java b/src/main/java/org/cyclonedx/model/Component.java
@@ -412,6 +412,7 @@ public void setPedigree(Pedigree pedigree) {
     @JacksonXmlElementWrapper(localName = "externalReferences")
     @JacksonXmlProperty(localName = "reference")
     @JsonDeserialize(using = ExternalReferencesDeserializer.class)
+    @VersionFilter(Version.VERSION_11)
     public List<ExternalReference> getExternalReferences() {
         return externalReferences;
     }

diff --git a/src/main/java/org/cyclonedx/model/ExternalReference.java b/src/main/java/org/cyclonedx/model/ExternalReference.java
@@ -25,16 +25,13 @@
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonPropertyOrder;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
 import org.cyclonedx.Version;
-import org.cyclonedx.util.serializer.ExternalReferenceSerializer;
 
 @SuppressWarnings("unused")
 @JsonIgnoreProperties(ignoreUnknown = true)
 @JsonInclude(JsonInclude.Include.NON_NULL)
-@JsonSerialize(using = ExternalReferenceSerializer.class)
 @JsonPropertyOrder({"url", "comment", "hashes"})
 public class ExternalReference {
 

diff --git a/src/main/java/org/cyclonedx/util/serializer/ExternalReferenceSerializer.java b/src/main/java/org/cyclonedx/util/serializer/ExternalReferenceSerializer.java
@@ -26,20 +26,25 @@
 import com.fasterxml.jackson.databind.ser.std.StdSerializer;
 import com.fasterxml.jackson.dataformat.xml.ser.ToXmlGenerator;
 import org.apache.commons.collections4.CollectionUtils;
+import org.cyclonedx.Version;
 import org.cyclonedx.model.ExternalReference;
 import org.cyclonedx.model.ExternalReference.Type;
 import org.cyclonedx.model.Hash;
+import org.cyclonedx.model.VersionFilter;
 import org.cyclonedx.util.BomUtils;
 
 public class ExternalReferenceSerializer
     extends StdSerializer<ExternalReference>
 {
-  public ExternalReferenceSerializer() {
-    this(null);
+  private final Version version;
+
+  public ExternalReferenceSerializer(final Version version) {
+    this(null, version);
   }
 
-  public ExternalReferenceSerializer(final Class<ExternalReference> t) {
+  public ExternalReferenceSerializer(final Class<ExternalReference> t, final Version version) {
     super(t);
+    this.version = version;
   }
 
   @Override
@@ -53,6 +58,10 @@ public void serialize(
       return;
     }
 
+    if(!shouldSerializeField(extRef.getType())) {
+      return;
+    }
+
     if (gen instanceof ToXmlGenerator) {
       serializeXml((ToXmlGenerator) gen, extRef);
     }
@@ -114,4 +123,22 @@ private void serializeJson(final JsonGenerator gen, final ExternalReference extR
     }
     gen.writeEndObject();
   }
+
+  private boolean shouldSerializeField(Object obj) {
+    try {
+      if (obj instanceof Type) {
+        Type type = (Type) obj;
+        VersionFilter filter = type.getClass().getField(type.name()).getAnnotation(VersionFilter.class);
+        return filter == null || filter.value().getVersion() <= version.getVersion();
+      }
+      return true;
+    }catch (NoSuchFieldException e) {
+      return false;
+    }
+  }
+
+  @Override
+  public Class<ExternalReference> handledType() {
+    return ExternalReference.class;
+  }
 }
diff --git a/src/main/java/org/cyclonedx/util/serializer/MetadataSerializer.java b/src/main/java/org/cyclonedx/util/serializer/MetadataSerializer.java
@@ -1,15 +1,18 @@
 package org.cyclonedx.util.serializer;
 
 import java.io.IOException;
+import java.lang.reflect.Field;
 import java.util.List;
 
 import com.fasterxml.jackson.core.JsonGenerator;
 import com.fasterxml.jackson.databind.SerializerProvider;
 import com.fasterxml.jackson.databind.ser.std.StdSerializer;
 import com.fasterxml.jackson.dataformat.xml.ser.ToXmlGenerator;
+import org.apache.commons.collections4.CollectionUtils;
 import org.cyclonedx.Version;
 import org.cyclonedx.model.Metadata;
 import org.cyclonedx.model.Property;
+import org.cyclonedx.model.VersionFilter;
 import org.cyclonedx.model.metadata.ToolInformation;
 
 public class MetadataSerializer
@@ -45,20 +48,20 @@ private void createMetadataInfo(final Metadata metadata, final JsonGenerator jso
   {
     jsonGenerator.writeStartObject();
 
-    if (metadata.getTimestamp() != null) {
+    if (metadata.getTimestamp() != null && shouldSerializeField(metadata, "timestamp")) {
       jsonGenerator.writeFieldName("timestamp");
       new CustomDateSerializer().serialize(metadata.getTimestamp(), jsonGenerator, serializerProvider);
     }
 
-    if(metadata.getLifecycles() != null) {
+    if(metadata.getLifecycles() != null && shouldSerializeField(metadata, "lifecycles")) {
       jsonGenerator.writeFieldName("lifecycles");
       new LifecycleSerializer(isXml).serialize(metadata.getLifecycles(), jsonGenerator, serializerProvider);
     }
 
     //Tools
     parseTools(metadata, jsonGenerator);
 
-    if (metadata.getAuthors() != null) {
+    if (metadata.getAuthors() != null && shouldSerializeField(metadata, "author")) {
       if (isXml) {
         ToXmlGenerator xmlGenerator = (ToXmlGenerator) jsonGenerator;
         writeArrayFieldXML(metadata.getAuthors(), xmlGenerator, "author");
@@ -68,28 +71,28 @@ private void createMetadataInfo(final Metadata metadata, final JsonGenerator jso
       }
     }
 
-    if(metadata.getComponent() != null) {
+    if(metadata.getComponent() != null && shouldSerializeField(metadata, "component")) {
       jsonGenerator.writeObjectField("component", metadata.getComponent());
     }
 
-    if(metadata.getManufacture() != null) {
+    if(metadata.getManufacture() != null && shouldSerializeField(metadata, "manufacture")) {
       jsonGenerator.writeObjectField("manufacture", metadata.getManufacture());
     }
 
-    if(metadata.getManufacturer() != null) {
+    if(metadata.getManufacturer() != null && shouldSerializeField(metadata, "manufacturer")) {
       jsonGenerator.writeObjectField("manufacturer", metadata.getManufacturer());
     }
 
-    if(metadata.getSupplier() != null) {
+    if(metadata.getSupplier() != null && shouldSerializeField(metadata, "supplier")) {
       jsonGenerator.writeObjectField("supplier", metadata.getSupplier());
     }
 
-    if(metadata.getLicenses() != null) {
+    if(metadata.getLicenses() != null && shouldSerializeField(metadata, "licenses")) {
       jsonGenerator.writeFieldName("licenses");
       new LicenseChoiceSerializer(isXml, version).serialize(metadata.getLicenses(), jsonGenerator, serializerProvider);
     }
 
-    if(metadata.getProperties()!=null) {
+    if (CollectionUtils.isNotEmpty(metadata.getProperties()) && shouldSerializeField(metadata, "properties")) {
       if (isXml) {
         ToXmlGenerator xmlGenerator = (ToXmlGenerator) jsonGenerator;
         xmlGenerator.writeFieldName("properties");
@@ -165,6 +168,17 @@ private <T> void writeArrayFieldXML(List<T> items, ToXmlGenerator xmlGenerator,
     }
   }
 
+  private boolean shouldSerializeField(Object obj, String fieldName) {
+    try {
+      Field field = obj.getClass().getDeclaredField(fieldName);
+      VersionFilter filter = field.getAnnotation(VersionFilter.class);
+      return filter == null || filter.value().getVersion() <= version.getVersion();
+    } catch (NoSuchFieldException e) {
+      // If the field does not exist, assume it should be serialized
+      return true;
+    }
+  }
+
   @Override
   public Class<Metadata> handledType() {
     return Metadata.class;