Merge pull request #413 from CycloneDX/issue408_externalReference

Fix Issue with Serialization for ExternalReferences at Bom Level

src/main/java/org/cyclonedx/model/Bom.java

@@ -79,7 +79,6 @@ public class Bom extends ExtensibleElement {
     private DependencyList dependencies;
 
     @VersionFilter(Version.VERSION_11)
-    @JsonDeserialize(using = ExternalReferencesDeserializer.class)
     private List<ExternalReference> externalReferences;
 
     @VersionFilter(Version.VERSION_13)
@@ -179,6 +178,9 @@ public void addDependency(Dependency dependency) {
         dependencies.add(dependency);
     }
 
+    @JacksonXmlElementWrapper(localName = "externalReferences")
+    @JacksonXmlProperty(localName = "reference")
+    @JsonDeserialize(using = ExternalReferencesDeserializer.class)
     public List<ExternalReference> getExternalReferences() {
         return externalReferences;
     }

src/test/java/org/cyclonedx/BomJsonGeneratorTest.java

@@ -365,6 +365,37 @@ private void assertLicenseInformation(Bom bom, Version version) {
         assertNull(license9.getBomRef());
     }
 
+    @Test
+    public void testIssue408Regression_externalReferenceBom() throws Exception {
+        Version version = Version.VERSION_16;
+        Bom bom = createCommonJsonBom("/regression/issue408-external-reference.json");
+        assertExternalReferenceInfo(bom);
+
+        BomJsonGenerator generator = BomGeneratorFactory.createJson(version, bom);
+        File loadedFile = writeToFile(generator.toJsonString());
+
+        JsonParser parser = new JsonParser();
+        assertTrue(parser.isValid(loadedFile, version));
+    }
+
+    @Test
+    public void testIssue408Regression_xmlToJson_externalReferenceBom() throws Exception {
+        Version version = Version.VERSION_16;
+        Bom bom = createCommonXmlBom("/regression/issue408-external-reference.xml");
+        assertExternalReferenceInfo(bom);
+
+        BomJsonGenerator generator = BomGeneratorFactory.createJson(version, bom);
+        File loadedFile = writeToFile(generator.toJsonString());
+
+        JsonParser parser = new JsonParser();
+        assertTrue(parser.isValid(loadedFile, version));
+    }
+
+    private void assertExternalReferenceInfo(Bom bom) {
+        assertEquals(3, bom.getExternalReferences().size());
+        assertEquals(3, bom.getComponents().get(0).getExternalReferences().size());
+    }
+
     private File writeToFile(String jsonString) throws Exception {
         try (FileWriter writer = new FileWriter(tempFile.getAbsolutePath())) {
             writer.write(jsonString);

src/test/java/org/cyclonedx/BomXmlGeneratorTest.java

@@ -490,6 +490,37 @@ private void assertLicenseInformation(Bom bom, Version version) {
         assertNull(license9.getBomRef());
     }
 
+    @Test
+    public void testIssue408Regression_externalReferenceBom() throws Exception {
+        Version version = Version.VERSION_16;
+        Bom bom = createCommonBomXml("/regression/issue408-external-reference.xml");
+        assertExternalReferenceInfo(bom);
+
+        BomXmlGenerator generator = BomGeneratorFactory.createXml(version, bom);
+        File loadedFile = writeToFile(generator.toXmlString());
+
+        XmlParser parser = new XmlParser();
+        assertTrue(parser.isValid(loadedFile, version));
+    }
+
+    @Test
+    public void testIssue408Regression_jsonToXml_externalReferenceBom() throws Exception {
+        Version version = Version.VERSION_16;
+        Bom bom = createCommonJsonBom("/regression/issue408-external-reference.json");
+        assertExternalReferenceInfo(bom);
+
+        BomXmlGenerator generator = BomGeneratorFactory.createXml(version, bom);
+        File loadedFile = writeToFile(generator.toXmlString());
+
+        XmlParser parser = new XmlParser();
+        assertTrue(parser.isValid(loadedFile, version));
+    }
+
+    private void assertExternalReferenceInfo(Bom bom) {
+        assertEquals(3, bom.getExternalReferences().size());
+        assertEquals(3, bom.getComponents().get(0).getExternalReferences().size());
+    }
+
     private File writeToFile(String xmlString) throws Exception {
         try (FileWriter writer = new FileWriter(tempFile.getAbsolutePath())) {
             writer.write(xmlString);

src/test/resources/regression/issue408-external-reference.json

@@ -0,0 +1,60 @@
+{
+  "bomFormat" : "CycloneDX",
+  "specVersion" : "1.6",
+  "serialNumber" : "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version" : 1,
+  "components" : [
+    {
+      "group" : "org.example",
+      "name" : "mylibrary",
+      "version" : "1.0.0",
+      "externalReferences" : [
+        {
+          "type" : "advisories",
+          "url" : "https://example.org/security/feed/csaf",
+          "comment" : "Security advisories from the vendor"
+        },
+        {
+          "type" : "bom",
+          "url" : "https://example.org/support/sbom/portal-server/1.0.0",
+          "comment" : "An external SBOM that describes what this component includes",
+          "hashes" : [
+            {
+              "alg" : "SHA-256",
+              "content" : "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+            }
+          ]
+        },
+        {
+          "type" : "documentation",
+          "url" : "https://example.org/support/documentation/portal-server/1.0.0",
+          "comment" : "Vendor provided documentation for the product"
+        }
+      ],
+      "type" : "library"
+    }
+  ],
+  "externalReferences" : [
+    {
+      "type" : "advisories",
+      "url" : "https://example.org/security/feed/csaf",
+      "comment" : "Security advisories from the vendor"
+    },
+    {
+      "type" : "bom",
+      "url" : "https://example.org/support/sbom/portal-server/1.0.0",
+      "comment" : "An external SBOM that describes what this component includes",
+      "hashes" : [
+        {
+          "alg" : "SHA-256",
+          "content" : "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+        }
+      ]
+    },
+    {
+      "type" : "documentation",
+      "url" : "https://example.org/support/documentation/portal-server/1.0.0",
+      "comment" : "Vendor provided documentation for the product"
+    }
+  ]
+}

src/test/resources/regression/issue408-external-reference.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0"?>
+<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.3">
+    <components>
+        <component type="library">
+            <group>org.example</group>
+            <name>mylibrary</name>
+            <version>1.0.0</version>
+            <externalReferences>
+                <reference type="advisories">
+                    <url>https://example.org/security/feed/csaf</url>
+                    <comment>Security advisories from the vendor</comment>
+                </reference>
+                <reference type="bom">
+                    <url>https://example.org/support/sbom/portal-server/1.0.0</url>
+                    <comment>An external SBOM that describes what this component includes</comment>
+                    <hashes>
+                        <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
+                    </hashes>
+                </reference>
+                <reference type="documentation">
+                    <url>https://example.org/support/documentation/portal-server/1.0.0</url>
+                    <comment>Vendor provided documentation for the product</comment>
+                </reference>
+            </externalReferences>
+        </component>
+    </components>
+    <externalReferences>
+        <reference type="advisories">
+            <url>https://example.org/security/feed/csaf</url>
+            <comment>Security advisories from the vendor</comment>
+        </reference>
+        <reference type="bom">
+            <url>https://example.org/support/sbom/portal-server/1.0.0</url>
+            <comment>An external SBOM that describes what this component includes</comment>
+            <hashes>
+                <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
+            </hashes>
+        </reference>
+        <reference type="documentation">
+            <url>https://example.org/support/documentation/portal-server/1.0.0</url>
+            <comment>Vendor provided documentation for the product</comment>
+        </reference>
+    </externalReferences>
+</bom>