From 45db721ae0b2f730d33f35b7429e342a1d77edc0 Mon Sep 17 00:00:00 2001 From: Steve Springett Date: Sat, 23 Mar 2024 20:36:09 -0500 Subject: [PATCH] Added support for concluded value. Updated test cases. Signed-off-by: Steve Springett
---
 schema/bom-1.6.proto | 2 ++ schema/bom-1.6.schema.json | 5 +++++ schema/bom-1.6.xsd | 5 +++++ tools/src/test/resources/1.6/valid-evidence-1.6.json | 3 +++ tools/src/test/resources/1.6/valid-evidence-1.6.textproto | 3 +++ tools/src/test/resources/1.6/valid-evidence-1.6.xml | 3 +++ 6 files changed, 21 insertions(+)
diff --git a/schema/bom-1.6.proto b/schema/bom-1.6.proto
index 3e6ee48c..d469b069 100644
--- a/schema/bom-1.6.proto
+++ b/schema/bom-1.6.proto
@@ -729,6 +729,8 @@ message EvidenceIdentity {
 repeated EvidenceMethods methods = 3;
 // The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation.
 repeated string tools = 4;
+ // The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available).
+ optional string concludedValue = 5;
 }
 
 message EvidenceMethods {
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
index 6e959ac9..6c97e88e 100644
--- a/schema/bom-1.6.schema.json
+++ b/schema/bom-1.6.schema.json
@@ -4441,6 +4441,11 @@
 "title": "Confidence",
 "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."
 },
+ "concludedValue": {
+ "type": "string",
+ "title": "Concluded Value",
+ "description": "The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available)."
+ },
 "methods": {
 "type": "array",
 "title": "Methods",
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
index b904975e..6b4212ab 100644
--- a/schema/bom-1.6.xsd
+++ b/schema/bom-1.6.xsd
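Review bot: `concludedValue` on the added line is camelCase, while protobuf field names are conventionally lower_snake_case; `optional string concluded_value = 5;` keeps `concludedValue` as the proto3 JSON name, and the textproto fixture later in this patch would then read `concluded_value:`. Only the tail of EvidenceIdentity is visible here, so check it against the naming used by the rest of the file before release, because a later rename breaks text format and generated accessors. The comment also leaves open what a consumer does when this value differs from the cpe or purl declared on the component itself, which matters for tools that match vulnerabilities on those identifiers; a sentence such as `// Does not override identifiers declared on the component.` would settle it if that is the intent. The same description is repeated in the JSON schema and XSD hunks.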
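Review bot: The new `concludedValue` property accepts any string, including `""`, so a BOM with an empty conclusion still validates; if an empty value carries no meaning, add `"minLength": 1` next to `"type": "string"`. The value is asserted by whoever produced the BOM and may hold a cpe or purl, so the description could also state that consumers check it against the format expected for the named `field` before using it for lookups. The enclosing object starts and ends outside this hunk.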
@@ -2354,6 +2354,11 @@ limitations under the License. The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence. + + + The value of the field (cpe, purl, etc) that has been concluded based on the aggregate of all methods (if available). + + The methods used to extract and/or analyze the evidence. diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.json b/tools/src/test/resources/1.6/valid-evidence-1.6.json index b4e0e71f..b80656bb 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.json +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.json @@ -117,6 +117,7 @@ { "field": "group", "confidence": 0.1, + "concludedValue": "com.example", "methods": [ { "technique": "filename", @@ -128,6 +129,7 @@ { "field": "name", "confidence": 0.1, + "concludedValue": "example-project", "methods": [ { "technique": "filename", @@ -139,6 +141,7 @@ { "field": "version", "confidence": 0.1, + "concludedValue": "1.0.0", "methods": [ { "technique": "filename", diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto index ca1a4289..216e9bb5 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto @@ -122,6 +122,7 @@ components [ value: "example-project-1.0.0.jar" } ] + concludedValue: "com.example" }, { field: EVIDENCE_FIELD_NAME @@ -133,6 +134,7 @@ components [ value: "example-project-1.0.0.jar" } ] + concludedValue: "example-project" }, { field: EVIDENCE_FIELD_VERSION @@ -144,6 +146,7 @@ components [ value: "example-project-1.0.0.jar" } ] + concludedValue: "1.0.0" } ] } diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.xml b/tools/src/test/resources/1.6/valid-evidence-1.6.xml index 336d96c3..32d96983 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.xml +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.xml @@ -97,6 +97,7 @@ group 0.1 + com.example filename 
@@ -108,6 +109,7 @@ name 0.1 + example-project filename @@ -119,6 +121,7 @@ version 0.1 + 1.0.0 filename