chore: update cyclonedx tool metadata and tests

Signed-off-by: Keith Zantow <kzantow@gmail.com>
anchore · Dec 14, 2023 · a5e3cc9 · a5e3cc9
1 parent 64d9424
commit a5e3cc9
Show file tree

Hide file tree

Showing 7 changed files with 67 additions and 40 deletions.
diff --git a/syft/format/common/cyclonedxhelpers/decoder.go b/syft/format/common/cyclonedxhelpers/decoder.go
@@ -245,13 +245,26 @@ func extractComponents(meta *cyclonedx.Metadata) source.Description {
 // if there is more than one tool in meta.Tools' list the last item will be used
 // as descriptor. If there is a way to know which tool to use here please fix it.
 func extractDescriptor(meta *cyclonedx.Metadata) (desc sbom.Descriptor) {
-	if meta == nil || meta.Tools == nil {
+	if meta == nil {
 		return
 	}
 
-	for _, t := range *meta.Tools {
-		desc.Name = t.Name
-		desc.Version = t.Version
+	if meta.Component != nil {
+		desc.Name = meta.Component.Name
+		desc.Version = meta.Component.Version
+		return
+	}
+
+	// handle original tool element
+	if meta.Tools != nil && meta.Tools.Tools != nil {
+		tools := *meta.Tools.Tools
+
+		for _, t := range tools {
+			desc.Name = t.Name
+			desc.Version = t.Version
+		}
+
+		return
 	}
 
 	return

diff --git a/syft/format/common/cyclonedxhelpers/format.go b/syft/format/common/cyclonedxhelpers/format.go
@@ -114,11 +114,14 @@ func formatCPE(cpeString string) string {
 func toBomDescriptor(name, version string, srcMetadata source.Description) *cyclonedx.Metadata {
 	return &cyclonedx.Metadata{
 		Timestamp: time.Now().Format(time.RFC3339),
-		Tools: &[]cyclonedx.Tool{
-			{
-				Vendor:  "anchore",
-				Name:    name,
-				Version: version,
+		Tools: &cyclonedx.ToolsChoice{
+			Components: &[]cyclonedx.Component{
+				{
+					Type:    cyclonedx.ComponentTypeApplication,
+					Author:  "anchore",
+					Name:    name,
+					Version: version,
+				},
 			},
 		},
 		Properties: toBomProperties(srcMetadata),

diff --git a/syft/format/common/cyclonedxhelpers/format_test.go b/syft/format/common/cyclonedxhelpers/format_test.go
@@ -168,13 +168,14 @@ func Test_toBomDescriptor(t *testing.T) {
 			want: &cyclonedx.Metadata{
 				Timestamp:  "",
 				Lifecycles: nil,
-				Tools: &[]cyclonedx.Tool{
-					{
-						Vendor:             "anchore",
-						Name:               "test-image",
-						Version:            "1.0.0",
-						Hashes:             nil,
-						ExternalReferences: nil,
+				Tools: &cyclonedx.ToolsChoice{
+					Components: &[]cyclonedx.Component{
+						{
+							Type:    cyclonedx.ComponentTypeApplication,
+							Author:  "anchore",
+							Name:    "test-image",
+							Version: "1.0.0",
+						},
 					},
 				},
 				Authors: nil,

diff --git a/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
@@ -6,13 +6,16 @@
   "version": 1,
   "metadata": {
     "timestamp": "timestamp:redacted",
-    "tools": [
-      {
-        "vendor": "anchore",
-        "name": "syft",
-        "version": "v0.42.0-bogus"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "author": "anchore",
+          "name": "syft",
+          "version": "v0.42.0-bogus"
+        }
+      ]
+    },
     "component": {
       "bom-ref":"redacted",
       "type": "file",

diff --git a/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/syft/format/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
@@ -6,13 +6,16 @@
   "version": 1,
   "metadata": {
     "timestamp": "timestamp:redacted",
-    "tools": [
-      {
-        "vendor": "anchore",
-        "name": "syft",
-        "version": "v0.42.0-bogus"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "author": "anchore",
+          "name": "syft",
+          "version": "v0.42.0-bogus"
+        }
+      ]
+    },
     "component": {
       "bom-ref":"redacted",
       "type": "container",

diff --git a/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
@@ -3,11 +3,13 @@
   <metadata>
     <timestamp>redacted</timestamp>
     <tools>
-      <tool>
-        <vendor>anchore</vendor>
-        <name>syft</name>
-        <version>v0.42.0-bogus</version>
-      </tool>
+      <components>
+        <component type="application">
+          <author>anchore</author>
+          <name>syft</name>
+          <version>v0.42.0-bogus</version>
+        </component>
+      </components>
     </tools>
     <component bom-ref="redacted" type="file">
       <name>some/path</name>

diff --git a/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/syft/format/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
@@ -3,11 +3,13 @@
   <metadata>
     <timestamp>redacted</timestamp>
     <tools>
-      <tool>
-        <vendor>anchore</vendor>
-        <name>syft</name>
-        <version>v0.42.0-bogus</version>
-      </tool>
+      <components>
+        <component type="application">
+          <author>anchore</author>
+          <name>syft</name>
+          <version>v0.42.0-bogus</version>
+        </component>
+      </components>
     </tools>
     <component bom-ref="redacted" type="container">
       <name>user-image-input</name>