Merge pull request #320 from andreas-hilti/cdx1.6_workaround

workaround for incorrect Protobuf Tools serialization

src/CycloneDX.Core/BomUtils.cs

@@ -282,6 +282,12 @@ public static Bom Copy(this Bom bom)
         {
             var protoBom = Protobuf.Serializer.SerializeForDeepCopy(bom);
             var bomCopy = Protobuf.Serializer.Deserialize(protoBom);
+            // workaround for the incorrect Protobuf serialization of Tools
+            if (bom?.Metadata?.Tools?.Tools?.Count > 0 || bom?.Metadata?.Tools?.Components?.Count > 0 || bom?.Metadata?.Tools?.Services?.Count > 0)
+            {
+                var serializedTools = Json.Serializer.Serialize(bom.Metadata.Tools);
+                bomCopy.Metadata.Tools = Json.Serializer.DeserializeToolChoices(serializedTools);
+            }
             return bomCopy;
         }
 

src/CycloneDX.Core/Json/Serializer.Deserialization.cs

@@ -47,5 +47,11 @@ public static Bom Deserialize(string jsonString)
             Contract.Requires(!string.IsNullOrEmpty(jsonString));
             return JsonSerializer.Deserialize<Bom>(jsonString, _options);
         }
+
+        public static ToolChoices DeserializeToolChoices(string jsonString)
+        {
+            Contract.Requires(!string.IsNullOrEmpty(jsonString));
+            return JsonSerializer.Deserialize<ToolChoices>(jsonString, _options);
+        }
     }
 }

src/CycloneDX.Core/Json/Serializer.Serialization.cs

@@ -84,6 +84,12 @@ internal static string Serialize(Tool tool)
         }
         #pragma warning restore 618
 
+        internal static string Serialize(ToolChoices toolChoices)
+        {
+            Contract.Requires(toolChoices != null);
+            return JsonSerializer.Serialize(toolChoices, _options);
+        }
+
         internal static string Serialize(Models.Vulnerabilities.Vulnerability vulnerability)
         {
             Contract.Requires(vulnerability != null);

src/CycloneDX.Core/Models/ToolChoices.cs

@@ -33,12 +33,12 @@ public class ToolChoices : IXmlSerializable
         public List<Tool> Tools { get; set; }
         #pragma warning restore 618
 
-        [ProtoMember(2)]
+        [ProtoMember(6)]
         public List<Component> Components { get; set; }
 
         public bool ShouldSerializeComponents() => Components?.Count > 0;
 
-        [ProtoMember(3)]
+        [ProtoMember(7)]
         public List<Service> Services { get; set; }
 
         public bool ShouldSerializeServices() => Services?.Count > 0;

tests/CycloneDX.Core.Tests/Json/v1.5/__snapshots__/SerializationTests.JsonRoundTripAsyncTest_valid-metadata-tool-1.5.json.snap

@@ -42,6 +42,5 @@
         }
       ]
     }
-  },
-  "components": []
+  }
 }

tests/CycloneDX.Core.Tests/Json/v1.5/__snapshots__/SerializationTests.JsonRoundTripTest_valid-metadata-tool-1.5.json.snap

@@ -42,6 +42,5 @@
         }
       ]
     }
-  },
-  "components": []
+  }
 }

tests/CycloneDX.Core.Tests/Protobuf/v1.5/__snapshots__/ValidationTests.ValidProtobufTest_valid-vulnerability-1.5.json.snap

@@ -70,8 +70,23 @@ vulnerabilities {
     }
   }
   tools {
-    name: "\010\001:\004SnykB\020Snyk CLI (Linux)J\0071.729.0bD\010\003\022@2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d"
-    version: "\022\n\n\010Acme Inc\"\021Acme BOM Analyzer:\033https://example.com/analyze"
+    components {
+      type: CLASSIFICATION_APPLICATION
+      group: "Snyk"
+      name: "Snyk CLI (Linux)"
+      version: "1.729.0"
+      hashes {
+        alg: HASH_ALG_SHA_256
+        value: "2eaf8c62831a1658c95d41fdc683cd177c147733c64a93e59cb2362829e45b7d"
+      }
+    }
+    services {
+      provider {
+        name: "Acme Inc"
+      }
+      name: "Acme BOM Analyzer"
+      endpoints: "https://example.com/analyze"
+    }
   }
   analysis {
     state: IMPACT_ANALYSIS_STATE_NOT_AFFECTED