Fixed evidence identity. Updated test cases

Signed-off-by: Steve Springett <[email protected]>
CycloneDX · Dec 27, 2023 · 55a7aad · 55a7aad
1 parent 335dfab
commit 55a7aad
Show file tree

Hide file tree

Showing 5 changed files with 219 additions and 85 deletions.
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
@@ -1461,8 +1461,8 @@
       "additionalProperties": false,
       "properties": {
         "identity": {
-          "type": "object",
-          "description": "Evidence that substantiates the identity of a component.",
+          "type": ["array", "object"],
+          "description": "Evidence that substantiates the identity of a component. The identify may be an object or an array of identity objects. Support for specifying identify as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all implementations use arrays, even if only one identity object is specified.",
           "required": [ "field" ],
           "additionalProperties": false,
           "properties": {

diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
@@ -2173,9 +2173,12 @@ limitations under the License.
 
     <xs:complexType name="componentEvidenceType">
         <xs:sequence>
-            <xs:element name="identity" minOccurs="0" maxOccurs="1">
+            <xs:element name="identity" minOccurs="0" maxOccurs="unbounded">
                 <xs:annotation>
-                    <xs:documentation>Evidence that substantiates the identity of a component.</xs:documentation>
+                    <xs:documentation>Evidence that substantiates the identity of a component. The identify may be an
+                        object or an array of identity objects. Support for specifying identify as a single object was
+                        introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all
+                        implementations use arrays, even if only one identity object is specified.</xs:documentation>
                 </xs:annotation>
                 <xs:complexType>
                     <xs:sequence>

diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.json b/tools/src/test/resources/1.6/valid-evidence-1.6.json
@@ -105,6 +105,50 @@
           }
         ]
       }
+    },
+    {
+      "type": "application",
+      "group": "com.example",
+      "name": "example-project",
+      "version": "1.0.0",
+      "purl": "pkg:maven/com.example/[email protected]",
+      "evidence": {
+        "identity": [
+          {
+            "field": "group",
+            "confidence": 0.1,
+            "methods": [
+              {
+                "technique": "filename",
+                "confidence": 0.1,
+                "value": "example-project-1.0.0.jar"
+              }
+            ]
+          },
+          {
+            "field": "name",
+            "confidence": 0.1,
+            "methods": [
+              {
+                "technique": "filename",
+                "confidence": 0.1,
+                "value": "example-project-1.0.0.jar"
+              }
+            ]
+          },
+          {
+            "field": "version",
+            "confidence": 0.1,
+            "methods": [
+              {
+                "technique": "filename",
+                "confidence": 0.1,
+                "value": "example-project-1.0.0.jar"
+              }
+            ]
+          }
+        ]
+      }
     }
   ]
 }
diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto
@@ -4,99 +4,145 @@
 spec_version: "1.6"
 version: 1
 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
-components {
-  type: CLASSIFICATION_APPLICATION
-  group: "com.google.code.findbugs"
-  name: "findbugs-project"
-  version: "3.0.0"
-  licenses {
-    license {
-      id: "LGPL-3.0-or-later"
-      url: "https://www.gnu.org/licenses/lgpl-3.0-standalone.html"
+components [
+  {
+    type: CLASSIFICATION_APPLICATION
+    group: "com.google.code.findbugs"
+    name: "findbugs-project"
+    version: "3.0.0"
+    licenses {
+      license {
+        id: "LGPL-3.0-or-later"
+        url: "https://www.gnu.org/licenses/lgpl-3.0-standalone.html"
+      }
     }
-  }
-  purl: "pkg:maven/com.google.code.findbugs/[email protected]"
-  evidence {
-    identity: {
-      field: EVIDENCE_FIELD_PURL,
-      confidence: 1,
-      methods: [
-        {
-          technique: EVIDENCE_TECHNIQUE_FILENAME,
-          confidence: 0.1,
-          value: "findbugs-project-3.0.0.jar"
-        },
+    purl: "pkg:maven/com.google.code.findbugs/[email protected]"
+    evidence {
+      identity: {
+        field: EVIDENCE_FIELD_PURL,
+        confidence: 1,
+        methods: [
+          {
+            technique: EVIDENCE_TECHNIQUE_FILENAME,
+            confidence: 0.1,
+            value: "findbugs-project-3.0.0.jar"
+          },
+          {
+            technique: EVIDENCE_TECHNIQUE_AST_FINGERPRINT
+            confidence: 0.9,
+            value: "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab"
+          },
+          {
+            technique: EVIDENCE_TECHNIQUE_HASH_COMPARISON
+            confidence: 0.7,
+            value: "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf"
+          }
+        ],
+        tools: [
+          "bom-ref-of-tool-that-performed-analysis",
+          "bom-ref-of-tool-that-performed-analysis"
+        ]
+      },
+      occurrences: [
         {
-          technique: EVIDENCE_TECHNIQUE_AST_FINGERPRINT
-          confidence: 0.9,
-          value: "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab"
+          bom_ref: "d6bf237e-4e11-4713-9f62-56d18d5e2079"
+          location: "/path/to/component"
         },
         {
-          technique: EVIDENCE_TECHNIQUE_HASH_COMPARISON
-          confidence: 0.7,
-          value: "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf"
+          bom_ref: "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175"
+          location: "/another/path/to/component"
         }
       ],
-      tools: [
-        "bom-ref-of-tool-that-performed-analysis",
-        "bom-ref-of-tool-that-performed-analysis"
-      ]
-    },
-    occurrences: [
-      {
-        bom_ref: "d6bf237e-4e11-4713-9f62-56d18d5e2079"
-        location: "/path/to/component"
+      callstack: {
+        frames: [
+          {
+            package: "com.apache.logging.log4j.core"
+            module: "Logger.class"
+            function: "logMessage"
+            parameters: [
+              "com.acme.HelloWorld", "Level.INFO", "null", "Hello World"
+            ],
+            line: 150
+            column: 17
+            fullFilename: "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class"
+          },
+          {
+            module: "HelloWorld.class"
+            function: "main"
+            line: 20
+            column: 12
+            fullFilename: "/path/to/HelloWorld.class"
+          }
+        ]
       },
-      {
-        bom_ref: "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175"
-        location: "/another/path/to/component"
+      licenses {
+        license {
+          id: "Apache-2.0"
+          url: "http://www.apache.org/licenses/LICENSE-2.0"
+        }
+      }
+      licenses {
+        license {
+          id: "LGPL-2.1-only"
+          url: "https://opensource.org/licenses/LGPL-2.1"
+        }
+      }
+      copyright {
+        text: "Copyright 2012 Google Inc. All Rights Reserved."
+      }
+      copyright {
+        text: "Copyright (C) 2004,2005 Dave Brosius <[email protected]>"
+      }
+      copyright {
+        text: "Copyright (C) 2005 William Pugh"
+      }
+      copyright {
+        text: "Copyright (C) 2004,2005 University of Maryland"
       }
-    ],
-    callstack: {
-      frames: [
+    }
+  },
+  {
+    type: CLASSIFICATION_APPLICATION
+    group: "com.example"
+    name: "example-project"
+    version: "1.0.0"
+    purl: "pkg:maven/com.example/[email protected]"
+    evidence: {
+      identity: [
+        {
+          field: EVIDENCE_FIELD_GROUP
+          confidence: 0.1
+          methods: [
+            {
+              technique: EVIDENCE_TECHNIQUE_FILENAME
+              confidence: 0.1
+              value: "example-project-1.0.0.jar"
+            }
+          ]
+        },
         {
-          package: "com.apache.logging.log4j.core"
-          module: "Logger.class"
-          function: "logMessage"
-          parameters: [
-            "com.acme.HelloWorld", "Level.INFO", "null", "Hello World"
-          ],
-          line: 150
-          column: 17
-          fullFilename: "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class"
+          field: EVIDENCE_FIELD_NAME
+          confidence: 0.1
+          methods: [
+            {
+              technique: EVIDENCE_TECHNIQUE_FILENAME
+              confidence: 0.1
+              value: "example-project-1.0.0.jar"
+            }
+          ]
         },
         {
-          module: "HelloWorld.class"
-          function: "main"
-          line: 20
-          column: 12
-          fullFilename: "/path/to/HelloWorld.class"
+          field: EVIDENCE_FIELD_VERSION
+          confidence: 0.1
+          methods: [
+            {
+              technique: EVIDENCE_TECHNIQUE_FILENAME
+              confidence: 0.1
+              value: "example-project-1.0.0.jar"
+            }
+          ]
         }
       ]
-    },
-    licenses {
-      license {
-        id: "Apache-2.0"
-        url: "http://www.apache.org/licenses/LICENSE-2.0"
-      }
-    }
-    licenses {
-      license {
-        id: "LGPL-2.1-only"
-        url: "https://opensource.org/licenses/LGPL-2.1"
-      }
-    }
-    copyright {
-      text: "Copyright 2012 Google Inc. All Rights Reserved."
-    }
-    copyright {
-      text: "Copyright (C) 2004,2005 Dave Brosius <[email protected]>"
-    }
-    copyright {
-      text: "Copyright (C) 2005 William Pugh"
-    }
-    copyright {
-      text: "Copyright (C) 2004,2005 University of Maryland"
     }
   }
-}
+]
diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.xml b/tools/src/test/resources/1.6/valid-evidence-1.6.xml
@@ -88,5 +88,46 @@
                 </copyright>
             </evidence>
         </component>
+        <component type="application">
+            <group>com.example</group>
+            <name>example-project</name>
+            <version>1.0.0</version>
+            <purl>pkg:maven/com.example/[email protected]</purl>
+            <evidence>
+                <identity>
+                    <field>group</field>
+                    <confidence>0.1</confidence>
+                    <methods>
+                        <method>
+                            <technique>filename</technique>
+                            <confidence>0.1</confidence>
+                            <value>example-project-1.0.0.jar</value>
+                        </method>
+                    </methods>
+                </identity>
+                <identity>
+                    <field>name</field>
+                    <confidence>0.1</confidence>
+                    <methods>
+                        <method>
+                            <technique>filename</technique>
+                            <confidence>0.1</confidence>
+                            <value>example-project-1.0.0.jar</value>
+                        </method>
+                    </methods>
+                </identity>
+                <identity>
+                    <field>version</field>
+                    <confidence>0.1</confidence>
+                    <methods>
+                        <method>
+                            <technique>filename</technique>
+                            <confidence>0.1</confidence>
+                            <value>example-project-1.0.0.jar</value>
+                        </method>
+                    </methods>
+                </identity>
+            </evidence>
+        </component>
     </components>
 </bom>