diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json index c9ab597d..fde826bd 100644 --- a/schema/bom-1.6.schema.json +++ b/schema/bom-1.6.schema.json @@ -1461,8 +1461,8 @@ "additionalProperties": false, "properties": { "identity": { - "type": "object", - "description": "Evidence that substantiates the identity of a component.", + "type": ["array", "object"], + "description": "Evidence that substantiates the identity of a component. The identify may be an object or an array of identity objects. Support for specifying identify as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all implementations use arrays, even if only one identity object is specified.", "required": [ "field" ], "additionalProperties": false, "properties": { diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd index 5e218c47..b6e10d9d 100644 --- a/schema/bom-1.6.xsd +++ b/schema/bom-1.6.xsd @@ -2173,9 +2173,12 @@ limitations under the License. - + - Evidence that substantiates the identity of a component. + Evidence that substantiates the identity of a component. The identify may be an + object or an array of identity objects. Support for specifying identify as a single object was + introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all + implementations use arrays, even if only one identity object is specified. diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.json b/tools/src/test/resources/1.6/valid-evidence-1.6.json index 2d6187dc..b4e0e71f 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.json +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.json 
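Review bot: Widening `"type"` to `["array", "object"]` without an `items` subschema leaves the new array form effectively unvalidated: `required`, `additionalProperties` and `properties` (the lines kept below the change) only constrain an instance when it is an object, so an `identity` array whose elements lack `field` or carry unknown keys would pass validation unless `items` is added outside this hunk. Since this schema gates what a consumer trusts as identity evidence, the element shape should be enforced in both forms; one way is to move the existing object schema into a definition and express the two shapes with `oneOf`, as sketched below (definition name is my choice). The new description also misspells the field twice, `The identify may be an` and `specifying identify as a single object`, which should read `identity` in both places.

```json
"identity": {
  "oneOf": [
    { "$ref": "#/definitions/componentIdentityEvidence" },
    { "type": "array", "items": { "$ref": "#/definitions/componentIdentityEvidence" } }
  ],
  "description": "Evidence that substantiates the identity of a component. The identity may be an object or an array of identity objects. Support for specifying identity as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all implementations use arrays, even if only one identity object is specified."
}
```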
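Review bot: The same typo is carried into the XSD documentation: `The identify may be an` and `specifying identify as a single object` should read `identity` in both added lines. The changed element declaration itself is not readable in this copy of the patch (its markup was stripped), so I cannot confirm whether the change is `maxOccurs="unbounded"`; if it is, the "object or an array" wording is a JSON concept that does not map to XML, and the annotation would be clearer as "`identity` may be repeated; multiple elements were introduced in CycloneDX v1.6". Whatever the cardinality change is, it must stay in lockstep with the JSON schema so the two formats accept the same documents.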
@@ -105,6 +105,50 @@
 }
 ]
 }
+ },
+ {
+ "type": "application",
+ "group": "com.example",
+ "name": "example-project",
+ "version": "1.0.0",
+ "purl": "pkg:maven/com.example/example-project@1.0.0",
+ "evidence": {
+ "identity": [
+ {
+ "field": "group",
+ "confidence": 0.1,
+ "methods": [
+ {
+ "technique": "filename",
+ "confidence": 0.1,
+ "value": "example-project-1.0.0.jar"
+ }
+ ]
+ },
+ {
+ "field": "name",
+ "confidence": 0.1,
+ "methods": [
+ {
+ "technique": "filename",
+ "confidence": 0.1,
+ "value": "example-project-1.0.0.jar"
+ }
+ ]
+ },
+ {
+ "field": "version",
+ "confidence": 0.1,
+ "methods": [
+ {
+ "technique": "filename",
+ "confidence": 0.1,
+ "value": "example-project-1.0.0.jar"
+ }
+ ]
+ }
+ ]
+ }
 }
 ]
 }
diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto
index d9bcf194..c0704d7f 100644
--- a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto
+++ b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto
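Review bot: This fixture only demonstrates that a well-formed `identity` array is accepted, so it cannot catch the schema accepting malformed array elements; it should be paired with a negative fixture (for example `invalid-evidence-identity-1.6.json`) whose array contains an element without `field`, and one with an unknown property, that the test suite asserts fails validation. The three entries are otherwise reasonable: `filename` is input an attacker controls, so recording it at `"confidence": 0.1` for `group`, `name` and `version` is the right signal for consumers.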
@@ -4,99 +4,145 @@ spec_version: "1.6" version: 1 serial_number: "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" -components { - type: CLASSIFICATION_APPLICATION - group: "com.google.code.findbugs" - name: "findbugs-project" - version: "3.0.0" - licenses { - license { - id: "LGPL-3.0-or-later" - url: "https://www.gnu.org/licenses/lgpl-3.0-standalone.html" +components [ + { + type: CLASSIFICATION_APPLICATION + group: "com.google.code.findbugs" + name: "findbugs-project" + version: "3.0.0" + licenses { + license { + id: "LGPL-3.0-or-later" + url: "https://www.gnu.org/licenses/lgpl-3.0-standalone.html" + } } - } - purl: "pkg:maven/com.google.code.findbugs/findbugs-project@3.0.0" - evidence { - identity: { - field: EVIDENCE_FIELD_PURL, - confidence: 1, - methods: [ - { - technique: EVIDENCE_TECHNIQUE_FILENAME, - confidence: 0.1, - value: "findbugs-project-3.0.0.jar" - }, + purl: "pkg:maven/com.google.code.findbugs/findbugs-project@3.0.0" + evidence { + identity: { + field: EVIDENCE_FIELD_PURL, + confidence: 1, + methods: [ + { + technique: EVIDENCE_TECHNIQUE_FILENAME, + confidence: 0.1, + value: "findbugs-project-3.0.0.jar" + }, + { + technique: EVIDENCE_TECHNIQUE_AST_FINGERPRINT + confidence: 0.9, + value: "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab" + }, + { + technique: EVIDENCE_TECHNIQUE_HASH_COMPARISON + confidence: 0.7, + value: "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf" + } + ], + tools: [ + "bom-ref-of-tool-that-performed-analysis", + "bom-ref-of-tool-that-performed-analysis" + ] + }, + occurrences: [ { - technique: EVIDENCE_TECHNIQUE_AST_FINGERPRINT - confidence: 0.9, - value: "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab" + bom_ref: "d6bf237e-4e11-4713-9f62-56d18d5e2079" + location: "/path/to/component" }, { - technique: EVIDENCE_TECHNIQUE_HASH_COMPARISON - confidence: 0.7, - value: "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf" + bom_ref: 
"b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175" + location: "/another/path/to/component" } ], - tools: [ - "bom-ref-of-tool-that-performed-analysis", - "bom-ref-of-tool-that-performed-analysis" - ] - }, - occurrences: [ - { - bom_ref: "d6bf237e-4e11-4713-9f62-56d18d5e2079" - location: "/path/to/component" + callstack: { + frames: [ + { + package: "com.apache.logging.log4j.core" + module: "Logger.class" + function: "logMessage" + parameters: [ + "com.acme.HelloWorld", "Level.INFO", "null", "Hello World" + ], + line: 150 + column: 17 + fullFilename: "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class" + }, + { + module: "HelloWorld.class" + function: "main" + line: 20 + column: 12 + fullFilename: "/path/to/HelloWorld.class" + } + ] }, - { - bom_ref: "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175" - location: "/another/path/to/component" + licenses { + license { + id: "Apache-2.0" + url: "http://www.apache.org/licenses/LICENSE-2.0" + } + } + licenses { + license { + id: "LGPL-2.1-only" + url: "https://opensource.org/licenses/LGPL-2.1" + } + } + copyright { + text: "Copyright 2012 Google Inc. All Rights Reserved." 
+ } + copyright { + text: "Copyright (C) 2004,2005 Dave Brosius " + } + copyright { + text: "Copyright (C) 2005 William Pugh" + } + copyright { + text: "Copyright (C) 2004,2005 University of Maryland" } - ], - callstack: { - frames: [ + } + }, + { + type: CLASSIFICATION_APPLICATION + group: "com.example" + name: "example-project" + version: "1.0.0" + purl: "pkg:maven/com.example/example-project@1.0.0" + evidence: { + identity: [ + { + field: EVIDENCE_FIELD_GROUP + confidence: 0.1 + methods: [ + { + technique: EVIDENCE_TECHNIQUE_FILENAME + confidence: 0.1 + value: "example-project-1.0.0.jar" + } + ] + }, { - package: "com.apache.logging.log4j.core" - module: "Logger.class" - function: "logMessage" - parameters: [ - "com.acme.HelloWorld", "Level.INFO", "null", "Hello World" - ], - line: 150 - column: 17 - fullFilename: "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class" + field: EVIDENCE_FIELD_NAME + confidence: 0.1 + methods: [ + { + technique: EVIDENCE_TECHNIQUE_FILENAME + confidence: 0.1 + value: "example-project-1.0.0.jar" + } + ] }, { - module: "HelloWorld.class" - function: "main" - line: 20 - column: 12 - fullFilename: "/path/to/HelloWorld.class" + field: EVIDENCE_FIELD_VERSION + confidence: 0.1 + methods: [ + { + technique: EVIDENCE_TECHNIQUE_FILENAME + confidence: 0.1 + value: "example-project-1.0.0.jar" + } + ] } ] - }, - licenses { - license { - id: "Apache-2.0" - url: "http://www.apache.org/licenses/LICENSE-2.0" - } - } - licenses { - license { - id: "LGPL-2.1-only" - url: "https://opensource.org/licenses/LGPL-2.1" - } - } - copyright { - text: "Copyright 2012 Google Inc. All Rights Reserved." - } - copyright { - text: "Copyright (C) 2004,2005 Dave Brosius " - } - copyright { - text: "Copyright (C) 2005 William Pugh" - } - copyright { - text: "Copyright (C) 2004,2005 University of Maryland" } } -} +] 
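Review bot: Wrapping the existing component in `components [ ... ]` re-indents the entire first entry, turning a ~40-line addition into a rewrite of the whole fixture; in text format the list syntax is optional for repeated fields, so keeping two `components { ... }` blocks would have produced a reviewable diff. The second component uses `identity: [ ... ]`, which only parses if `identity` is declared `repeated` in the `.proto`; that change is not part of this diff, so either it lives in another commit or this fixture will fail to load. The first component still uses the single-message form `identity: {`, which is fine for a repeated field, though given the new RECOMMENDED guidance the fixture could show the list form consistently.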
diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.xml b/tools/src/test/resources/1.6/valid-evidence-1.6.xml index 6efdda27..336d96c3 100644 --- a/tools/src/test/resources/1.6/valid-evidence-1.6.xml +++ b/tools/src/test/resources/1.6/valid-evidence-1.6.xml @@ -88,5 +88,46 @@ + + com.example + example-project + 1.0.0 + pkg:maven/com.example/example-project@1.0.0 + + + group + 0.1 + + + filename + 0.1 + example-project-1.0.0.jar + + + + + name + 0.1 + + + filename + 0.1 + example-project-1.0.0.jar + + + + + version + 0.1 + + + filename + 0.1 + example-project-1.0.0.jar + + + + +