Use SBOM descriptor version (#1011)

* Use SBOM descriptor version Signed-off-by: Jonas Xavier <[email protected]> * Update tests Signed-off-by: Jonas Xavier <[email protected]> * CycloneDX extract tools metadata in decoding stage Signed-off-by: Jonas Xavier <[email protected]> * add descriptor to spdx tag-value test Signed-off-by: Jonas Xavier <[email protected]> * remove comment Signed-off-by: Jonas Xavier <[email protected]>
anchore · May 25, 2022 · 7cb8e1f · 7cb8e1f
1 parent c990f42
commit 7cb8e1f
Show file tree

Hide file tree

Showing 19 changed files with 88 additions and 69 deletions.
diff --git a/internal/formats/common/cyclonedxhelpers/decoder.go b/internal/formats/common/cyclonedxhelpers/decoder.go
@@ -45,17 +45,17 @@ func GetDecoder(format cyclonedx.BOMFileFormat) sbom.Decoder {
 }
 
 func toSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) {
-	meta := source.Metadata{}
-	if bom.Metadata != nil && bom.Metadata.Component != nil {
-		meta = decodeMetadata(bom.Metadata.Component)
+	if bom == nil {
+		return nil, fmt.Errorf("no content defined in CycloneDX BOM")
 	}
+
 	s := &sbom.SBOM{
 		Artifacts: sbom.Artifacts{
 			PackageCatalog:    pkg.NewCatalog(),
 			LinuxDistribution: linuxReleaseFromComponents(*bom.Components),
 		},
-		Source: meta,
-		//Descriptor:    sbom.Descriptor{},
+		Source:     extractComponents(bom.Metadata),
+		Descriptor: extractDescriptor(bom.Metadata),
 	}
 
 	idMap := make(map[string]interface{})
@@ -205,27 +205,45 @@ func collectRelationships(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]int
 	}
 }
 
-func decodeMetadata(component *cyclonedx.Component) source.Metadata {
-	switch component.Type {
+func extractComponents(meta *cyclonedx.Metadata) source.Metadata {
+	if meta == nil || meta.Component == nil {
+		return source.Metadata{}
+	}
+	c := meta.Component
+
+	image := source.ImageMetadata{
+		UserInput:      c.Name,
+		ID:             c.BOMRef,
+		ManifestDigest: c.Version,
+	}
+
+	switch c.Type {
 	case cyclonedx.ComponentTypeContainer:
 		return source.Metadata{
-			Scheme: source.ImageScheme,
-			ImageMetadata: source.ImageMetadata{
-				UserInput:      component.Name,
-				ID:             component.BOMRef,
-				ManifestDigest: component.Version,
-			},
+			Scheme:        source.ImageScheme,
+			ImageMetadata: image,
 		}
 	case cyclonedx.ComponentTypeFile:
 		return source.Metadata{
-			Scheme: source.FileScheme, // or source.DirectoryScheme
-			Path:   component.Name,
-			ImageMetadata: source.ImageMetadata{
-				UserInput:      component.Name,
-				ID:             component.BOMRef,
-				ManifestDigest: component.Version,
-			},
+			Scheme:        source.FileScheme, // or source.DirectoryScheme
+			Path:          c.Name,
+			ImageMetadata: image,
 		}
 	}
 	return source.Metadata{}
 }
+
+// if there is more than one tool in meta.Tools' list the last item will be used
+// as descriptor. If there is a way to know which tool to use here please fix it.
+func extractDescriptor(meta *cyclonedx.Metadata) (desc sbom.Descriptor) {
+	if meta == nil || meta.Tools == nil {
+		return
+	}
+
+	for _, t := range *meta.Tools {
+		desc.Name = t.Name
+		desc.Version = t.Version
+	}
+
+	return
+}
diff --git a/internal/formats/common/cyclonedxhelpers/format.go b/internal/formats/common/cyclonedxhelpers/format.go
@@ -8,7 +8,6 @@ import (
 
 	"github.com/anchore/syft/internal"
 	"github.com/anchore/syft/internal/log"
-	"github.com/anchore/syft/internal/version"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/linux"
 	"github.com/anchore/syft/syft/sbom"
@@ -17,13 +16,12 @@ import (
 
 func ToFormatModel(s sbom.SBOM) *cyclonedx.BOM {
 	cdxBOM := cyclonedx.NewBOM()
-	versionInfo := version.FromBuild()
 
 	// NOTE(jonasagx): cycloneDX requires URN uuids (URN returns the RFC 2141 URN form of uuid):
 	// https://github.com/CycloneDX/specification/blob/master/schema/bom-1.3-strict.schema.json#L36
 	// "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
 	cdxBOM.SerialNumber = uuid.New().URN()
-	cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, versionInfo.Version, s.Source)
+	cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, s.Descriptor.Version, s.Source)
 
 	packages := s.Artifacts.PackageCatalog.Sorted()
 	components := make([]cyclonedx.Component, len(packages))

diff --git a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
@@ -1,15 +1,15 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
-  "serialNumber": "urn:uuid:dec3f6b4-8458-48bb-b60d-dfd312f6ec4e",
+  "serialNumber": "urn:uuid:3ea3363f-3945-4859-9ba1-9a395983d248",
   "version": 1,
   "metadata": {
-    "timestamp": "2022-04-01T11:48:04-04:00",
+    "timestamp": "2022-05-23T12:05:00-07:00",
     "tools": [
       {
         "vendor": "anchore",
         "name": "syft",
-        "version": "[not provided]"
+        "version": "v0.42.0-bogus"
       }
     ],
     "component": {

diff --git a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
@@ -1,19 +1,19 @@
 {
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
-  "serialNumber": "urn:uuid:054d973e-fe99-4762-92e4-eaf01997ae41",
+  "serialNumber": "urn:uuid:c825402b-bbfa-4ad5-81b1-6a8332a6a8b6",
   "version": 1,
   "metadata": {
-    "timestamp": "2022-04-01T11:48:04-04:00",
+    "timestamp": "2022-05-23T12:05:01-07:00",
     "tools": [
       {
         "vendor": "anchore",
         "name": "syft",
-        "version": "[not provided]"
+        "version": "v0.42.0-bogus"
       }
     ],
     "component": {
-      "bom-ref": "e777314b02b362e4",
+      "bom-ref": "e779c1ed804ba529",
       "type": "container",
       "name": "user-image-input",
       "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368"
@@ -53,7 +53,7 @@
         },
         {
           "name": "syft:location:0:layerID",
-          "value": "sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59"
+          "value": "sha256:cd8f3884f1211d65c19ce5bbc5174bcd2ce8ba96b63e5b3693969a53279c4405"
         },
         {
           "name": "syft:location:0:path",
@@ -83,7 +83,7 @@
         },
         {
           "name": "syft:location:0:layerID",
-          "value": "sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec"
+          "value": "sha256:42d2ea51c688e6dc7be81a305acbe006d27a6ef0c26ae3888fd0d4ce44f69265"
         },
         {
           "name": "syft:location:0:path",

diff --git a/...rnal/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/...rnal/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
diff --git a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden
@@ -1,12 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:554fd820-210b-40c8-8c0b-75690274e21c" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:a259c072-aaaf-4a3f-a707-49f691b1e9d9" version="1">
   <metadata>
-    <timestamp>2022-04-01T11:57:46-04:00</timestamp>
+    <timestamp>2022-05-23T12:02:41-07:00</timestamp>
     <tools>
       <tool>
         <vendor>anchore</vendor>
         <name>syft</name>
-        <version>[not provided]</version>
+        <version>v0.42.0-bogus</version>
       </tool>
     </tools>
     <component bom-ref="163686ac6e30c752" type="file">

diff --git a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden
@@ -1,15 +1,15 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:1535f940-172f-4d97-8280-d5a5764d1557" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:155802bd-09e5-4b95-9485-826b94447495" version="1">
   <metadata>
-    <timestamp>2022-04-01T11:57:46-04:00</timestamp>
+    <timestamp>2022-05-23T12:02:42-07:00</timestamp>
     <tools>
       <tool>
         <vendor>anchore</vendor>
         <name>syft</name>
-        <version>[not provided]</version>
+        <version>v0.42.0-bogus</version>
       </tool>
     </tools>
-    <component bom-ref="e777314b02b362e4" type="container">
+    <component bom-ref="e779c1ed804ba529" type="container">
       <name>user-image-input</name>
       <version>sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368</version>
     </component>
@@ -30,7 +30,7 @@
         <property name="syft:package:language">python</property>
         <property name="syft:package:metadataType">PythonPackageMetadata</property>
         <property name="syft:package:type">python</property>
-        <property name="syft:location:0:layerID">sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59</property>
+        <property name="syft:location:0:layerID">sha256:cd8f3884f1211d65c19ce5bbc5174bcd2ce8ba96b63e5b3693969a53279c4405</property>
         <property name="syft:location:0:path">/somefile-1.txt</property>
       </properties>
     </component>
@@ -43,7 +43,7 @@
         <property name="syft:package:foundBy">the-cataloger-2</property>
         <property name="syft:package:metadataType">DpkgMetadata</property>
         <property name="syft:package:type">deb</property>
-        <property name="syft:location:0:layerID">sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec</property>
+        <property name="syft:location:0:layerID">sha256:42d2ea51c688e6dc7be81a305acbe006d27a6ef0c26ae3888fd0d4ce44f69265</property>
         <property name="syft:location:0:path">/somefile-2.txt</property>
         <property name="syft:metadata:installedSize">0</property>
       </properties>

diff --git a/internal/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/internal/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
diff --git a/internal/formats/github/encoder.go b/internal/formats/github/encoder.go
@@ -10,7 +10,6 @@ import (
 	"github.com/anchore/packageurl-go"
 	"github.com/anchore/syft/internal"
 	"github.com/anchore/syft/internal/log"
-	"github.com/anchore/syft/internal/version"
 	"github.com/anchore/syft/syft/pkg"
 	"github.com/anchore/syft/syft/sbom"
 	"github.com/anchore/syft/syft/source"
@@ -19,8 +18,8 @@ import (
 // toGithubModel converts the provided SBOM to a GitHub dependency model
 func toGithubModel(s *sbom.SBOM) DependencySnapshot {
 	scanTime := time.Now().Format(time.RFC3339) // TODO is there a record of this somewhere?
-	v := version.FromBuild().Version
-	if v == "[not provided]" {
+	v := s.Descriptor.Version
+	if v == "[not provided]" || v == "" {
 		v = "0.0.0-dev"
 	}
 	return DependencySnapshot{

diff --git a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden
@@ -3,15 +3,15 @@
  "name": "/some/path",
  "spdxVersion": "SPDX-2.2",
  "creationInfo": {
-  "created": "2022-04-01T15:48:39.459232Z",
+  "created": "2022-05-23T19:10:22.25645Z",
   "creators": [
    "Organization: Anchore, Inc",
-   "Tool: syft-[not provided]"
+   "Tool: syft-v0.42.0-bogus"
   ],
-  "licenseListVersion": "3.16"
+  "licenseListVersion": "3.17"
  },
  "dataLicense": "CC0-1.0",
- "documentNamespace": "https://anchore.com/syft/dir/some/path-8d335d81-29c9-4236-84f1-2292ea92aaf5",
+ "documentNamespace": "https://anchore.com/syft/dir/some/path-81dbcbfa-251d-4ad5-9b01-be91afb16469",
  "packages": [
   {
    "SPDXID": "SPDXRef-b85dbb4e6ece5082",

diff --git a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden
@@ -3,15 +3,15 @@
  "name": "user-image-input",
  "spdxVersion": "SPDX-2.2",
  "creationInfo": {
-  "created": "2022-04-01T15:48:39.465643Z",
+  "created": "2022-05-23T19:10:22.412847Z",
   "creators": [
    "Organization: Anchore, Inc",
-   "Tool: syft-[not provided]"
+   "Tool: syft-v0.42.0-bogus"
   ],
-  "licenseListVersion": "3.16"
+  "licenseListVersion": "3.17"
  },
  "dataLicense": "CC0-1.0",
- "documentNamespace": "https://anchore.com/syft/image/user-image-input-e64e0be8-5031-4eec-842d-e59fb6deb518",
+ "documentNamespace": "https://anchore.com/syft/image/user-image-input-c9945597-78ce-4e9b-89d2-68b8e4e4ccb9",
  "packages": [
   {
    "SPDXID": "SPDXRef-2a46171f91c8d4bc",

diff --git a/internal/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/internal/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
diff --git a/internal/formats/spdx22json/to_format_model.go b/internal/formats/spdx22json/to_format_model.go
@@ -11,7 +11,6 @@ import (
 	"github.com/anchore/syft/internal/formats/spdx22json/model"
 	"github.com/anchore/syft/internal/log"
 	"github.com/anchore/syft/internal/spdxlicense"
-	"github.com/anchore/syft/internal/version"
 	"github.com/anchore/syft/syft/artifact"
 	"github.com/anchore/syft/syft/file"
 	"github.com/anchore/syft/syft/pkg"
@@ -34,7 +33,7 @@ func toFormatModel(s sbom.SBOM) *model.Document {
 			Creators: []string{
 				// note: key-value format derived from the JSON example document examples: https://github.com/spdx/spdx-spec/blob/v2.2/examples/SPDXJSONExample-v2.2.spdx.json
 				"Organization: Anchore, Inc",
-				"Tool: " + internal.ApplicationName + "-" + version.FromBuild().Version,
+				"Tool: " + internal.ApplicationName + "-" + s.Descriptor.Version,
 			},
 			LicenseListVersion: spdxlicense.Version,
 		},

diff --git a/internal/formats/spdx22tagvalue/encoder_test.go b/internal/formats/spdx22tagvalue/encoder_test.go
@@ -53,7 +53,13 @@ func TestSPDXJSONSPDXIDs(t *testing.T) {
 			Source: source.Metadata{
 				Scheme: source.DirectoryScheme,
 			},
-			Descriptor: sbom.Descriptor{},
+			Descriptor: sbom.Descriptor{
+				Name:    "syft",
+				Version: "v0.42.0-bogus",
+				Configuration: map[string]string{
+					"config-key": "config-value",
+				},
+			},
 		},
 		true,
 		spdxTagValueRedactor,

diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden
@@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: .
-DocumentNamespace: https://anchore.com/syft/dir/8fbb3714-785d-4e3e-95cf-44a258bc65b0
-LicenseListVersion: 3.16
+DocumentNamespace: https://anchore.com/syft/dir/422d92b9-57e8-44ee-8039-f75c1d19be87
+LicenseListVersion: 3.17
 Creator: Organization: Anchore, Inc
-Creator: Tool: syft-[not provided]
-Created: 2022-05-02T15:27:05Z
+Creator: Tool: syft-v0.42.0-bogus
+Created: 2022-05-24T22:52:02Z
 
 ##### Package: @at-sign
 

diff --git a/...nal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/...nal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden
@@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: /some/path
-DocumentNamespace: https://anchore.com/syft/dir/some/path-d227b0f2-4ee8-4e10-ac43-019db86d16ff
-LicenseListVersion: 3.16
+DocumentNamespace: https://anchore.com/syft/dir/some/path-c6b20d03-1478-4513-9feb-1ec427d4b547
+LicenseListVersion: 3.17
 Creator: Organization: Anchore, Inc
-Creator: Tool: syft-[not provided]
-Created: 2022-04-01T15:48:44Z
+Creator: Tool: syft-v0.42.0-bogus
+Created: 2022-05-24T22:51:02Z
 
 ##### Package: package-2
 

diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden
@@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2
 DataLicense: CC0-1.0
 SPDXID: SPDXRef-DOCUMENT
 DocumentName: user-image-input
-DocumentNamespace: https://anchore.com/syft/image/user-image-input-49f98c61-3418-4427-9e00-8b1c735e9799
-LicenseListVersion: 3.16
+DocumentNamespace: https://anchore.com/syft/image/user-image-input-12a877bc-fe9b-40ef-aa9c-4d34f108d0d6
+LicenseListVersion: 3.17
 Creator: Organization: Anchore, Inc
-Creator: Tool: syft-[not provided]
-Created: 2022-04-01T15:48:44Z
+Creator: Tool: syft-v0.42.0-bogus
+Created: 2022-05-24T22:51:02Z
 
 ##### Package: package-2
 

diff --git a/...nal/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/...nal/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden
diff --git a/internal/formats/spdx22tagvalue/to_format_model.go b/internal/formats/spdx22tagvalue/to_format_model.go
@@ -9,7 +9,6 @@ import (
 	"github.com/anchore/syft/internal"
 	"github.com/anchore/syft/internal/formats/common/spdxhelpers"
 	"github.com/anchore/syft/internal/spdxlicense"
-	"github.com/anchore/syft/internal/version"
 	"github.com/anchore/syft/syft/pkg"
 	"github.com/spdx/tools-golang/spdx"
 )
@@ -69,7 +68,7 @@ func toFormatModel(s sbom.SBOM) *spdx.Document2_2 {
 			// Cardinality: mandatory, one or many
 			CreatorPersons:       nil,
 			CreatorOrganizations: []string{"Anchore, Inc"},
-			CreatorTools:         []string{internal.ApplicationName + "-" + version.FromBuild().Version},
+			CreatorTools:         []string{internal.ApplicationName + "-" + s.Descriptor.Version},
 
 			// 2.9: Created: data format YYYY-MM-DDThh:mm:ssZ
 			// Cardinality: mandatory, one