diff --git a/internal/formats/common/cyclonedxhelpers/decoder.go b/internal/formats/common/cyclonedxhelpers/decoder.go
index 139cf06ee642..27215aa22ac7 100644
--- a/internal/formats/common/cyclonedxhelpers/decoder.go
+++ b/internal/formats/common/cyclonedxhelpers/decoder.go
@@ -45,17 +45,17 @@ func GetDecoder(format cyclonedx.BOMFileFormat) sbom.Decoder {
 }
 
 func toSyftModel(bom *cyclonedx.BOM) (*sbom.SBOM, error) {
- meta := source.Metadata{}
- if bom.Metadata != nil && bom.Metadata.Component != nil {
- meta = decodeMetadata(bom.Metadata.Component)
+ if bom == nil {
+ return nil, fmt.Errorf("no content defined in CycloneDX BOM")
 }
+
 s := &sbom.SBOM{
 Artifacts: sbom.Artifacts{
 PackageCatalog: pkg.NewCatalog(),
 LinuxDistribution: linuxReleaseFromComponents(*bom.Components),
 },
- Source: meta,
- //Descriptor: sbom.Descriptor{},
+ Source: extractComponents(bom.Metadata),
+ Descriptor: extractDescriptor(bom.Metadata),
 }
 
 idMap := make(map[string]interface{})
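Review bot: The new `if bom == nil` guard does not cover `bom.Components`, which the unchanged `LinuxDistribution: linuxReleaseFromComponents(*bom.Components)` line dereferences a few lines later; since that field is a pointer (the `*` deref shows it), a decoded document that leaves it nil — which I would expect for a BOM with no components array, though that depends on the cyclonedx-go decoder — turns a decoder of externally supplied SBOM files into a nil-pointer panic instead of a returned error. Decoding untrusted input should fail closed with an error, not crash the process, so the components pointer deserves the same treatment as the BOM itself. The rest of toSyftModel continues outside this hunk, so any later `*bom.X` dereferences there would need the same review.
```go
	if bom == nil {
		return nil, fmt.Errorf("no content defined in CycloneDX BOM")
	}
	// a document without a components array is still usable input; never
	// dereference the pointer unchecked
	var components []cyclonedx.Component
	if bom.Components != nil {
		components = *bom.Components
	}
	// … unchanged: SBOM construction, with LinuxDistribution: linuxReleaseFromComponents(components) …
```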
@@ -205,27 +205,45 @@ func collectRelationships(bom *cyclonedx.BOM, s *sbom.SBOM, idMap map[string]int
 }
 }
 
-func decodeMetadata(component *cyclonedx.Component) source.Metadata {
- switch component.Type {
+func extractComponents(meta *cyclonedx.Metadata) source.Metadata {
+ if meta == nil || meta.Component == nil {
+ return source.Metadata{}
+ }
+ c := meta.Component
+
+ image := source.ImageMetadata{
+ UserInput: c.Name,
+ ID: c.BOMRef,
+ ManifestDigest: c.Version,
+ }
+
+ switch c.Type {
 case cyclonedx.ComponentTypeContainer:
 return source.Metadata{
- Scheme: source.ImageScheme,
- ImageMetadata: source.ImageMetadata{
- UserInput: component.Name,
- ID: component.BOMRef,
- ManifestDigest: component.Version,
- },
+ Scheme: source.ImageScheme,
+ ImageMetadata: image,
 }
 case cyclonedx.ComponentTypeFile:
 return source.Metadata{
- Scheme: source.FileScheme, // or source.DirectoryScheme
- Path: component.Name,
- ImageMetadata: source.ImageMetadata{
- UserInput: component.Name,
- ID: component.BOMRef,
- ManifestDigest: component.Version,
- },
+ Scheme: source.FileScheme, // or source.DirectoryScheme
+ Path: c.Name,
+ ImageMetadata: image,
 }
 }
 return source.Metadata{}
 }
+
+// if there is more than one tool in meta.Tools' list the last item will be used
+// as descriptor. If there is a way to know which tool to use here please fix it.
+func extractDescriptor(meta *cyclonedx.Metadata) (desc sbom.Descriptor) {
+ if meta == nil || meta.Tools == nil {
+ return
+ }
+
+ for _, t := range *meta.Tools {
+ desc.Name = t.Name
+ desc.Version = t.Version
+ }
+
+ return
+}
diff --git a/internal/formats/common/cyclonedxhelpers/format.go b/internal/formats/common/cyclonedxhelpers/format.go
index 2fe525919662..a22b191b2d11 100644
--- a/internal/formats/common/cyclonedxhelpers/format.go
+++ b/internal/formats/common/cyclonedxhelpers/format.go
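Review bot: The comment above extractDescriptor should be a doc comment that opens with the function name and states the rule as a contract, e.g. `// extractDescriptor builds the SBOM descriptor from the BOM's tools list; when several tools are listed the last entry wins.`, and the loop that implements "last wins" by overwriting reads more directly as an index: `if tools := *meta.Tools; len(tools) > 0 { t := tools[len(tools)-1]; desc.Name, desc.Version = t.Name, t.Version }`. Because the encoders touched in this commit now emit `s.Descriptor.Version` as the producing tool's version, whichever entry is chosen here is what a re-encoded SBOM attributes its contents to, so that provenance effect is worth stating next to the choice. extractComponents returns a source.Metadata derived from metadata.component rather than any components, so a name such as extractSourceMetadata would describe it more accurately.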
@@ -8,7 +8,6 @@ import ( "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/log" - "github.com/anchore/syft/internal/version" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/linux" "github.com/anchore/syft/syft/sbom" @@ -17,13 +16,12 @@ import ( func ToFormatModel(s sbom.SBOM) *cyclonedx.BOM { cdxBOM := cyclonedx.NewBOM() - versionInfo := version.FromBuild() // NOTE(jonasagx): cycloneDX requires URN uuids (URN returns the RFC 2141 URN form of uuid): // https://github.com/CycloneDX/specification/blob/master/schema/bom-1.3-strict.schema.json#L36 // "pattern": "^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$" cdxBOM.SerialNumber = uuid.New().URN() - cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, versionInfo.Version, s.Source) + cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, s.Descriptor.Version, s.Source) packages := s.Artifacts.PackageCatalog.Sorted() components := make([]cyclonedx.Component, len(packages)) diff --git a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden index 1e78b418b49a..3b23a84e5165 100644 --- a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden +++ b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden @@ -1,15 +1,15 @@ { "bomFormat": "CycloneDX", "specVersion": "1.4", - "serialNumber": "urn:uuid:dec3f6b4-8458-48bb-b60d-dfd312f6ec4e", + "serialNumber": "urn:uuid:3ea3363f-3945-4859-9ba1-9a395983d248", "version": 1, "metadata": { - "timestamp": "2022-04-01T11:48:04-04:00", + "timestamp": "2022-05-23T12:05:00-07:00", "tools": [ { "vendor": "anchore", "name": "syft", - "version": "[not provided]" + "version": "v0.42.0-bogus" } ], "component": { 
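Review bot: `cdxBOM.Metadata = toBomDescriptor(internal.ApplicationName, s.Descriptor.Version, s.Source)` writes the descriptor version unconditionally, so an SBOM whose descriptor was never populated — or decoded from a BOM with no tools entry, where extractDescriptor returns its zero value — is emitted with an empty tool version, whereas the github encoder hunk in this same commit falls back to "0.0.0-dev" for "" and "[not provided]". The spdx22json and spdx22tagvalue to_format_model.go hunks have the same unguarded use, so the fallback would best live in one shared place (a method on sbom.Descriptor, say) that all four encoders call. Pairing internal.ApplicationName with a version taken from the descriptor also means a BOM decoded from another tool is re-labelled as syft at that tool's version; passing `s.Descriptor.Name` when it is non-empty would keep name and version from the same origin. ToFormatModel's body continues outside this hunk.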
diff --git a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden index 315a418268c7..6dac17e18d55 100644 --- a/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden +++ b/internal/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden @@ -1,19 +1,19 @@ { "bomFormat": "CycloneDX", "specVersion": "1.4", - "serialNumber": "urn:uuid:054d973e-fe99-4762-92e4-eaf01997ae41", + "serialNumber": "urn:uuid:c825402b-bbfa-4ad5-81b1-6a8332a6a8b6", "version": 1, "metadata": { - "timestamp": "2022-04-01T11:48:04-04:00", + "timestamp": "2022-05-23T12:05:01-07:00", "tools": [ { "vendor": "anchore", "name": "syft", - "version": "[not provided]" + "version": "v0.42.0-bogus" } ], "component": { - "bom-ref": "e777314b02b362e4", + "bom-ref": "e779c1ed804ba529", "type": "container", "name": "user-image-input", "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368" @@ -53,7 +53,7 @@ }, { "name": "syft:location:0:layerID", - "value": "sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59" + "value": "sha256:cd8f3884f1211d65c19ce5bbc5174bcd2ce8ba96b63e5b3693969a53279c4405" }, { "name": "syft:location:0:path", @@ -83,7 +83,7 @@ }, { "name": "syft:location:0:layerID", - "value": "sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec" + "value": "sha256:42d2ea51c688e6dc7be81a305acbe006d27a6ef0c26ae3888fd0d4ce44f69265" }, { "name": "syft:location:0:path", 
diff --git a/internal/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/internal/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index 5b5b8030509a..3d93b6d3ad1c 100644 Binary files a/internal/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden and b/internal/formats/cyclonedxjson/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden differ diff --git a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden index aa66e8ec0d01..7505cd83b93a 100644 --- a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden +++ b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden @@ -1,12 +1,12 @@ - + - 2022-04-01T11:57:46-04:00 + 2022-05-23T12:02:41-07:00 anchore syft - [not provided] + v0.42.0-bogus diff --git a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden index 78caa7f7acb2..6ef8367e66a6 100644 --- a/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden +++ b/internal/formats/cyclonedxxml/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden @@ -1,15 +1,15 @@ - + - 2022-04-01T11:57:46-04:00 + 2022-05-23T12:02:42-07:00 anchore syft - [not provided] + v0.42.0-bogus - + user-image-input sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368 @@ -30,7 +30,7 @@ python PythonPackageMetadata python - sha256:fb6beecb75b39f4bb813dbf177e501edd5ddb3e69bb45cedeb78c676ee1b7a59 + sha256:cd8f3884f1211d65c19ce5bbc5174bcd2ce8ba96b63e5b3693969a53279c4405 /somefile-1.txt 
@@ -43,7 +43,7 @@ the-cataloger-2 DpkgMetadata deb - sha256:319b588ce64253a87b533c8ed01cf0025e0eac98e7b516e12532957e1244fdec + sha256:42d2ea51c688e6dc7be81a305acbe006d27a6ef0c26ae3888fd0d4ce44f69265 /somefile-2.txt 0 diff --git a/internal/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/internal/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index 5b5b8030509a..3d93b6d3ad1c 100644 Binary files a/internal/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden and b/internal/formats/cyclonedxxml/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden differ diff --git a/internal/formats/github/encoder.go b/internal/formats/github/encoder.go index 9dfc6890d442..6a2b2b66bed8 100644 --- a/internal/formats/github/encoder.go +++ b/internal/formats/github/encoder.go @@ -10,7 +10,6 @@ import ( "github.com/anchore/packageurl-go" "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/log" - "github.com/anchore/syft/internal/version" "github.com/anchore/syft/syft/pkg" "github.com/anchore/syft/syft/sbom" "github.com/anchore/syft/syft/source" @@ -19,8 +18,8 @@ import ( // toGithubModel converts the provided SBOM to a GitHub dependency model func toGithubModel(s *sbom.SBOM) DependencySnapshot { scanTime := time.Now().Format(time.RFC3339) // TODO is there a record of this somewhere? - v := version.FromBuild().Version - if v == "[not provided]" { + v := s.Descriptor.Version + if v == "[not provided]" || v == "" { v = "0.0.0-dev" } return DependencySnapshot{ diff --git a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden index 3299321a589f..f237501b5077 100644 --- a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden 
+++ b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONDirectoryEncoder.golden @@ -3,15 +3,15 @@ "name": "/some/path", "spdxVersion": "SPDX-2.2", "creationInfo": { - "created": "2022-04-01T15:48:39.459232Z", + "created": "2022-05-23T19:10:22.25645Z", "creators": [ "Organization: Anchore, Inc", - "Tool: syft-[not provided]" + "Tool: syft-v0.42.0-bogus" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.17" }, "dataLicense": "CC0-1.0", - "documentNamespace": "https://anchore.com/syft/dir/some/path-8d335d81-29c9-4236-84f1-2292ea92aaf5", + "documentNamespace": "https://anchore.com/syft/dir/some/path-81dbcbfa-251d-4ad5-9b01-be91afb16469", "packages": [ { "SPDXID": "SPDXRef-b85dbb4e6ece5082", diff --git a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden index 42260c91d439..f1891ad57aa2 100644 --- a/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden +++ b/internal/formats/spdx22json/test-fixtures/snapshot/TestSPDXJSONImageEncoder.golden @@ -3,15 +3,15 @@ "name": "user-image-input", "spdxVersion": "SPDX-2.2", "creationInfo": { - "created": "2022-04-01T15:48:39.465643Z", + "created": "2022-05-23T19:10:22.412847Z", "creators": [ "Organization: Anchore, Inc", - "Tool: syft-[not provided]" + "Tool: syft-v0.42.0-bogus" ], - "licenseListVersion": "3.16" + "licenseListVersion": "3.17" }, "dataLicense": "CC0-1.0", - "documentNamespace": "https://anchore.com/syft/image/user-image-input-e64e0be8-5031-4eec-842d-e59fb6deb518", + "documentNamespace": "https://anchore.com/syft/image/user-image-input-c9945597-78ce-4e9b-89d2-68b8e4e4ccb9", "packages": [ { "SPDXID": "SPDXRef-2a46171f91c8d4bc", 
diff --git a/internal/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/internal/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index c1b1d2b797ec..3d93b6d3ad1c 100644 Binary files a/internal/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden and b/internal/formats/spdx22json/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden differ diff --git a/internal/formats/spdx22json/to_format_model.go b/internal/formats/spdx22json/to_format_model.go index 91773895546c..6d8e47ea61e4 100644 --- a/internal/formats/spdx22json/to_format_model.go +++ b/internal/formats/spdx22json/to_format_model.go @@ -11,7 +11,6 @@ import ( "github.com/anchore/syft/internal/formats/spdx22json/model" "github.com/anchore/syft/internal/log" "github.com/anchore/syft/internal/spdxlicense" - "github.com/anchore/syft/internal/version" "github.com/anchore/syft/syft/artifact" "github.com/anchore/syft/syft/file" "github.com/anchore/syft/syft/pkg" @@ -34,7 +33,7 @@ func toFormatModel(s sbom.SBOM) *model.Document { Creators: []string{ // note: key-value format derived from the JSON example document examples: https://github.com/spdx/spdx-spec/blob/v2.2/examples/SPDXJSONExample-v2.2.spdx.json "Organization: Anchore, Inc", - "Tool: " + internal.ApplicationName + "-" + version.FromBuild().Version, + "Tool: " + internal.ApplicationName + "-" + s.Descriptor.Version, }, LicenseListVersion: spdxlicense.Version, }, diff --git a/internal/formats/spdx22tagvalue/encoder_test.go b/internal/formats/spdx22tagvalue/encoder_test.go index 9c3dba9e994f..8d0afa7fd107 100644 --- a/internal/formats/spdx22tagvalue/encoder_test.go +++ b/internal/formats/spdx22tagvalue/encoder_test.go 
@@ -53,7 +53,13 @@ func TestSPDXJSONSPDXIDs(t *testing.T) { Source: source.Metadata{ Scheme: source.DirectoryScheme, }, - Descriptor: sbom.Descriptor{}, + Descriptor: sbom.Descriptor{ + Name: "syft", + Version: "v0.42.0-bogus", + Configuration: map[string]string{ + "config-key": "config-value", + }, + }, }, true, spdxTagValueRedactor, diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden index 6e83d7d8ee8c..ad82041e11d8 100644 --- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden +++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXJSONSPDXIDs.golden @@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: . -DocumentNamespace: https://anchore.com/syft/dir/8fbb3714-785d-4e3e-95cf-44a258bc65b0 -LicenseListVersion: 3.16 +DocumentNamespace: https://anchore.com/syft/dir/422d92b9-57e8-44ee-8039-f75c1d19be87 +LicenseListVersion: 3.17 Creator: Organization: Anchore, Inc -Creator: Tool: syft-[not provided] -Created: 2022-05-02T15:27:05Z +Creator: Tool: syft-v0.42.0-bogus +Created: 2022-05-24T22:52:02Z ##### Package: @at-sign diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden index ba0ba4c69a61..83e333e4b9dd 100644 --- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden +++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueDirectoryEncoder.golden 
@@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: /some/path -DocumentNamespace: https://anchore.com/syft/dir/some/path-d227b0f2-4ee8-4e10-ac43-019db86d16ff -LicenseListVersion: 3.16 +DocumentNamespace: https://anchore.com/syft/dir/some/path-c6b20d03-1478-4513-9feb-1ec427d4b547 +LicenseListVersion: 3.17 Creator: Organization: Anchore, Inc -Creator: Tool: syft-[not provided] -Created: 2022-04-01T15:48:44Z +Creator: Tool: syft-v0.42.0-bogus +Created: 2022-05-24T22:51:02Z ##### Package: package-2 diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden index f2e7d394f0e7..aae5ebf530ff 100644 --- a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden +++ b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/TestSPDXTagValueImageEncoder.golden @@ -2,11 +2,11 @@ SPDXVersion: SPDX-2.2 DataLicense: CC0-1.0 SPDXID: SPDXRef-DOCUMENT DocumentName: user-image-input -DocumentNamespace: https://anchore.com/syft/image/user-image-input-49f98c61-3418-4427-9e00-8b1c735e9799 -LicenseListVersion: 3.16 +DocumentNamespace: https://anchore.com/syft/image/user-image-input-12a877bc-fe9b-40ef-aa9c-4d34f108d0d6 +LicenseListVersion: 3.17 Creator: Organization: Anchore, Inc -Creator: Tool: syft-[not provided] -Created: 2022-04-01T15:48:44Z +Creator: Tool: syft-v0.42.0-bogus +Created: 2022-05-24T22:51:02Z ##### Package: package-2 
diff --git a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden index c1b1d2b797ec..3d93b6d3ad1c 100644 Binary files a/internal/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden and b/internal/formats/spdx22tagvalue/test-fixtures/snapshot/stereoscope-fixture-image-simple.golden differ diff --git a/internal/formats/spdx22tagvalue/to_format_model.go b/internal/formats/spdx22tagvalue/to_format_model.go index 99e007af5185..c678354210b0 100644 --- a/internal/formats/spdx22tagvalue/to_format_model.go +++ b/internal/formats/spdx22tagvalue/to_format_model.go @@ -9,7 +9,6 @@ import ( "github.com/anchore/syft/internal" "github.com/anchore/syft/internal/formats/common/spdxhelpers" "github.com/anchore/syft/internal/spdxlicense" - "github.com/anchore/syft/internal/version" "github.com/anchore/syft/syft/pkg" "github.com/spdx/tools-golang/spdx" ) @@ -69,7 +68,7 @@ func toFormatModel(s sbom.SBOM) *spdx.Document2_2 { // Cardinality: mandatory, one or many CreatorPersons: nil, CreatorOrganizations: []string{"Anchore, Inc"}, - CreatorTools: []string{internal.ApplicationName + "-" + version.FromBuild().Version}, + CreatorTools: []string{internal.ApplicationName + "-" + s.Descriptor.Version}, // 2.9: Created: data format YYYY-MM-DDThh:mm:ssZ // Cardinality: mandatory, one