From d91c2dd84211d825012063f78793787e7cbf2078 Mon Sep 17 00:00:00 2001
From: Keith Zantow
Date: Wed, 8 Nov 2023 11:54:22 -0500
Subject: [PATCH] fix: identify cyclone-json without $schema (#2303)

Signed-off-by: Keith Zantow
---
 syft/format/cyclonedxjson/decoder.go | 12 ++------
 syft/format/cyclonedxjson/decoder_test.go | 15 ++++++++++
 .../test-fixtures/identify/micronaut-1.4.json | 28 +++++++++++++++++++
 .../test-fixtures/identify/micronaut-1.5.json | 28 +++++++++++++++++++
 4 files changed, 74 insertions(+), 9 deletions(-)
 create mode 100644 syft/format/cyclonedxjson/test-fixtures/identify/micronaut-1.4.json
 create mode 100644 syft/format/cyclonedxjson/test-fixtures/identify/micronaut-1.5.json

diff --git a/syft/format/cyclonedxjson/decoder.go b/syft/format/cyclonedxjson/decoder.go
index 67584cbc5ed..5fba5b9a633 100644
--- a/syft/format/cyclonedxjson/decoder.go
+++ b/syft/format/cyclonedxjson/decoder.go
@@ -4,7 +4,6 @@ import (
 "encoding/json"
 "fmt"
 "io"
- "strings"
 "github.com/CycloneDX/cyclonedx-go"
@@ -75,7 +74,7 @@ func (d decoder) Identify(reader io.ReadSeeker) (sbom.FormatID, string) {
 return "", ""
 }
- id, version := getFormatInfo(doc.JSONSchema, doc.BOMFormat, doc.SpecVersion)
+ id, version := getFormatInfo(doc.BOMFormat, doc.SpecVersion)
 if version == "" || id != ID {
 // not a cyclonedx json document that we support
 return "", ""
@@ -84,18 +83,13 @@ func (d decoder) Identify(reader io.ReadSeeker) (sbom.FormatID, string) {
 return id, version
 }
-func getFormatInfo(schemaURI, bomFormat string, specVersion any) (sbom.FormatID, string) {
- if !strings.Contains(schemaURI, "cyclonedx.org/schema/bom") {
- // not a cyclonedx json document
- return "", ""
- }
-
+func getFormatInfo(bomFormat string, specVersion any) (sbom.FormatID, string) {
 if bomFormat != "CycloneDX" {
 // not a cyclonedx json document
 return "", ""
 }
- // by this point this looks to be valid cyclonedx json, but we need to know the version
+ // by this point, it looks to be cyclonedx json, but we need to know the version
 var (
 version string
diff --git a/syft/format/cyclonedxjson/decoder_test.go b/syft/format/cyclonedxjson/decoder_test.go
index 1a949eb2b31..b38ad37ba55 100644
--- a/syft/format/cyclonedxjson/decoder_test.go
+++ b/syft/format/cyclonedxjson/decoder_test.go
@@ -103,6 +103,21 @@ func TestDecoder_Identify(t *testing.T) {
 })
 }
+ cases = append(cases, []testCase{
+ {
+ name: "no-schema-1.4",
+ file: "test-fixtures/identify/micronaut-1.4.json",
+ id: ID,
+ version: "1.4",
+ },
+ {
+ name: "no-schema-1.5",
+ file: "test-fixtures/identify/micronaut-1.5.json",
+ id: ID,
+ version: "1.5",
+ },
+ }...)
+
 for _, test := range cases {
 t.Run(test.name, func(t *testing.T) {
 reader, err := os.Open(test.file)
diff --git a/syft/format/cyclonedxjson/test-fixtures/identify/micronaut-1.4.json b/syft/format/cyclonedxjson/test-fixtures/identify/micronaut-1.4.json
new file mode 100644
index 00000000000..06c7881ab24
--- /dev/null
+++ b/syft/format/cyclonedxjson/test-fixtures/identify/micronaut-1.4.json
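Review bot: getFormatInfo still carries no doc comment, and once the `$schema` guard is gone nothing in the code records that the `$schema` URI is deliberately not consulted, so a later maintainer could reintroduce the check and regress the no-schema case this commit fixes. Suggested comment above the new signature: `// getFormatInfo reports the format ID and spec version of a CycloneDX JSON document from its bomFormat and specVersion fields; the $schema URI is intentionally not consulted, since documents such as the added micronaut fixtures omit it.` Identification now rests on `bomFormat == "CycloneDX"` plus a recognized specVersion, which matches the two-argument call in the Identify hunk earlier in this file. The body of getFormatInfo continues past the end of this hunk.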
@@ -0,0 +1,28 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.4",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "group": "io.netty",
+ "name": "netty-codec-http2",
+ "version": "4.1.73.Final",
+ "properties": [
+ {
+ "name": "syft:cpe23",
+ "value": "cpe:2.3:a:codec:codec:4.1.73.Final:*:*:*:*:*:*:*"
+ },
+ {
+ "name": "syft:cpe23",
+ "value": "cpe:2.3:a:codec:netty-codec-http2:4.1.73.Final:*:*:*:*:*:*:*"
+ },
+ {
+ "name": "syft:cpe23",
+ "value": "cpe:2.3:a:codec:netty_codec_http2:4.1.73.Final:*:*:*:*:*:*:*"
+ }
+ ]
+ }
+ ],
+ "serialNumber": "urn:uuid:43538af4-f715-3d85-9629-336fdd3790ad"
+}
diff --git a/syft/format/cyclonedxjson/test-fixtures/identify/micronaut-1.5.json b/syft/format/cyclonedxjson/test-fixtures/identify/micronaut-1.5.json
new file mode 100644
index 00000000000..4f1a819b431
--- /dev/null
+++ b/syft/format/cyclonedxjson/test-fixtures/identify/micronaut-1.5.json
@@ -0,0 +1,28 @@
+{
+ "bomFormat": "CycloneDX",
+ "specVersion": "1.5",
+ "version": 1,
+ "components": [
+ {
+ "type": "library",
+ "group": "io.netty",
+ "name": "netty-codec-http2",
+ "version": "4.1.73.Final",
+ "properties": [
+ {
+ "name": "syft:cpe23",
+ "value": "cpe:2.3:a:codec:codec:4.1.73.Final:*:*:*:*:*:*:*"
+ },
+ {
+ "name": "syft:cpe23",
+ "value": "cpe:2.3:a:codec:netty-codec-http2:4.1.73.Final:*:*:*:*:*:*:*"
+ },
+ {
+ "name": "syft:cpe23",
+ "value": "cpe:2.3:a:codec:netty_codec_http2:4.1.73.Final:*:*:*:*:*:*:*"
+ }
+ ]
+ }
+ ],
+ "serialNumber": "urn:uuid:f4-f715-3d85-9629-336fdd3790ad"
+}