Merge pull request #556 from thesurlydev/support-1.6-spec

Support 1.6 spec
CycloneDX · Oct 5, 2024 · a86023a · a86023a
2 parents dce6ee2 + 567818d
commit a86023a
Show file tree

Hide file tree

Showing 9 changed files with 41 additions and 36 deletions.
diff --git a/README.md b/README.md
@@ -45,7 +45,7 @@ Default Values
         <artifactId>cyclonedx-maven-plugin</artifactId>
         <configuration>
             <projectType>library</projectType>
-            <schemaVersion>1.5</schemaVersion>
+            <schemaVersion>1.6</schemaVersion>
             <includeBomSerialNumber>true</includeBomSerialNumber>
             <includeCompileScope>true</includeCompileScope>
             <includeProvidedScope>true</includeProvidedScope>
@@ -63,7 +63,7 @@ Default Values
 </plugins>
 ```
 
-`<projectType>` default value is `library` but there are [more choices defined in the CycloneDX specification](https://cyclonedx.org/docs/1.5/json/#metadata_component_type).
+`<projectType>` default value is `library` but there are [more choices defined in the CycloneDX specification](https://cyclonedx.org/docs/1.6/json/#metadata_component_type).
 
 See also [External References](https://cyclonedx.github.io/cyclonedx-maven-plugin/external-references.html) documentation for details on this topic.
 
@@ -99,6 +99,7 @@ the CycloneDX version supported by the target system.
 
 | Version | Schema Version | Format(s) |
 |---------|----------------| --------- |
+| 2.9.x   | CycloneDX v1.6 | XML/JSON |
 | 2.8.x   | CycloneDX v1.5 | XML/JSON |
 | 2.6.x   | CycloneDX v1.4 | XML/JSON |
 | 2.5.x   | CycloneDX v1.3 | XML/JSON |

diff --git a/pom.xml b/pom.xml
@@ -106,7 +106,7 @@
         <dependency>
             <groupId>org.cyclonedx</groupId>
             <artifactId>cyclonedx-core-java</artifactId>
-            <version>8.0.3</version>
+            <version>9.0.5</version>
         </dependency>
         <dependency>
             <groupId>javax.inject</groupId>

diff --git a/src/it/makeAggregateBom/api/pom.xml b/src/it/makeAggregateBom/api/pom.xml
@@ -32,7 +32,7 @@
         <dependency>
             <groupId>org.cyclonedx</groupId>
             <artifactId>cyclonedx-core-java</artifactId>
-            <version>7.2.1</version>
+            <version>9.0.5</version>
         </dependency>
     </dependencies>
 </project>
diff --git a/src/it/makeBom/pom.xml b/src/it/makeBom/pom.xml
@@ -72,7 +72,7 @@
         <dependency>
             <groupId>org.cyclonedx</groupId>
             <artifactId>cyclonedx-core-java</artifactId>
-            <version>7.2.1</version>
+            <version>9.0.5</version>
         </dependency>
         <dependency>
             <groupId>com.ibm.websphere.appserver.features</groupId>

diff --git a/src/it/makeBom/verify.groovy b/src/it/makeBom/verify.groovy
@@ -4,7 +4,9 @@ File bomFileJson = new File(basedir, "target/bom.json")
 assert bomFileXml.exists()
 assert bomFileJson.exists()
 
-assert bomFileXml.text.contains('<reference type="website"><url>https://github.com/CycloneDX/cyclonedx-maven-plugin</url></reference>')
+assert bomFileXml.text.contains('<reference type="website">\n' +
+        '          <url>https://github.com/CycloneDX/cyclonedx-maven-plugin</url>\n' +
+        '        </reference>')
 
 assert !bomFileXml.text.contains('<property name="maven.optional.unused">')
 

diff --git a/src/main/java/org/cyclonedx/maven/BaseCycloneDxMojo.java b/src/main/java/org/cyclonedx/maven/BaseCycloneDxMojo.java
@@ -29,8 +29,8 @@
 import org.apache.maven.project.MavenProjectHelper;
 import org.apache.maven.shared.dependency.analyzer.ProjectDependencyAnalysis;
 import org.codehaus.plexus.util.xml.Xpp3Dom;
-import org.cyclonedx.BomGeneratorFactory;
-import org.cyclonedx.CycloneDxSchema;
+import org.cyclonedx.Version;
+import org.cyclonedx.generators.BomGeneratorFactory;
 import org.cyclonedx.exception.GeneratorException;
 import org.cyclonedx.generators.json.BomJsonGenerator;
 import org.cyclonedx.generators.xml.BomXmlGenerator;
@@ -67,7 +67,7 @@ public abstract class BaseCycloneDxMojo extends AbstractMojo {
 
     /**
      * The component type associated to the SBOM metadata. See
-     * <a href="https://cyclonedx.org/docs/1.5/json/#metadata_component_type">CycloneDX reference</a> for supported
+     * <a href="https://cyclonedx.org/docs/1.6/json/#metadata_component_type">CycloneDX reference</a> for supported
      * values. 
      *
      * @since 2.0.0
@@ -80,9 +80,9 @@ public abstract class BaseCycloneDxMojo extends AbstractMojo {
      *
      * @since 2.1.0
      */
-    @Parameter(property = "schemaVersion", defaultValue = "1.5", required = false)
+    @Parameter(property = "schemaVersion", defaultValue = "1.6", required = false)
     private String schemaVersion;
-    private CycloneDxSchema.Version effectiveSchemaVersion = null;
+    private Version effectiveSchemaVersion = null;
 
     /**
      * The CycloneDX output format that should be generated (<code>xml</code>, <code>json</code> or <code>all</code>).
@@ -227,7 +227,7 @@ public abstract class BaseCycloneDxMojo extends AbstractMojo {
     private String outputTimestamp;
 
     /**
-     * <a href="https://cyclonedx.org/docs/1.5/json/#metadata_component_externalReferences_items_type">External references</a>
+     * <a href="https://cyclonedx.org/docs/1.6/json/#metadata_component_externalReferences_items_type">External references</a>
      * to be added to the component the BOM describes <code>$.metadata.component.externalReferences[]</code>:
      * <pre>
      * &lt;externalReferences&gt;
@@ -477,20 +477,22 @@ protected BomDependencies extractBOMDependencies(MavenProject mavenProject) thro
      * Resolves the CycloneDX schema the mojo has been requested to use.
      * @return the CycloneDX schema to use
      */
-    protected CycloneDxSchema.Version schemaVersion() {
+    protected Version schemaVersion() {
         if (effectiveSchemaVersion == null) {
             if ("1.0".equals(schemaVersion)) {
-                effectiveSchemaVersion = CycloneDxSchema.Version.VERSION_10;
+                effectiveSchemaVersion = Version.VERSION_10;
             } else if ("1.1".equals(schemaVersion)) {
-                effectiveSchemaVersion = CycloneDxSchema.Version.VERSION_11;
+                effectiveSchemaVersion = Version.VERSION_11;
             } else if ("1.2".equals(schemaVersion)) {
-                effectiveSchemaVersion = CycloneDxSchema.Version.VERSION_12;
+                effectiveSchemaVersion = Version.VERSION_12;
             } else if ("1.3".equals(schemaVersion)) {
-                effectiveSchemaVersion = CycloneDxSchema.Version.VERSION_13;
+                effectiveSchemaVersion = Version.VERSION_13;
             } else if ("1.4".equals(schemaVersion)) {
-                effectiveSchemaVersion = CycloneDxSchema.Version.VERSION_14;
+                effectiveSchemaVersion = Version.VERSION_14;
+            } else if ("1.5".equals(schemaVersion)) {
+                effectiveSchemaVersion = Version.VERSION_15;
             } else {
-                effectiveSchemaVersion = CycloneDxSchema.Version.VERSION_15;
+                effectiveSchemaVersion = Version.VERSION_16;
             }
         }
         return effectiveSchemaVersion;

diff --git a/src/main/java/org/cyclonedx/maven/DefaultModelConverter.java b/src/main/java/org/cyclonedx/maven/DefaultModelConverter.java
@@ -32,7 +32,7 @@
 import org.apache.maven.project.ProjectBuildingException;
 import org.apache.maven.project.ProjectBuildingResult;
 import org.apache.maven.repository.RepositorySystem;
-import org.cyclonedx.CycloneDxSchema;
+import org.cyclonedx.Version;
 import org.cyclonedx.model.Component;
 import org.cyclonedx.model.ExternalReference;
 import org.cyclonedx.model.Hash;
@@ -156,7 +156,7 @@ private String generatePackageUrl(String groupId, String artifactId, String vers
     }
 
     @Override
-    public Component convertMavenDependency(Artifact artifact, CycloneDxSchema.Version schemaVersion, boolean includeLicenseText) {
+    public Component convertMavenDependency(Artifact artifact, Version schemaVersion, boolean includeLicenseText) {
         final Component component = new Component();
         component.setGroup(artifact.getGroupId());
         component.setName(artifact.getArtifactId());
@@ -168,11 +168,11 @@ public Component convertMavenDependency(Artifact artifact, CycloneDxSchema.Versi
         } catch (IOException e) {
             logger.error("Error encountered calculating hashes", e);
         }
-        if (CycloneDxSchema.Version.VERSION_10 == schemaVersion) {
+        if (Version.VERSION_10 == schemaVersion) {
             component.setModified(isModified(artifact));
         }
         component.setPurl(generatePackageUrl(artifact));
-        if (CycloneDxSchema.Version.VERSION_10 != schemaVersion) {
+        if (Version.VERSION_10 != schemaVersion) {
             component.setBomRef(component.getPurl());
         }
         try {
@@ -210,7 +210,7 @@ private boolean isModified(Artifact artifact) {
      * @param project the project to extract data from
      * @param component the component to add data to
      */
-    private void extractComponentMetadata(MavenProject project, Component component, CycloneDxSchema.Version schemaVersion, boolean includeLicenseText) {
+    private void extractComponentMetadata(MavenProject project, Component component, Version schemaVersion, boolean includeLicenseText) {
         if (component.getPublisher() == null) {
             // If we don't already have publisher information, retrieve it.
             if (project.getOrganization() != null) {
@@ -227,7 +227,7 @@ private void extractComponentMetadata(MavenProject project, Component component,
                 component.setLicenseChoice(resolveMavenLicenses(project.getLicenses(), schemaVersion, includeLicenseText));
             }
         }
-        if (CycloneDxSchema.Version.VERSION_10 != schemaVersion) {
+        if (Version.VERSION_10 != schemaVersion) {
             addExternalReference(ExternalReference.Type.WEBSITE, project.getUrl(), component);
             if (project.getCiManagement() != null) {
                 addExternalReference(ExternalReference.Type.BUILD_SYSTEM, project.getCiManagement().getUrl(), component);
@@ -297,7 +297,7 @@ private boolean doesComponentHaveExternalReference(final Component component, fi
         return false;
     }
 
-    private LicenseChoice resolveMavenLicenses(final List<org.apache.maven.model.License> projectLicenses, final CycloneDxSchema.Version schemaVersion, boolean includeLicenseText) {
+    private LicenseChoice resolveMavenLicenses(final List<org.apache.maven.model.License> projectLicenses, final Version schemaVersion, boolean includeLicenseText) {
         final LicenseChoice licenseChoice = new LicenseChoice();
         for (org.apache.maven.model.License artifactLicense : projectLicenses) {
             boolean resolved = false;
@@ -328,14 +328,14 @@ private LicenseChoice resolveMavenLicenses(final List<org.apache.maven.model.Lic
         return licenseChoice;
     }
 
-    private boolean resolveLicenseInfo(final LicenseChoice licenseChoice, final LicenseChoice licenseChoiceToResolve, final CycloneDxSchema.Version schemaVersion)
+    private boolean resolveLicenseInfo(final LicenseChoice licenseChoice, final LicenseChoice licenseChoiceToResolve, final Version schemaVersion)
     {
         if (licenseChoiceToResolve != null) {
             if (licenseChoiceToResolve.getLicenses() != null && !licenseChoiceToResolve.getLicenses().isEmpty()) {
                 licenseChoice.addLicense(licenseChoiceToResolve.getLicenses().get(0));
                 return true;
             }
-            else if (licenseChoiceToResolve.getExpression() != null && CycloneDxSchema.Version.VERSION_10 != schemaVersion) {
+            else if (licenseChoiceToResolve.getExpression() != null && Version.VERSION_10 != schemaVersion) {
                 licenseChoice.setExpression(licenseChoiceToResolve.getExpression());
                 return true;
             }
@@ -344,7 +344,7 @@ else if (licenseChoiceToResolve.getExpression() != null && CycloneDxSchema.Versi
     }
 
     @Override
-    public Metadata convertMavenProject(final MavenProject project, String projectType, CycloneDxSchema.Version schemaVersion, boolean includeLicenseText, ExternalReference[] externalReferences) {
+    public Metadata convertMavenProject(final MavenProject project, String projectType, Version schemaVersion, boolean includeLicenseText, ExternalReference[] externalReferences) {
         final Metadata metadata = new Metadata();
 
         // prepare properties and hash values from the current mojo
@@ -361,7 +361,7 @@ public Metadata convertMavenProject(final MavenProject project, String projectTy
                 logger.warn("Unable to calculate hashes of self", e);
             }
         }
-        if (schemaVersion.compareTo(CycloneDxSchema.Version.VERSION_15) < 0) {
+        if (schemaVersion.compareTo(Version.VERSION_15) < 0) {
             // CycloneDX up to 1.4+ use metadata.tools.tool
             final Tool tool = new Tool();
             tool.setVendor(properties.getProperty("vendor"));

diff --git a/src/main/java/org/cyclonedx/maven/ModelConverter.java b/src/main/java/org/cyclonedx/maven/ModelConverter.java
@@ -20,7 +20,7 @@
 
 import org.apache.maven.artifact.Artifact;
 import org.apache.maven.project.MavenProject;
-import org.cyclonedx.CycloneDxSchema;
+import org.cyclonedx.Version;
 import org.cyclonedx.model.Component;
 import org.cyclonedx.model.ExternalReference;
 import org.cyclonedx.model.Metadata;
@@ -49,7 +49,7 @@ public interface ModelConverter {
      * @param includeLicenseText should license text be included in bom?
      * @return a CycloneDX component
      */
-    Component convertMavenDependency(Artifact artifact, CycloneDxSchema.Version schemaVersion, boolean includeLicenseText);
+    Component convertMavenDependency(Artifact artifact, Version schemaVersion, boolean includeLicenseText);
 
     /**
      * Converts a MavenProject into a CycloneDX Metadata object.
@@ -61,6 +61,6 @@ public interface ModelConverter {
      * @param externalReferences the external references
      * @return a CycloneDX Metadata object
      */
-    Metadata convertMavenProject(MavenProject project, String projectType, CycloneDxSchema.Version schemaVersion, boolean includeLicenseText, ExternalReference[] externalReferences);
+    Metadata convertMavenProject(MavenProject project, String projectType, Version schemaVersion, boolean includeLicenseText, ExternalReference[] externalReferences);
 
 }
diff --git a/src/site/markdown/external-references.md b/src/site/markdown/external-references.md
@@ -50,6 +50,6 @@ You can add more external references the component that the BOM describes by plu
 See valid [CycloneDX external reference types][external-reference-type].
 
 [maven-model]: https://maven.apache.org/ref/current/maven-model/maven.html
-[metadata-component]: https://cyclonedx.org/docs/1.5/json/#metadata_component
-[components]: https://cyclonedx.org/docs/1.5/json/#components
-[external-reference-type]: https://cyclonedx.org/docs/1.5/json/#metadata_component_externalReferences_items_type
+[metadata-component]: https://cyclonedx.org/docs/1.6/json/#metadata_component
+[components]: https://cyclonedx.org/docs/1.6/json/#components
+[external-reference-type]: https://cyclonedx.org/docs/1.6/json/#metadata_component_externalReferences_items_type