diff --git a/docs/docs/supply-chain/sbom.md b/docs/docs/supply-chain/sbom.md index 7091eb6ed2ba..cb3a68c9d8f3 100644 --- a/docs/docs/supply-chain/sbom.md +++ b/docs/docs/supply-chain/sbom.md @@ -217,13 +217,16 @@ $ cat result.json | jq . "version": 1, "metadata": { "timestamp": "2022-02-22T15:11:40.270597Z", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "dev" - } - ], + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + }, "component": { "bom-ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64", "type": "container", diff --git a/go.mod b/go.mod index 877dfd73665b..420f5e748bde 100644 --- a/go.mod +++ b/go.mod @@ -7,7 +7,7 @@ require ( github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0 github.com/BurntSushi/toml v1.3.2 - github.com/CycloneDX/cyclonedx-go v0.7.2 + github.com/CycloneDX/cyclonedx-go v0.8.0 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible github.com/Masterminds/sprig/v3 v3.2.3 github.com/NYTimes/gziphandler v1.1.1 diff --git a/go.sum b/go.sum index 4f43615c6d4e..6364a132f996 100644 --- a/go.sum +++ b/go.sum 
@@ -237,8 +237,8 @@ github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbi github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8= github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= -github.com/CycloneDX/cyclonedx-go v0.7.2 h1:kKQ0t1dPOlugSIYVOMiMtFqeXI2wp/f5DBIdfux8gnQ= -github.com/CycloneDX/cyclonedx-go v0.7.2/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk= +github.com/CycloneDX/cyclonedx-go v0.8.0 h1:FyWVj6x6hoJrui5uRQdYZcSievw3Z32Z88uYzG/0D6M= +github.com/CycloneDX/cyclonedx-go v0.8.0/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk= github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60= github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= github.com/DmitriyVTitov/size v1.5.0/go.mod h1:le6rNI4CoLQV1b9gzp1+3d7hMAD/uu2QcJ+aYbNgiU0= diff --git a/integration/testdata/conda-cyclonedx.json.golden b/integration/testdata/conda-cyclonedx.json.golden index e449defa008a..30e0321b52a5 100644 --- a/integration/testdata/conda-cyclonedx.json.golden +++ b/integration/testdata/conda-cyclonedx.json.golden @@ -6,13 +6,16 @@ "version": 1, "metadata": { "timestamp": "2021-08-25T12:20:30+00:00", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "dev" - } - ], + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + }, "component": { "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002", "type": "application", diff --git a/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden b/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden index c3e5903d5b79..aab59a6cf47f 100644 --- a/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden 
+++ b/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden @@ -6,13 +6,16 @@ "version": 1, "metadata": { "timestamp": "2021-08-25T12:20:30+00:00", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "dev" - } - ], + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + }, "component": { "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002", "type": "container", diff --git a/integration/testdata/pom-cyclonedx.json.golden b/integration/testdata/pom-cyclonedx.json.golden index a77c75eb1f65..5487c239e2da 100644 --- a/integration/testdata/pom-cyclonedx.json.golden +++ b/integration/testdata/pom-cyclonedx.json.golden @@ -6,13 +6,16 @@ "version": 1, "metadata": { "timestamp": "2021-08-25T12:20:30+00:00", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "dev" - } - ], + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + }, "component": { "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002", "type": "application", diff --git a/pkg/fanal/analyzer/sbom/testdata/cdx.json b/pkg/fanal/analyzer/sbom/testdata/cdx.json index 639677780faf..a006bf7053e2 100644 --- a/pkg/fanal/analyzer/sbom/testdata/cdx.json +++ b/pkg/fanal/analyzer/sbom/testdata/cdx.json @@ -5,13 +5,16 @@ "version": 1, "metadata": { "timestamp": "2023-06-01T13:10:23+00:00", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "0.41.0-80-g1c03982fe" - } - ], + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "0.41.0-80-g1c03982fe" + } + ] + }, "component": { "bom-ref": "pkg:oci/elasticsearch@sha256:d4b68b602eb3d92ea3256886761752ae1159dc01fd391f4c4a87ebf6ba9d3895?repository_url=index.docker.io%2Fbitnami%2Felasticsearch\u0026arch=arm64", "type": "container", 
diff --git a/pkg/fanal/artifact/sbom/testdata/bom.json b/pkg/fanal/artifact/sbom/testdata/bom.json
index 2244d48334e2..f8fd55ea6add 100644
--- a/pkg/fanal/artifact/sbom/testdata/bom.json
+++ b/pkg/fanal/artifact/sbom/testdata/bom.json
@@ -5,13 +5,16 @@
 "version": 1,
 "metadata": {
 "timestamp": "2022-05-28T10:20:03.79527Z",
- "tools": [
- {
- "vendor": "aquasecurity",
- "name": "trivy",
- "version": "dev"
- }
- ],
+ "tools": {
+ "components": [
+ {
+ "type": "application",
+ "group": "aquasecurity",
+ "name": "trivy",
+ "version": "dev"
+ }
+ ]
+ },
 "component": {
 "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a",
 "type": "container",
diff --git a/pkg/fanal/artifact/sbom/testdata/os-only-bom.json b/pkg/fanal/artifact/sbom/testdata/os-only-bom.json
index 820057006668..837c16754211 100644
--- a/pkg/fanal/artifact/sbom/testdata/os-only-bom.json
+++ b/pkg/fanal/artifact/sbom/testdata/os-only-bom.json
@@ -5,13 +5,16 @@
 "version": 1,
 "metadata": {
 "timestamp": "2022-05-28T10:20:03.79527Z",
- "tools": [
- {
- "vendor": "aquasecurity",
- "name": "trivy",
- "version": "dev"
- }
- ],
+ "tools": {
+ "components": [
+ {
+ "type": "application",
+ "group": "aquasecurity",
+ "name": "trivy",
+ "version": "dev"
+ }
+ ]
+ },
 "component": {
 "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a",
 "type": "container",
diff --git a/pkg/rekortest/server.go b/pkg/rekortest/server.go
index 72a9e6ef7c71..e5eb7dbd7858 100644
--- a/pkg/rekortest/server.go
+++ b/pkg/rekortest/server.go
@@ -54,11 +54,14 @@ var (
 Version: 1,
 Metadata: &cyclonedx.Metadata{
 Timestamp: "2022-09-15T13:53:49+00:00",
- Tools: &[]cyclonedx.Tool{
- {
- Vendor: "aquasecurity",
- Name: "trivy",
- Version: "dev",
+ Tools: &cyclonedx.ToolsChoice{
+ Components: &[]cyclonedx.Component{
+ {
+ Type: cyclonedx.ComponentTypeApplication,
+ Name: "trivy",
+ Group: "aquasecurity",
+ Version: "dev",
+ },
 },
 },
 Component: &cyclonedx.Component{
@@ -175,11 +178,14 @@ var (
 Version: 1,
 Metadata: &cyclonedx.Metadata{
 Timestamp: "2022-10-21T09:50:08+00:00",
- Tools: &[]cyclonedx.Tool{
- {
- Vendor: "aquasecurity",
- Name: "trivy",
- Version: "dev",
+ Tools: &cyclonedx.ToolsChoice{
+ Components: &[]cyclonedx.Component{
+ {
+ Type: cyclonedx.ComponentTypeApplication,
+ Name: "trivy",
+ Group: "aquasecurity",
+ Version: "dev",
+ },
 },
 },
 Component: &cyclonedx.Component{
diff --git a/pkg/sbom/cyclonedx/core/cyclonedx.go b/pkg/sbom/cyclonedx/core/cyclonedx.go
index 7477a559262c..023e1c18d7b1 100644
--- a/pkg/sbom/cyclonedx/core/cyclonedx.go
+++ b/pkg/sbom/cyclonedx/core/cyclonedx.go
@@ -184,11 +184,14 @@ func (c *CycloneDX) BOMRef(component *Component) string {
 func (c *CycloneDX) Metadata(ctx context.Context) *cdx.Metadata {
 return &cdx.Metadata{
 Timestamp: clock.Now(ctx).UTC().Format(timeLayout),
- Tools: &[]cdx.Tool{
- {
- Vendor: ToolVendor,
- Name: ToolName,
- Version: c.appVersion,
+ Tools: &cdx.ToolsChoice{
+ Components: &[]cdx.Component{
+ {
+ Type: cdx.ComponentTypeApplication,
+ Group: ToolVendor,
+ Name: ToolName,
+ Version: c.appVersion,
+ },
 },
 },
 }
@@ -313,11 +316,20 @@ func IsTrivySBOM(c *cdx.BOM) bool {
 return false
 }
- for _, tool := range *c.Metadata.Tools {
+ for _, component := range lo.FromPtr(c.Metadata.Tools.Components) {
+ if component.Group == ToolVendor && component.Name == ToolName {
+ return true
+ }
+ }
+
+ // Metadata.Tools array is deprecated (as of CycloneDX v1.5). We check this field for backward compatibility.
+ // cf. https://github.com/CycloneDX/cyclonedx-go/blob/b9654ae9b4705645152d20eb9872b5f3d73eac49/cyclonedx.go#L988
+ for _, tool := range lo.FromPtr(c.Metadata.Tools.Tools) {
 if tool.Vendor == ToolVendor && tool.Name == ToolName {
 return true
 }
 }
+
 return false
 }
diff --git a/pkg/sbom/cyclonedx/core/cyclonedx_test.go b/pkg/sbom/cyclonedx/core/cyclonedx_test.go
index 60ad12864520..87d5a589f9bf 100644
--- a/pkg/sbom/cyclonedx/core/cyclonedx_test.go
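Review bot: Metadata now records the generating tool under `tools.components`, a shape that exists only from CycloneDX 1.5 on; whether the encoder downgrades it to the legacy `tools` array when a caller requests an older spec version is not visible in this hunk and is worth confirming, because consumers that still read `metadata.tools` as an array will otherwise receive an object. The method also has no doc comment; I would add `// Metadata builds the BOM metadata: the generation timestamp (UTC) and Trivy itself, recorded as the generating tool in the CycloneDX 1.5 tools.components form.` A why-comment on the field, `// CycloneDX 1.5+ form; the flat Metadata.Tools array is deprecated`, saves the next reader a trip to the library source.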
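Review bot: IsTrivySBOM decides on a plain string match of `component.Group`/`component.Name` (and, in the fallback, `tool.Vendor`/`tool.Name`), which are self-declared fields of the file being scanned, so a hand-edited or tampered BOM can claim to be Trivy-generated; if any caller uses the result to relax validation of the rest of the BOM (the call sites are not visible here), that trust is unwarranted and the limitation should be stated at the function. The function has no doc comment; I would add `// IsTrivySBOM reports whether the BOM metadata names Trivy as a generating tool, in either the CycloneDX 1.5 tools.components form or the deprecated tools array. It is a string match on self-declared metadata, not a provenance check.` The dereference `c.Metadata.Tools.Components` relies on the nil guard above the hunk (the function starts outside it) still rejecting a nil `Tools` pointer now that its type is `*cdx.ToolsChoice`; that branch deserves a look as well.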
+++ b/pkg/sbom/cyclonedx/core/cyclonedx_test.go @@ -182,11 +182,14 @@ func TestMarshaler_CoreComponent(t *testing.T) { Version: 1, Metadata: &cdx.Metadata{ Timestamp: "2021-08-25T12:20:30+00:00", - Tools: &[]cdx.Tool{ - { - Name: "trivy", - Vendor: "aquasecurity", - Version: "dev", + Tools: &cdx.ToolsChoice{ + Components: &[]cdx.Component{ + { + Type: cdx.ComponentTypeApplication, + Name: "trivy", + Group: "aquasecurity", + Version: "dev", + }, }, }, Component: &cdx.Component{ diff --git a/pkg/sbom/cyclonedx/marshal_test.go b/pkg/sbom/cyclonedx/marshal_test.go index 9d1f2d33aab0..a016e5b1e20a 100644 --- a/pkg/sbom/cyclonedx/marshal_test.go +++ b/pkg/sbom/cyclonedx/marshal_test.go @@ -242,11 +242,14 @@ func TestMarshaler_Marshal(t *testing.T) { Version: 1, Metadata: &cdx.Metadata{ Timestamp: "2021-08-25T12:20:30+00:00", - Tools: &[]cdx.Tool{ - { - Name: "trivy", - Vendor: "aquasecurity", - Version: "dev", + Tools: &cdx.ToolsChoice{ + Components: &[]cdx.Component{ + { + Type: cdx.ComponentTypeApplication, + Name: "trivy", + Group: "aquasecurity", + Version: "dev", + }, }, }, Component: &cdx.Component{ @@ -874,11 +877,14 @@ func TestMarshaler_Marshal(t *testing.T) { Version: 1, Metadata: &cdx.Metadata{ Timestamp: "2021-08-25T12:20:30+00:00", - Tools: &[]cdx.Tool{ - { - Name: "trivy", - Vendor: "aquasecurity", - Version: "dev", + Tools: &cdx.ToolsChoice{ + Components: &[]cdx.Component{ + { + Type: cdx.ComponentTypeApplication, + Name: "trivy", + Group: "aquasecurity", + Version: "dev", + }, }, }, Component: &cdx.Component{ @@ -1255,11 +1261,14 @@ func TestMarshaler_Marshal(t *testing.T) { Version: 1, Metadata: &cdx.Metadata{ Timestamp: "2021-08-25T12:20:30+00:00", - Tools: &[]cdx.Tool{ - { - Name: "trivy", - Vendor: "aquasecurity", - Version: "dev", + Tools: &cdx.ToolsChoice{ + Components: &[]cdx.Component{ + { + Type: cdx.ComponentTypeApplication, + Name: "trivy", + Group: "aquasecurity", + Version: "dev", + }, }, }, Component: &cdx.Component{ 
@@ -1545,11 +1554,14 @@ func TestMarshaler_Marshal(t *testing.T) { Version: 1, Metadata: &cdx.Metadata{ Timestamp: "2021-08-25T12:20:30+00:00", - Tools: &[]cdx.Tool{ - { - Name: "trivy", - Vendor: "aquasecurity", - Version: "dev", + Tools: &cdx.ToolsChoice{ + Components: &[]cdx.Component{ + { + Type: cdx.ComponentTypeApplication, + Name: "trivy", + Group: "aquasecurity", + Version: "dev", + }, }, }, Component: &cdx.Component{ @@ -1728,11 +1740,14 @@ func TestMarshaler_Marshal(t *testing.T) { Version: 1, Metadata: &cdx.Metadata{ Timestamp: "2021-08-25T12:20:30+00:00", - Tools: &[]cdx.Tool{ - { - Name: "trivy", - Vendor: "aquasecurity", - Version: "dev", + Tools: &cdx.ToolsChoice{ + Components: &[]cdx.Component{ + { + Type: cdx.ComponentTypeApplication, + Name: "trivy", + Group: "aquasecurity", + Version: "dev", + }, }, }, Component: &cdx.Component{ @@ -1813,11 +1828,14 @@ func TestMarshaler_Marshal(t *testing.T) { Version: 1, Metadata: &cdx.Metadata{ Timestamp: "2021-08-25T12:20:30+00:00", - Tools: &[]cdx.Tool{ - { - Name: "trivy", - Vendor: "aquasecurity", - Version: "dev", + Tools: &cdx.ToolsChoice{ + Components: &[]cdx.Component{ + { + Type: cdx.ComponentTypeApplication, + Name: "trivy", + Group: "aquasecurity", + Version: "dev", + }, }, }, Component: &cdx.Component{ diff --git a/pkg/sbom/cyclonedx/testdata/happy/bom.json b/pkg/sbom/cyclonedx/testdata/happy/bom.json index ada1488b8cbc..a7a1a474b8bd 100644 --- a/pkg/sbom/cyclonedx/testdata/happy/bom.json +++ b/pkg/sbom/cyclonedx/testdata/happy/bom.json @@ -5,13 +5,16 @@ "version": 1, "metadata": { "timestamp": "2022-05-28T10:20:03.79527Z", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "dev" - } - ], + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + }, "component": { "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a", "type": "container", 
diff --git a/pkg/sbom/cyclonedx/testdata/happy/empty-metadata-component-bom.json b/pkg/sbom/cyclonedx/testdata/happy/empty-metadata-component-bom.json index 63109c739206..2fb29d2647af 100644 --- a/pkg/sbom/cyclonedx/testdata/happy/empty-metadata-component-bom.json +++ b/pkg/sbom/cyclonedx/testdata/happy/empty-metadata-component-bom.json @@ -5,13 +5,16 @@ "version": 1, "metadata": { "timestamp": "2022-05-28T10:20:03.79527Z", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "dev" - } - ] + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + } }, "dependencies": [] } \ No newline at end of file diff --git a/pkg/sbom/cyclonedx/testdata/happy/group-in-name.json b/pkg/sbom/cyclonedx/testdata/happy/group-in-name.json index e42790df19ca..f7e7e44dc437 100644 --- a/pkg/sbom/cyclonedx/testdata/happy/group-in-name.json +++ b/pkg/sbom/cyclonedx/testdata/happy/group-in-name.json @@ -5,13 +5,16 @@ "version": 1, "metadata": { "timestamp": "2023-06-20T04:32:10+00:00", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "0.42.1" - } - ], + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + }, "component": { "bom-ref": "b0ae8323-eb7b-4be5-bc5c-4849fd795ec0", "type": "application", diff --git a/pkg/sbom/cyclonedx/testdata/happy/independent-library-bom.json b/pkg/sbom/cyclonedx/testdata/happy/independent-library-bom.json index 0a1b337820c2..164eed844166 100644 --- a/pkg/sbom/cyclonedx/testdata/happy/independent-library-bom.json +++ b/pkg/sbom/cyclonedx/testdata/happy/independent-library-bom.json 
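Review bot: In group-in-name.json the tool `version` is changed from `"0.42.1"` to `"dev"` alongside the move to `tools.components`, which the structural migration does not require; keeping `"version": "0.42.1"` would preserve a fixture that exercises a real release string rather than the placeholder used by the other fixtures. Presumably this came from pasting a shared template, but it is worth restoring unless the test depends on it.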
@@ -5,13 +5,16 @@ "version": 1, "metadata": { "timestamp": "2022-05-28T10:20:03.79527Z", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "dev" - } - ], + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + }, "component": { "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a", "type": "application", diff --git a/pkg/sbom/cyclonedx/testdata/happy/infinite-loop-bom.json b/pkg/sbom/cyclonedx/testdata/happy/infinite-loop-bom.json index b3d039379709..d1080b4de92a 100644 --- a/pkg/sbom/cyclonedx/testdata/happy/infinite-loop-bom.json +++ b/pkg/sbom/cyclonedx/testdata/happy/infinite-loop-bom.json @@ -5,13 +5,16 @@ "version": 1, "metadata": { "timestamp": "2023-04-06T05:41:44+00:00", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "dev" - } - ], + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + }, "component": { "bom-ref": "pkg:oci/ubuntu@sha256:67211c14fa74f070d27cc59d69a7fa9aeff8e28ea118ef3babc295a0428a6d21?repository_url=index.docker.io%2Flibrary%2Fubuntu\u0026arch=amd64", "type": "container", diff --git a/pkg/sbom/cyclonedx/testdata/happy/kbom.json b/pkg/sbom/cyclonedx/testdata/happy/kbom.json index a843dbdfd212..3219cf7efaf6 100644 --- a/pkg/sbom/cyclonedx/testdata/happy/kbom.json +++ b/pkg/sbom/cyclonedx/testdata/happy/kbom.json @@ -6,13 +6,16 @@ "version": 1, "metadata": { "timestamp": "2023-09-29T06:25:00+00:00", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "0.45.1-15-g7bbd0d097" - } - ], + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + }, "component": { "bom-ref": "pkg:k8s/k8s.io%2Fkubernetes@1.27.4", "type": "platform", 
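Review bot: In kbom.json the tool `version` is changed from `"0.45.1-15-g7bbd0d097"` to `"dev"`, which the move to `tools.components` does not require; the original value was the only fixture here carrying a git-describe style version, so keeping `"version": "0.45.1-15-g7bbd0d097"` retains that coverage. If the change is deliberate, it is unrelated to this commit's purpose and would be clearer as a separate change.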
diff --git a/pkg/sbom/cyclonedx/testdata/happy/os-only-bom.json b/pkg/sbom/cyclonedx/testdata/happy/os-only-bom.json index 820057006668..837c16754211 100644 --- a/pkg/sbom/cyclonedx/testdata/happy/os-only-bom.json +++ b/pkg/sbom/cyclonedx/testdata/happy/os-only-bom.json @@ -5,13 +5,16 @@ "version": 1, "metadata": { "timestamp": "2022-05-28T10:20:03.79527Z", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "dev" - } - ], + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + }, "component": { "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a", "type": "container", diff --git a/pkg/sbom/cyclonedx/testdata/happy/unrelated-bom.json b/pkg/sbom/cyclonedx/testdata/happy/unrelated-bom.json index 5d9231de109d..aecf8e05abfb 100644 --- a/pkg/sbom/cyclonedx/testdata/happy/unrelated-bom.json +++ b/pkg/sbom/cyclonedx/testdata/happy/unrelated-bom.json @@ -5,13 +5,16 @@ "version": 1, "metadata": { "timestamp": "2022-05-28T10:20:03.79527Z", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "dev" - } - ], + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + }, "component": { "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a", "type": "application", diff --git a/pkg/sbom/cyclonedx/testdata/sad/invalid-purl.json b/pkg/sbom/cyclonedx/testdata/sad/invalid-purl.json index 58c9e14c8fff..070da15fbb05 100644 --- a/pkg/sbom/cyclonedx/testdata/sad/invalid-purl.json +++ b/pkg/sbom/cyclonedx/testdata/sad/invalid-purl.json 
@@ -5,13 +5,16 @@ "version": 1, "metadata": { "timestamp": "2022-05-28T10:20:03.79527Z", - "tools": [ - { - "vendor": "aquasecurity", - "name": "trivy", - "version": "dev" - } - ], + "tools": { + "components": [ + { + "type": "application", + "group": "aquasecurity", + "name": "trivy", + "version": "dev" + } + ] + }, "component": { "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a", "type": "application",