Merge pull request #337 from CycloneDX/next

Add support for v1.5

.gitignore

@@ -8,3 +8,4 @@ coverage-report/
 coverage.cobertura.xml
 **/__snapshots__/__mismatch__/
 *.user
+.DS_Store

src/cyclonedx/Commands/Add/AddFilesCommand.cs

@@ -34,10 +34,10 @@ namespace CycloneDX.Cli.Commands.Add
 {
     public static class AddFilesCommand
     {
-        public static void Configure(Command rootCommand)
+        public static void Configure(System.CommandLine.Command rootCommand)
         {
             Contract.Requires(rootCommand != null);
-            var subCommand = new Command("files", "Add files to a BOM");
+            var subCommand = new System.CommandLine.Command("files", "Add files to a BOM");
             subCommand.Add(new Option<string>("--input-file", "Input BOM filename."));
             subCommand.Add(new Option<bool>("--no-input", "Use this option to indicate that there is no input BOM."));
             subCommand.Add(new Option<string>("--output-file", "Output BOM filename, will write to stdout if no value provided."));
@@ -55,10 +55,9 @@ public static async Task<int> AddFiles(AddFilesCommandOptions options)
             Contract.Requires(options != null);
             var outputToConsole = string.IsNullOrEmpty(options.OutputFile);
 
-            var thisTool = new Tool
+            var thisTool = new Component
             {
                 Name = "CycloneDX CLI",
-                Vendor = "CycloneDX",
                 Version = Assembly.GetExecutingAssembly().GetName().Version.ToString(),
             };
 
@@ -68,9 +67,10 @@ public static async Task<int> AddFiles(AddFilesCommandOptions options)
             if (bom.SerialNumber is null) bom.SerialNumber = "urn:uuid:" + System.Guid.NewGuid().ToString();
             if (bom.Metadata is null) bom.Metadata = new Metadata();
             bom.Metadata.Timestamp = DateTime.UtcNow;
-            if (bom.Metadata.Tools is null) bom.Metadata.Tools = new List<Tool>();
-            if (!bom.Metadata.Tools.Exists(tool => tool.Name == thisTool.Name && tool.Version == thisTool.Version))
-                bom.Metadata.Tools.Add(thisTool);
+            if (bom.Metadata.Tools is null) bom.Metadata.Tools = new ToolChoices();
+            if (bom.Metadata.Tools.Components is null) bom.Metadata.Tools.Components = new List<Component>();
+            if (!bom.Metadata.Tools.Components.Exists(tool => tool.Name == thisTool.Name && tool.Version == thisTool.Version))
+                bom.Metadata.Tools.Components.Add(thisTool);
 
             if (options.OutputFormat == CycloneDXBomFormat.autodetect) options.OutputFormat = CliUtils.AutoDetectBomFormat(options.OutputFile);
             if (options.OutputFormat == CycloneDXBomFormat.autodetect)

src/cyclonedx/Commands/MergeCommand.cs

@@ -30,7 +30,7 @@ public static class MergeCommand
         public static void Configure(RootCommand rootCommand)
         {
             Contract.Requires(rootCommand != null);
-            var subCommand = new Command("merge", "Merge two or more BOMs");
+            var subCommand = new System.CommandLine.Command("merge", "Merge two or more BOMs");
             subCommand.Add(new Option<List<string>>("--input-files", "Input BOM filenames (separate filenames with a space)."));
             subCommand.Add(new Option<string>("--output-file", "Output BOM filename, will write to stdout if no value provided."));
             subCommand.Add(new Option<CycloneDXBomFormat>("--input-format", "Specify input file format."));

src/cyclonedx/Commands/ValidateCommand.cs

@@ -32,7 +32,7 @@ public static class ValidateCommand
         public static void Configure(RootCommand rootCommand)
         {
             Contract.Requires(rootCommand != null);
-            var subCommand = new Command("validate", "Validate a BOM");
+            var subCommand = new System.CommandLine.Command("validate", "Validate a BOM");
             subCommand.Add(new Option<string>("--input-file", "Input BOM filename, will read from stdin if no value provided."));
             subCommand.Add(new Option<ValidationBomFormat>("--input-format", "Specify input file format."));
             subCommand.Add(new Option<SpecificationVersion?>("--input-version", "Specify input file specification version (defaults to v1.4)"));
@@ -75,7 +75,11 @@ public static async Task<int> Validate(ValidateCommandOptions options)
             }
             else if (options.InputFormat == ValidationBomFormat.xml)
             {
-                validationResult = Xml.Validator.Validate(inputBom, SpecificationVersion.v1_4);
+                validationResult = Xml.Validator.Validate(inputBom, SpecificationVersion.v1_5);
+                if (!validationResult.Valid)
+                {
+                    validationResult = Xml.Validator.Validate(inputBom, SpecificationVersion.v1_4);
+                }
                 if (!validationResult.Valid)
                 {
                     validationResult = Xml.Validator.Validate(inputBom, SpecificationVersion.v1_3);
@@ -102,7 +106,11 @@ public static async Task<int> Validate(ValidateCommandOptions options)
             }
             else if (options.InputFormat == ValidationBomFormat.json)
             {
-                validationResult = Json.Validator.Validate(inputBom, SpecificationVersion.v1_4);
+                validationResult = Json.Validator.Validate(inputBom, SpecificationVersion.v1_5);
+                if (!validationResult.Valid)
+                {
+                    validationResult = Json.Validator.Validate(inputBom, SpecificationVersion.v1_4);
+                }
                 if (!validationResult.Valid)
                 {
                     validationResult = Json.Validator.Validate(inputBom, SpecificationVersion.v1_3);

src/cyclonedx/Serialization/CsvSerializer.cs

@@ -175,8 +175,8 @@ public static Bom Deserialize(string csv)
                             TagId = csvReader.GetField("SwidTagId").NullIfWhiteSpace(),
                             Name = csvReader.GetField("SwidName").NullIfWhiteSpace(),
                             Version = csvReader.GetField("SwidVersion").NullIfWhiteSpace(),
-                            TagVersion = csvReader.GetField<int?>("SwidTagVersion"),
-                            Patch = csvReader.GetField<bool?>("SwidPatch"),
+                            TagVersion = csvReader.GetField<int?>("SwidTagVersion").GetValueOrDefault(),
+                            Patch = csvReader.GetField<bool?>("SwidPatch").GetValueOrDefault(),
                             Text = new AttachedText
                             {
                                 ContentType = csvReader.GetField("SwidTextContentType").NullIfWhiteSpace(),

src/cyclonedx/cyclonedx.csproj

@@ -3,7 +3,7 @@
   <PropertyGroup>
     <OutputType>Exe</OutputType>
     <TargetFramework>net6.0</TargetFramework>
-    <PublishTrimmed>true</PublishTrimmed>
+<!--    <PublishTrimmed>true</PublishTrimmed>-->
     <AnalysisMode>AllEnabledByDefault</AnalysisMode>
     <RuntimeIdentifiers>linux-x64;linux-musl-x64;linux-arm;linux-arm64;win-x64;win-x86;win-arm;win-arm64;osx-x64;osx-arm64</RuntimeIdentifiers>
   </PropertyGroup>
@@ -15,8 +15,8 @@
   <ItemGroup>
     <PackageReference Include="CoderPatros.AntPathMatching" Version="0.1.1" />
     <PackageReference Include="CsvHelper" Version="29.0.0" />
-    <PackageReference Include="CycloneDX.Utils" Version="5.2.3" />
-    <PackageReference Include="CycloneDX.Spdx.Interop" Version="5.2.3" />
+    <PackageReference Include="CycloneDX.Utils" Version="6.0.0" />
+    <PackageReference Include="CycloneDX.Spdx.Interop" Version="6.0.0" />
     <PackageReference Include="System.CommandLine" Version="2.0.0-beta1.21308.1" />
     <PackageReference Include="System.Security.Cryptography.Xml" Version="6.0.1" />
   </ItemGroup>

tests/cyclonedx.tests/ConvertTests.cs

@@ -60,11 +60,21 @@ public class ConvertTests
         [InlineData("bom-1.4.xml", ConvertFormat.xml, "bom.xml", ConvertFormat.xml, null)]
         [InlineData("bom-1.4.xml", ConvertFormat.xml, "bom.xml", ConvertFormat.xml, SpecificationVersion.v1_4)]
 
+        [InlineData("bom-1.5.xml", ConvertFormat.autodetect, "bom.xml", ConvertFormat.autodetect, null)]
+        [InlineData("bom-1.5.xml", ConvertFormat.xml, "bom.xml", ConvertFormat.autodetect, null)]
+        [InlineData("bom-1.5.xml", ConvertFormat.xml, "bom.xml", ConvertFormat.xml, null)]
+        [InlineData("bom-1.5.xml", ConvertFormat.xml, "bom.xml", ConvertFormat.xml, SpecificationVersion.v1_5)]
+
         [InlineData("bom-1.4.json", ConvertFormat.autodetect, "bom.json", ConvertFormat.autodetect, null)]
         [InlineData("bom-1.4.json", ConvertFormat.json, "bom.json", ConvertFormat.autodetect, null)]
         [InlineData("bom-1.4.json", ConvertFormat.json, "bom.json", ConvertFormat.json, null)]
         [InlineData("bom-1.4.json", ConvertFormat.json, "bom.json", ConvertFormat.json, SpecificationVersion.v1_4)]
 
+        [InlineData("bom-1.5.json", ConvertFormat.autodetect, "bom.json", ConvertFormat.autodetect, null)]
+        [InlineData("bom-1.5.json", ConvertFormat.json, "bom.json", ConvertFormat.autodetect, null)]
+        [InlineData("bom-1.5.json", ConvertFormat.json, "bom.json", ConvertFormat.json, null)]
+        [InlineData("bom-1.5.json", ConvertFormat.json, "bom.json", ConvertFormat.json, SpecificationVersion.v1_5)]
+
         [InlineData("bom.csv", ConvertFormat.autodetect, "bom.csv", ConvertFormat.autodetect, null)]
         [InlineData("bom.csv", ConvertFormat.csv, "bom.csv", ConvertFormat.autodetect, null)]
         [InlineData("bom.csv", ConvertFormat.csv, "bom.csv", ConvertFormat.csv, null)]

tests/cyclonedx.tests/Resources/CsvSerializer/valid-component-types.csv

@@ -3,7 +3,7 @@ Application,,,,,,application-a,1.0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
 Library,,,,,,library-a,1.0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
 Framework,,,,,,framework-a,1.0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
 Container,,,,,,container-a,1.0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
-OperationSystem,,,,,,operating-system-a,1.0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
+Operating_System,,,,,,operating-system-a,1.0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
 Firmware,,,,,,firmware-a,1.0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
 Device,,,,,,device-a,1.0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
 File,,,,,,file-a,1.0,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

tests/cyclonedx.tests/Resources/bom-1.5.json

@@ -0,0 +1,177 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2020-04-13T20:20:39+00:00",
+    "tools": [
+      {
+        "vendor": "Awesome Vendor",
+        "name": "Awesome Tool",
+        "version": "9.1.2",
+        "hashes": [
+          {
+            "alg": "SHA-1",
+            "content": "25ed8e31b995bb927966616df2a42b979a2717f0"
+          },
+          {
+            "alg": "SHA-256",
+            "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
+          }
+        ]
+      }
+    ],
+    "authors": [
+      {
+        "name": "Samantha Wright",
+        "email": "samantha.wright@example.com",
+        "phone": "800-555-1212"
+      }
+    ],
+    "component": {
+      "type": "application",
+      "author": "Acme Super Heros",
+      "name": "Acme Application",
+      "version": "9.1.1",
+      "swid": {
+        "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1",
+        "name": "Acme Application",
+        "version": "9.1.1",
+        "text": {
+          "contentType": "text/xml",
+          "encoding": "base64",
+          "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg=="
+        }
+      }
+    },
+    "manufacture": {
+      "name": "Acme, Inc.",
+      "url": [
+        "https://example.com"
+      ],
+      "contact": [
+        {
+          "name": "Acme Professional Services",
+          "email": "professional.services@example.com"
+        }
+      ]
+    },
+    "supplier": {
+      "name": "Acme, Inc.",
+      "url": [
+        "https://example.com"
+      ],
+      "contact": [
+        {
+          "name": "Acme Distribution",
+          "email": "distribution@example.com"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:npm/acme/component@1.0.0",
+      "type": "library",
+      "publisher": "Acme Inc",
+      "group": "com.acme",
+      "name": "tomcat-catalina",
+      "version": "9.0.14",
+      "hashes": [
+        {
+          "alg": "MD5",
+          "content": "3942447fac867ae5cdb3229b658f4d48"
+        },
+        {
+          "alg": "SHA-1",
+          "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+        },
+        {
+          "alg": "SHA-256",
+          "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+        },
+        {
+          "alg": "SHA-512",
+          "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "text": {
+              "contentType": "text/plain",
+              "encoding": "base64",
+              "content": "License text here"
+            },
+            "url": "https://www.apache.org/licenses/LICENSE-2.0.txt"
+          }
+        }
+      ],
+      "purl": "pkg:npm/acme/component@1.0.0",
+      "pedigree": {
+        "ancestors": [
+          {
+            "type": "library",
+            "publisher": "Acme Inc",
+            "group": "com.acme",
+            "name": "tomcat-catalina",
+            "version": "9.0.14"
+          },
+          {
+            "type": "library",
+            "publisher": "Acme Inc",
+            "group": "com.acme",
+            "name": "tomcat-catalina",
+            "version": "9.0.14"
+          }
+        ],
+        "commits": [
+          {
+            "uid": "7638417db6d59f3c431d3e1f261cc637155684cd",
+            "url": "https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd",
+            "author": {
+              "timestamp": "2018-11-13T20:20:39+00:00",
+              "name": "me",
+              "email": "me@acme.org"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "type": "library",
+      "supplier": {
+        "name": "Example, Inc.",
+        "url": [
+          "https://example.com",
+          "https://example.net"
+        ],
+        "contact": [
+          {
+            "name": "Example Support AMER Distribution",
+            "email": "support@example.com",
+            "phone": "800-555-1212"
+          },
+          {
+            "name": "Example Support APAC",
+            "email": "support@apac.example.com"
+          }
+        ]
+      },
+      "author": "Example Super Heros",
+      "group": "org.example",
+      "name": "mylibrary",
+      "version": "1.0.0"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:npm/acme/component@1.0.0",
+      "dependsOn": [
+        "pkg:npm/acme/component@1.0.0"
+      ]
+    }
+  ]
+}

tests/cyclonedx.tests/ValidateTests.cs

@@ -44,6 +44,9 @@ public class ValidateTests
         [InlineData("bom-1.4.xml", ValidationBomFormat.autodetect, null, true)]
         [InlineData("bom-1.4.xml", ValidationBomFormat.xml, SpecificationVersion.v1_4, true)]
 
+        [InlineData("bom-1.5.xml", ValidationBomFormat.autodetect, null, true)]
+        [InlineData("bom-1.5.xml", ValidationBomFormat.xml, SpecificationVersion.v1_5, true)]
+
         [InlineData("bom-1.2.json", ValidationBomFormat.autodetect, null, true)]
         [InlineData("bom-1.2.json", ValidationBomFormat.autodetect, SpecificationVersion.v1_3, false)]
 
@@ -55,6 +58,9 @@ public class ValidateTests
 
         [InlineData("bom-1.4.json", ValidationBomFormat.autodetect, null, true)]
         [InlineData("bom-1.4.json", ValidationBomFormat.json, SpecificationVersion.v1_4, true)]
+
+        [InlineData("bom-1.5.json", ValidationBomFormat.autodetect, null, true)]
+        [InlineData("bom-1.5.json", ValidationBomFormat.json, SpecificationVersion.v1_5, true)]
         public async Task Validate(string inputFilename, ValidationBomFormat inputFormat, SpecificationVersion? inputVersion, bool valid)
         {
             var exitCode = await ValidateCommand.Validate(new ValidateCommandOptions

tests/cyclonedx.tests/__snapshots__/ConvertTests.ConvertFromSpdxJson_autodetect.snap

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://cyclonedx.org/schema/bom/1.4">
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://cyclonedx.org/schema/bom/1.5">
   <metadata>
     <timestamp>2010-01-29T18:30:22Z</timestamp>
     <tools>

tests/cyclonedx.tests/__snapshots__/ConvertTests.ConvertFromSpdxJson_spdxjson.snap

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://cyclonedx.org/schema/bom/1.4">
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://cyclonedx.org/schema/bom/1.5">
   <metadata>
     <timestamp>2010-01-29T18:30:22Z</timestamp>
     <tools>

tests/cyclonedx.tests/__snapshots__/ConvertTests.Convert_bom-1.0.xml_autodetect_bom.xml_autodetect_.snap

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
   <components>
     <component type="application">
       <group>org.example</group>

tests/cyclonedx.tests/__snapshots__/ConvertTests.Convert_bom-1.0.xml_xml_bom.xml_autodetect_.snap

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
   <components>
     <component type="application">
       <group>org.example</group>

tests/cyclonedx.tests/__snapshots__/ConvertTests.Convert_bom-1.1.xml_autodetect_bom.xml_autodetect_.snap

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
   <components>
     <component type="application">
       <publisher>Acme Inc</publisher>

tests/cyclonedx.tests/__snapshots__/ConvertTests.Convert_bom-1.1.xml_xml_bom.xml_autodetect_.snap

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
   <components>
     <component type="application">
       <publisher>Acme Inc</publisher>