feat(cyclonedx-reporter): Add metadata to SBOMs

This increases the score with tools like sbomqs [1]. Also see [2]. [1]: https://github.com/interlynk-io/sbomqs [2]: interlynk-io/sbombenchmark.dev#11 Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
oss-review-toolkit · Aug 24, 2023 · e9f5e0f · e9f5e0f
1 parent 528f3ee
commit e9f5e0f
Show file tree

Hide file tree

Showing 6 changed files with 61 additions and 0 deletions.
diff --git a/...orters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-with-findings.json b/...orters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-with-findings.json
@@ -3,6 +3,15 @@
   "specVersion": "1.4",
   "serialNumber": "urn:uuid:01234567-0123-0123-0123-01234567",
   "version": 1,
+  "metadata": {
+    "timestamp": "1970-01-01T00:00:00Z",
+    "tools": [
+      {
+        "name": "OSS Review Toolkit",
+        "version": "deadbeef"
+      }
+    ]
+  },
   "components": [
     {
       "group": "@ort",

diff --git a/...ers/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-without-findings.json b/...ers/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-without-findings.json
@@ -3,6 +3,15 @@
   "specVersion": "1.4",
   "serialNumber": "urn:uuid:01234567-0123-0123-0123-01234567",
   "version": 1,
+  "metadata": {
+    "timestamp": "1970-01-01T00:00:00Z",
+    "tools": [
+      {
+        "name": "OSS Review Toolkit",
+        "version": "deadbeef"
+      }
+    ]
+  },
   "externalReferences": [
     {
       "type": "website",

diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json
@@ -3,6 +3,15 @@
   "specVersion": "1.4",
   "serialNumber": "urn:uuid:01234567-0123-0123-0123-01234567",
   "version": 1,
+  "metadata": {
+    "timestamp": "1970-01-01T00:00:00Z",
+    "tools": [
+      {
+        "name": "OSS Review Toolkit",
+        "version": "deadbeef"
+      }
+    ]
+  },
   "components": [
     {
       "group": "@ort",

diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml
@@ -1,5 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <bom serialNumber="urn:uuid:01234567-0123-0123-0123-01234567" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
+  <metadata>
+    <timestamp>1970-01-01T00:00:00Z</timestamp>
+    <tools>
+      <tool>
+        <name>OSS Review Toolkit</name>
+        <version>deadbeef</version>
+      </tool>
+    </tools>
+  </metadata>
   <components>
     <component type="library">
       <group>@ort</group>

diff --git a/plugins/reporters/cyclonedx/src/funTest/kotlin/CycloneDxReporterFunTest.kt b/plugins/reporters/cyclonedx/src/funTest/kotlin/CycloneDxReporterFunTest.kt
@@ -174,5 +174,13 @@ private fun String.patchCycloneDxResult(): String {
         .replaceFirst(
             """urn:uuid:[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}""".toRegex(),
             "urn:uuid:01234567-0123-0123-0123-01234567"
+        )
+        .replaceFirst(
+            """(timestamp[>"](\s*:\s*")?)\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z""".toRegex(),
+            "$11970-01-01T00:00:00Z"
+        )
+        .replaceFirst(
+            """(version[>"](\s*:\s*")?)[\w.-]+""".toRegex(),
+            "$1deadbeef"
         ) + substring(headerEnd)
 }
diff --git a/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt b/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt
@@ -21,6 +21,7 @@ package org.ossreviewtoolkit.plugins.reporters.cyclonedx
 
 import java.io.File
 import java.util.Base64
+import java.util.Date
 import java.util.SortedSet
 import java.util.UUID
 
@@ -34,6 +35,8 @@ import org.cyclonedx.model.ExternalReference
 import org.cyclonedx.model.Hash
 import org.cyclonedx.model.License
 import org.cyclonedx.model.LicenseChoice
+import org.cyclonedx.model.Metadata
+import org.cyclonedx.model.Tool
 
 import org.ossreviewtoolkit.model.FileFormat
 import org.ossreviewtoolkit.model.LicenseSource
@@ -44,6 +47,8 @@ import org.ossreviewtoolkit.model.utils.toPurl
 import org.ossreviewtoolkit.reporter.Reporter
 import org.ossreviewtoolkit.reporter.ReporterInput
 import org.ossreviewtoolkit.utils.common.isFalse
+import org.ossreviewtoolkit.utils.ort.Environment
+import org.ossreviewtoolkit.utils.ort.ORT_FULL_NAME
 import org.ossreviewtoolkit.utils.ort.ORT_NAME
 import org.ossreviewtoolkit.utils.spdx.SpdxLicense
 
@@ -148,9 +153,20 @@ class CycloneDxReporter : Reporter {
             ?.mapTo(mutableSetOf()) { FileFormat.valueOf(it.uppercase()) }
             ?: setOf(FileFormat.XML)
 
+        val metadata = Metadata().apply {
+            timestamp = Date()
+            tools = listOf(
+                Tool().apply {
+                    name = ORT_FULL_NAME
+                    version = Environment.ORT_VERSION
+                }
+            )
+        }
+
         if (createSingleBom) {
             val bom = Bom().apply {
                 serialNumber = "urn:uuid:${UUID.randomUUID()}"
+                this.metadata = metadata
                 components = mutableListOf()
             }
 
@@ -187,6 +203,7 @@ class CycloneDxReporter : Reporter {
             projects.forEach { project ->
                 val bom = Bom().apply {
                     serialNumber = "urn:uuid:${UUID.randomUUID()}"
+                    this.metadata = metadata
                     components = mutableListOf()
                 }