From e7e4de64095d54df0fc58059c1d643b9ef888961 Mon Sep 17 00:00:00 2001 From: attiasas Date: Sun, 31 May 2026 15:33:56 +0300 Subject: [PATCH 1/6] Use default v1.6 of cdx spec --- artifactory_test.go | 2 +- commands/upload/uploadcdx.go | 2 +- commands/upload/uploadcdx_test.go | 4 +-- go.mod | 2 -- go.sum | 4 +-- sca/bom/buildinfo/buildinfobom.go | 2 +- sca/bom/indexer/indexerbom.go | 2 +- utils/formats/cdxutils/cyclonedxutils.go | 36 +++++++++++++++++++ utils/formats/cdxutils/cyclonedxutils_test.go | 6 ++-- .../githubsnapshotconvertor_test.go | 2 +- utils/results/common.go | 4 +-- utils/results/common_test.go | 6 ++-- .../cyclonedxparser/cyclonedxparser.go | 4 +-- utils/utils.go | 15 -------- 14 files changed, 55 insertions(+), 36 deletions(-) diff --git a/artifactory_test.go b/artifactory_test.go index 0c3f8d130..a8356188a 100644 --- a/artifactory_test.go +++ b/artifactory_test.go @@ -309,7 +309,7 @@ func generateTestRepoName() string { func getTestCdxFile(t *testing.T, tempDir string) string { // Create the cyclonedx BOM - bom := cyclonedx.NewBOM() + bom := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) fileComponent := cdxutils.CreateFileOrDirComponent(tempDir) bom.Metadata = &cyclonedx.Metadata{ Component: &fileComponent, diff --git a/commands/upload/uploadcdx.go b/commands/upload/uploadcdx.go index d10870a77..50591dc8b 100644 --- a/commands/upload/uploadcdx.go +++ b/commands/upload/uploadcdx.go @@ -150,7 +150,7 @@ func validateInputFile(cdxFilePath string) (err error) { return fmt.Errorf("provided path '%s' is not existing file", cdxFilePath) } // check if the file is a valid cdx file - bom, err := utils.ReadSbomFromFile(cdxFilePath) + bom, err := cdxutils.ReadSbomFromFile(cdxFilePath) if err != nil || bom == nil { return fmt.Errorf("provided file %s is not a valid CycloneDX SBOM: %w", cdxFilePath, err) } diff --git a/commands/upload/uploadcdx_test.go b/commands/upload/uploadcdx_test.go index 135576281..666cccb68 100644 --- a/commands/upload/uploadcdx_test.go 
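Review bot: The `bom == nil` arm of `if err != nil || bom == nil` is unreachable with the `ReadSbomFromFile` this series adds (it returns a non-nil BOM whenever err is nil), and if it ever did fire the `%w` verb would wrap a nil error and print `%!w(<nil>)` in the message. More importantly, a successful decode only proves the file was parseable JSON — presumably `Decode` does not check `bomFormat` or `specVersion` — so an empty `{}` would pass as a "valid CycloneDX SBOM" and be uploaded. I'd replace the nil test with a format check, `if err != nil || bom.BOMFormat != cyclonedx.BOMFormat {`, and give the second case its own message instead of wrapping a nil err (importing the cyclonedx package here if it is not already). validateInputFile starts before this hunk.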
+++ b/commands/upload/uploadcdx_test.go @@ -18,7 +18,7 @@ func TestValidateInputFile(t *testing.T) { // Create a valid CycloneDX file for testing validCdxFilePath := filepath.Join(tempDirPath, "some_results.cdx.json") fileComponent := cdxutils.CreateFileOrDirComponent(filepath.Join("a", "directory", "file.txt")) - cdx := cyclonedx.NewBOM() + cdx := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) cdx.Metadata = &cyclonedx.Metadata{ Component: &fileComponent, } @@ -69,7 +69,7 @@ func TestGenerateURLFromPath(t *testing.T) { // Create a valid CycloneDX file for testing validCdxFilePath := filepath.Join(tempDirPath, "valid_cdx.json") fileComponent := cdxutils.CreateFileOrDirComponent(filepath.Join("a", "directory", "file.txt")) - cdx := cyclonedx.NewBOM() + cdx := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) cdx.Metadata = &cyclonedx.Metadata{ Component: &fileComponent, } diff --git a/go.mod b/go.mod index 10d3b0c80..0db3d6921 100644 --- a/go.mod +++ b/go.mod @@ -153,8 +153,6 @@ require ( // replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go master -replace github.com/CycloneDX/cyclonedx-go => github.com/CycloneDX/cyclonedx-go v0.10.0 - // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 master //replace github.com/jfrog/jfrog-cli-artifactory => github.com/jfrog/jfrog-cli-artifactory main diff --git a/go.sum b/go.sum index 967a857f0..de2fb7b77 100644 --- a/go.sum +++ b/go.sum 
@@ -4,8 +4,8 @@ dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk= github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= -github.com/CycloneDX/cyclonedx-go v0.10.0 h1:7xyklU7YD+CUyGzSFIARG18NYLsKVn4QFg04qSsu+7Y= -github.com/CycloneDX/cyclonedx-go v0.10.0/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8= +github.com/CycloneDX/cyclonedx-go v0.11.0 h1:GokP8FiRC+foiuwWhSSLpSD5H4hSWtGnR3wo7apkBFI= +github.com/CycloneDX/cyclonedx-go v0.11.0/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= diff --git a/sca/bom/buildinfo/buildinfobom.go b/sca/bom/buildinfo/buildinfobom.go index a8d504812..8d825470a 100644 --- a/sca/bom/buildinfo/buildinfobom.go +++ b/sca/bom/buildinfo/buildinfobom.go @@ -89,7 +89,7 @@ func (b *BuildInfoBomGenerator) CleanUp() error { func (b *BuildInfoBomGenerator) GenerateSbom(target results.ScanTarget) (sbom *cyclonedx.BOM, err error) { // Create the CycloneDX BOM - sbom = cyclonedx.NewBOM() + sbom = cdxutils.NewBOM(cyclonedx.SpecVersion1_6) wdComponent := cdxutils.CreateFileOrDirComponent(target.Target) sbom.Metadata = &cyclonedx.Metadata{Component: &wdComponent} diff --git a/sca/bom/indexer/indexerbom.go b/sca/bom/indexer/indexerbom.go index a468d0002..142c9d83b 100644 --- a/sca/bom/indexer/indexerbom.go +++ b/sca/bom/indexer/indexerbom.go 
@@ -110,7 +110,7 @@ func (ibg *IndexerBomGenerator) GenerateSbom(target results.ScanTarget) (sbom *c func CreateTargetEmptySbom(target results.ScanTarget) *cyclonedx.BOM { // Create an empty CycloneDX BOM for the target - sbom := cyclonedx.NewBOM() + sbom := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) binaryFileComponent := cdxutils.CreateFileOrDirComponent(target.Target) sbom.Metadata = &cyclonedx.Metadata{Component: &binaryFileComponent} return sbom diff --git a/utils/formats/cdxutils/cyclonedxutils.go b/utils/formats/cdxutils/cyclonedxutils.go index 5e9a06d15..0842dc672 100644 --- a/utils/formats/cdxutils/cyclonedxutils.go +++ b/utils/formats/cdxutils/cyclonedxutils.go @@ -1,7 +1,9 @@ package cdxutils import ( + "errors" "fmt" + "os" "path/filepath" "regexp" "slices" @@ -14,6 +16,7 @@ import ( "github.com/jfrog/gofrog/datastructures" + "github.com/jfrog/jfrog-client-go/utils/errorutils" "github.com/jfrog/jfrog-client-go/utils/log" "github.com/jfrog/jfrog-cli-security/utils" 
@@ -50,6 +53,39 @@ const ( type ComponentRelation string +func NewBOM(specVersion cyclonedx.SpecVersion) *cyclonedx.BOM { + if specVersion < cyclonedx.SpecVersion1_6 { + log.Error("Unsupported spec version: ", specVersion) + return nil + } + if specVersion == cyclonedx.SpecVersion1_7 { + // Default spec version is 1.7 + return cyclonedx.NewBOM() + } + return &cyclonedx.BOM{ + JSONSchema: "http://cyclonedx.org/schema/bom-1.6.schema.json", + XMLNS: "http://cyclonedx.org/schema/bom/1.6", + BOMFormat: cyclonedx.BOMFormat, + SpecVersion: cyclonedx.SpecVersion1_6, + Version: 1, + } +} + +func ReadSbomFromFile(cdxFilePath string) (bom *cyclonedx.BOM, err error) { + bom = cyclonedx.NewBOM() + file, err := os.Open(cdxFilePath) + if errorutils.CheckError(err) != nil { + return nil, fmt.Errorf("failed to open cdx file %s: %w", cdxFilePath, err) + } + defer func() { + err = errors.Join(err, file.Close()) + }() + if err = cyclonedx.NewBOMDecoder(file, cyclonedx.BOMFileFormatJSON).Decode(bom); err != nil { + return nil, fmt.Errorf("failed to decode provided cdx file %s: %w", cdxFilePath, err) + } + return bom, nil +} + func GetProperty(properties *[]cyclonedx.Property, name string) *cyclonedx.Property { if properties == nil || len(*properties) == 0 || name == "" { return nil diff --git a/utils/formats/cdxutils/cyclonedxutils_test.go b/utils/formats/cdxutils/cyclonedxutils_test.go index f3851d895..cf4ad8520 100644 --- a/utils/formats/cdxutils/cyclonedxutils_test.go +++ b/utils/formats/cdxutils/cyclonedxutils_test.go @@ -1323,7 +1323,7 @@ func TestGetOrCreateScaIssue(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - bom := cyclonedx.NewBOM() + bom := NewBOM(cyclonedx.SpecVersion1_6) vuln := GetOrCreateScaIssue(bom, tt.params) assert.NotNil(t, vuln) assert.Equal(t, tt.id, vuln.ID) 
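Review bot: `NewBOM` returns nil for any spec version below 1.6, and every caller in this series dereferences the result immediately (`sbom.Metadata = ...` in the generators, `*cdxutils.NewBOM(...)` in cyclonedxparser.go), so an unsupported version becomes a nil-pointer panic after a log line rather than a reported error. Versions above 1.7 are also silently downgraded to the hand-built 1.6 envelope, because only the `== cyclonedx.SpecVersion1_7` case reaches `cyclonedx.NewBOM()`. Since all callers pass compile-time constants, I'd make the failure explicit — `panic(fmt.Sprintf("unsupported CycloneDX spec version %v", specVersion))` — and use `>= cyclonedx.SpecVersion1_7` for the library-default branch. The exported function also needs a doc comment, e.g. `// NewBOM returns an empty BOM envelope for specVersion; 1.6 is built by hand because cyclonedx.NewBOM defaults to 1.7.`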
@@ -1361,7 +1361,7 @@ func TestSearchVulnerabilityByRef(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - bom := cyclonedx.NewBOM() + bom := NewBOM(cyclonedx.SpecVersion1_6) for _, p := range tt.params { GetOrCreateScaIssue(bom, p) } @@ -1473,7 +1473,7 @@ func TestUpdateOrAppendVulnerabilitiesRatingsAndSearchRating(t *testing.T) { } func TestExclude(t *testing.T) { - bom := cyclonedx.NewBOM() + bom := NewBOM(cyclonedx.SpecVersion1_6) bom.Components = &[]cyclonedx.Component{ {BOMRef: "root", Type: cyclonedx.ComponentTypeLibrary}, {BOMRef: "comp1", PackageURL: "pkg:comp1", Type: cyclonedx.ComponentTypeLibrary}, diff --git a/utils/formats/snapshotconvertor/githubsnapshotconvertor_test.go b/utils/formats/snapshotconvertor/githubsnapshotconvertor_test.go index 951c50171..879cb3b7f 100644 --- a/utils/formats/snapshotconvertor/githubsnapshotconvertor_test.go +++ b/utils/formats/snapshotconvertor/githubsnapshotconvertor_test.go @@ -266,7 +266,7 @@ func TestCreateGithubSnapshotFromSbom(t *testing.T) { // createTestBOM creates a test BOM with the specified components and dependencies func createTestBOM(components []cyclonedx.Component, dependencies []cyclonedx.Dependency) *cdxutils.FullBOM { - innerBom := cyclonedx.NewBOM() + innerBom := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) if len(components) > 0 { innerBom.Components = &components } diff --git a/utils/results/common.go b/utils/results/common.go index 8003cf153..bd923065d 100644 --- a/utils/results/common.go +++ b/utils/results/common.go 
@@ -922,7 +922,7 @@ func SearchTargetResultsByRelativePath(relativeTarget string, resultsToCompare * func DepsTreeToSbom(trees ...*xrayUtils.GraphNode) (components *[]cyclonedx.Component, dependencies *[]cyclonedx.Dependency) { parsed := datastructures.MakeSet[string]() - bom := cyclonedx.NewBOM() + bom := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) bom.Components = &[]cyclonedx.Component{} bom.Dependencies = &[]cyclonedx.Dependency{} for _, root := range trees { @@ -940,7 +940,7 @@ func DepsTreeToSbom(trees ...*xrayUtils.GraphNode) (components *[]cyclonedx.Comp } func getDataFromNode(node *xrayUtils.GraphNode, parsed *datastructures.Set[string]) (*[]cyclonedx.Component, *[]cyclonedx.Dependency) { - bom := cyclonedx.NewBOM() + bom := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) bom.Components = &[]cyclonedx.Component{} bom.Dependencies = &[]cyclonedx.Dependency{} if parsed.Exists(node.Id) { diff --git a/utils/results/common_test.go b/utils/results/common_test.go index 2cb74c40c..1a55f4ae9 100644 --- a/utils/results/common_test.go +++ b/utils/results/common_test.go @@ -1805,7 +1805,7 @@ func TestBomToFlatTree(t *testing.T) { }{ { name: "No components", - bom: cyclonedx.NewBOM(), + bom: cdxutils.NewBOM(cyclonedx.SpecVersion1_6), expected: &xrayUtils.GraphNode{Id: "root"}, }, { @@ -2839,7 +2839,7 @@ func TestScanResponseToSbom(t *testing.T) { for _, test := range tests { t.Run(test.name, func(t *testing.T) { // Prepare expected - expected := cyclonedx.NewBOM() + expected := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) expected.Components = test.expected.Components expected.Dependencies = test.expected.Dependencies expected.Vulnerabilities = test.expected.Vulnerabilities 
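Review bot: In `DepsTreeToSbom` and `getDataFromNode` the BOM appears to be only a carrier for `bom.Components` and `bom.Dependencies`, so the spec version chosen here has no effect on the returned slices and the envelope fields (`JSONSchema`, `XMLNS`, `Version`) are filled in and discarded. Two local slice variables, `components := &[]cyclonedx.Component{}` and `dependencies := &[]cyclonedx.Dependency{}`, would say what the code means and remove these two call sites from the spec-version bump. Both function bodies continue past the hunk, so I may be missing a later use of the envelope.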
@@ -2854,7 +2854,7 @@ func TestScanResponseToSbom(t *testing.T) { } } // Run test - destination := cyclonedx.NewBOM() + destination := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) assert.NoError(t, ScanResponseToSbom(destination, test.response)) // Sort affects in vulnerabilities for consistent comparison if destination.Vulnerabilities != nil { diff --git a/utils/results/conversion/cyclonedxparser/cyclonedxparser.go b/utils/results/conversion/cyclonedxparser/cyclonedxparser.go index f2b612173..7e2af5472 100644 --- a/utils/results/conversion/cyclonedxparser/cyclonedxparser.go +++ b/utils/results/conversion/cyclonedxparser/cyclonedxparser.go @@ -54,7 +54,7 @@ func NewCmdResultsCycloneDxConverter(parseSast bool) *CmdResultsCycloneDxConvert func (cdc *CmdResultsCycloneDxConverter) Get() (bom *cdxutils.FullBOM, err error) { if cdc.bom == nil { - return &cdxutils.FullBOM{BOM: *cyclonedx.NewBOM()}, nil + return &cdxutils.FullBOM{BOM: *cdxutils.NewBOM(cyclonedx.SpecVersion1_6)}, nil } bom = cdc.bom bom.Metadata.Component, err = cdc.getMetadataComponent() @@ -80,7 +80,7 @@ func (cdc *CmdResultsCycloneDxConverter) Reset(metadata results.ResultsMetaData, cdc.gitContext = metadata.GitContext cdc.xrayVersion = metadata.XrayVersion // Reset the BOM - cdc.bom = &cdxutils.FullBOM{BOM: *cyclonedx.NewBOM()} + cdc.bom = &cdxutils.FullBOM{BOM: *cdxutils.NewBOM(cyclonedx.SpecVersion1_6)} cdc.bom.SerialNumber = cdxutils.GetSerialNumber(metadata.MultiScanId) cdc.bom.Metadata = &cyclonedx.Metadata{ Timestamp: time.Now().Format(time.RFC3339), diff --git a/utils/utils.go b/utils/utils.go index 4c9ea12b8..92617d778 100644 --- a/utils/utils.go +++ b/utils/utils.go 
@@ -312,21 +312,6 @@ func splitEnvVar(envVar string) (key, value string) { return split[0], strings.Join(split[1:], "=") } -func ReadSbomFromFile(cdxFilePath string) (bom *cyclonedx.BOM, err error) { - bom = cyclonedx.NewBOM() - file, err := os.Open(cdxFilePath) - if errorutils.CheckError(err) != nil { - return nil, fmt.Errorf("failed to open cdx file %s: %w", cdxFilePath, err) - } - defer func() { - err = errors.Join(err, file.Close()) - }() - if err = cyclonedx.NewBOMDecoder(file, cyclonedx.BOMFileFormatJSON).Decode(bom); err != nil { - return nil, fmt.Errorf("failed to decode provided cdx file %s: %w", cdxFilePath, err) - } - return bom, nil -} - func DumpCdxContentToFile(bom *cyclonedx.BOM, scanResultsOutputDir, filePrefix string, threadId int) (pathToSave string, err error) { logPrefix := "" if threadId >= 0 { From b3beed682fcb8b2e6f76a1f66ea19d8dbfd31120 Mon Sep 17 00:00:00 2001 From: attiasas Date: Sun, 31 May 2026 16:23:52 +0300 Subject: [PATCH 2/6] fix skip tests --- artifactory_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/artifactory_test.go b/artifactory_test.go index a8356188a..d96470693 100644 --- a/artifactory_test.go +++ b/artifactory_test.go @@ -119,7 +119,7 @@ func TestDependencyResolutionFromArtifactory(t *testing.T) { for _, testCase := range testCases { t.Run(testCase.projectType.String(), func(t *testing.T) { if testCase.skipMsg != "" { - securityTestUtils.SkipTestIfDurationNotPassed(t, "01-04-2026", 60, testCase.skipMsg) + securityTestUtils.SkipTestIfDurationNotPassed(t, "05-31-2026", 60, testCase.skipMsg) } testSingleTechDependencyResolution(t, testCase.testProjectPath, testCase.resolveRepoName, testCase.cacheRepoName, testCase.projectType) }) From 2d3cc437f200fc9e3230e0183bb44e63bc63663c Mon Sep 17 00:00:00 2001 
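Review bot: The new date `"05-31-2026"` only parses as MM-DD-YYYY, whereas the old `"01-04-2026"` was valid under both MM-DD and DD-MM readings, so if `SkipTestIfDurationNotPassed` expects DD-MM-YYYY this value will be rejected by the parser instead of extending the deadline by 60 days. I can't see the helper from here; worth confirming the layout it uses, and spelling the value in an unambiguous ISO form such as `"2026-05-31"` if it accepts one.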
From: attiasas Date: Mon, 1 Jun 2026 09:50:07 +0300 Subject: [PATCH 3/6] Update fix to use lib service --- artifactory_test.go | 2 +- commands/upload/uploadcdx_test.go | 4 ++-- go.mod | 3 +++ go.sum | 4 ++-- sca/bom/buildinfo/buildinfobom.go | 2 +- sca/bom/indexer/indexerbom.go | 2 +- utils/formats/cdxutils/cyclonedxutils.go | 18 ------------------ utils/formats/cdxutils/cyclonedxutils_test.go | 6 +++--- .../githubsnapshotconvertor_test.go | 2 +- utils/results/common.go | 4 ++-- utils/results/common_test.go | 6 +++--- .../cyclonedxparser/cyclonedxparser.go | 4 ++-- utils/utils.go | 15 +++++++++++++++ 13 files changed, 36 insertions(+), 36 deletions(-) diff --git a/artifactory_test.go b/artifactory_test.go index d96470693..b29fe0746 100644 --- a/artifactory_test.go +++ b/artifactory_test.go @@ -309,7 +309,7 @@ func generateTestRepoName() string { func getTestCdxFile(t *testing.T, tempDir string) string { // Create the cyclonedx BOM - bom := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) + bom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6) fileComponent := cdxutils.CreateFileOrDirComponent(tempDir) bom.Metadata = &cyclonedx.Metadata{ Component: &fileComponent, diff --git a/commands/upload/uploadcdx_test.go b/commands/upload/uploadcdx_test.go index 666cccb68..94c85a0a2 100644 --- a/commands/upload/uploadcdx_test.go +++ b/commands/upload/uploadcdx_test.go @@ -18,7 +18,7 @@ func TestValidateInputFile(t *testing.T) { // Create a valid CycloneDX file for testing validCdxFilePath := filepath.Join(tempDirPath, "some_results.cdx.json") fileComponent := cdxutils.CreateFileOrDirComponent(filepath.Join("a", "directory", "file.txt")) - cdx := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) + cdx := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6) cdx.Metadata = &cyclonedx.Metadata{ Component: &fileComponent, } 
@@ -69,7 +69,7 @@ func TestGenerateURLFromPath(t *testing.T) { // Create a valid CycloneDX file for testing validCdxFilePath := filepath.Join(tempDirPath, "valid_cdx.json") fileComponent := cdxutils.CreateFileOrDirComponent(filepath.Join("a", "directory", "file.txt")) - cdx := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) + cdx := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6) cdx.Metadata = &cyclonedx.Metadata{ Component: &fileComponent, } diff --git a/go.mod b/go.mod index 0db3d6921..3f485e03a 100644 --- a/go.mod +++ b/go.mod @@ -160,3 +160,6 @@ require ( // replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go dev // replace github.com/jfrog/froggit-go => github.com/jfrog/froggit-go master + +// attiasas:new_bom_with_spec +replace github.com/CycloneDX/cyclonedx-go => github.com/attiasas/cyclonedx-go v0.0.0-20260601062827-6dae744d6259 diff --git a/go.sum b/go.sum index de2fb7b77..cfb35d1f8 100644 --- a/go.sum +++ b/go.sum @@ -4,8 +4,6 @@ dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA= github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk= github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho= -github.com/CycloneDX/cyclonedx-go v0.11.0 h1:GokP8FiRC+foiuwWhSSLpSD5H4hSWtGnR3wo7apkBFI= -github.com/CycloneDX/cyclonedx-go v0.11.0/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8= github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= 
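Review bot: The new `replace github.com/CycloneDX/cyclonedx-go => github.com/attiasas/cyclonedx-go v0.0.0-20260601062827-6dae744d6259` redirects every build of this module to a personal fork, and go.sum now pins the fork's commit rather than an upstream release. The pseudo-version does fix a commit hash, but the diffstat of PATCH 5/6 lists no go.mod change, so unless 6/6 removes it the replace survives the switch back to `cdxutils.NewBOM()` and ships in release builds. I'd drop the replace and restore the upstream requirement before merge, adopting `NewBOMWithSpecVersion` only once it is released upstream; failing that, replace the `// attiasas:new_bom_with_spec` tag with a comment stating why the fork is needed and when it is to be removed.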
@@ -21,6 +19,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/attiasas/cyclonedx-go v0.0.0-20260601062827-6dae744d6259 h1:kTLajO8ZJ8h2cmvLEbxynUM+OqhlzhLo7d61JQvP6kw= +github.com/attiasas/cyclonedx-go v0.0.0-20260601062827-6dae744d6259/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8= github.com/beevik/etree v1.6.0 h1:u8Kwy8pp9D9XeITj2Z0XtA5qqZEmtJtuXZRQi+j03eE= github.com/beevik/etree v1.6.0/go.mod h1:bh4zJxiIr62SOf9pRzN7UUYaEDa9HEKafK25+sLc0Gc= github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M= diff --git a/sca/bom/buildinfo/buildinfobom.go b/sca/bom/buildinfo/buildinfobom.go index 8d825470a..3160ba023 100644 --- a/sca/bom/buildinfo/buildinfobom.go +++ b/sca/bom/buildinfo/buildinfobom.go @@ -89,7 +89,7 @@ func (b *BuildInfoBomGenerator) CleanUp() error { func (b *BuildInfoBomGenerator) GenerateSbom(target results.ScanTarget) (sbom *cyclonedx.BOM, err error) { // Create the CycloneDX BOM - sbom = cdxutils.NewBOM(cyclonedx.SpecVersion1_6) + sbom = cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6) wdComponent := cdxutils.CreateFileOrDirComponent(target.Target) sbom.Metadata = &cyclonedx.Metadata{Component: &wdComponent} diff --git a/sca/bom/indexer/indexerbom.go b/sca/bom/indexer/indexerbom.go index 142c9d83b..08cb6e1ca 100644 --- a/sca/bom/indexer/indexerbom.go +++ b/sca/bom/indexer/indexerbom.go 
@@ -110,7 +110,7 @@ func (ibg *IndexerBomGenerator) GenerateSbom(target results.ScanTarget) (sbom *c func CreateTargetEmptySbom(target results.ScanTarget) *cyclonedx.BOM { // Create an empty CycloneDX BOM for the target - sbom := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) + sbom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6) binaryFileComponent := cdxutils.CreateFileOrDirComponent(target.Target) sbom.Metadata = &cyclonedx.Metadata{Component: &binaryFileComponent} return sbom diff --git a/utils/formats/cdxutils/cyclonedxutils.go b/utils/formats/cdxutils/cyclonedxutils.go index 0842dc672..7e294ad70 100644 --- a/utils/formats/cdxutils/cyclonedxutils.go +++ b/utils/formats/cdxutils/cyclonedxutils.go @@ -53,24 +53,6 @@ const ( type ComponentRelation string -func NewBOM(specVersion cyclonedx.SpecVersion) *cyclonedx.BOM { - if specVersion < cyclonedx.SpecVersion1_6 { - log.Error("Unsupported spec version: ", specVersion) - return nil - } - if specVersion == cyclonedx.SpecVersion1_7 { - // Default spec version is 1.7 - return cyclonedx.NewBOM() - } - return &cyclonedx.BOM{ - JSONSchema: "http://cyclonedx.org/schema/bom-1.6.schema.json", - XMLNS: "http://cyclonedx.org/schema/bom/1.6", - BOMFormat: cyclonedx.BOMFormat, - SpecVersion: cyclonedx.SpecVersion1_6, - Version: 1, - } -} - func ReadSbomFromFile(cdxFilePath string) (bom *cyclonedx.BOM, err error) { bom = cyclonedx.NewBOM() file, err := os.Open(cdxFilePath) diff --git a/utils/formats/cdxutils/cyclonedxutils_test.go b/utils/formats/cdxutils/cyclonedxutils_test.go index cf4ad8520..18900df30 100644 --- a/utils/formats/cdxutils/cyclonedxutils_test.go +++ b/utils/formats/cdxutils/cyclonedxutils_test.go 
@@ -1323,7 +1323,7 @@ func TestGetOrCreateScaIssue(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - bom := NewBOM(cyclonedx.SpecVersion1_6) + bom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6) vuln := GetOrCreateScaIssue(bom, tt.params) assert.NotNil(t, vuln) assert.Equal(t, tt.id, vuln.ID) @@ -1361,7 +1361,7 @@ func TestSearchVulnerabilityByRef(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - bom := NewBOM(cyclonedx.SpecVersion1_6) + bom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6) for _, p := range tt.params { GetOrCreateScaIssue(bom, p) } @@ -1473,7 +1473,7 @@ func TestUpdateOrAppendVulnerabilitiesRatingsAndSearchRating(t *testing.T) { } func TestExclude(t *testing.T) { - bom := NewBOM(cyclonedx.SpecVersion1_6) + bom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6) bom.Components = &[]cyclonedx.Component{ {BOMRef: "root", Type: cyclonedx.ComponentTypeLibrary}, {BOMRef: "comp1", PackageURL: "pkg:comp1", Type: cyclonedx.ComponentTypeLibrary}, diff --git a/utils/formats/snapshotconvertor/githubsnapshotconvertor_test.go b/utils/formats/snapshotconvertor/githubsnapshotconvertor_test.go index 879cb3b7f..78c272831 100644 --- a/utils/formats/snapshotconvertor/githubsnapshotconvertor_test.go +++ b/utils/formats/snapshotconvertor/githubsnapshotconvertor_test.go @@ -266,7 +266,7 @@ func TestCreateGithubSnapshotFromSbom(t *testing.T) { // createTestBOM creates a test BOM with the specified components and dependencies func createTestBOM(components []cyclonedx.Component, dependencies []cyclonedx.Dependency) *cdxutils.FullBOM { - innerBom := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) + innerBom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6) if len(components) > 0 { innerBom.Components = &components } diff --git a/utils/results/common.go b/utils/results/common.go index bd923065d..e16763c31 100644 --- a/utils/results/common.go +++ b/utils/results/common.go 
@@ -922,7 +922,7 @@ func SearchTargetResultsByRelativePath(relativeTarget string, resultsToCompare * func DepsTreeToSbom(trees ...*xrayUtils.GraphNode) (components *[]cyclonedx.Component, dependencies *[]cyclonedx.Dependency) { parsed := datastructures.MakeSet[string]() - bom := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) + bom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6) bom.Components = &[]cyclonedx.Component{} bom.Dependencies = &[]cyclonedx.Dependency{} for _, root := range trees { @@ -940,7 +940,7 @@ func DepsTreeToSbom(trees ...*xrayUtils.GraphNode) (components *[]cyclonedx.Comp } func getDataFromNode(node *xrayUtils.GraphNode, parsed *datastructures.Set[string]) (*[]cyclonedx.Component, *[]cyclonedx.Dependency) { - bom := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) + bom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6) bom.Components = &[]cyclonedx.Component{} bom.Dependencies = &[]cyclonedx.Dependency{} if parsed.Exists(node.Id) { diff --git a/utils/results/common_test.go b/utils/results/common_test.go index 1a55f4ae9..deb9f9913 100644 --- a/utils/results/common_test.go +++ b/utils/results/common_test.go @@ -1805,7 +1805,7 @@ func TestBomToFlatTree(t *testing.T) { }{ { name: "No components", - bom: cdxutils.NewBOM(cyclonedx.SpecVersion1_6), + bom: cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6), expected: &xrayUtils.GraphNode{Id: "root"}, }, { @@ -2839,7 +2839,7 @@ func TestScanResponseToSbom(t *testing.T) { for _, test := range tests { t.Run(test.name, func(t *testing.T) { // Prepare expected - expected := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) + expected := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6) expected.Components = test.expected.Components expected.Dependencies = test.expected.Dependencies expected.Vulnerabilities = test.expected.Vulnerabilities 
@@ -2854,7 +2854,7 @@ func TestScanResponseToSbom(t *testing.T) { } } // Run test - destination := cdxutils.NewBOM(cyclonedx.SpecVersion1_6) + destination := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6) assert.NoError(t, ScanResponseToSbom(destination, test.response)) // Sort affects in vulnerabilities for consistent comparison if destination.Vulnerabilities != nil { diff --git a/utils/results/conversion/cyclonedxparser/cyclonedxparser.go b/utils/results/conversion/cyclonedxparser/cyclonedxparser.go index 7e2af5472..77c71513d 100644 --- a/utils/results/conversion/cyclonedxparser/cyclonedxparser.go +++ b/utils/results/conversion/cyclonedxparser/cyclonedxparser.go @@ -54,7 +54,7 @@ func NewCmdResultsCycloneDxConverter(parseSast bool) *CmdResultsCycloneDxConvert func (cdc *CmdResultsCycloneDxConverter) Get() (bom *cdxutils.FullBOM, err error) { if cdc.bom == nil { - return &cdxutils.FullBOM{BOM: *cdxutils.NewBOM(cyclonedx.SpecVersion1_6)}, nil + return &cdxutils.FullBOM{BOM: *cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)}, nil } bom = cdc.bom bom.Metadata.Component, err = cdc.getMetadataComponent() @@ -80,7 +80,7 @@ func (cdc *CmdResultsCycloneDxConverter) Reset(metadata results.ResultsMetaData, cdc.gitContext = metadata.GitContext cdc.xrayVersion = metadata.XrayVersion // Reset the BOM - cdc.bom = &cdxutils.FullBOM{BOM: *cdxutils.NewBOM(cyclonedx.SpecVersion1_6)} + cdc.bom = &cdxutils.FullBOM{BOM: *cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)} cdc.bom.SerialNumber = cdxutils.GetSerialNumber(metadata.MultiScanId) cdc.bom.Metadata = &cyclonedx.Metadata{ Timestamp: time.Now().Format(time.RFC3339), diff --git a/utils/utils.go b/utils/utils.go index 92617d778..eb797b248 100644 --- a/utils/utils.go +++ b/utils/utils.go 
@@ -333,6 +333,21 @@ func SaveCdxContentToFile(pathToSave string, bom *cyclonedx.BOM) (err error) { return cyclonedx.NewBOMEncoder(file, cyclonedx.BOMFileFormatJSON).SetPretty(true).Encode(bom) } +func ReadSbomFromFile(cdxFilePath string) (bom *cyclonedx.BOM, err error) { + bom = cyclonedx.NewBOM() + file, err := os.Open(cdxFilePath) + if errorutils.CheckError(err) != nil { + return nil, fmt.Errorf("failed to open cdx file %s: %w", cdxFilePath, err) + } + defer func() { + err = errors.Join(err, file.Close()) + }() + if err = cyclonedx.NewBOMDecoder(file, cyclonedx.BOMFileFormatJSON).Decode(bom); err != nil { + return nil, fmt.Errorf("failed to decode provided cdx file %s: %w", cdxFilePath, err) + } + return bom, nil +} + func DumpCdxJsonContentToFile(fileContent []byte, scanResultsOutputDir, filePrefix string, threadId int) (resultsFileFullPath string, err error) { return DumpContentToFile(fileContent, scanResultsOutputDir, filePrefix, "cdx.json", threadId) } From 22a1cb13b54df15154216c09035ddee06e42ac25 Mon Sep 17 00:00:00 2001 From: attiasas Date: Mon, 1 Jun 2026 09:53:50 +0300 Subject: [PATCH 4/6] revert not needed --- commands/upload/uploadcdx.go | 2 +- utils/formats/cdxutils/cyclonedxutils.go | 18 -------------- utils/utils.go | 30 ++++++++++++------------ 3 files changed, 16 insertions(+), 34 deletions(-) diff --git a/commands/upload/uploadcdx.go b/commands/upload/uploadcdx.go index 50591dc8b..d10870a77 100644 --- a/commands/upload/uploadcdx.go +++ b/commands/upload/uploadcdx.go @@ -150,7 +150,7 @@ func validateInputFile(cdxFilePath string) (err error) { return fmt.Errorf("provided path '%s' is not existing file", cdxFilePath) } // check if the file is a valid cdx file - bom, err := cdxutils.ReadSbomFromFile(cdxFilePath) + bom, err := utils.ReadSbomFromFile(cdxFilePath) if err != nil || bom == nil { return fmt.Errorf("provided file %s is not a valid CycloneDX SBOM: %w", cdxFilePath, err) } 
diff --git a/utils/formats/cdxutils/cyclonedxutils.go b/utils/formats/cdxutils/cyclonedxutils.go index 7e294ad70..5e9a06d15 100644 --- a/utils/formats/cdxutils/cyclonedxutils.go +++ b/utils/formats/cdxutils/cyclonedxutils.go @@ -1,9 +1,7 @@ package cdxutils import ( - "errors" "fmt" - "os" "path/filepath" "regexp" "slices" @@ -16,7 +14,6 @@ import ( "github.com/jfrog/gofrog/datastructures" - "github.com/jfrog/jfrog-client-go/utils/errorutils" "github.com/jfrog/jfrog-client-go/utils/log" "github.com/jfrog/jfrog-cli-security/utils" @@ -53,21 +50,6 @@ const ( type ComponentRelation string -func ReadSbomFromFile(cdxFilePath string) (bom *cyclonedx.BOM, err error) { - bom = cyclonedx.NewBOM() - file, err := os.Open(cdxFilePath) - if errorutils.CheckError(err) != nil { - return nil, fmt.Errorf("failed to open cdx file %s: %w", cdxFilePath, err) - } - defer func() { - err = errors.Join(err, file.Close()) - }() - if err = cyclonedx.NewBOMDecoder(file, cyclonedx.BOMFileFormatJSON).Decode(bom); err != nil { - return nil, fmt.Errorf("failed to decode provided cdx file %s: %w", cdxFilePath, err) - } - return bom, nil -} - func GetProperty(properties *[]cyclonedx.Property, name string) *cyclonedx.Property { if properties == nil || len(*properties) == 0 || name == "" { return nil diff --git a/utils/utils.go b/utils/utils.go index eb797b248..4c9ea12b8 100644 --- a/utils/utils.go +++ b/utils/utils.go 
@@ -312,6 +312,21 @@ func splitEnvVar(envVar string) (key, value string) {
 return split[0], strings.Join(split[1:], "=")
 }
+func ReadSbomFromFile(cdxFilePath string) (bom *cyclonedx.BOM, err error) {
+ bom = cyclonedx.NewBOM()
+ file, err := os.Open(cdxFilePath)
+ if errorutils.CheckError(err) != nil {
+ return nil, fmt.Errorf("failed to open cdx file %s: %w", cdxFilePath, err)
+ }
+ defer func() {
+ err = errors.Join(err, file.Close())
+ }()
+ if err = cyclonedx.NewBOMDecoder(file, cyclonedx.BOMFileFormatJSON).Decode(bom); err != nil {
+ return nil, fmt.Errorf("failed to decode provided cdx file %s: %w", cdxFilePath, err)
+ }
+ return bom, nil
+}
+
 func DumpCdxContentToFile(bom *cyclonedx.BOM, scanResultsOutputDir, filePrefix string, threadId int) (pathToSave string, err error) {
 logPrefix := ""
 if threadId >= 0 {
@@ -333,21 +348,6 @@ func SaveCdxContentToFile(pathToSave string, bom *cyclonedx.BOM) (err error) {
 return cyclonedx.NewBOMEncoder(file, cyclonedx.BOMFileFormatJSON).SetPretty(true).Encode(bom)
 }
-func ReadSbomFromFile(cdxFilePath string) (bom *cyclonedx.BOM, err error) {
- bom = cyclonedx.NewBOM()
- file, err := os.Open(cdxFilePath)
- if errorutils.CheckError(err) != nil {
- return nil, fmt.Errorf("failed to open cdx file %s: %w", cdxFilePath, err)
- }
- defer func() {
- err = errors.Join(err, file.Close())
- }()
- if err = cyclonedx.NewBOMDecoder(file, cyclonedx.BOMFileFormatJSON).Decode(bom); err != nil {
- return nil, fmt.Errorf("failed to decode provided cdx file %s: %w", cdxFilePath, err)
- }
- return bom, nil
-}
-
 func DumpCdxJsonContentToFile(fileContent []byte, scanResultsOutputDir, filePrefix string, threadId int) (resultsFileFullPath string, err error) {
 return DumpContentToFile(fileContent, scanResultsOutputDir, filePrefix, "cdx.json", threadId)
 }
From af57213685e8ed775ad03d942ae1e0be7ea0e004 Mon Sep 17 00:00:00 2001
From: attiasas
Date: Mon, 1 Jun 2026 13:16:37 +0300
Subject: [PATCH 5/6] Update to spec version 1.7
---
 artifactory_test.go | 2 +-
 commands/upload/uploadcdx_test.go | 4 ++--
 sca/bom/buildinfo/buildinfobom.go | 2 +-
 sca/bom/indexer/indexerbom.go | 2 +-
 utils/formats/cdxutils/cyclonedxutils.go | 6 ++++++
 utils/formats/cdxutils/cyclonedxutils_test.go | 6 +++---
 .../snapshotconvertor/githubsnapshotconvertor_test.go | 2 +-
 utils/results/common.go | 4 ++--
 utils/results/common_test.go | 6 +++---
 utils/results/conversion/cyclonedxparser/cyclonedxparser.go | 4 ++--
 10 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/artifactory_test.go b/artifactory_test.go
index b29fe0746..bd9270993 100644
--- a/artifactory_test.go
+++ b/artifactory_test.go
@@ -309,7 +309,7 @@ func generateTestRepoName() string {
 func getTestCdxFile(t *testing.T, tempDir string) string {
 // Create the cyclonedx BOM
- bom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)
+ bom := cdxutils.NewBOM()
 fileComponent := cdxutils.CreateFileOrDirComponent(tempDir)
 bom.Metadata = &cyclonedx.Metadata{
 Component: &fileComponent,
diff --git a/commands/upload/uploadcdx_test.go b/commands/upload/uploadcdx_test.go
index 94c85a0a2..1bb99abd1 100644
--- a/commands/upload/uploadcdx_test.go
+++ b/commands/upload/uploadcdx_test.go
@@ -18,7 +18,7 @@ func TestValidateInputFile(t *testing.T) {
 // Create a valid CycloneDX file for testing
 validCdxFilePath := filepath.Join(tempDirPath, "some_results.cdx.json")
 fileComponent := cdxutils.CreateFileOrDirComponent(filepath.Join("a", "directory", "file.txt"))
- cdx := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)
+ cdx := cdxutils.NewBOM()
 cdx.Metadata = &cyclonedx.Metadata{
 Component: &fileComponent,
 }
@@ -69,7 +69,7 @@ func TestGenerateURLFromPath(t *testing.T) {
 // Create a valid CycloneDX file for testing
 validCdxFilePath := filepath.Join(tempDirPath, "valid_cdx.json")
 fileComponent := cdxutils.CreateFileOrDirComponent(filepath.Join("a", "directory", "file.txt"))
- cdx := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)
+ cdx := cdxutils.NewBOM()
 cdx.Metadata = &cyclonedx.Metadata{
 Component: &fileComponent,
 }
diff --git a/sca/bom/buildinfo/buildinfobom.go b/sca/bom/buildinfo/buildinfobom.go
index 3160ba023..9bafa7d76 100644
--- a/sca/bom/buildinfo/buildinfobom.go
+++ b/sca/bom/buildinfo/buildinfobom.go
@@ -89,7 +89,7 @@ func (b *BuildInfoBomGenerator) CleanUp() error {
 func (b *BuildInfoBomGenerator) GenerateSbom(target results.ScanTarget) (sbom *cyclonedx.BOM, err error) {
 // Create the CycloneDX BOM
- sbom = cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)
+ sbom = cdxutils.NewBOM()
 wdComponent := cdxutils.CreateFileOrDirComponent(target.Target)
 sbom.Metadata = &cyclonedx.Metadata{Component: &wdComponent}
diff --git a/sca/bom/indexer/indexerbom.go b/sca/bom/indexer/indexerbom.go
index 08cb6e1ca..a47dfce64 100644
--- a/sca/bom/indexer/indexerbom.go
+++ b/sca/bom/indexer/indexerbom.go
@@ -110,7 +110,7 @@ func (ibg *IndexerBomGenerator) GenerateSbom(target results.ScanTarget) (sbom *c
 func CreateTargetEmptySbom(target results.ScanTarget) *cyclonedx.BOM {
 // Create an empty CycloneDX BOM for the target
- sbom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)
+ sbom := cdxutils.NewBOM()
 binaryFileComponent := cdxutils.CreateFileOrDirComponent(target.Target)
 sbom.Metadata = &cyclonedx.Metadata{Component: &binaryFileComponent}
 return sbom
diff --git a/utils/formats/cdxutils/cyclonedxutils.go b/utils/formats/cdxutils/cyclonedxutils.go
index 5e9a06d15..e26871a92 100644
--- a/utils/formats/cdxutils/cyclonedxutils.go
+++ b/utils/formats/cdxutils/cyclonedxutils.go
@@ -46,10 +46,16 @@ const (
 // JFrog specific properties
 JfrogRelationProperty = "jfrog:dependency:type"
+
+ SpecVersion = cyclonedx.SpecVersion1_7
 )
 type ComponentRelation string
+func NewBOM() *cyclonedx.BOM {
+ return cyclonedx.NewBOMWithSpecVersion(SpecVersion)
+}
+
 func GetProperty(properties *[]cyclonedx.Property, name string) *cyclonedx.Property {
 if properties == nil || len(*properties) == 0 || name == "" {
 return nil
diff --git a/utils/formats/cdxutils/cyclonedxutils_test.go b/utils/formats/cdxutils/cyclonedxutils_test.go
index 18900df30..8b3add2b3 100644
--- a/utils/formats/cdxutils/cyclonedxutils_test.go
+++ b/utils/formats/cdxutils/cyclonedxutils_test.go
@@ -1323,7 +1323,7 @@ func TestGetOrCreateScaIssue(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- bom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)
+ bom := NewBOM()
 vuln := GetOrCreateScaIssue(bom, tt.params)
 assert.NotNil(t, vuln)
 assert.Equal(t, tt.id, vuln.ID)
@@ -1361,7 +1361,7 @@ func TestSearchVulnerabilityByRef(t *testing.T) {
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
- bom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)
+ bom := NewBOM()
 for _, p := range tt.params {
 GetOrCreateScaIssue(bom, p)
 }
@@ -1473,7 +1473,7 @@ func TestUpdateOrAppendVulnerabilitiesRatingsAndSearchRating(t *testing.T) {
 }
 func TestExclude(t *testing.T) {
- bom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)
+ bom := NewBOM()
 bom.Components = &[]cyclonedx.Component{
 {BOMRef: "root", Type: cyclonedx.ComponentTypeLibrary},
 {BOMRef: "comp1", PackageURL: "pkg:comp1", Type: cyclonedx.ComponentTypeLibrary},
diff --git a/utils/formats/snapshotconvertor/githubsnapshotconvertor_test.go b/utils/formats/snapshotconvertor/githubsnapshotconvertor_test.go
index 78c272831..e846b02c2 100644
--- a/utils/formats/snapshotconvertor/githubsnapshotconvertor_test.go
+++ b/utils/formats/snapshotconvertor/githubsnapshotconvertor_test.go
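Review bot: `SpecVersion` and `NewBOM` are exported without doc comments, and the constant's name alone does not say that it is the version every BOM this package emits is written in; `// SpecVersion is the CycloneDX specification version used for every BOM the CLI generates.` and `// NewBOM returns an empty BOM pinned to SpecVersion.` would make that explicit. Pinning generated documents to 1.7 is a compatibility decision for every consumer of the CLI's SBOMs, so it deserves a sentence in the comment or the commit message rather than being implied only by the call sites changed across this series. `cyclonedx.SpecVersion1_7` and `NewBOMWithSpecVersion` appear to come from the `replace github.com/CycloneDX/cyclonedx-go => github.com/attiasas/cyclonedx-go` directive bumped in PATCH 6/6 (L25); building the SBOM library from a personal fork at a pseudo-version is a supply-chain exposure for a release, so the replace should be swapped back to an upstream tag once that change lands, and the `// attiasas:new_bom_with_spec` marker should say as much.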
@@ -266,7 +266,7 @@ func TestCreateGithubSnapshotFromSbom(t *testing.T) {
 // createTestBOM creates a test BOM with the specified components and dependencies
 func createTestBOM(components []cyclonedx.Component, dependencies []cyclonedx.Dependency) *cdxutils.FullBOM {
- innerBom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)
+ innerBom := cdxutils.NewBOM()
 if len(components) > 0 {
 innerBom.Components = &components
 }
diff --git a/utils/results/common.go b/utils/results/common.go
index e16763c31..ed0019b3d 100644
--- a/utils/results/common.go
+++ b/utils/results/common.go
@@ -922,7 +922,7 @@ func SearchTargetResultsByRelativePath(relativeTarget string, resultsToCompare *
 func DepsTreeToSbom(trees ...*xrayUtils.GraphNode) (components *[]cyclonedx.Component, dependencies *[]cyclonedx.Dependency) {
 parsed := datastructures.MakeSet[string]()
- bom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)
+ bom := cdxutils.NewBOM()
 bom.Components = &[]cyclonedx.Component{}
 bom.Dependencies = &[]cyclonedx.Dependency{}
 for _, root := range trees {
@@ -940,7 +940,7 @@ func DepsTreeToSbom(trees ...*xrayUtils.GraphNode) (components *[]cyclonedx.Comp
 }
 func getDataFromNode(node *xrayUtils.GraphNode, parsed *datastructures.Set[string]) (*[]cyclonedx.Component, *[]cyclonedx.Dependency) {
- bom := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)
+ bom := cdxutils.NewBOM()
 bom.Components = &[]cyclonedx.Component{}
 bom.Dependencies = &[]cyclonedx.Dependency{}
 if parsed.Exists(node.Id) {
diff --git a/utils/results/common_test.go b/utils/results/common_test.go
index deb9f9913..9e2c6e07e 100644
--- a/utils/results/common_test.go
+++ b/utils/results/common_test.go
@@ -1805,7 +1805,7 @@ func TestBomToFlatTree(t *testing.T) {
 }{
 {
 name: "No components",
- bom: cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6),
+ bom: cdxutils.NewBOM(),
 expected: &xrayUtils.GraphNode{Id: "root"},
 },
 {
@@ -2839,7 +2839,7 @@ func TestScanResponseToSbom(t *testing.T) {
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {
 // Prepare expected
- expected := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)
+ expected := cdxutils.NewBOM()
 expected.Components = test.expected.Components
 expected.Dependencies = test.expected.Dependencies
 expected.Vulnerabilities = test.expected.Vulnerabilities
@@ -2854,7 +2854,7 @@ func TestScanResponseToSbom(t *testing.T) {
 }
 }
 // Run test
- destination := cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)
+ destination := cdxutils.NewBOM()
 assert.NoError(t, ScanResponseToSbom(destination, test.response))
 // Sort affects in vulnerabilities for consistent comparison
 if destination.Vulnerabilities != nil {
diff --git a/utils/results/conversion/cyclonedxparser/cyclonedxparser.go b/utils/results/conversion/cyclonedxparser/cyclonedxparser.go
index 77c71513d..bcfca19f3 100644
--- a/utils/results/conversion/cyclonedxparser/cyclonedxparser.go
+++ b/utils/results/conversion/cyclonedxparser/cyclonedxparser.go
@@ -54,7 +54,7 @@ func NewCmdResultsCycloneDxConverter(parseSast bool) *CmdResultsCycloneDxConvert
 func (cdc *CmdResultsCycloneDxConverter) Get() (bom *cdxutils.FullBOM, err error) {
 if cdc.bom == nil {
- return &cdxutils.FullBOM{BOM: *cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)}, nil
+ return &cdxutils.FullBOM{BOM: *cdxutils.NewBOM()}, nil
 }
 bom = cdc.bom
 bom.Metadata.Component, err = cdc.getMetadataComponent()
@@ -80,7 +80,7 @@ func (cdc *CmdResultsCycloneDxConverter) Reset(metadata results.ResultsMetaData,
 cdc.gitContext = metadata.GitContext
 cdc.xrayVersion = metadata.XrayVersion
 // Reset the BOM
- cdc.bom = &cdxutils.FullBOM{BOM: *cyclonedx.NewBOMWithSpecVersion(cyclonedx.SpecVersion1_6)}
+ cdc.bom = &cdxutils.FullBOM{BOM: *cdxutils.NewBOM()}
 cdc.bom.SerialNumber = cdxutils.GetSerialNumber(metadata.MultiScanId)
 cdc.bom.Metadata = &cyclonedx.Metadata{
 Timestamp: time.Now().Format(time.RFC3339),
From b097795f24cdc360c5e08e2c96d7e1caa047d8e5 Mon Sep 17 00:00:00 2001
From: attiasas
Date: Mon, 1 Jun 2026 15:31:31 +0300
Subject: [PATCH 6/6] update deps
---
 go.mod | 2 +-
 go.sum | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/go.mod b/go.mod
index 3f485e03a..198c21be5 100644
--- a/go.mod
+++ b/go.mod
@@ -162,4 +162,4 @@ require (
 // replace github.com/jfrog/froggit-go => github.com/jfrog/froggit-go master
 // attiasas:new_bom_with_spec
-replace github.com/CycloneDX/cyclonedx-go => github.com/attiasas/cyclonedx-go v0.0.0-20260601062827-6dae744d6259
+replace github.com/CycloneDX/cyclonedx-go => github.com/attiasas/cyclonedx-go v0.0.0-20260601065733-87d3536856ab
diff --git a/go.sum b/go.sum
index cfb35d1f8..4a815555c 100644
--- a/go.sum
+++ b/go.sum
@@ -19,8 +19,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
-github.com/attiasas/cyclonedx-go v0.0.0-20260601062827-6dae744d6259 h1:kTLajO8ZJ8h2cmvLEbxynUM+OqhlzhLo7d61JQvP6kw=
-github.com/attiasas/cyclonedx-go v0.0.0-20260601062827-6dae744d6259/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8=
+github.com/attiasas/cyclonedx-go v0.0.0-20260601065733-87d3536856ab h1:HhWZXcDh0jtzUCjlDXnoEhMjg3vCVVQMsANxUtmF9KU=
+github.com/attiasas/cyclonedx-go v0.0.0-20260601065733-87d3536856ab/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8=
 github.com/beevik/etree v1.6.0 h1:u8Kwy8pp9D9XeITj2Z0XtA5qqZEmtJtuXZRQi+j03eE=
 github.com/beevik/etree v1.6.0/go.mod h1:bh4zJxiIr62SOf9pRzN7UUYaEDa9HEKafK25+sLc0Gc=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=