Fix CDX spec version issue

artifactory_test.go

@@ -119,7 +119,7 @@ func TestDependencyResolutionFromArtifactory(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.projectType.String(), func(t *testing.T) {
 			if testCase.skipMsg != "" {
-				securityTestUtils.SkipTestIfDurationNotPassed(t, "01-04-2026", 60, testCase.skipMsg)
+				securityTestUtils.SkipTestIfDurationNotPassed(t, "05-31-2026", 60, testCase.skipMsg)
 			}
 			testSingleTechDependencyResolution(t, testCase.testProjectPath, testCase.resolveRepoName, testCase.cacheRepoName, testCase.projectType)
 		})
@@ -309,7 +309,7 @@ func generateTestRepoName() string {
 
 func getTestCdxFile(t *testing.T, tempDir string) string {
 	// Create the cyclonedx BOM
-	bom := cyclonedx.NewBOM()
+	bom := cdxutils.NewBOM()
 	fileComponent := cdxutils.CreateFileOrDirComponent(tempDir)
 	bom.Metadata = &cyclonedx.Metadata{
 		Component: &fileComponent,

commands/upload/uploadcdx_test.go

@@ -18,7 +18,7 @@ func TestValidateInputFile(t *testing.T) {
 	// Create a valid CycloneDX file for testing
 	validCdxFilePath := filepath.Join(tempDirPath, "some_results.cdx.json")
 	fileComponent := cdxutils.CreateFileOrDirComponent(filepath.Join("a", "directory", "file.txt"))
-	cdx := cyclonedx.NewBOM()
+	cdx := cdxutils.NewBOM()
 	cdx.Metadata = &cyclonedx.Metadata{
 		Component: &fileComponent,
 	}
@@ -69,7 +69,7 @@ func TestGenerateURLFromPath(t *testing.T) {
 	// Create a valid CycloneDX file for testing
 	validCdxFilePath := filepath.Join(tempDirPath, "valid_cdx.json")
 	fileComponent := cdxutils.CreateFileOrDirComponent(filepath.Join("a", "directory", "file.txt"))
-	cdx := cyclonedx.NewBOM()
+	cdx := cdxutils.NewBOM()
 	cdx.Metadata = &cyclonedx.Metadata{
 		Component: &fileComponent,
 	}

go.mod

@@ -153,12 +153,13 @@ require (
 
 // replace github.com/jfrog/jfrog-client-go => github.com/jfrog/jfrog-client-go master
 
-replace github.com/CycloneDX/cyclonedx-go => github.com/CycloneDX/cyclonedx-go v0.10.0
-
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 master
 
 //replace github.com/jfrog/jfrog-cli-artifactory => github.com/jfrog/jfrog-cli-artifactory main
 
 // replace github.com/jfrog/build-info-go => github.com/jfrog/build-info-go dev
 
 // replace github.com/jfrog/froggit-go => github.com/jfrog/froggit-go master
+
+// attiasas:new_bom_with_spec
+replace github.com/CycloneDX/cyclonedx-go => github.com/attiasas/cyclonedx-go v0.0.0-20260601065733-87d3536856ab

go.sum

@@ -4,8 +4,6 @@ dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/BurntSushi/toml v1.6.0 h1:dRaEfpa2VI55EwlIW72hMRHdWouJeRF7TPYhI+AUQjk=
 github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
-github.com/CycloneDX/cyclonedx-go v0.10.0 h1:7xyklU7YD+CUyGzSFIARG18NYLsKVn4QFg04qSsu+7Y=
-github.com/CycloneDX/cyclonedx-go v0.10.0/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
@@ -21,6 +19,8 @@ github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFI
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/attiasas/cyclonedx-go v0.0.0-20260601065733-87d3536856ab h1:HhWZXcDh0jtzUCjlDXnoEhMjg3vCVVQMsANxUtmF9KU=
+github.com/attiasas/cyclonedx-go v0.0.0-20260601065733-87d3536856ab/go.mod h1:vUvbCXQsEm48OI6oOlanxstwNByXjCZ2wuleUlwGEO8=
 github.com/beevik/etree v1.6.0 h1:u8Kwy8pp9D9XeITj2Z0XtA5qqZEmtJtuXZRQi+j03eE=
 github.com/beevik/etree v1.6.0/go.mod h1:bh4zJxiIr62SOf9pRzN7UUYaEDa9HEKafK25+sLc0Gc=
 github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=

sca/bom/buildinfo/buildinfobom.go

@@ -89,7 +89,7 @@ func (b *BuildInfoBomGenerator) CleanUp() error {
 
 func (b *BuildInfoBomGenerator) GenerateSbom(target results.ScanTarget) (sbom *cyclonedx.BOM, err error) {
 	// Create the CycloneDX BOM
-	sbom = cyclonedx.NewBOM()
+	sbom = cdxutils.NewBOM()
 	wdComponent := cdxutils.CreateFileOrDirComponent(target.Target)
 	sbom.Metadata = &cyclonedx.Metadata{Component: &wdComponent}
 

sca/bom/indexer/indexerbom.go

@@ -110,7 +110,7 @@ func (ibg *IndexerBomGenerator) GenerateSbom(target results.ScanTarget) (sbom *c
 
 func CreateTargetEmptySbom(target results.ScanTarget) *cyclonedx.BOM {
 	// Create an empty CycloneDX BOM for the target
-	sbom := cyclonedx.NewBOM()
+	sbom := cdxutils.NewBOM()
 	binaryFileComponent := cdxutils.CreateFileOrDirComponent(target.Target)
 	sbom.Metadata = &cyclonedx.Metadata{Component: &binaryFileComponent}
 	return sbom

utils/formats/cdxutils/cyclonedxutils.go

@@ -46,10 +46,16 @@ const (
 
 	// JFrog specific properties
 	JfrogRelationProperty = "jfrog:dependency:type"
+
+	SpecVersion = cyclonedx.SpecVersion1_7
 )
 
 type ComponentRelation string
 
+func NewBOM() *cyclonedx.BOM {
+	return cyclonedx.NewBOMWithSpecVersion(SpecVersion)
+}
+
 func GetProperty(properties *[]cyclonedx.Property, name string) *cyclonedx.Property {
 	if properties == nil || len(*properties) == 0 || name == "" {
 		return nil

utils/formats/cdxutils/cyclonedxutils_test.go

@@ -1323,7 +1323,7 @@ func TestGetOrCreateScaIssue(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			bom := cyclonedx.NewBOM()
+			bom := NewBOM()
 			vuln := GetOrCreateScaIssue(bom, tt.params)
 			assert.NotNil(t, vuln)
 			assert.Equal(t, tt.id, vuln.ID)
@@ -1361,7 +1361,7 @@ func TestSearchVulnerabilityByRef(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			bom := cyclonedx.NewBOM()
+			bom := NewBOM()
 			for _, p := range tt.params {
 				GetOrCreateScaIssue(bom, p)
 			}
@@ -1473,7 +1473,7 @@ func TestUpdateOrAppendVulnerabilitiesRatingsAndSearchRating(t *testing.T) {
 }
 
 func TestExclude(t *testing.T) {
-	bom := cyclonedx.NewBOM()
+	bom := NewBOM()
 	bom.Components = &[]cyclonedx.Component{
 		{BOMRef: "root", Type: cyclonedx.ComponentTypeLibrary},
 		{BOMRef: "comp1", PackageURL: "pkg:comp1", Type: cyclonedx.ComponentTypeLibrary},

utils/formats/snapshotconvertor/githubsnapshotconvertor_test.go

@@ -266,7 +266,7 @@ func TestCreateGithubSnapshotFromSbom(t *testing.T) {
 
 // createTestBOM creates a test BOM with the specified components and dependencies
 func createTestBOM(components []cyclonedx.Component, dependencies []cyclonedx.Dependency) *cdxutils.FullBOM {
-	innerBom := cyclonedx.NewBOM()
+	innerBom := cdxutils.NewBOM()
 	if len(components) > 0 {
 		innerBom.Components = &components
 	}

utils/results/common.go

@@ -922,7 +922,7 @@ func SearchTargetResultsByRelativePath(relativeTarget string, resultsToCompare *
 
 func DepsTreeToSbom(trees ...*xrayUtils.GraphNode) (components *[]cyclonedx.Component, dependencies *[]cyclonedx.Dependency) {
 	parsed := datastructures.MakeSet[string]()
-	bom := cyclonedx.NewBOM()
+	bom := cdxutils.NewBOM()
 	bom.Components = &[]cyclonedx.Component{}
 	bom.Dependencies = &[]cyclonedx.Dependency{}
 	for _, root := range trees {
@@ -940,7 +940,7 @@ func DepsTreeToSbom(trees ...*xrayUtils.GraphNode) (components *[]cyclonedx.Comp
 }
 
 func getDataFromNode(node *xrayUtils.GraphNode, parsed *datastructures.Set[string]) (*[]cyclonedx.Component, *[]cyclonedx.Dependency) {
-	bom := cyclonedx.NewBOM()
+	bom := cdxutils.NewBOM()
 	bom.Components = &[]cyclonedx.Component{}
 	bom.Dependencies = &[]cyclonedx.Dependency{}
 	if parsed.Exists(node.Id) {

utils/results/common_test.go

@@ -1805,7 +1805,7 @@ func TestBomToFlatTree(t *testing.T) {
 	}{
 		{
 			name:     "No components",
-			bom:      cyclonedx.NewBOM(),
+			bom:      cdxutils.NewBOM(),
 			expected: &xrayUtils.GraphNode{Id: "root"},
 		},
 		{
@@ -2839,7 +2839,7 @@ func TestScanResponseToSbom(t *testing.T) {
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
 			// Prepare expected
-			expected := cyclonedx.NewBOM()
+			expected := cdxutils.NewBOM()
 			expected.Components = test.expected.Components
 			expected.Dependencies = test.expected.Dependencies
 			expected.Vulnerabilities = test.expected.Vulnerabilities
@@ -2854,7 +2854,7 @@ func TestScanResponseToSbom(t *testing.T) {
 				}
 			}
 			// Run test
-			destination := cyclonedx.NewBOM()
+			destination := cdxutils.NewBOM()
 			assert.NoError(t, ScanResponseToSbom(destination, test.response))
 			// Sort affects in vulnerabilities for consistent comparison
 			if destination.Vulnerabilities != nil {

utils/results/conversion/cyclonedxparser/cyclonedxparser.go

@@ -54,7 +54,7 @@ func NewCmdResultsCycloneDxConverter(parseSast bool) *CmdResultsCycloneDxConvert
 
 func (cdc *CmdResultsCycloneDxConverter) Get() (bom *cdxutils.FullBOM, err error) {
 	if cdc.bom == nil {
-		return &cdxutils.FullBOM{BOM: *cyclonedx.NewBOM()}, nil
+		return &cdxutils.FullBOM{BOM: *cdxutils.NewBOM()}, nil
 	}
 	bom = cdc.bom
 	bom.Metadata.Component, err = cdc.getMetadataComponent()
@@ -80,7 +80,7 @@ func (cdc *CmdResultsCycloneDxConverter) Reset(metadata results.ResultsMetaData,
 	cdc.gitContext = metadata.GitContext
 	cdc.xrayVersion = metadata.XrayVersion
 	// Reset the BOM
-	cdc.bom = &cdxutils.FullBOM{BOM: *cyclonedx.NewBOM()}
+	cdc.bom = &cdxutils.FullBOM{BOM: *cdxutils.NewBOM()}
 	cdc.bom.SerialNumber = cdxutils.GetSerialNumber(metadata.MultiScanId)
 	cdc.bom.Metadata = &cyclonedx.Metadata{
 		Timestamp: time.Now().Format(time.RFC3339),