CycloneDX · stevespringett · May 30, 2024 · Feb 29, 2024 · May 14, 2024
@@ -24,14 +24,12 @@ private CycloneDxMediaType() { }
 
     /**
      * Official CycloneDX XML media type assigned by IANA.
-     *
      * https://www.iana.org/assignments/media-types/application/vnd.cyclonedx+xml
      */
     public static final String APPLICATION_CYCLONEDX_XML = "application/vnd.cyclonedx+xml";
 
     /**
      * Official CycloneDX JSON media type assigned by IANA.
-     *
      * https://www.iana.org/assignments/media-types/application/vnd.cyclonedx+json
      */
     public static final String APPLICATION_CYCLONEDX_JSON = "application/vnd.cyclonedx+json";

@@ -29,7 +29,6 @@
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper;
-import org.apache.commons.lang3.StringUtils;
 import org.cyclonedx.util.serializer.ExtensibleTypesSerializer;
 import org.cyclonedx.util.deserializer.ExtensionDeserializer;
 

@@ -68,7 +68,7 @@ public List<Attribute> getAttributes() {
     }
 
     public String getValue() {
-        if (super.getExtensibleTypes() != null && super.getExtensibleTypes().size() > 0) {
+        if (super.getExtensibleTypes() != null && !super.getExtensibleTypes().isEmpty()) {
             return null;
         } else {
             return value;

@@ -23,15 +23,11 @@
 import java.util.Objects;
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
-import com.fasterxml.jackson.annotation.JsonRootName;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
-import com.fasterxml.jackson.databind.annotation.JsonSerialize;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
-import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlRootElement;
 import org.cyclonedx.model.license.Expression;
 import org.cyclonedx.util.deserializer.LicenseDeserializer;
-import org.cyclonedx.util.serializer.LicenseChoiceSerializer;
 
 @JsonIgnoreProperties(ignoreUnknown = true)
 @JsonInclude(JsonInclude.Include.NON_EMPTY)

@@ -3,7 +3,6 @@
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonTypeName;
-import com.fasterxml.jackson.annotation.JsonSubTypes;
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import org.cyclonedx.model.ExternalReference;
 import org.cyclonedx.model.OrganizationalEntity;

@@ -3,7 +3,6 @@
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonPropertyOrder;
-import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlRootElement;
 import org.cyclonedx.model.AttachmentText;
 
 @JsonIgnoreProperties(ignoreUnknown = true)

@@ -5,11 +5,9 @@
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonPropertyOrder;
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
 import org.cyclonedx.model.component.modelCard.data.Governance;
-import org.cyclonedx.util.deserializer.StringListDeserializer;
 
 @JsonIgnoreProperties(ignoreUnknown = true)
 @JsonInclude(JsonInclude.Include.NON_EMPTY)

@@ -2,7 +2,6 @@
 
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
-import org.cyclonedx.model.LifecycleChoice.Phase;
 
 public enum CertificationLevel
 {

@@ -7,7 +7,6 @@
 import com.fasterxml.jackson.annotation.JsonPropertyOrder;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
-import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlRootElement;
 
 @JsonIgnoreProperties(ignoreUnknown = true)
 @JsonInclude(JsonInclude.Include.NON_EMPTY)

@@ -6,12 +6,10 @@
 import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonPropertyOrder;
-import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
 import org.cyclonedx.model.ExternalReference;
 import org.cyclonedx.model.Property;
-import org.cyclonedx.util.deserializer.StringListDeserializer;
 
 @JsonIgnoreProperties(ignoreUnknown = true)
 @JsonInclude(JsonInclude.Include.NON_EMPTY)

@@ -8,9 +8,7 @@
 import com.fasterxml.jackson.annotation.JsonPropertyOrder;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlElementWrapper;
 import com.fasterxml.jackson.dataformat.xml.annotation.JacksonXmlProperty;
-import org.cyclonedx.model.Property;
 import org.cyclonedx.model.formulation.common.BasicDataAbstract;
-import org.cyclonedx.model.formulation.common.ResourceReferenceChoice;
 
 @JsonIgnoreProperties(ignoreUnknown = true)
 @JsonInclude(JsonInclude.Include.NON_EMPTY)
@@ -56,30 +54,6 @@ public String getAccessMode() {
     }
   }
 
-  public String getBomRef() {
-    return bomRef;
-  }
-
-  public void setBomRef(final String bomRef) {
-    this.bomRef = bomRef;
-  }
-
-  public String getUid() {
-    return uid;
-  }
-
-  public void setUid(final String uid) {
-    this.uid = uid;
-  }
-
-  public String getName() {
-    return name;
-  }
-
-  public void setName(final String name) {
-    this.name = name;
-  }
-
   @JacksonXmlElementWrapper(localName = "aliases")
   @JacksonXmlProperty(localName = "alias")
   public List<String> getAliases() {
@@ -90,24 +64,6 @@ public void setAliases(final List<String> aliases) {
     this.aliases = aliases;
   }
 
-  public String getDescription() {
-    return description;
-  }
-
-  public void setDescription(final String description) {
-    this.description = description;
-  }
-
-  @JacksonXmlElementWrapper(localName = "resourceReferences")
-  @JacksonXmlProperty(localName = "resourceReference")
-  public List<ResourceReferenceChoice> getResourceReferences() {
-    return resourceReferences;
-  }
-
-  public void setResourceReferences(final List<ResourceReferenceChoice> resourceReferences) {
-    this.resourceReferences = resourceReferences;
-  }
-
   public AccessMode getAccessMode() {
     return accessMode;
   }
@@ -147,14 +103,4 @@ public Volume getVolume() {
   public void setVolume(final Volume volume) {
     this.volume = volume;
   }
-
-  @JacksonXmlElementWrapper(localName = "properties")
-  @JacksonXmlProperty(localName = "property")
-  public List<Property> getProperties() {
-    return properties;
-  }
-
-  public void setProperties(final List<Property> properties) {
-    this.properties = properties;
-  }
 }
@@ -35,7 +35,6 @@
 import org.cyclonedx.model.Tool;
 import org.cyclonedx.model.VersionFilter;
 import org.cyclonedx.util.serializer.CustomDateSerializer;
-import org.cyclonedx.Version;
 
 /**
  * @since 6.0.0

@@ -155,7 +155,6 @@ public List<ParseException> validate(final InputStream inputStream, final Versio
      * Verifies a CycloneDX BOM conforms to the specification through JSON validation.
      * @param bomString the CycloneDX BOM to validate
      * @param schemaVersion the schema version to validate against
-     * @return true is the file is a valid BOM, false if not
      * @throws IOException when errors are encountered
      * @since 3.0.0
      */
@@ -167,7 +166,6 @@ public List<ParseException> validate(final String bomString, final Version schem
      * Verifies a CycloneDX BOM conforms to the specification through JSON validation.
      * @param bomJson the CycloneDX BOM to validate
      * @param schemaVersion the schema version to validate against
-     * @return true is the file is a valid BOM, false if not
      * @throws IOException when errors are encountered
      * @since 3.0.0
      */

@@ -0,0 +1,65 @@
+/*
+ * This file is part of CycloneDX Core (Java).
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.cyclonedx.util.deserializer;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.databind.JsonNode;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.fasterxml.jackson.databind.node.ArrayNode;
+import org.cyclonedx.model.formulation.common.AbstractType;
+import org.cyclonedx.model.formulation.common.EnvVariableChoice;
+import org.cyclonedx.model.formulation.common.ResourceReferenceChoice;
+
+public abstract class AbstractDataTypeDeserializer<T extends AbstractType>
+    extends JsonDeserializer<T> {
+
+  protected final ObjectMapper objectMapper = new ObjectMapper();
+
+  protected void setEnvironmentVars(final JsonNode node, AbstractType data) throws JsonProcessingException {
+    JsonNode nodes = node.get("environmentVars");
+    List<EnvVariableChoice> environmentVars = new ArrayList<>();
+
+    ArrayNode environmentVarsNode = (nodes.isArray() ? (ArrayNode) nodes : new ArrayNode(null).add(nodes));
+
+    for (JsonNode envVarNode : environmentVarsNode) {
+      EnvVariableChoice envVar = objectMapper.treeToValue(envVarNode, EnvVariableChoice.class);
+      environmentVars.add(envVar);
+    }
+    data.setEnvironmentVars(environmentVars);
+  }
+
+  protected void setReference(JsonNode node, String fieldName, AbstractType type)
+      throws JsonProcessingException
+  {
+    if (node.has(fieldName)) {
+      JsonNode fieldNode = node.get(fieldName);
+      ResourceReferenceChoice reference = objectMapper.treeToValue(fieldNode, ResourceReferenceChoice.class);
+
+      if ("source".equals(fieldName)) {
+        type.setSource(reference);
+      } else if ("target".equals(fieldName)) {
+        type.setTarget(reference);
+      }
+    }
+  }
+}
@@ -86,11 +86,13 @@ public ComponentWrapper deserialize(
       ObjectNode node = parser.readValueAs(ObjectNode.class);
       if (node.has("component")) {
         JsonNode component = node.get("component");
-        JsonParser componentsParser = component.traverse(parser.getCodec());
-        if (component.isArray()) {
-          components = Arrays.asList(componentsParser.readValueAs(Component[].class));
-        } else {
-          components = Collections.singletonList(componentsParser.readValueAs(Component.class));
+        try (JsonParser componentsParser = component.traverse(parser.getCodec())) {
+          if (component.isArray()) {
+            components = Arrays.asList(componentsParser.readValueAs(Component[].class));
+          }
+          else {
+            components = Collections.singletonList(componentsParser.readValueAs(Component.class));
+          }
         }
       }
     }

@@ -19,27 +19,19 @@
 package org.cyclonedx.util.deserializer;
 
 import java.io.IOException;
-import java.util.ArrayList;
 import java.util.List;
 
 import com.fasterxml.jackson.core.JsonParser;
 import com.fasterxml.jackson.core.type.TypeReference;
 import com.fasterxml.jackson.databind.DeserializationContext;
-import com.fasterxml.jackson.databind.JsonDeserializer;
 import com.fasterxml.jackson.databind.JsonNode;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import com.fasterxml.jackson.databind.node.ArrayNode;
 import org.cyclonedx.model.AttachmentText;
 import org.cyclonedx.model.Property;
-import org.cyclonedx.model.formulation.common.EnvVariableChoice;
 import org.cyclonedx.model.formulation.common.InputType;
 import org.cyclonedx.model.formulation.common.InputType.Parameter;
 import org.cyclonedx.model.formulation.common.ResourceReferenceChoice;
 
-public class InputTypeDeserializer extends JsonDeserializer<InputType> {
-  private final ObjectMapper objectMapper = new ObjectMapper();
-
-  private final EnvVariableChoiceDeserializer envVariableDeserializer = new EnvVariableChoiceDeserializer();
+public class InputTypeDeserializer extends AbstractDataTypeDeserializer<InputType> {
 
   @Override
   public InputType deserialize(JsonParser jsonParser, DeserializationContext deserializationContext)
@@ -48,19 +40,10 @@ public InputType deserialize(JsonParser jsonParser, DeserializationContext deser
     JsonNode node = jsonParser.getCodec().readTree(jsonParser);
     InputType inputType = new InputType();
 
-    if(node.has("source")) {
-      JsonNode sourceNode = node.get("source");
-      ResourceReferenceChoice source = objectMapper.treeToValue(sourceNode, ResourceReferenceChoice.class);
-      inputType.setSource(source);
-    }
-
-    if(node.has("target")) {
-      JsonNode targetNode = node.get("target");
-      ResourceReferenceChoice target = objectMapper.treeToValue(targetNode, ResourceReferenceChoice.class);
-      inputType.setTarget(target);
-    }
+    setReference(node, "source", inputType);
+    setReference(node, "target", inputType);
 
-    createInputDataInfo(node, inputType, deserializationContext, jsonParser);
+    createInputDataInfo(node, inputType);
 
     if(node.has("properties")) {
       JsonNode propertiesNode = node.get("properties");
@@ -71,7 +54,7 @@ public InputType deserialize(JsonParser jsonParser, DeserializationContext deser
     return inputType;
   }
 
-  private void createInputDataInfo(JsonNode node, InputType inputType, DeserializationContext ctxt, JsonParser jsonParser)
+  private void createInputDataInfo(JsonNode node, InputType inputType)
       throws IOException
   {
     if (node.has("resource")) {
@@ -83,17 +66,7 @@ private void createInputDataInfo(JsonNode node, InputType inputType, Deserializa
       List<Parameter> parameters = objectMapper.convertValue(parametersNode, new TypeReference<List<Parameter>>() {});
       inputType.setParameters(parameters);
     } else if (node.has("environmentVars")) {
-      JsonNode nodes = node.get("environmentVars");
-      List<EnvVariableChoice> environmentVars = new ArrayList<>();
-
-      ArrayNode environmentVarsNode = (nodes.isArray() ? (ArrayNode) nodes : new ArrayNode(null).add(nodes));
-
-      for (JsonNode envVarNode : environmentVarsNode) {
-        JsonParser nodeParser = envVarNode.traverse(jsonParser.getCodec());
-        EnvVariableChoice envVar =  envVariableDeserializer.deserialize(nodeParser, ctxt);
-        environmentVars.add(envVar);
-      }
-      inputType.setEnvironmentVars(environmentVars);
+      setEnvironmentVars(node, inputType);
     } else if (node.has("data")) {
       JsonNode dataNode = node.get("data");
       AttachmentText data = objectMapper.treeToValue(dataNode, AttachmentText.class);

@@ -34,7 +34,7 @@
 public class LicenseDeserializer extends JsonDeserializer<LicenseChoice>
 {
 
-  ExpressionDeserializer expressionDeserializer = new ExpressionDeserializer();
+  final ExpressionDeserializer expressionDeserializer = new ExpressionDeserializer();
 
   @Override
   public LicenseChoice deserialize(