diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
index 20b9278295e62..745b4b1ca5fa5 100644
--- a/gradle/libs.versions.toml
+++ b/gradle/libs.versions.toml
@@ -16,7 +16,7 @@ asciidoctorjPdf = "2.3.9"
 clikt = "4.2.1"
 commonsCompress = "1.24.0"
 cvssCalculator = "1.4.2"
-cyclonedx = "7.3.2"
+cyclonedx = "8.0.1"
 diffUtils = "4.12"
 diskLruCache = "2.0.2"
 exposed = "0.44.0"
diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-with-findings.json b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-with-findings.json
index d695a26a3fb11..a77dad2464805 100644
--- a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-with-findings.json
+++ b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-with-findings.json
@@ -1,16 +1,19 @@
 {
 "bomFormat": "CycloneDX",
- "specVersion": "1.4",
+ "specVersion": "1.5",
 "serialNumber": "urn:uuid:01234567-0123-0123-0123-01234567",
 "version": 1,
 "metadata": {
 "timestamp": "1970-01-01T00:00:00Z",
- "tools": [
- {
- "name": "OSS Review Toolkit",
- "version": "deadbeef"
- }
- ],
+ "tools": {
+ "components": [
+ {
+ "name": "OSS Review Toolkit",
+ "version": "deadbeef",
+ "type": "application"
+ }
+ ]
+ },
 "licenses": [
 {
 "expression": "CC0-1.0"
diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-without-findings.json b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-without-findings.json
index a9d1007e84348..4b121f88510d4 100644
--- a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-without-findings.json
+++ b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-without-findings.json
@@ -1,16 +1,19 @@
 {
 "bomFormat": "CycloneDX",
- "specVersion": "1.4",
+ "specVersion": "1.5",
 "serialNumber": "urn:uuid:01234567-0123-0123-0123-01234567",
 "version": 1,
 "metadata": {
 "timestamp": "1970-01-01T00:00:00Z",
- "tools": [
- {
- "name": "OSS Review Toolkit",
- "version": "deadbeef"
- }
- ],
+ "tools": {
+ "components": [
+ {
+ "name": "OSS Review Toolkit",
+ "version": "deadbeef",
+ "type": "application"
+ }
+ ]
+ },
 "licenses": [
 {
 "expression": "CC0-1.0"
diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json
index d25bf037bfd90..45bd6e09edb62 100644
--- a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json
+++ b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json
@@ -1,16 +1,19 @@
 {
 "bomFormat": "CycloneDX",
- "specVersion": "1.4",
+ "specVersion": "1.5",
 "serialNumber": "urn:uuid:01234567-0123-0123-0123-01234567",
 "version": 1,
 "metadata": {
 "timestamp": "1970-01-01T00:00:00Z",
- "tools": [
- {
- "name": "OSS Review Toolkit",
- "version": "deadbeef"
- }
- ],
+ "tools": {
+ "components": [
+ {
+ "name": "OSS Review Toolkit",
+ "version": "deadbeef",
+ "type": "application"
+ }
+ ]
+ },
 "licenses": [
 {
 "expression": "CC0-1.0"
diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml
index 42e63f77e85bd..f026cf3d4d896 100644
--- a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml
+++ b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml
@@ -1,12 +1,14 @@ - + 1970-01-01T00:00:00Z - - OSS Review Toolkit - deadbeef - + + + OSS Review Toolkit + deadbeef + + CC0-1.0
diff --git a/plugins/reporters/cyclonedx/src/funTest/kotlin/CycloneDxReporterFunTest.kt b/plugins/reporters/cyclonedx/src/funTest/kotlin/CycloneDxReporterFunTest.kt
index 962ab258816f3..81645a421d3e4 100644
--- a/plugins/reporters/cyclonedx/src/funTest/kotlin/CycloneDxReporterFunTest.kt
+++ b/plugins/reporters/cyclonedx/src/funTest/kotlin/CycloneDxReporterFunTest.kt
@@ -168,19 +168,14 @@ class CycloneDxReporterFunTest : WordSpec({
 }
 })
-private fun String.patchCycloneDxResult(): String {
- val headerEnd = indexOf("components").takeUnless { it < 0 } ?: length
- return substring(0, headerEnd)
- .replaceFirst(
- """urn:uuid:[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}""".toRegex(),
- "urn:uuid:01234567-0123-0123-0123-01234567"
- )
- .replaceFirst(
- """(timestamp[>"](\s*:\s*")?)\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z""".toRegex(),
- "$11970-01-01T00:00:00Z"
- )
- .replaceFirst(
- """(version[>"](\s*:\s*")?)[\w.+-]+""".toRegex(),
- "$1deadbeef"
- ) + substring(headerEnd)
-}
+private fun String.patchCycloneDxResult(): String =
+ replaceFirst(
+ """urn:uuid:[a-f0-9]{8}(?:-[a-f0-9]{4}){4}[a-f0-9]{8}""".toRegex(),
+ "urn:uuid:01234567-0123-0123-0123-01234567"
+ ).replaceFirst(
+ """(timestamp[>"](\s*:\s*")?)\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z""".toRegex(),
+ "$11970-01-01T00:00:00Z"
+ ).replaceFirst(
+ """(version[>"](\s*:\s*")?)[\w.+-]+""".toRegex(),
+ "$1deadbeef"
+ )
diff --git a/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt b/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt
index 808b03654afe0..276ba37b61259 100644
--- a/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt
+++ b/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt
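Review bot: The rewritten `patchCycloneDxResult` now runs the `version` regex over the whole document instead of only the text before the first `components`, so it silently relies on `replaceFirst` hitting the tool version inside `metadata` before any package component's version; that holds only while the serializer emits `metadata` ahead of the top-level `components` list, and it is presumably why the old `headerEnd` cut had to go, since the 1.5 layout nests `tools.components` inside `metadata`. That ordering assumption is invisible at the call sites, so state it above the function, e.g. `// The metadata block precedes the top-level "components" list in both JSON and XML output, so replaceFirst() patches the tool version, never a package version.` It is also worth noting in the same comment that the BOM-level `"version": 1` is skipped only because the pattern requires a quote or `>` directly before the value, which a future change to the regex could easily break.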
@@ -36,7 +36,7 @@ import org.cyclonedx.model.Hash
 import org.cyclonedx.model.License
 import org.cyclonedx.model.LicenseChoice
 import org.cyclonedx.model.Metadata
-import org.cyclonedx.model.Tool
+import org.cyclonedx.model.metadata.ToolInformation
 import org.ossreviewtoolkit.model.FileFormat
 import org.ossreviewtoolkit.model.LicenseSource
@@ -66,7 +66,7 @@ import org.ossreviewtoolkit.utils.spdx.SpdxLicense
 */
 class CycloneDxReporter : Reporter {
 companion object {
- val DEFAULT_SCHEMA_VERSION = CycloneDxSchema.Version.VERSION_14
+ val DEFAULT_SCHEMA_VERSION = CycloneDxSchema.Version.VERSION_15
 val DEFAULT_DATA_LICENSE = SpdxLicense.CC0_1_0
 const val REPORT_BASE_FILENAME = "bom.cyclonedx"
@@ -155,12 +155,15 @@ class CycloneDxReporter : Reporter {
 val metadata = Metadata().apply {
 timestamp = Date()
- tools = listOf(
- Tool().apply {
- name = ORT_FULL_NAME
- version = Environment.ORT_VERSION
- }
- )
+ toolChoice = ToolInformation().apply {
+ components = listOf(
+ Component().apply {
+ type = Component.Type.APPLICATION
+ name = ORT_FULL_NAME
+ version = Environment.ORT_VERSION
+ }
+ )
+ }
 licenseChoice = LicenseChoice().apply { expression = dataLicense }
 }
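Review bot: The new `metadata` block populates only `toolChoice`, the CycloneDX 1.5 `ToolInformation` form, and leaves the legacy `tools` list empty; if the reporter still lets callers select a schema version below 1.5 (the `DEFAULT_` prefix on `DEFAULT_SCHEMA_VERSION` suggests an override, but that path is outside this hunk), those documents would either lose the generating-tool entry or carry a shape that pre-1.5 validators reject, unless cyclonedx-core-java converts it during serialization, which nothing in this change shows. Picking the representation by the effective schema version keeps the tool provenance in every output; the sketch below uses `schemaVersion` as a placeholder for whatever value the reporter resolves from its options, and it would need the `org.cyclonedx.model.Tool` import that the first hunk removes. The bump of `DEFAULT_SCHEMA_VERSION` to 1.5 in the second hunk also changes the default document every existing consumer receives and should get a changelog line. The enclosing function begins and ends outside the hunk.
```kotlin
val metadata = Metadata().apply {
    timestamp = Date()
    // schemaVersion: placeholder for the version resolved from the reporter options (outside this hunk).
    if (schemaVersion < CycloneDxSchema.Version.VERSION_15) {
        // Pre-1.5 schemas only know the flat tools list.
        tools = listOf(
            Tool().apply {
                name = ORT_FULL_NAME
                version = Environment.ORT_VERSION
            }
        )
    } else {
        toolChoice = ToolInformation().apply {
            components = listOf(
                Component().apply {
                    type = Component.Type.APPLICATION
                    name = ORT_FULL_NAME
                    version = Environment.ORT_VERSION
                }
            )
        }
    }
    // … unchanged: licenseChoice …
}
```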