feat: kbom and cyclonedx v1.5 spec support (#4708)

* feat: kbom and cyclonedx v1.5 spec support Signed-off-by: chenk <hen.keinan@gmail.com> * feat: kbom and cyclonedx v1.5 spec support Signed-off-by: chenk <hen.keinan@gmail.com> * feat: kbom and cyclonedx v1.5 spec support Signed-off-by: chenk <hen.keinan@gmail.com> * feat: feat: kbom and cyclonedx 1.5 spec support Signed-off-by: chenk <hen.keinan@gmail.com> * fix: unmarshal bom on v1.5 return invalid specification version Signed-off-by: chenk <hen.keinan@gmail.com> * feat: cyclonedx-1.5 spec support Signed-off-by: chenk <hen.keinan@gmail.com> --------- Signed-off-by: chenk <hen.keinan@gmail.com>
2025-12-22 23:26:39 -08:00 · 2023-06-25 16:47:06 +03:00
parent 46748ce6ea
commit 85c681d443
29 changed files with 51 additions and 44 deletions
--- a/docs/docs/supply-chain/sbom.md
+++ b/docs/docs/supply-chain/sbom.md
@@ -224,7 +224,7 @@ $ trivy image --format cyclonedx --output result.json alpine:3.15
 $ cat result.json | jq .
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:2be5773d-7cd3-4b4b-90a5-e165474ddace",
  "version": 1,
  "metadata": {
--- a/docs/docs/supply-chain/vex.md
+++ b/docs/docs/supply-chain/vex.md
@@ -43,7 +43,7 @@ Take a look at the example below.
 $ cat <<EOF > trivy.vex.cdx
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "version": 1,
  "vulnerabilities": [
    {
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0
 	github.com/BurntSushi/toml v1.3.2
-	github.com/CycloneDX/cyclonedx-go v0.7.0
+	github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/NYTimes/gziphandler v1.1.1
--- a/go.sum
+++ b/go.sum
@@ -235,8 +235,8 @@ github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbi
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.7.0 h1:jNxp8hL7UpcvPDFXjY+Y1ibFtsW+e5zyF9QoSmhK/zg=
-github.com/CycloneDX/cyclonedx-go v0.7.0/go.mod h1:W5Z9w8pTTL+t+yG3PCiFRGlr8PUlE0pGWzKSJbsyXkg=
+github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3 h1:NqeV+ZMqpcosu0Xg2VW14Ru9ayBs/toe2oihS7sN6Xo=
+github.com/CycloneDX/cyclonedx-go v0.7.2-0.20230625092137-07e2f29defc3/go.mod h1:fGXSp1lCDfMQ8KR1EjxT4ewc5HHhGczRF2pWhLSWohs=
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible h1:juIaKLLVhqzP55d8x4cSVgwyQv76Z55/fRv/UBr2KkQ=
 github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible/go.mod h1:BB1eHdMLYEFuFdBlRMb0N7YGVdM5s6Pt0njxgvfbGGs=
@@ -1643,6 +1643,7 @@ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG
 github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
 github.com/tchap/go-patricia/v2 v2.3.1 h1:6rQp39lgIYZ+MHmdEq4xzuk1t7OdC35z/xm0BGhTkes=
 github.com/tchap/go-patricia/v2 v2.3.1/go.mod h1:VZRHKAb53DLaG+nA9EaYYiaEx6YztwDlLElMsnSHD4k=
+github.com/terminalstatic/go-xsd-validate v0.1.5 h1:RqpJnf6HGE2CB/lZB1A8BYguk8uRtcvYAPLCF15qguo=
 github.com/testcontainers/testcontainers-go v0.20.1 h1:mK15UPJ8c5P+NsQKmkqzs/jMdJt6JMs5vlw2y4j92c0=
 github.com/testcontainers/testcontainers-go v0.20.1/go.mod h1:zb+NOlCQBkZ7RQp4QI+YMIHyO2CQ/qsXzNF5eLJ24SY=
 github.com/tetratelabs/wazero v1.2.0 h1:I/8LMf4YkCZ3r2XaL9whhA0VMyAvF6QE+O7rco0DCeQ=
--- a/integration/k8s_test.go
+++ b/integration/k8s_test.go
@@ -98,7 +98,7 @@ func TestK8s(t *testing.T) {
 		require.NoError(t, err)

 		assert.Equal(t, got.Metadata.Component.Name, "kind-kind-test")
-		assert.Equal(t, got.Metadata.Component.Type, cdx.ComponentType("container"))
+		assert.Equal(t, got.Metadata.Component.Type, cdx.ComponentType("platform"))

 		// Has components
 		assert.True(t, len(*got.Components) > 0)
--- a/integration/testdata/conda-cyclonedx.json.golden
+++ b/integration/testdata/conda-cyclonedx.json.golden
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:e1f49b6f-018f-4bf3-97c8-85cd92a82c7c",
  "version": 1,
  "metadata": {
--- a/integration/testdata/fixtures/sbom/centos-7-cyclonedx.json
+++ b/integration/testdata/fixtures/sbom/centos-7-cyclonedx.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:1455c02d-64ca-453e-a5df-ddfb70a7c804",
  "version": 1,
  "metadata": {
--- a/integration/testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json
+++ b/integration/testdata/fixtures/sbom/fluentd-multiple-lockfiles-cyclonedx.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:31ee662c-480e-4f63-9765-23ea8afc754d",
  "version": 1,
  "metadata": {
--- a/pkg/attestation/sbom/rekor_test.go
+++ b/pkg/attestation/sbom/rekor_test.go
@@ -22,7 +22,7 @@ func TestRekor_RetrieveSBOM(t *testing.T) {
 		{
 			name:   "happy path",
 			digest: "sha256:5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03",
-			want:   `{"bomFormat":"CycloneDX","specVersion":"1.4","version":2}`,
+			want:   `{"bomFormat":"CycloneDX","specVersion":"1.5","version":2}`,
 		},
 		{
 			name:    "404",
--- a/pkg/fanal/analyzer/sbom/testdata/cdx.json
+++ b/pkg/fanal/analyzer/sbom/testdata/cdx.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:73f26314-e86a-4f5a-befc-f853a15b64e7",
  "version": 1,
  "metadata": {
--- a/pkg/fanal/artifact/sbom/testdata/bom.json
+++ b/pkg/fanal/artifact/sbom/testdata/bom.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:c986ba94-e37d-49c8-9e30-96daccd0415b",
  "version": 1,
  "metadata": {
--- a/pkg/fanal/artifact/sbom/testdata/os-only-bom.json
+++ b/pkg/fanal/artifact/sbom/testdata/os-only-bom.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:c986ba94-e37d-49c8-9e30-96daccd0415b",
  "version": 1,
  "metadata": {
--- a/pkg/k8s/scanner/scanner.go
+++ b/pkg/k8s/scanner/scanner.go
@@ -250,7 +250,7 @@ func clusterInfoToReportResources(allArtifact []*artifacts.Artifact, clusterName
 	}
 	rootComponent := &core.Component{
 		Name:       clusterName,
-		Type:       cdx.ComponentTypeContainer,
+		Type:       cdx.ComponentTypePlatform,
 		Components: coreComponents,
 	}
 	return rootComponent, nil
@@ -304,7 +304,7 @@ func nodeComponent(nf bom.NodeInfo) *core.Component {
 		k8sComponentName: nf.NodeName,
 	}, k8sCoreComponentNamespace)...)
 	return &core.Component{
-		Type:       cdx.ComponentTypeContainer,
+		Type:       cdx.ComponentTypePlatform,
 		Name:       nf.NodeName,
 		Properties: properties,
 		Components: []*core.Component{
--- a/pkg/k8s/scanner/scanner_test.go
+++ b/pkg/k8s/scanner/scanner_test.go
@@ -72,7 +72,7 @@ func TestK8sClusterInfoReport(t *testing.T) {
 				},
 			},
 			want: &core.Component{
-				Type: cdx.ComponentTypeContainer,
+				Type: cdx.ComponentTypePlatform,
 				Name: "test-cluster",
 				Components: []*core.Component{
 					{
@@ -110,7 +110,7 @@ func TestK8sClusterInfoReport(t *testing.T) {
 						},
 					},
 					{
-						Type: cdx.ComponentTypeContainer,
+						Type: cdx.ComponentTypePlatform,
 						Name: "kind-control-plane",
 						Properties: []core.Property{
 							{Name: "Architecture", Value: "arm64"},
--- a/pkg/rekortest/server.go
+++ b/pkg/rekortest/server.go
@@ -50,7 +50,7 @@ var (
 			Data: &cyclonedx.BOM{
 				BOMFormat:    cyclonedx.BOMFormat,
 				SerialNumber: "urn:uuid:6453fd82-71f4-47c8-ad12-01775619c443",
-				SpecVersion:  cyclonedx.SpecVersion1_4,
+				SpecVersion:  cyclonedx.SpecVersion1_5,
 				Version:      1,
 				Metadata: &cyclonedx.Metadata{
 					Timestamp: "2022-09-15T13:53:49+00:00",
@@ -138,7 +138,7 @@ var (
 			Data: &cyclonedx.BOM{
 				BOMFormat:    cyclonedx.BOMFormat,
 				SerialNumber: "urn:uuid:8b16c9a3-e957-4c85-b43d-7dd05ea0421c",
-				SpecVersion:  cyclonedx.SpecVersion1_4,
+				SpecVersion:  cyclonedx.SpecVersion1_5,
 				Version:      1,
 				Metadata: &cyclonedx.Metadata{
 					Timestamp: "2022-10-21T09:50:08+00:00",
@@ -205,7 +205,7 @@ var (
 		Predicate: &attestation.CosignPredicate{
 			Data: &cyclonedx.BOM{
 				BOMFormat:   cyclonedx.BOMFormat,
-				SpecVersion: cyclonedx.SpecVersion1_4,
+				SpecVersion: cyclonedx.SpecVersion1_5,
 				Version:     2,
 			},
 		},
--- a/pkg/sbom/cyclonedx/core/cyclonedx_test.go
+++ b/pkg/sbom/cyclonedx/core/cyclonedx_test.go
@@ -132,10 +132,11 @@ func TestMarshaler_CoreComponent(t *testing.T) {
 			},

 			want: &cdx.BOM{
-				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
+				XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 				BOMFormat:    "CycloneDX",
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
-				SpecVersion:  cdx.SpecVersion1_4,
+				JSONSchema:   "http://cyclonedx.org/schema/bom-1.5.schema.json",
+				SpecVersion:  cdx.SpecVersion1_5,
 				Version:      1,
 				Metadata: &cdx.Metadata{
 					Timestamp: "2021-08-25T12:20:30+00:00",
--- a/pkg/sbom/cyclonedx/marshal_test.go
+++ b/pkg/sbom/cyclonedx/marshal_test.go
@@ -182,9 +182,10 @@ func TestMarshaler_Marshal(t *testing.T) {
 				},
 			},
 			want: &cdx.BOM{
-				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
+				XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  cdx.SpecVersion1_4,
+				SpecVersion:  cdx.SpecVersion1_5,
+				JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json",
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
@@ -726,9 +727,10 @@ func TestMarshaler_Marshal(t *testing.T) {
 				},
 			},
 			want: &cdx.BOM{
-				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
+				XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  cdx.SpecVersion1_4,
+				SpecVersion:  cdx.SpecVersion1_5,
+				JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json",
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
@@ -1060,9 +1062,10 @@ func TestMarshaler_Marshal(t *testing.T) {
 				},
 			},
 			want: &cdx.BOM{
-				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
+				XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  cdx.SpecVersion1_4,
+				SpecVersion:  cdx.SpecVersion1_5,
+				JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json",
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
@@ -1187,9 +1190,10 @@ func TestMarshaler_Marshal(t *testing.T) {
 				},
 			},
 			want: &cdx.BOM{
-				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
+				XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  cdx.SpecVersion1_4,
+				SpecVersion:  cdx.SpecVersion1_5,
+				JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json",
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
@@ -1267,9 +1271,10 @@ func TestMarshaler_Marshal(t *testing.T) {
 				Results:       types.Results{},
 			},
 			want: &cdx.BOM{
-				XMLNS:        "http://cyclonedx.org/schema/bom/1.4",
+				XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 				BOMFormat:    "CycloneDX",
-				SpecVersion:  cdx.SpecVersion1_4,
+				SpecVersion:  cdx.SpecVersion1_5,
+				JSONSchema: "http://cyclonedx.org/schema/bom-1.5.schema.json",
 				SerialNumber: "urn:uuid:3ff14136-e09f-4df9-80ea-000000000001",
 				Version:      1,
 				Metadata: &cdx.Metadata{
--- a/pkg/sbom/cyclonedx/testdata/happy/bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/bom.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:c986ba94-e37d-49c8-9e30-96daccd0415b",
  "version": 1,
  "metadata": {
--- a/pkg/sbom/cyclonedx/testdata/happy/empty-bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/empty-bom.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:c986ba94-e37d-49c8-9e30-96daccd0415b",
  "version": 1,
  "metadata": {
--- a/pkg/sbom/cyclonedx/testdata/happy/empty-metadata-component-bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/empty-metadata-component-bom.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:c986ba94-e37d-49c8-9e30-96daccd0415b",
  "version": 1,
  "metadata": {
--- a/pkg/sbom/cyclonedx/testdata/happy/group-in-name.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/group-in-name.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:8366a7c8-229c-4518-b86c-8a1bcf69af01",
  "version": 1,
  "metadata": {
--- a/pkg/sbom/cyclonedx/testdata/happy/independent-library-bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/independent-library-bom.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:c986ba94-e37d-49c8-9e30-96daccd0415b",
  "version": 1,
  "metadata": {
--- a/pkg/sbom/cyclonedx/testdata/happy/infinite-loop-bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/infinite-loop-bom.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:a085f5e7-f5c1-4bc0-96be-ffa4d235ebc8",
  "version": 1,
  "metadata": {
--- a/pkg/sbom/cyclonedx/testdata/happy/os-only-bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/os-only-bom.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:c986ba94-e37d-49c8-9e30-96daccd0415b",
  "version": 1,
  "metadata": {
--- a/pkg/sbom/cyclonedx/testdata/happy/third-party-bom-no-os.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/third-party-bom-no-os.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:c986ba94-e37d-49c8-9e30-96daccd0415b",
  "version": 1,
  "metadata": {
--- a/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:c986ba94-e37d-49c8-9e30-96daccd0415b",
  "version": 1,
  "metadata": {
--- a/pkg/sbom/cyclonedx/testdata/happy/unrelated-bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/unrelated-bom.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:c986ba94-e37d-49c8-9e30-96daccd0415b",
  "version": 1,
  "metadata": {
--- a/pkg/sbom/cyclonedx/testdata/sad/invalid-purl.json
+++ b/pkg/sbom/cyclonedx/testdata/sad/invalid-purl.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "serialNumber": "urn:uuid:c986ba94-e37d-49c8-9e30-96daccd0415b",
  "version": 1,
  "metadata": {
--- a/pkg/vex/testdata/cyclonedx.json
+++ b/pkg/vex/testdata/cyclonedx.json
@@ -1,6 +1,6 @@
 {
  "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
  "version": 1,
  "vulnerabilities": [
    {