Merge pull request #6841 from Checkmarx/cyclonedx

feat(results): update cyclonedx reports to support v1.5
Checkmarx · Jan 17, 2024 · 8613564 · 8613564
2 parents 97c0598 + c50bc91
commit 8613564
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/docs/results.md b/docs/results.md
@@ -620,13 +620,15 @@ PDF reports are sorted by severity (from high to info), the results will have qu
 
 ## CycloneDX
 
-Now, the CycloneDX report is only available in XML format since the vulnerability schema extension is not currently available in JSON. The guidelines used to build the CycloneDX report were the [bom schema 1.3](http://cyclonedx.org/schema/bom/1.3) and [vulnerability schema 1.0](https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd).
+Now, the CycloneDX report is only available in XML format since the vulnerability schema extension is not currently available in JSON. The guidelines used to build the CycloneDX report were the [bom schema 1.3](http://cyclonedx.org/schema/bom/1.3) and [vulnerability schema 1.0](https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd).                                                                                               
+**Note:** As of the latest update, the CycloneDX version utilized in the report is 1.5. However, it's important to clarify that no additional features or fields introduced in version 1.5 are currently utilized. The functionality remains consistent with the version 1.3 for KICS. Future updates will leverage the new features introduced in CycloneDX version 1.5.
+
 
 You can export CycloneDX report by using `--report-formats "cyclonedx"`. The generated report file will have a prefix `cyclonedx-` and looks like the following example:
 
 ```
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:9f9c80f3-5795-476d-974f-85e6cf1daa65" xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0" version="1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.5" serialNumber="urn:uuid:9f9c80f3-5795-476d-974f-85e6cf1daa65" xmlns:v="http://cyclonedx.org/schema/ext/vulnerability/1.0" version="1">
 	<metadata>
 		<timestamp>2021-12-03T15:39:49Z</timestamp>
 		<tools>

diff --git a/pkg/report/model/cyclonedx.go b/pkg/report/model/cyclonedx.go
@@ -218,9 +218,10 @@ func InitCycloneDxReport() *CycloneDxReport {
 			},
 		},
 	}
-
+	// Update cycloneDX version to 1.5 (from 1.3 to 1.5 nothing needed to change since we only create 1 bom at a time,
+	// more changes to come)
 	return &CycloneDxReport{
-		XMLNS:        "http://cyclonedx.org/schema/bom/1.3",
+		XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 		XMLNSV:       "http://cyclonedx.org/schema/ext/vulnerability/1.0",
 		SerialNumber: "urn:uuid:" + uuid.New().String(),
 		Version:      1,
@@ -268,5 +269,6 @@ func BuildCycloneDxReport(summary *model.Summary, filePaths map[string]string) *
 
 		bom.Components.Components = append(bom.Components.Components, component)
 	}
+
 	return bom
 }
diff --git a/pkg/report/model/cyclonedx_test.go b/pkg/report/model/cyclonedx_test.go
@@ -24,8 +24,9 @@ var metadata Metadata = Metadata{
 	},
 }
 
+// Update XMLNS version to 1.5 from 1.3
 var initCycloneDxReport CycloneDxReport = CycloneDxReport{
-	XMLNS:        "http://cyclonedx.org/schema/bom/1.3",
+	XMLNS:        "http://cyclonedx.org/schema/bom/1.5",
 	XMLNSV:       "http://cyclonedx.org/schema/ext/vulnerability/1.0",
 	SerialNumber: "urn:uuid:", // set to "urn:uuid:" because it will be different for every report
 	Version:      1,