From 2a589ec5219b8c5016263ca520cd567f068a5d49 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Fri, 29 Dec 2023 09:52:39 +0000
Subject: [PATCH 1/6] feat(results): update cyclonedx reports from v1.3 to v1.5
---
 pkg/report/model/cyclonedx.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pkg/report/model/cyclonedx.go b/pkg/report/model/cyclonedx.go
index 3aa3af32043..176ae333b92 100644
--- a/pkg/report/model/cyclonedx.go
+++ b/pkg/report/model/cyclonedx.go
@@ -218,9 +218,9 @@ func InitCycloneDxReport() *CycloneDxReport {
 },
 },
 }
-
+ //update cycloneDX version to 1.5 (from 1.3 to 1.5 nothing needed to change since we only create 1 bom at a time, more changes to come)
 return &CycloneDxReport{
- XMLNS: "http://cyclonedx.org/schema/bom/1.3",
+ XMLNS: "http://cyclonedx.org/schema/bom/1.5",
 XMLNSV: "http://cyclonedx.org/schema/ext/vulnerability/1.0",
 SerialNumber: "urn:uuid:" + uuid.New().String(),
 Version: 1,
@@ -268,5 +268,6 @@ func BuildCycloneDxReport(summary *model.Summary, filePaths map[string]string) *
 bom.Components.Components = append(bom.Components.Components, component)
 }
+
 return bom
 }
From e7501b8cfa4b5d25ac33f0a384c0cc479021fc92 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Fri, 29 Dec 2023 10:56:56 +0000
Subject: [PATCH 2/6] feat(update): update cyclonedx reports to support v1.5
---
 pkg/report/model/cyclonedx.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/report/model/cyclonedx.go b/pkg/report/model/cyclonedx.go
index 176ae333b92..7ec684dc0ab 100644
--- a/pkg/report/model/cyclonedx.go
+++ b/pkg/report/model/cyclonedx.go
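Review bot: The bumped `+ XMLNS: "http://cyclonedx.org/schema/bom/1.5",` declares a 1.5 BOM while the next context line still binds `XMLNSV` to `http://cyclonedx.org/schema/ext/vulnerability/1.0`, and the added comment itself says nothing else changed; vulnerability reporting became part of the core schema in 1.4 and the extension was superseded, so a consumer that dispatches on the declared version may validate strictly against the 1.5 XSD or read only the native vulnerabilities element, and the extension-carried findings could then be rejected or silently dropped downstream — worth confirming against the 1.5 XSD before this ships. The fixture change in patch 3/6 (`cyclonedx_test.go`) only mirrors the new literal, so nothing in the series would catch a report that no longer validates; a test that runs a generated report through the 1.5 schema would pin this. I would also replace the open-ended "more changes to come" with a pointer to the tracked follow-up, e.g. `// Declares bom/1.5 but still emits the ext/vulnerability/1.0 extension (superseded by native vulnerabilities in 1.4); migrate before relying on 1.5 features — TODO(<tracking-issue>)`. The body of InitCycloneDxReport continues outside the hunk.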
@@ -218,7 +218,8 @@ func InitCycloneDxReport() *CycloneDxReport {
 },
 },
 }
- //update cycloneDX version to 1.5 (from 1.3 to 1.5 nothing needed to change since we only create 1 bom at a time, more changes to come)
+ // Update cycloneDX version to 1.5 (from 1.3 to 1.5 nothing needed to change since we only create 1 bom at a time,
+ // more changes to come)
 return &CycloneDxReport{
 XMLNS: "http://cyclonedx.org/schema/bom/1.5",
 XMLNSV: "http://cyclonedx.org/schema/ext/vulnerability/1.0",
From 79b1631deb787da6469c3255ecafbd51cabd81fe Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Fri, 29 Dec 2023 11:10:00 +0000
Subject: [PATCH 3/6] feat(update): update cyclonedx reports to support v1.5
---
 pkg/report/model/cyclonedx_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pkg/report/model/cyclonedx_test.go b/pkg/report/model/cyclonedx_test.go
index 6925f17f513..117f54cdf90 100644
--- a/pkg/report/model/cyclonedx_test.go
+++ b/pkg/report/model/cyclonedx_test.go
@@ -24,8 +24,9 @@ var metadata Metadata = Metadata{
 },
 }
+// Update XMLNS version to 1.5 from 1.3
 var initCycloneDxReport CycloneDxReport = CycloneDxReport{
- XMLNS: "http://cyclonedx.org/schema/bom/1.3",
+ XMLNS: "http://cyclonedx.org/schema/bom/1.5",
 XMLNSV: "http://cyclonedx.org/schema/ext/vulnerability/1.0",
 SerialNumber: "urn:uuid:", // set to "urn:uuid:" because it will be different for every report
 Version: 1,
From 2f669b642d068023ea2383e2c41c2f4936e1594e Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Wed, 10 Jan 2024 11:27:07 +0000
Subject: [PATCH 4/6] update documentation for the new version 1.5 of cyclonedx
---
 docs/results.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/docs/results.md b/docs/results.md
index 61ce60c66cb..f29fc73ded8 100644
--- a/docs/results.md
+++ b/docs/results.md
@@ -621,12 +621,14 @@ PDF reports are sorted by severity (from high to info), the results will have qu
 ## CycloneDX
 Now, the CycloneDX report is only available in XML format since the vulnerability schema extension is not currently available in JSON. The guidelines used to build the CycloneDX report were the [bom schema 1.3](http://cyclonedx.org/schema/bom/1.3) and [vulnerability schema 1.0](https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd).
+**Note:** As of the latest update, the CycloneDX version utilized in the report is 1.5. However, it's important to clarify that no additional features or fields introduced in version 1.5 are currently utilized. The functionality remains consistent with the version 1.3 for KICS. Future updates will leverage the new features introduced in CycloneDX version 1.5.
+
 You can export CycloneDX report by using `--report-formats "cyclonedx"`. The generated report file will have a prefix `cyclonedx-` and looks like the following example:
 ```
-
+
 2021-12-03T15:39:49Z
From 6318b5e9127e3b62b02a51ed47e725ace5d99b58 Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Mon, 15 Jan 2024 18:40:12 +0000
Subject: [PATCH 5/6] Adding a new line on the note in the CycloneDX documentation
---
 docs/results.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/results.md b/docs/results.md
index f29fc73ded8..e8f88bfcb57 100644
--- a/docs/results.md
+++ b/docs/results.md
@@ -620,7 +620,7 @@ PDF reports are sorted by severity (from high to info), the results will have qu
 ## CycloneDX
-Now, the CycloneDX report is only available in XML format since the vulnerability schema extension is not currently available in JSON. The guidelines used to build the CycloneDX report were the [bom schema 1.3](http://cyclonedx.org/schema/bom/1.3) and [vulnerability schema 1.0](https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd).
+Now, the CycloneDX report is only available in XML format since the vulnerability schema extension is not currently available in JSON. The guidelines used to build the CycloneDX report were the [bom schema 1.3](http://cyclonedx.org/schema/bom/1.3) and [vulnerability schema 1.0](https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd).
 **Note:** As of the latest update, the CycloneDX version utilized in the report is 1.5. However, it's important to clarify that no additional features or fields introduced in version 1.5 are currently utilized. The functionality remains consistent with the version 1.3 for KICS. Future updates will leverage the new features introduced in CycloneDX version 1.5.
From 72c9a01d25187a58ed99f6e990535a3a6012550b Mon Sep 17 00:00:00 2001
From: Artur Ribeiro
Date: Tue, 16 Jan 2024 12:36:00 +0000
Subject: [PATCH 6/6] Fix adding new line on the note in the CycloneDX documentation
---
 docs/results.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/results.md b/docs/results.md
index e8f88bfcb57..67c4de83c58 100644
--- a/docs/results.md
+++ b/docs/results.md
@@ -620,7 +620,7 @@ PDF reports are sorted by severity (from high to info), the results will have qu
 ## CycloneDX
-Now, the CycloneDX report is only available in XML format since the vulnerability schema extension is not currently available in JSON. The guidelines used to build the CycloneDX report were the [bom schema 1.3](http://cyclonedx.org/schema/bom/1.3) and [vulnerability schema 1.0](https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd).
+Now, the CycloneDX report is only available in XML format since the vulnerability schema extension is not currently available in JSON. The guidelines used to build the CycloneDX report were the [bom schema 1.3](http://cyclonedx.org/schema/bom/1.3) and [vulnerability schema 1.0](https://github.com/CycloneDX/specification/blob/master/schema/ext/vulnerability-1.0.xsd).
 **Note:** As of the latest update, the CycloneDX version utilized in the report is 1.5. However, it's important to clarify that no additional features or fields introduced in version 1.5 are currently utilized. The functionality remains consistent with the version 1.3 for KICS. Future updates will leverage the new features introduced in CycloneDX version 1.5.