
feat(spec1-5): add support for identity, occurrences, and callstack evidence

Signed-off-by: nscuro <[email protected]>
nscuro committed Dec 7, 2023
1 parent 61dd91e commit 2fbde0e
Showing 6 changed files with 300 additions and 2 deletions.
6 changes: 6 additions & 0 deletions convert.go
Expand Up @@ -140,6 +140,12 @@ func componentConverter(specVersion SpecVersion) func(*Component) {
if specVersion < SpecVersion1_5 {
c.ModelCard = nil
c.Data = nil

if c.Evidence != nil {
c.Evidence.Identity = nil
c.Evidence.Occurrences = nil
c.Evidence.Callstack = nil
}
}

if !specVersion.supportsComponentType(c.Type) {
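Review bot: Clearing Identity, Occurrences and Callstack can leave c.Evidence as a non-nil struct with every field nil, so a BOM downgraded below 1.5 presumably still emits an empty `"evidence": {}` / `<evidence></evidence>` element (a non-nil pointer is not dropped by omitempty). Consider collapsing it after the three assignments: `if c.Evidence.Licenses == nil && c.Evidence.Copyright == nil { c.Evidence = nil }`. Whether nested component evidence is reached by the same converter is not visible here; componentConverter starts and ends outside the hunk.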
66 changes: 64 additions & 2 deletions cyclonedx.go
Expand Up @@ -116,6 +116,20 @@ func Bool(value bool) *bool {

type BOMReference string

type Callstack struct {
Frames *[]CallstackFrame `json:"frames,omitempty" xml:"frames>frame,omitempty"`
}

type CallstackFrame struct {
Package string `json:"package,omitempty" xml:"package,omitempty"`
Module string `json:"module,omitempty" xml:"module,omitempty"`
Function string `json:"function,omitempty" xml:"function,omitempty"`
Parameters *[]string `json:"parameters,omitempty" xml:"parameters>parameter,omitempty"`
Line *int `json:"line,omitempty" xml:"line,omitempty"`
Column *int `json:"column,omitempty" xml:"column,omitempty"`
FullFilename string `json:"fullFilename,omitempty" xml:"fullFilename,omitempty"`
}

type ComponentType string

const (
Expand Down Expand Up @@ -275,8 +289,56 @@ type Diff struct {
}

type Evidence struct {
Licenses *Licenses `json:"licenses,omitempty" xml:"licenses,omitempty"`
Copyright *[]Copyright `json:"copyright,omitempty" xml:"copyright>text,omitempty"`
Identity *EvidenceIdentity `json:"identity,omitempty" xml:"identity,omitempty"`
Occurrences *[]EvidenceOccurrence `json:"occurrences,omitempty" xml:"occurrences>occurrence,omitempty"`
Callstack *Callstack `json:"callstack,omitempty" xml:"callstack,omitempty"`
Licenses *Licenses `json:"licenses,omitempty" xml:"licenses,omitempty"`
Copyright *[]Copyright `json:"copyright,omitempty" xml:"copyright>text,omitempty"`
}

type EvidenceIdentity struct {
Field EvidenceIdentityFieldType `json:"field,omitempty" xml:"field,omitempty"`
Confidence *float32 `json:"confidence,omitempty" xml:"confidence,omitempty"`
Methods *[]EvidenceIdentityMethod `json:"methods,omitempty" xml:"methods>method,omitempty"`
Tools *[]BOMReference `json:"tools,omitempty" xml:"tools>tool,omitempty"`
}

type EvidenceIdentityFieldType string

const (
EvidenceIdentityFieldTypeCPE EvidenceIdentityFieldType = "cpe"
EvidenceIdentityFieldTypeGroup EvidenceIdentityFieldType = "group"
EvidenceIdentityFieldTypeHash EvidenceIdentityFieldType = "hash"
EvidenceIdentityFieldTypeName EvidenceIdentityFieldType = "name"
EvidenceIdentityFieldTypePURL EvidenceIdentityFieldType = "purl"
EvidenceIdentityFieldTypeSWID EvidenceIdentityFieldType = "swid"
EvidenceIdentityFieldTypeVersion EvidenceIdentityFieldType = "version"
)

type EvidenceIdentityMethod struct {
Technique EvidenceIdentityTechnique `json:"technique,omitempty" xml:"technique,omitempty"`
Confidence *float32 `json:"confidence,omitempty" xml:"confidence,omitempty"`
Value string `json:"value,omitempty" xml:"value,omitempty"`
}

type EvidenceIdentityTechnique string

const (
EvidenceIdentityTechniqueASTFingerprint EvidenceIdentityTechnique = "ast-fingerprint"
EvidenceIdentityTechniqueAttestation EvidenceIdentityTechnique = "attestation"
EvidenceIdentityTechniqueBinaryAnalysis EvidenceIdentityTechnique = "binary-analysis"
EvidenceIdentityTechniqueDynamicAnalysis EvidenceIdentityTechnique = "dynamic-analysis"
EvidenceIdentityTechniqueFilename EvidenceIdentityTechnique = "filename"
EvidenceIdentityTechniqueHashComparison EvidenceIdentityTechnique = "hash-comparison"
EvidenceIdentityTechniqueInstrumentation EvidenceIdentityTechnique = "instrumentation"
EvidenceIdentityTechniqueManifestAnalysis EvidenceIdentityTechnique = "manifest-analysis"
EvidenceIdentityTechniqueOther EvidenceIdentityTechnique = "other"
EvidenceIdentityTechniqueSourceCodeAnalysis EvidenceIdentityTechnique = "source-code-analysis"
)

type EvidenceOccurrence struct {
BOMRef string `json:"bom-ref,omitempty" xml:"bom-ref,attr,omitempty"`
Location string `json:"location,omitempty" xml:"location,omitempty"`
}

type ExternalReference struct {
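Review bot: None of the new exported types and constants in this section (EvidenceIdentity, EvidenceIdentityFieldType, EvidenceIdentityMethod, EvidenceIdentityTechnique, EvidenceOccurrence, and Callstack/CallstackFrame in the first hunk) carry a doc comment, so godoc shows bare field lists and nothing records that these fields exist only from spec 1.5 on or that Confidence is a 0.0–1.0 score as the CycloneDX 1.5 schema defines it. Add one-line comments in the Go convention, e.g. `// EvidenceIdentity describes how a component's identity was determined (CycloneDX 1.5+).` on the type and `// Confidence is the analysis confidence, from 0.0 to 1.0.` on the float fields. A comment on CallstackFrame.Parameters saying that the values look like captured call arguments (see the testdata, which carries literal argument values) and may therefore contain application data that producers should consider redacting would help BOM consumers and producers alike. Whether the pre-existing types in this file are documented is not visible in the hunk; match whatever style the file already uses.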
Expand Up @@ -19,6 +19,65 @@
],
"purl": "pkg:maven/com.google.code.findbugs/[email protected]",
"evidence": {
"identity": {
"field": "purl",
"confidence": 1,
"methods": [
{
"technique": "filename",
"confidence": 0.1,
"value": "findbugs-project-3.0.0.jar"
},
{
"technique": "ast-fingerprint",
"confidence": 0.9,
"value": "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab"
},
{
"technique": "hash-comparison",
"confidence": 0.7,
"value": "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf"
}
],
"tools": [
"bom-ref-of-tool-that-performed-analysis"
]
},
"occurrences": [
{
"bom-ref": "d6bf237e-4e11-4713-9f62-56d18d5e2079",
"location": "/path/to/component"
},
{
"bom-ref": "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175",
"location": "/another/path/to/component"
}
],
"callstack": {
"frames": [
{
"package": "com.apache.logging.log4j.core",
"module": "Logger.class",
"function": "logMessage",
"parameters": [
"com.acme.HelloWorld",
"Level.INFO",
"null",
"Hello World"
],
"line": 150,
"column": 17,
"fullFilename": "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class"
},
{
"module": "HelloWorld.class",
"function": "main",
"line": 20,
"column": 12,
"fullFilename": "/path/to/HelloWorld.class"
}
]
},
"licenses": [
{
"license": {
Expand Up @@ -13,6 +13,63 @@
</licenses>
<purl>pkg:maven/com.google.code.findbugs/[email protected]</purl>
<evidence>
<identity>
<field>purl</field>
<confidence>1</confidence>
<methods>
<method>
<technique>filename</technique>
<confidence>0.1</confidence>
<value>findbugs-project-3.0.0.jar</value>
</method>
<method>
<technique>ast-fingerprint</technique>
<confidence>0.9</confidence>
<value>61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab</value>
</method>
<method>
<technique>hash-comparison</technique>
<confidence>0.7</confidence>
<value>7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf</value>
</method>
</methods>
<tools>
<tool ref="bom-ref-of-tool-that-performed-analysis"></tool>
</tools>
</identity>
<occurrences>
<occurrence bom-ref="d6bf237e-4e11-4713-9f62-56d18d5e2079">
<location>/path/to/component</location>
</occurrence>
<occurrence bom-ref="b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175">
<location>/another/path/to/component</location>
</occurrence>
</occurrences>
<callstack>
<frames>
<frame>
<package>com.apache.logging.log4j.core</package>
<module>Logger.class</module>
<function>logMessage</function>
<parameters>
<parameter>com.acme.HelloWorld</parameter>
<parameter>Level.INFO</parameter>
<parameter>null</parameter>
<parameter>Hello World</parameter>
</parameters>
<line>150</line>
<column>17</column>
<fullFilename>/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class</fullFilename>
</frame>
<frame>
<module>HelloWorld.class</module>
<function>main</function>
<line>20</line>
<column>12</column>
<fullFilename>/path/to/HelloWorld.class</fullFilename>
</frame>
</frames>
</callstack>
<licenses>
<license>
<id>Apache-2.0</id>
57 changes: 57 additions & 0 deletions testdata/valid-evidence.json
Expand Up @@ -19,6 +19,63 @@
],
"purl": "pkg:maven/com.google.code.findbugs/[email protected]",
"evidence": {
"identity": {
"field": "purl",
"confidence": 1,
"methods": [
{
"technique": "filename",
"confidence": 0.1,
"value": "findbugs-project-3.0.0.jar"
},
{
"technique": "ast-fingerprint",
"confidence": 0.9,
"value": "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab"
},
{
"technique": "hash-comparison",
"confidence": 0.7,
"value": "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf"
}
],
"tools": [
"bom-ref-of-tool-that-performed-analysis"
]
},
"occurrences": [
{
"bom-ref": "d6bf237e-4e11-4713-9f62-56d18d5e2079",
"location": "/path/to/component"
},
{
"bom-ref": "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175",
"location": "/another/path/to/component"
}
],
"callstack": {
"frames": [
{

"package": "com.apache.logging.log4j.core",
"module": "Logger.class",
"function": "logMessage",
"parameters": [
"com.acme.HelloWorld", "Level.INFO", "null", "Hello World"
],
"line": 150,
"column": 17,
"fullFilename": "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class"
},
{
"module": "HelloWorld.class",
"function": "main",
"line": 20,
"column": 12,
"fullFilename": "/path/to/HelloWorld.class"
}
]
},
"licenses": [
{
"license": {
57 changes: 57 additions & 0 deletions testdata/valid-evidence.xml
Expand Up @@ -13,6 +13,63 @@
</licenses>
<purl>pkg:maven/com.google.code.findbugs/[email protected]</purl>
<evidence>
<identity>
<field>purl</field>
<confidence>1</confidence>
<methods>
<method>
<technique>filename</technique>
<confidence>0.1</confidence>
<value>findbugs-project-3.0.0.jar</value>
</method>
<method>
<technique>ast-fingerprint</technique>
<confidence>0.9</confidence>
<value>61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab</value>
</method>
<method>
<technique>hash-comparison</technique>
<confidence>0.7</confidence>
<value>7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf</value>
</method>
</methods>
<tools>
<tool ref="bom-ref-of-tool-that-performed-analysis"/>
</tools>
</identity>
<occurrences>
<occurrence bom-ref="d6bf237e-4e11-4713-9f62-56d18d5e2079">
<location>/path/to/component</location>
</occurrence>
<occurrence bom-ref="b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175">
<location>/another/path/to/component</location>
</occurrence>
</occurrences>
<callstack>
<frames>
<frame>
<package>com.apache.logging.log4j.core</package>
<module>Logger.class</module>
<function>logMessage</function>
<parameters>
<parameter>com.acme.HelloWorld</parameter>
<parameter>Level.INFO</parameter>
<parameter>null</parameter>
<parameter>Hello World</parameter>
</parameters>
<line>150</line>
<column>17</column>
<fullFilename>/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class</fullFilename>
</frame>
<frame>
<module>HelloWorld.class</module>
<function>main</function>
<line>20</line>
<column>12</column>
<fullFilename>/path/to/HelloWorld.class</fullFilename>
</frame>
</frames>
</callstack>
<licenses>
<license>
<id>Apache-2.0</id>
