From 550d288c29a1dbb3e76721345822f9521ab0f7a7 Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Tue, 17 Sep 2024 17:28:21 +0600 Subject: [PATCH 1/2] fix(cyclonedx): unmarshal `framework` components as `library` --- pkg/sbom/cyclonedx/unmarshal.go | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/pkg/sbom/cyclonedx/unmarshal.go b/pkg/sbom/cyclonedx/unmarshal.go index 71a0ee27b640..de410d008794 100644 --- a/pkg/sbom/cyclonedx/unmarshal.go +++ b/pkg/sbom/cyclonedx/unmarshal.go @@ -166,7 +166,10 @@ func (b *BOM) unmarshalType(t cdx.ComponentType) (core.ComponentType, error) { ctype = core.TypeContainerImage case cdx.ComponentTypeApplication: ctype = core.TypeApplication - case cdx.ComponentTypeLibrary: + // There are not many differences between a `library` and a `framework` components, and sometimes it is difficult to choose the right type. + // That is why some users choose `framework` type. + // So we should parse and scan `framework` components as libraries. + case cdx.ComponentTypeLibrary, cdx.ComponentTypeFramework: ctype = core.TypeLibrary case cdx.ComponentTypeOS: ctype = core.TypeOS From 4c2d41fcb61c16e0880e76f7c950ddf9545fc36b Mon Sep 17 00:00:00 2001 From: DmitriyLewen Date: Tue, 17 Sep 2024 17:28:39 +0600 Subject: [PATCH 2/2] test: use `framework` in third-party-bom.json --- pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json b/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json index d8b5068f5cc0..281d3c4fcc30 100644 --- a/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json +++ b/pkg/sbom/cyclonedx/testdata/happy/third-party-bom.json @@ -46,7 +46,7 @@ }, { "bom-ref": "pkg:composer/pear/pear_exception@v1.0.0", - "type": "library", + "type": "framework", "name": "pear/pear_exception", "version": "v1.0.0", "purl": "pkg:composer/pear/pear_exception@v1.0.0"