CycloneDX / cyclonedx-go

Go library to consume and produce CycloneDX Software Bill of Materials (SBOM)
https://cyclonedx.org/
Apache License 2.0

Inconsistent authors handling for 1.5 #190

Open kzantow opened 2 months ago

kzantow commented 2 months ago

CycloneDX 1.6 has deprecated the component.author in favor of component.authors, but this is handled somewhat inconsistently and incorrectly when outputting earlier versions.

When specifying the authors for a component, but not specifying an author, this is dropped. I suppose this is somewhat expected since it's going from a list to a single value, but there could be some logic to, say, take the first name as the author.

Secondly, when specifying the authors for a component within the metadata.tools, it is still output in 1.5. Is there something else I should be doing here?

Is the guidance here to set both author and authors.name for maximum compatibility? Or something else?

Using version v0.9.0 of this library, here's an example program:

package main

import (
    "os"

    "github.com/CycloneDX/cyclonedx-go"
)

func main() {
    bom := cyclonedx.BOM{
        Metadata: &cyclonedx.Metadata{
            Timestamp:  "",
            Lifecycles: nil,
            Tools: &cyclonedx.ToolsChoice{
                Components: &[]cyclonedx.Component{
                    {
                        Authors: &[]cyclonedx.OrganizationalContact{
                            {
                                Name: "some-author-1",
                            },
                        },
                    },
                },
            },
        },
        Components: &[]cyclonedx.Component{
            {
                Authors: &[]cyclonedx.OrganizationalContact{
                    {
                        Name: "some-author-2",
                    },
                },
            },
        },
    }

    enc := cyclonedx.NewBOMEncoder(os.Stdout, cyclonedx.BOMFileFormatJSON)
    enc.SetPretty(true)
    enc.SetEscapeHTML(false)
    _ = enc.EncodeVersion(&bom, cyclonedx.SpecVersion1_5)
}

outputs:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "",
  "specVersion": "1.5",
  "version": 0,
  "metadata": {
    "tools": {
      "components": [
        {
          "type": "",
          "authors": [
            {
              "name": "some-author-1"
            }
          ],
          "name": ""
        }
      ]
    }
  },
  "components": [
    {
      "type": "application",
      "name": ""
    }
  ]
}

nscuro commented 1 month ago

> When specifying the authors for a component, but not specifying an author, this is dropped. I suppose this is somewhat expected since it's going from a list to a single value, but there could be some logic to, say, take the first name as the author.

Agreed. When outputting to v1.5, and authors is populated, we should reduce the array of authors to a single string, and populate author with that instead.

> Secondly, when specifying the authors for a component within the metadata.tools, it is still output in 1.5. Is there something else I should be doing here?

Nothing to do on your side, this is a bug in the library. authors should be (re-)moved as outlined above.

> Is the guidance here to set both author and authors.name for maximum compatibility? Or something else?

For the purpose of generating BOMs, I'd recommend only setting authors. It's the responsibility of cyclonedx-go to convert it accordingly.

On the consumer side, tools still have to assume that author is populated, even when receiving a v1.6 BOM. Since author is only deprecated, nothing stops people / generators from populating that field. But, again, Syft as a generator should not have to worry about that.
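The reduction nscuro describes, written out as an added example rather than code from cyclonedx-go: the struct types are constructed stand-ins for the library's Component and OrganizationalContact, and joining the author names with ", " is an assumption (the thread only says the list must become one string).

```go
package main

import "strings"

// Stand-ins for the cyclonedx-go structs used in the issue (constructed for this
// example; the real library's types carry many more fields).
type OrganizationalContact struct{ Name string }

type Component struct {
	Name    string
	Author  string                   // single value, deprecated in 1.6
	Authors *[]OrganizationalContact // list, added in 1.6
}

// authorString reduces a 1.6 authors list to one 1.5 author string. Joining the
// non-empty names with ", " is this example's choice; the thread only says the
// list must become a single string.
func authorString(authors []OrganizationalContact) string {
	var names []string
	for _, a := range authors {
		if a.Name != "" {
			names = append(names, a.Name)
		}
	}
	return strings.Join(names, ", ")
}

// DowngradeAuthorsTo15 applies the reduction from the thread to every component
// in the slice: authors is moved into author (an author the generator already
// set is kept, since 1.6 only deprecates the field) and then cleared, so it is
// not emitted in 1.5 output. Call it for both bom.components and
// metadata.tools.components, the place the issue reports as left untouched.
func DowngradeAuthorsTo15(comps *[]Component) {
	if comps == nil {
		return
	}
	for i := range *comps {
		c := &(*comps)[i]
		if c.Authors == nil {
			continue
		}
		if c.Author == "" {
			c.Author = authorString(*c.Authors)
		}
		c.Authors = nil
	}
}
```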