CycloneDX / cyclonedx-php-library

PHP Implementation of OWASP CycloneDX Bill of Materials (BOM)
https://cyclonedx.org/
Apache License 2.0

[v2.1.1] `specVersion` attribute available on same way on both normalizers #283

Closed llaville closed 1 year ago

llaville commented 1 year ago

Hello,

The JSON serializer provides a specVersion attribute, such as:

{
    "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:75b8c8bc-8856-443e-9b29-c9e356ae48ba",
    "version": 1
}

See: https://github.com/CycloneDX/cyclonedx-php-library/blob/v2.1.1/src/Core/Serialization/JSON/Normalizers/BomNormalizer.php#L64

While the XML serializer provides the same info only through a namespace:

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1" serialNumber="urn:uuid:d113faca-3f69-445d-8965-c9a4c7899ec8">

See: https://github.com/CycloneDX/cyclonedx-php-library/blob/v2.1.1/src/Core/Serialization/DOM/Normalizers/BomNormalizer.php#L48

It may be helpful to have the same equivalent information available on both normalizers!

Perhaps adding it in the attributes:

        SimpleDOM::setAttributes(
            $element,
            [
                'version' => $bom->getVersion(),
                'specVersion' => $factory->getSpec()->getVersion()->value,
                'serialNumber' => $this->normalizeSerialNumber($bom->getSerialNumber()),
            ]
        );

What do you think ?

llaville commented 1 year ago

Just in case someone wants to analyse XML file contents like that!

<?php

// Read the SBOM and flatten it to a plain array via SimpleXML -> JSON -> array.
$xmlString = file_get_contents(__DIR__ . '/sbom.xml');

$xml = simplexml_load_string($xmlString, null, LIBXML_NOCDATA);
$json = json_encode($xml);
$array = json_decode($json, true);

// Root element attributes and the <metadata> subtree.
var_dump(
    $array['@attributes'],
    $array['metadata'],
);

That will print

array(2) {
  ["version"]=>
  string(1) "1"
  ["serialNumber"]=>
  string(45) "urn:uuid:d113faca-3f69-445d-8965-c9a4c7899ec8"
}
array(2) {
  ["timestamp"]=>
  string(20) "2023-03-28T12:30:47Z"
  ["tools"]=>
  array(1) {
    ["tool"]=>
    array(3) {
      ["vendor"]=>
      string(11) "box-project"
      ["name"]=>
      string(3) "box"
      ["version"]=>
      string(13) "4.3.8@5534406"
    }
  }
}
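The output above shows the practical consequence of the issue: after the SimpleXML → `json_encode` round-trip, the root `@attributes` hold `version` and `serialNumber` but no spec version, because the XML only records it in the `xmlns` namespace URI, which that round-trip discards. The following is an added example (not code from the cyclonedx-php-library or from this issue) that recovers the spec version from either serialization so a consumer can pick the matching schema before validating. It assumes PHP 8.0+ and the standard `DOMDocument`/`json_decode` APIs; the constants and function names are the example's own.

```php
<?php
declare(strict_types=1);

// Added example, not code from the cyclonedx-php-library or from this issue.
// Reads the CycloneDX spec version out of a serialized BOM in either format:
// JSON carries it as the top-level "specVersion" string, XML only as the
// default namespace URI "http://cyclonedx.org/schema/bom/<version>".
// Requires PHP 8.0+ (str_starts_with, match, non-capturing catch).

const CDX_XML_NS_PREFIX = 'http://cyclonedx.org/schema/bom/';
const CDX_VERSION_PATTERN = '/^\d+\.\d+$/';

/** Spec version of an XML BOM, or null if the root is not a CycloneDX <bom>. */
function specVersionFromXml(string $xml): ?string
{
    // LIBXML_NONET: never fetch DTDs or external entities for an untrusted SBOM.
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $loaded = $doc->loadXML($xml, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $root = $loaded ? $doc->documentElement : null;
    if ($root === null || $root->localName !== 'bom') {
        return null;
    }

    // SimpleXML + json_encode drops the namespace; DOM keeps it on the element,
    // and the namespace is the only place the XML form records the version.
    $ns = (string) $root->namespaceURI;
    if (!str_starts_with($ns, CDX_XML_NS_PREFIX)) {
        return null;
    }
    $version = substr($ns, strlen(CDX_XML_NS_PREFIX));

    return preg_match(CDX_VERSION_PATTERN, $version) === 1 ? $version : null;
}

/** Spec version of a JSON BOM, or null if it is not a self-consistent CycloneDX document. */
function specVersionFromJson(string $json): ?string
{
    try {
        $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return null;
    }
    if (!is_array($data) || ($data['bomFormat'] ?? null) !== 'CycloneDX') {
        return null;
    }

    $version = $data['specVersion'] ?? null;
    if (!is_string($version) || preg_match(CDX_VERSION_PATTERN, $version) !== 1) {
        return null;
    }

    // "$schema" is optional, but when present it also encodes the version
    // (".../bom-1.4.schema.json"); a stale or mismatched value is rejected
    // rather than silently trusting whichever field the producer updated.
    $schema = $data['$schema'] ?? null;
    if ($schema !== null
        && (!is_string($schema) || !str_ends_with($schema, "/bom-{$version}.schema.json"))) {
        return null;
    }

    return $version;
}

/** Dispatch on the first non-whitespace byte: '<' is XML, '{' is JSON. */
function specVersion(string $document): ?string
{
    return match (ltrim($document)[0] ?? '') {
        '<' => specVersionFromXml($document),
        '{' => specVersionFromJson($document),
        default => null,
    };
}

// Constructed inputs mirroring the excerpts quoted in this issue.
$jsonBom = '{"$schema":"http://cyclonedx.org/schema/bom-1.4.schema.json",'
    . '"bomFormat":"CycloneDX","specVersion":"1.4",'
    . '"serialNumber":"urn:uuid:75b8c8bc-8856-443e-9b29-c9e356ae48ba","version":1}';
$xmlBom = '<?xml version="1.0" encoding="UTF-8"?>'
    . '<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1"'
    . ' serialNumber="urn:uuid:d113faca-3f69-445d-8965-c9a4c7899ec8"><metadata/></bom>';
// Same shape but a foreign namespace: must not be mistaken for a CycloneDX BOM.
$foreignXml = '<bom xmlns="http://example.invalid/schema/1.4" version="1"/>';
// JSON whose "$schema" and "specVersion" disagree: treated as untrustworthy.
$staleJson = '{"$schema":"http://cyclonedx.org/schema/bom-1.3.schema.json",'
    . '"bomFormat":"CycloneDX","specVersion":"1.4","version":1}';

$samples = ['json' => $jsonBom, 'xml' => $xmlBom, 'foreign xml' => $foreignXml, 'stale json' => $staleJson];
foreach ($samples as $label => $bom) {
    printf("%-12s => %s\n", $label, specVersion($bom) ?? 'not a CycloneDX BOM');
}
```

The XML path reads `namespaceURI` off the root element instead of flattening the document, which is exactly the information the SimpleXML round-trip in the comment above loses. The JSON path refuses documents whose `$schema` and `specVersion` disagree, so a consumer never validates against a schema the producer did not actually claim. Both paths return null for anything that is not recognisably a CycloneDX BOM, leaving the caller to decide whether to reject or fall back.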

jkowalleck commented 1 year ago

Hello @llaville , The requested change is against the current CycloneDX specification. If you want the spec changed, then please open a ticket here: https://github.com/CycloneDX/specification

Be aware that the Spec is not PHP bound, so the Spec community loves stories, justifications, use-cases and examples in JSON/XML/Protobuf. :)