Festo-se / cyclonedx-editor-validator

Tool for creating, modifying and validating CycloneDX SBOMs.
https://festo-se.github.io/cyclonedx-editor-validator/
GNU General Public License v3.0

feat: add support for new tools object format from CycloneDX 1.5 #143

Closed mmarseu closed 4 months ago

mmarseu commented 5 months ago

This PR adds support for transforming SBOMs using CycloneDX 1.5's new .metadata.tools object.

If the SBOM

github-actions[bot] commented 5 months ago

Coverage

Coverage Report

File                Stmts  Miss  Cover  Missing
auxiliary
  output.py            54     1    98%  97
  sbomFunctions.py    140     3    97%  70, 78, 155
TOTAL              1448    55    96%

Tests  Skipped  Failures  Errors  Time
270    0        0         0       3.716s
italvi commented 5 months ago

If the SBOM

  • contains no .metadata.tools field, an array will be created.

Is this really according to our discussion in #142? Would the proper check not be: if sbom.get("specVersion","") < 1.5 then list else dict?

mmarseu commented 5 months ago

If the SBOM

  • contains no .metadata.tools field, an array will be created.

Is this really according to our discussion in #142?

Not at all. But it was an easy solution which works fine until the array version is removed from the spec (not before CycloneDX 2.0, I imagine, as that would be a breaking change).

Would the proper check not be: if sbom.get("specVersion","") < 1.5 then list else dict?

Well, in real, non-pseudo code, this was a little harder to do, but it is done 😉
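As an added illustration of the version-aware check discussed in this thread (example code, not the project's own), the snippet below creates .metadata.tools as the legacy array for documents before 1.5 and as the 1.5 object form otherwise, and shows why the comparison is not a one-liner: specVersion is a string, so "1.10" sorts before "1.5" unless it is parsed first. The helper names, the fallback specVersion and the "type": "application" entry added to 1.5-style tool components are assumptions.

```python
# Added example, not code from cyclonedx-editor-validator.
# Helper names and defaults below are assumptions for illustration.
from typing import Any, Dict, Tuple, Union


def parse_spec_version(spec_version: str) -> Tuple[int, ...]:
    """Turn "1.5" into (1, 5) so versions compare numerically.

    A plain string comparison is wrong here: "1.10" < "1.5" as strings,
    which is why the pseudo-code check needs a little more work in real code.
    """
    return tuple(int(part) for part in spec_version.strip().split("."))


def ensure_tools_container(sbom: Dict[str, Any]) -> Union[list, dict]:
    """Return sbom["metadata"]["tools"], creating it if absent.

    Documents before 1.5 get the legacy array; 1.5 and later get the object
    form with "components" and "services" lists. An existing field is returned
    untouched whichever shape it has, since 1.5 still accepts the array form.
    """
    metadata = sbom.setdefault("metadata", {})
    if "tools" not in metadata:
        # Fallback "1.4" for a missing specVersion is an assumption.
        if parse_spec_version(sbom.get("specVersion", "1.4")) < (1, 5):
            metadata["tools"] = []
        else:
            metadata["tools"] = {"components": [], "services": []}
    return metadata["tools"]


def add_tool(sbom: Dict[str, Any], tool: Dict[str, Any]) -> None:
    """Append a tool entry in whichever shape the document uses."""
    tools = ensure_tools_container(sbom)
    if isinstance(tools, list):
        tools.append(dict(tool))
    else:
        # 1.5 tool components are regular components; "application" is an
        # assumed default type for a tool entry.
        tools.setdefault("components", []).append({"type": "application", **tool})
```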