anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

[SPEC] Deprecated syntax for "`author`" field: not following CycloneDX v1.6 Spec in syft 1.9 #3036

Open Nicolas-Peiffer opened 1 month ago

Nicolas-Peiffer commented 1 month ago

What happened

The deprecated syntax for the "author" field is still used by syft v1.9.0, resulting in the following warning/error deprecation message:

[screenshot: syft-Screenshot_20240715_110037]

Expected "authors" field

You can see an example of a valid authors field of CycloneDX v1.6 here: https://github.com/CycloneDX/specification/blob/62a669075f1897193a14060e0784e6a7576b693d/tools/src/test/resources/1.6/valid-bom-1.6.json#L26

You can check cyclonedx 1.6: https://cyclonedx.org/docs/1.6/json/#components_items_author

The BOM file generated by Syft should look like this:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:1c4d1c8b-3f2a-41bd-b03f-c8e150fc23e1",
  "version": 1,
  "metadata": {
    "timestamp": "2024-07-15T08:43:56Z",
    "tools": {
      "components": [
        {
          "type": "application",
          "authors": [
            {
              "name": "anchore"
            }
          ],
          "name": "syft",
          "version": "1.9.0"
        }
      ]
    }
  },
[...]
}

In github.com/CycloneDX/cyclonedx-go, there is a deprecation notice for the author field: `// Deprecated: Use authors or manufacturer instead.`

The authors field is implemented like this: https://github.com/CycloneDX/cyclonedx-go/blob/795ee183544e3f8376b984e911f00188f79e90d8/cyclonedx.go#L230

type Component struct {
[...]
    Manufacturer       *OrganizationalEntity    `json:"manufacturer,omitempty" xml:"manufacturer,omitempty"`
    Author             string                   `json:"author,omitempty" xml:"author,omitempty"` // Deprecated: Use authors or manufacturer instead.
    Authors            *[]OrganizationalContact `json:"authors,omitempty" xml:"authors>author,omitempty"`
[...]
}

[...]
type OrganizationalContact struct {
    BOMRef string `json:"bom-ref,omitempty" xml:"bom-ref,attr,omitempty"`
    Name   string `json:"name,omitempty" xml:"name,omitempty"`
    Email  string `json:"email,omitempty" xml:"email,omitempty"`
    Phone  string `json:"phone,omitempty" xml:"phone,omitempty"`
}
[...]

Steps to reproduce the issue

In our case, syft is triggered by a tool called goreleaser on a Go project on GitLab.

# .goreleaser.yaml file (excerpt: the sboms section that invokes syft)
sboms:
  - id: syft-CycloneDX-sbom-binary
    cmd: syft
    artifacts: binary
    documents:
      - "${artifact}.syft.cyclonedx.sbom.json"
    args: ["$artifact", "--output", "cyclonedx-json", "--file", "$document"]

This syft from goreleaser command corresponds to:

syft <artifact_name> --output "cyclonedx-json" --file <output_filename>

Environment

cc @louison77
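As an added example (not syft's or cyclonedx-go's code), here is a small Python checker that finds the deprecated `author` string on any component of a CycloneDX JSON document and migrates it to the 1.6 `authors` list of contacts. The sample document is constructed to mirror the syft 1.9.0 output shown above, with one extra library component added for illustration.

```python
import json

# Constructed sample: a trimmed CycloneDX 1.6 document in the shape syft 1.9.0
# emits, carrying the deprecated "author" string on the tool component and on
# an (invented) library component with a comma-separated author list.
SAMPLE_BOM = json.loads("""
{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "metadata": {
    "tools": {
      "components": [
        {"type": "application", "author": "anchore", "name": "syft", "version": "1.9.0"}
      ]
    }
  },
  "components": [
    {"type": "library", "name": "example-lib", "version": "1.0.0",
     "author": "Jane Doe, John Roe"}
  ]
}
""")


def iter_components(bom):
    """Yield every component object: metadata.component, the tool components
    under metadata.tools (1.5+ form), top-level components and nested children."""
    meta = bom.get("metadata", {})
    stack = [meta["component"]] if "component" in meta else []
    tools = meta.get("tools")
    if isinstance(tools, dict):  # 1.5+ shape; the older form is a plain list of tools
        stack.extend(tools.get("components", []))
    stack.extend(bom.get("components", []))
    while stack:
        comp = stack.pop()
        yield comp
        stack.extend(comp.get("components", []))


def find_deprecated_author(bom):
    """Return names of components that still carry the deprecated 'author' string."""
    return [c.get("name", "?") for c in iter_components(bom) if "author" in c]


def migrate_author_field(bom):
    """Return a copy where each 'author' string becomes 1.6 'authors' contacts
    (one {"name": ...} per comma-separated entry); existing 'authors' are kept."""
    bom = json.loads(json.dumps(bom))  # deep copy so the input is left untouched
    for comp in iter_components(bom):
        legacy = comp.pop("author", None)
        if not legacy:
            continue
        contacts = [{"name": n.strip()} for n in legacy.split(",") if n.strip()]
        comp.setdefault("authors", []).extend(contacts)
    return bom
```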

kzantow commented 1 month ago

Thanks for the report, @Nicolas-Peiffer -- just a note: use of this field is deprecated in 1.6, but still part of the spec and allowed so I don't think it's necessary to change it today.

That said, we definitely will need to update things in the future, but I ran into an issue with the cyclonedx library we are using where the authors field results in invalid CycloneDX 1.5 output. I've filed an issue about this and will follow it up with a PR if it becomes an issue when we have to make the change.