anthonyharrison / lib4sbom

Library to ingest and generate SBOMs
Apache License 2.0

SBOM.set_version doesn't seem to work as expected #10

Closed rhaley-starfish closed 1 year ago

rhaley-starfish commented 1 year ago

Hello,

Once again, thank you for this most excellent tool. I attempted to generate an SBOM in CycloneDX 1.4 format. I set the version to "1.4" and then generated the file, but it did not seem to set the specVersion or the BOM version correctly:

    from lib4sbom.sbom import SBOM

    my_sbom = SBOM()
    my_sbom.set_type(sbom_type='cyclonedx')
    my_sbom.set_version("1.4")  # intended to select CycloneDX 1.4

Output:

C:\Users\rhaley\tuleap\PythonSBOMTool\venv\Scripts\python.exe C:/Users/rhaley/tuleap/PythonSBOMTool/main.py 
Hi, PyCharm
{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuidbfda0bdf-f573-46c0-9f34-2fadfa634a1c",
  "version": 1,
  "metadata": {
  ...

We can see that the "schema" value was pointed to 1.4 but the "specVersion" is still 1.5 and the "version" was not affected at all.

As version is an overloaded term, I would think that changing the specification version would be a function call like set_specVersion(), and set_version would affect the serial number version. That in my mind would be more consistent with the other "set_version" functions.

Thank you for considering this ticket.

Complete script here:

    import hashlib

    from lib4sbom.data.file import SBOMFile
    from lib4sbom.data.package import SBOMPackage
    from lib4sbom.generator import SBOMGenerator
    from lib4sbom.sbom import SBOM


    def print_hi(name):
        # PyCharm project-template helper; produces the "Hi, PyCharm" line in the output above
        print(f'Hi, {name}')


    if __name__ == '__main__':
        print_hi('PyCharm')

        # JSON output in CycloneDX format
        sbg = SBOMGenerator(format='json', sbom_type='cyclonedx')

        my_sbom = SBOM()
        my_sbom.set_type(sbom_type='cyclonedx')
        my_sbom.set_version("1.4")  # intended to select CycloneDX 1.4

        # One package component, keyed by (name, version)
        sbom_packages = {}
        my_package = SBOMPackage()
        my_package.set_name("glibc")
        my_package.set_version("2.15")
        my_package.set_supplier("organisation", "gnu")
        my_package.set_licensedeclared("GPL3")
        sbom_packages[(my_package.get_name(), my_package.get_value('version'))] = my_package.get_package()

        my_sbom.add_packages(sbom_packages)

        # One file component with a SHA-256 checksum (computed over a placeholder string, not a real file)
        my_file = SBOMFile()
        my_file.set_name("OneTwoThree")
        my_file.set_licenseconcluded("MIT")
        hl = hashlib.sha256()
        hl.update(b"This really should point to a file...")
        filehash_hex = hl.hexdigest()
        my_file.set_checksum("SHA256", filehash_hex)
        files = {}
        files[my_file.get_name()] = my_file.get_file()
        my_sbom.add_files(files)

        # Will be displayed on console
        sbg.generate("ClinicianApp", my_sbom.get_sbom())
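The mismatch shown above ($schema pointing at 1.4 while specVersion says 1.5) is exactly the kind of inconsistency a downstream consumer's schema validator rejects, so it is worth checking generated output before shipping it. The following is an added example, not lib4sbom code or anything from the issue author: a standard-library-only check of the top-level CycloneDX JSON fields that parses the version out of the $schema URL, compares it with specVersion, confirms bomFormat and that the document version is a positive integer, and tests serialNumber against the urn:uuid:<UUID> pattern the CycloneDX specification requires. The sample header is the one pasted in the issue with the truncated metadata object stubbed to {} (constructed input). Note that the pasted serialNumber is missing the colon after "uuid", so the check flags it too; whether that is the library's output or a paste artefact the thread does not say.

```python
import json
import re
from typing import Dict, List

# CycloneDX JSON schema URL, e.g. http://cyclonedx.org/schema/bom-1.4.schema.json
SCHEMA_RE = re.compile(r"^https?://cyclonedx\.org/schema/bom-(\d+\.\d+)\.schema\.json$")
# serialNumber as required by the CycloneDX spec: urn:uuid:<RFC 4122 UUID>
SERIAL_RE = re.compile(
    r"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def check_cyclonedx_header(bom: Dict) -> List[str]:
    """Return a list of problems found in the top-level CycloneDX fields.

    An empty list means the header is self-consistent. This only checks the
    document-level fields; full schema validation needs the CycloneDX schema.
    """
    problems: List[str] = []

    if bom.get("bomFormat") != "CycloneDX":
        problems.append(f"bomFormat is {bom.get('bomFormat')!r}, expected 'CycloneDX'")

    spec = bom.get("specVersion")
    schema = bom.get("$schema")
    if schema is not None:
        m = SCHEMA_RE.match(schema)
        if m is None:
            problems.append(f"unrecognised $schema URL {schema!r}")
        elif m.group(1) != spec:
            # The case reported in this issue: schema says one version, specVersion another
            problems.append(f"$schema says {m.group(1)} but specVersion is {spec!r}")
    if spec is None:
        problems.append("specVersion missing")

    # CycloneDX document version is an integer starting at 1 (defaults to 1 if absent)
    version = bom.get("version", 1)
    if isinstance(version, bool) or not isinstance(version, int) or version < 1:
        problems.append(f"version must be a positive integer, got {version!r}")

    serial = bom.get("serialNumber")
    if serial is not None and SERIAL_RE.match(serial) is None:
        problems.append(f"serialNumber {serial!r} does not match urn:uuid:<uuid>")

    return problems


# Constructed input: the header pasted in the issue, metadata stubbed to {}
REPORTED_HEADER = json.loads("""{
  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuidbfda0bdf-f573-46c0-9f34-2fadfa634a1c",
  "version": 1,
  "metadata": {}
}""")

# Constructed input: what a consistent 1.4 header would look like
CONSISTENT_HEADER = {
    "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:bfda0bdf-f573-46c0-9f34-2fadfa634a1c",
    "version": 1,
}


def check_reported_output() -> List[str]:
    """Problems found in the header from the issue (two are expected)."""
    return check_cyclonedx_header(REPORTED_HEADER)


def check_file(path: str) -> List[str]:
    """Run the header check on a generated SBOM file on disk."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_cyclonedx_header(json.load(fh))


if __name__ == "__main__":
    for label, header in (("reported", REPORTED_HEADER), ("consistent", CONSISTENT_HEADER)):
        found = check_cyclonedx_header(header)
        print(f"{label}: {found if found else 'OK'}")
```

Run it against the file sbg.generate writes (check_file) as a gate in the build that produces the SBOM; a non-empty list should fail the step, since a consumer validating against the 1.4 schema will reject a document whose specVersion says 1.5.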