chore(deps): bump github.com/CycloneDX/cyclonedx-go from 0.7.1-0.20221222100750-41a1ac565cce to 0.7.1 (#1706)

go.mod

@@ -49,7 +49,7 @@ require (
 )
 
 require (
-	github.com/CycloneDX/cyclonedx-go v0.7.1-0.20221222100750-41a1ac565cce
+	github.com/CycloneDX/cyclonedx-go v0.7.1
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/anchore/go-logger v0.0.0-20220728155337-03b66a5207d8
 	github.com/anchore/stereoscope v0.0.0-20230412183729-8602f1afc574

go.sum

@@ -54,8 +54,8 @@ github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg6
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.7.1-0.20221222100750-41a1ac565cce h1:o5r3msApzvtE5LhcMkxWaKernD/PK0HpMccu7ywBj5Q=
-github.com/CycloneDX/cyclonedx-go v0.7.1-0.20221222100750-41a1ac565cce/go.mod h1:XURd0m8zvnLE5aIRqg6JOVRl7qZ/pWBtuFa9EHjQwFc=
+github.com/CycloneDX/cyclonedx-go v0.7.1 h1:5w1SxjGm9MTMNTuRbEPyw21ObdbaagTWF/KfF0qHTRE=
+github.com/CycloneDX/cyclonedx-go v0.7.1/go.mod h1:N/nrdWQI2SIjaACyyDs/u7+ddCkyl/zkNs8xFsHF2Ps=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=
 github.com/DataDog/zstd v1.4.5 h1:EndNeuB0l9syBZhut0wns3gV1hL8zX8LIu6ZiVHWLIQ=
 github.com/DataDog/zstd v1.4.5/go.mod h1:1jcaCB/ufaK+sKp1NBhlGmpz41jOoPQ35bpF36t7BBo=

syft/formats/cyclonedxjson/encoder_test.go

@@ -33,14 +33,18 @@ func TestCycloneDxImageEncoder(t *testing.T) {
 }
 
 func cycloneDxRedactor(s []byte) []byte {
-	serialPattern := regexp.MustCompile(`urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`)
-	rfc3339Pattern := regexp.MustCompile(`([0-9]+)-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])[Tt]([01][0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9]|60)(\.[0-9]+)?(([Zz])|([+|\-]([01][0-9]|2[0-3]):[0-5][0-9]))`)
-	sha256Pattern := regexp.MustCompile(`sha256:[A-Fa-f0-9]{64}`)
-	for _, pattern := range []*regexp.Regexp{serialPattern, rfc3339Pattern, sha256Pattern} {
-		s = pattern.ReplaceAll(s, []byte(""))
+	replacements := map[string]string{
+		// UUIDs
+		`urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}`: `urn:uuid:redacted`,
+		// timestamps
+		`([0-9]+)-(0[1-9]|1[012])-(0[1-9]|[12][0-9]|3[01])[Tt]([01][0-9]|2[0-3]):([0-5][0-9]):([0-5][0-9]|60)(\.[0-9]+)?(([Zz])|([+|\-]([01][0-9]|2[0-3]):[0-5][0-9]))`: `timestamp:redacted`,
+		// image hashes
+		`sha256:[A-Fa-f0-9]{64}`: `sha256:redacted`,
+		// bom-refs
+		`"bom-ref":\s*"[^"]+"`: `"bom-ref": "redacted"`,
+	}
+	for pattern, replacement := range replacements {
+		s = regexp.MustCompile(pattern).ReplaceAll(s, []byte(replacement))
 	}
-	// the bom-ref will be autogenerated every time, the value here should not be directly tested in snapshot tests
-	s = regexp.MustCompile(`\s+"bom-ref":\s*"[^"]+",?\n`).ReplaceAll(s, []byte(""))
-
 	return s
 }

syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxDirectoryEncoder.golden

@@ -1,10 +1,11 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
-  "serialNumber": "urn:uuid:0b628da1-274e-4c24-821c-f9452f37db54",
+  "serialNumber": "urn:uuid:redacted",
   "version": 1,
   "metadata": {
-    "timestamp": "2022-12-22T18:33:51-05:00",
+    "timestamp": "timestamp:redacted",
     "tools": [
       {
         "vendor": "anchore",
@@ -13,14 +14,14 @@
       }
     ],
     "component": {
-      "bom-ref": "163686ac6e30c752",
+      "bom-ref": "redacted",
       "type": "file",
       "name": "/some/path"
     }
   },
   "components": [
     {
-      "bom-ref": "1b1d0be59ac59d2c",
+      "bom-ref": "redacted",
       "type": "library",
       "name": "package-1",
       "version": "1.0.1",
@@ -57,7 +58,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:deb/debian/package-2@2.0.1?package-id=db4abfe497c180d3",
+      "bom-ref": "redacted",
       "type": "library",
       "name": "package-2",
       "version": "2.0.1",

syft/formats/cyclonedxjson/test-fixtures/snapshot/TestCycloneDxImageEncoder.golden

@@ -1,10 +1,11 @@
 {
+  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.4",
-  "serialNumber": "urn:uuid:542fc1a1-81ac-4b76-b9e2-8e6b9d8c840a",
+  "serialNumber": "urn:uuid:redacted",
   "version": 1,
   "metadata": {
-    "timestamp": "2022-12-22T18:33:51-05:00",
+    "timestamp": "timestamp:redacted",
     "tools": [
       {
         "vendor": "anchore",
@@ -13,15 +14,15 @@
       }
     ],
     "component": {
-      "bom-ref": "ffd645a093c0fe70",
+      "bom-ref": "redacted",
       "type": "container",
       "name": "user-image-input",
-      "version": "sha256:2731251dc34951c0e50fcc643b4c5f74922dad1a5d98f302b504cf46cd5d9368"
+      "version": "sha256:redacted"
     }
   },
   "components": [
     {
-      "bom-ref": "66ba429119b8bec6",
+      "bom-ref": "redacted",
       "type": "library",
       "name": "package-1",
       "version": "1.0.1",
@@ -53,7 +54,7 @@
         },
         {
           "name": "syft:location:0:layerID",
-          "value": "sha256:62058900d4ce269c900160b8dd255fe310c3a459dda236d041102fa070f84406"
+          "value": "sha256:redacted"
         },
         {
           "name": "syft:location:0:path",
@@ -62,7 +63,7 @@
       ]
     },
     {
-      "bom-ref": "pkg:deb/debian/package-2@2.0.1?package-id=958443e2d9304af4",
+      "bom-ref": "redacted",
       "type": "library",
       "name": "package-2",
       "version": "2.0.1",
@@ -83,7 +84,7 @@
         },
         {
           "name": "syft:location:0:layerID",
-          "value": "sha256:623ad97366f39ae279f1925673cdacb4851ddf2e3266f04e63010ec080a098c1"
+          "value": "sha256:redacted"
         },
         {
           "name": "syft:location:0:path",

syft/formats/internal/testutils/utils.go

@@ -47,21 +47,14 @@ func AssertEncoderAgainstGoldenImageSnapshot(t *testing.T, format sbom.Format, s
 
 	err := format.Encode(&buffer, sbom)
 	assert.NoError(t, err)
-	actual := buffer.Bytes()
+	actual := redact(buffer.Bytes(), redactors...)
 
 	// replace the expected snapshot contents with the current encoder contents
 	if updateSnapshot {
 		testutils.UpdateGoldenFileContents(t, actual)
 	}
 
-	var expected = testutils.GetGoldenFileContents(t)
-
-	// remove dynamic values, which should be tested independently
-	redactors = append(redactors, carriageRedactor)
-	for _, r := range redactors {
-		actual = r(actual)
-		expected = r(expected)
-	}
+	expected := redact(testutils.GetGoldenFileContents(t), redactors...)
 
 	if json {
 		require.JSONEq(t, string(expected), string(actual))
@@ -78,21 +71,14 @@ func AssertEncoderAgainstGoldenSnapshot(t *testing.T, format sbom.Format, sbom s
 
 	err := format.Encode(&buffer, sbom)
 	assert.NoError(t, err)
-	actual := buffer.Bytes()
+	actual := redact(buffer.Bytes(), redactors...)
 
 	// replace the expected snapshot contents with the current encoder contents
 	if updateSnapshot {
 		testutils.UpdateGoldenFileContents(t, actual)
 	}
 
-	var expected = testutils.GetGoldenFileContents(t)
-
-	// remove dynamic values, which should be tested independently
-	redactors = append(redactors, carriageRedactor)
-	for _, r := range redactors {
-		actual = r(actual)
-		expected = r(expected)
-	}
+	expected := redact(testutils.GetGoldenFileContents(t), redactors...)
 
 	if json {
 		require.JSONEq(t, string(expected), string(actual))
@@ -390,3 +376,12 @@ func AddSampleFileRelationships(s *sbom.SBOM) {
 		})
 	}
 }
+
+// remove dynamic values, which should be tested independently
+func redact(b []byte, redactors ...redactor) []byte {
+	redactors = append(redactors, carriageRedactor)
+	for _, r := range redactors {
+		b = r(b)
+	}
+	return b
+}