feat: update syft to generate cyclone-dx 1.6 by default (#2978)

- Resolves #2974
- add detailed instructions re: updating schemas (a necessary task
  when a new CycloneDX spec version becomes available).
- The DefaultVersion constant has been updated to "1.6" -- it's not
  clear to me how this is used at this time (it may be redundant given
  other code), but effectively unless a specific spec version is
  configured, `syft` will emit the "most recent" spec version available
for cyclonedx. Users who wish to pin back to an "older" specVersion
  (e.g. to preserve compatibility with utilities that have not yet bumped
  to latest) can either set this in a syft config file or pass a
  name@spec_version pair to the output flag (e.g. `-o
  cyclonedx-json@1.5=some-1.5-spec-bom.cdx.json`)
- Regenerate relevant .golden files (there seems to be a way to do this
  via flags, but I couldn't quite figure out the right set to pass
  correctly, esp. since (as a relative go novice) I found it difficult
  to run just a single test file. I ended up "brute-forcing it" by
  changing the *updateSnapshot val to "true" and running it in Goland.
  A brief comment giving an example of regenerating fixtures usage would
  be helpful.

Signed-off-by: Rajan Agaskar <ragaskar@gmail.com>
Rajan Agaskar 2024-06-21 08:51:27 -07:00 committed by GitHub
parent 9b178174a7
commit ae0683074e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
13 changed files with 5289 additions and 330 deletions


@ -7,3 +7,12 @@ For this reason we've included a copy of all schemas needed to validate `syft` o
to reference local copies of dependent schemas. to reference local copies of dependent schemas.
You can get the latest schemas from the [CycloneDX specifications repo](https://github.com/CycloneDX/specification/tree/master/schema). You can get the latest schemas from the [CycloneDX specifications repo](https://github.com/CycloneDX/specification/tree/master/schema).
When the spec version is bumped an approach to determining prior modifications is to compare the
prior spec version (e.g. if updating to 1.7, compare the files in this directory against the 1.6
equivalents).
One can also update the schemas and observe the errors in order to make the necessary updates.
At the time of writing, the cyclonedx.xsd needed modifications to link to the local spdx.xsd,
and also to changes the minOccurs for a license tag to 0. (The json schema does not require
modification for the generated file to lint properly, but can simply be copy/pasted).




@ -2,7 +2,7 @@
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified" elementFormDefault="qualified"
targetNamespace="http://cyclonedx.org/schema/spdx" targetNamespace="http://cyclonedx.org/schema/spdx"
version="1.0-3.23"> version="1.0-3.24.0">
<xs:simpleType name="licenseId"> <xs:simpleType name="licenseId">
<xs:restriction base="xs:string"> <xs:restriction base="xs:string">
@ -12,6 +12,11 @@
<xs:documentation>BSD Zero Clause License</xs:documentation> <xs:documentation>BSD Zero Clause License</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="3D-Slicer-1.0">
<xs:annotation>
<xs:documentation>3D Slicer License v1.0</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="AAL"> <xs:enumeration value="AAL">
<xs:annotation> <xs:annotation>
<xs:documentation>Attribution Assurance License</xs:documentation> <xs:documentation>Attribution Assurance License</xs:documentation>
@ -117,6 +122,11 @@
<xs:documentation>Aladdin Free Public License</xs:documentation> <xs:documentation>Aladdin Free Public License</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="AMD-newlib">
<xs:annotation>
<xs:documentation>AMD newlib License</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="AMDPLPA"> <xs:enumeration value="AMDPLPA">
<xs:annotation> <xs:annotation>
<xs:documentation>AMD&apos;s plpa_map.c License</xs:documentation> <xs:documentation>AMD&apos;s plpa_map.c License</xs:documentation>
@ -147,6 +157,11 @@
<xs:documentation>ANTLR Software Rights Notice with license fallback</xs:documentation> <xs:documentation>ANTLR Software Rights Notice with license fallback</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="any-OSI">
<xs:annotation>
<xs:documentation>Any OSI License</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="Apache-1.0"> <xs:enumeration value="Apache-1.0">
<xs:annotation> <xs:annotation>
<xs:documentation>Apache License 1.0</xs:documentation> <xs:documentation>Apache License 1.0</xs:documentation>
@ -322,6 +337,11 @@
<xs:documentation>BSD 2-Clause - Ian Darwin variant</xs:documentation> <xs:documentation>BSD 2-Clause - Ian Darwin variant</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="BSD-2-Clause-first-lines">
<xs:annotation>
<xs:documentation>BSD 2-Clause - first lines requirement</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="BSD-2-Clause-FreeBSD"> <xs:enumeration value="BSD-2-Clause-FreeBSD">
<xs:annotation> <xs:annotation>
<xs:documentation>BSD 2-Clause FreeBSD License</xs:documentation> <xs:documentation>BSD 2-Clause FreeBSD License</xs:documentation>
@ -522,6 +542,11 @@
<xs:documentation>Caldera License (without preamble)</xs:documentation> <xs:documentation>Caldera License (without preamble)</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="Catharon">
<xs:annotation>
<xs:documentation>Catharon License</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="CATOSL-1.1"> <xs:enumeration value="CATOSL-1.1">
<xs:annotation> <xs:annotation>
<xs:documentation>Computer Associates Trusted Open Source License 1.1</xs:documentation> <xs:documentation>Computer Associates Trusted Open Source License 1.1</xs:documentation>
@ -1002,6 +1027,11 @@
<xs:documentation>curl License</xs:documentation> <xs:documentation>curl License</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="cve-tou">
<xs:annotation>
<xs:documentation>Common Vulnerability Enumeration ToU License</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="D-FSL-1.0"> <xs:enumeration value="D-FSL-1.0">
<xs:annotation> <xs:annotation>
<xs:documentation>Deutsche Freie Software Lizenz</xs:documentation> <xs:documentation>Deutsche Freie Software Lizenz</xs:documentation>
@ -1482,6 +1512,11 @@
<xs:documentation>gtkbook License</xs:documentation> <xs:documentation>gtkbook License</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="Gutmann">
<xs:annotation>
<xs:documentation>Gutmann License</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="HaskellReport"> <xs:enumeration value="HaskellReport">
<xs:annotation> <xs:annotation>
<xs:documentation>Haskell Language Report License</xs:documentation> <xs:documentation>Haskell Language Report License</xs:documentation>
@ -1532,11 +1567,21 @@
<xs:documentation>HPND with US Government export control warning</xs:documentation> <xs:documentation>HPND with US Government export control warning</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="HPND-export-US-acknowledgement">
<xs:annotation>
<xs:documentation>HPND with US Government export control warning and acknowledgment</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="HPND-export-US-modify"> <xs:enumeration value="HPND-export-US-modify">
<xs:annotation> <xs:annotation>
<xs:documentation>HPND with US Government export control warning and modification rqmt</xs:documentation> <xs:documentation>HPND with US Government export control warning and modification rqmt</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="HPND-export2-US">
<xs:annotation>
<xs:documentation>HPND with US Government export control and 2 disclaimers</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="HPND-Fenneberg-Livingston"> <xs:enumeration value="HPND-Fenneberg-Livingston">
<xs:annotation> <xs:annotation>
<xs:documentation>Historical Permission Notice and Disclaimer - Fenneberg-Livingston variant</xs:documentation> <xs:documentation>Historical Permission Notice and Disclaimer - Fenneberg-Livingston variant</xs:documentation>
@ -1547,6 +1592,11 @@
<xs:documentation>Historical Permission Notice and Disclaimer - INRIA-IMAG variant</xs:documentation> <xs:documentation>Historical Permission Notice and Disclaimer - INRIA-IMAG variant</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="HPND-Intel">
<xs:annotation>
<xs:documentation>Historical Permission Notice and Disclaimer - Intel variant</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="HPND-Kevlin-Henney"> <xs:enumeration value="HPND-Kevlin-Henney">
<xs:annotation> <xs:annotation>
<xs:documentation>Historical Permission Notice and Disclaimer - Kevlin Henney variant</xs:documentation> <xs:documentation>Historical Permission Notice and Disclaimer - Kevlin Henney variant</xs:documentation>
@ -1557,6 +1607,11 @@
<xs:documentation>Historical Permission Notice and Disclaimer - Markus Kuhn variant</xs:documentation> <xs:documentation>Historical Permission Notice and Disclaimer - Markus Kuhn variant</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="HPND-merchantability-variant">
<xs:annotation>
<xs:documentation>Historical Permission Notice and Disclaimer - merchantability variant</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="HPND-MIT-disclaimer"> <xs:enumeration value="HPND-MIT-disclaimer">
<xs:annotation> <xs:annotation>
<xs:documentation>Historical Permission Notice and Disclaimer with MIT disclaimer</xs:documentation> <xs:documentation>Historical Permission Notice and Disclaimer with MIT disclaimer</xs:documentation>
@ -1587,11 +1642,21 @@
<xs:documentation>HPND sell variant with MIT disclaimer</xs:documentation> <xs:documentation>HPND sell variant with MIT disclaimer</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="HPND-sell-variant-MIT-disclaimer-rev">
<xs:annotation>
<xs:documentation>HPND sell variant with MIT disclaimer - reverse</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="HPND-UC"> <xs:enumeration value="HPND-UC">
<xs:annotation> <xs:annotation>
<xs:documentation>Historical Permission Notice and Disclaimer - University of California variant</xs:documentation> <xs:documentation>Historical Permission Notice and Disclaimer - University of California variant</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="HPND-UC-export-US">
<xs:annotation>
<xs:documentation>Historical Permission Notice and Disclaimer - University of California, US export warning</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="HTMLTIDY"> <xs:enumeration value="HTMLTIDY">
<xs:annotation> <xs:annotation>
<xs:documentation>HTML Tidy License</xs:documentation> <xs:documentation>HTML Tidy License</xs:documentation>
@ -2027,6 +2092,11 @@
<xs:documentation>MIT Festival Variant</xs:documentation> <xs:documentation>MIT Festival Variant</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="MIT-Khronos-old">
<xs:annotation>
<xs:documentation>MIT Khronos - old variant</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="MIT-Modern-Variant"> <xs:enumeration value="MIT-Modern-Variant">
<xs:annotation> <xs:annotation>
<xs:documentation>MIT License Modern Variant</xs:documentation> <xs:documentation>MIT License Modern Variant</xs:documentation>
@ -2162,11 +2232,21 @@
<xs:documentation>Net Boolean Public License v1</xs:documentation> <xs:documentation>Net Boolean Public License v1</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="NCBI-PD">
<xs:annotation>
<xs:documentation>NCBI Public Domain Notice</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="NCGL-UK-2.0"> <xs:enumeration value="NCGL-UK-2.0">
<xs:annotation> <xs:annotation>
<xs:documentation>Non-Commercial Government Licence</xs:documentation> <xs:documentation>Non-Commercial Government Licence</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="NCL">
<xs:annotation>
<xs:documentation>NCL Source Code License</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="NCSA"> <xs:enumeration value="NCSA">
<xs:annotation> <xs:annotation>
<xs:documentation>University of Illinois/NCSA Open Source License</xs:documentation> <xs:documentation>University of Illinois/NCSA Open Source License</xs:documentation>
@ -2282,6 +2362,11 @@
<xs:documentation>Open Use of Data Agreement v1.0</xs:documentation> <xs:documentation>Open Use of Data Agreement v1.0</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="OAR">
<xs:annotation>
<xs:documentation>OAR License</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="OCCT-PL"> <xs:enumeration value="OCCT-PL">
<xs:annotation> <xs:annotation>
<xs:documentation>Open CASCADE Technology Public License</xs:documentation> <xs:documentation>Open CASCADE Technology Public License</xs:documentation>
@ -2562,6 +2647,11 @@
<xs:documentation>Pixar License</xs:documentation> <xs:documentation>Pixar License</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="pkgconf">
<xs:annotation>
<xs:documentation>pkgconf License</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="Plexus"> <xs:enumeration value="Plexus">
<xs:annotation> <xs:annotation>
<xs:documentation>Plexus Classworlds License</xs:documentation> <xs:documentation>Plexus Classworlds License</xs:documentation>
@ -2587,6 +2677,11 @@
<xs:documentation>PostgreSQL License</xs:documentation> <xs:documentation>PostgreSQL License</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="PPL">
<xs:annotation>
<xs:documentation>Peer Production License</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="PSF-2.0"> <xs:enumeration value="PSF-2.0">
<xs:annotation> <xs:annotation>
<xs:documentation>Python Software Foundation License 2.0</xs:documentation> <xs:documentation>Python Software Foundation License 2.0</xs:documentation>
@ -2862,6 +2957,11 @@
<xs:documentation>Sun PPP License</xs:documentation> <xs:documentation>Sun PPP License</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="Sun-PPP-2000">
<xs:annotation>
<xs:documentation>Sun PPP License (2000)</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="SunPro"> <xs:enumeration value="SunPro">
<xs:annotation> <xs:annotation>
<xs:documentation>SunPro License</xs:documentation> <xs:documentation>SunPro License</xs:documentation>
@ -2907,6 +3007,11 @@
<xs:documentation>Transitive Grace Period Public Licence 1.0</xs:documentation> <xs:documentation>Transitive Grace Period Public Licence 1.0</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="threeparttable">
<xs:annotation>
<xs:documentation>threeparttable License</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="TMate"> <xs:enumeration value="TMate">
<xs:annotation> <xs:annotation>
<xs:documentation>TMate Open Source License</xs:documentation> <xs:documentation>TMate Open Source License</xs:documentation>
@ -3132,6 +3237,11 @@
<xs:documentation>XSkat License</xs:documentation> <xs:documentation>XSkat License</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="xzoom">
<xs:annotation>
<xs:documentation>xzoom License</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="YPL-1.0"> <xs:enumeration value="YPL-1.0">
<xs:annotation> <xs:annotation>
<xs:documentation>Yahoo! Public License v1.0</xs:documentation> <xs:documentation>Yahoo! Public License v1.0</xs:documentation>
@ -3203,6 +3313,11 @@
<xs:documentation>Asterisk exception</xs:documentation> <xs:documentation>Asterisk exception</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="Asterisk-linking-protocols-exception">
<xs:annotation>
<xs:documentation>Asterisk linking protocols exception</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="Autoconf-exception-2.0"> <xs:enumeration value="Autoconf-exception-2.0">
<xs:annotation> <xs:annotation>
<xs:documentation>Autoconf exception 2.0</xs:documentation> <xs:documentation>Autoconf exception 2.0</xs:documentation>
@ -3438,6 +3553,11 @@
<xs:documentation>OpenVPN OpenSSL Exception</xs:documentation> <xs:documentation>OpenVPN OpenSSL Exception</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="PCRE2-exception">
<xs:annotation>
<xs:documentation>PCRE2 exception</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="PS-or-PDF-font-exception-20170817"> <xs:enumeration value="PS-or-PDF-font-exception-20170817">
<xs:annotation> <xs:annotation>
<xs:documentation>PS/PDF font exception (2017-08-17)</xs:documentation> <xs:documentation>PS/PDF font exception (2017-08-17)</xs:documentation>
@ -3463,6 +3583,11 @@
<xs:documentation>Qwt exception 1.0</xs:documentation> <xs:documentation>Qwt exception 1.0</xs:documentation>
</xs:annotation> </xs:annotation>
</xs:enumeration> </xs:enumeration>
<xs:enumeration value="RRDtool-FLOSS-exception-2.0">
<xs:annotation>
<xs:documentation>RRDtool FLOSS exception 2.0</xs:documentation>
</xs:annotation>
</xs:enumeration>
<xs:enumeration value="SANE-exception"> <xs:enumeration value="SANE-exception">
<xs:annotation> <xs:annotation>
<xs:documentation>SANE Exception</xs:documentation> <xs:documentation>SANE Exception</xs:documentation>


@ -0,0 +1,59 @@
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"serialNumber": "urn:uuid:5208fea9-73dd-4624-b596-69fddccdb9e7",
"version": 1,
"metadata": {
"timestamp": "2023-09-29T12:02:02-04:00",
"tools": [
{
"vendor": "anchore",
"name": "syft",
"version": "[not provided]"
}
],
"component": {
"bom-ref": "a0ff99a6af10f11f",
"type": "file",
"name": "go.mod",
"version": "sha256:sha256:dc333f342905248a52e424d8dfd061251d01867d01a4f9d7397144a775ff9ebd"
}
},
"components": [
{
"bom-ref": "pkg:golang/github.com/wagoodman/go-partybus@v0.0.0-20230516145632-8ccac152c651?package-id=2ff71a67fb024c86",
"type": "library",
"name": "github.com/wagoodman/go-partybus",
"version": "v0.0.0-20230516145632-8ccac152c651",
"cpe": "cpe:2.3:a:wagoodman:go-partybus:v0.0.0-20230516145632-8ccac152c651:*:*:*:*:*:*:*",
"purl": "pkg:golang/github.com/wagoodman/go-partybus@v0.0.0-20230516145632-8ccac152c651",
"properties": [
{
"name": "syft:package:foundBy",
"value": "go-module-file-cataloger"
},
{
"name": "syft:package:language",
"value": "go"
},
{
"name": "syft:package:metadataType",
"value": "GolangModMetadata"
},
{
"name": "syft:package:type",
"value": "go-module"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:wagoodman:go_partybus:v0.0.0-20230516145632-8ccac152c651:*:*:*:*:*:*:*"
},
{
"name": "syft:location:0:path",
"value": "/go.mod"
}
]
}
]
}
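Review bot: The new fixture's `$schema` on its second line still points at `bom-1.5.schema.json` while `specVersion` is `1.6`, so any validator that resolves `$schema` would check a 1.6 document against the 1.5 schema; change it to `"$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",` to match the golden files updated elsewhere in this commit. The metadata component version also carries a doubled `sha256:sha256:` prefix, which looks like it was carried over from the existing 1.5 fixture rather than produced deliberately — worth confirming if this fixture is meant to represent real syft output.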


@ -0,0 +1,28 @@
{
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"version": 1,
"components": [
{
"type": "library",
"group": "io.netty",
"name": "netty-codec-http2",
"version": "4.1.73.Final",
"properties": [
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:codec:codec:4.1.73.Final:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:codec:netty-codec-http2:4.1.73.Final:*:*:*:*:*:*:*"
},
{
"name": "syft:cpe23",
"value": "cpe:2.3:a:codec:netty_codec_http2:4.1.73.Final:*:*:*:*:*:*:*"
}
]
}
],
"serialNumber": "urn:uuid:3eb5ec7a-cb05-4339-b873-e27b1c1efaba"
}


@ -1,7 +1,7 @@
{ {
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.5", "specVersion": "1.6",
"serialNumber": "urn:uuid:redacted", "serialNumber": "urn:uuid:redacted",
"version": 1, "version": 1,
"metadata": { "metadata": {


@ -1,7 +1,7 @@
{ {
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json", "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
"bomFormat": "CycloneDX", "bomFormat": "CycloneDX",
"specVersion": "1.5", "specVersion": "1.6",
"serialNumber": "urn:uuid:redacted", "serialNumber": "urn:uuid:redacted",
"version": 1, "version": 1,
"metadata": { "metadata": {


@ -0,0 +1,33 @@
<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.6" serialNumber="urn:uuid:098e8516-ecd5-4130-9d5f-c32ba1ddb0dd" version="1">
<metadata>
<timestamp>2023-09-29T11:48:10-04:00</timestamp>
<tools>
<tool>
<vendor>anchore</vendor>
<name>syft</name>
<version>[not provided]</version>
</tool>
</tools>
<component bom-ref="a0ff99a6af10f11f" type="file">
<name>go.mod</name>
<version>sha256:sha256:dc333f342905248a52e424d8dfd061251d01867d01a4f9d7397144a775ff9ebd</version>
</component>
</metadata>
<components>
<component bom-ref="pkg:golang/github.com/wagoodman/go-partybus@v0.0.0-20230516145632-8ccac152c651?package-id=2ff71a67fb024c86" type="library">
<name>github.com/wagoodman/go-partybus</name>
<version>v0.0.0-20230516145632-8ccac152c651</version>
<cpe>cpe:2.3:a:wagoodman:go-partybus:v0.0.0-20230516145632-8ccac152c651:*:*:*:*:*:*:*</cpe>
<purl>pkg:golang/github.com/wagoodman/go-partybus@v0.0.0-20230516145632-8ccac152c651</purl>
<properties>
<property name="syft:package:foundBy">go-module-file-cataloger</property>
<property name="syft:package:language">go</property>
<property name="syft:package:metadataType">GolangModMetadata</property>
<property name="syft:package:type">go-module</property>
<property name="syft:cpe23">cpe:2.3:a:wagoodman:go_partybus:v0.0.0-20230516145632-8ccac152c651:*:*:*:*:*:*:*</property>
<property name="syft:location:0:path">/go.mod</property>
</properties>
</component>
</components>
</bom>


@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" serialNumber="redacted" version="1"> <bom xmlns="http://cyclonedx.org/schema/bom/1.6" serialNumber="redacted" version="1">
<metadata> <metadata>
<timestamp>redacted</timestamp> <timestamp>redacted</timestamp>
<tools> <tools>


@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.5" serialNumber="redacted" version="1"> <bom xmlns="http://cyclonedx.org/schema/bom/1.6" serialNumber="redacted" version="1">
<metadata> <metadata>
<timestamp>redacted</timestamp> <timestamp>redacted</timestamp>
<tools> <tools>


@ -9,7 +9,7 @@ import (
"github.com/anchore/syft/syft/sbom" "github.com/anchore/syft/syft/sbom"
) )
const DefaultVersion = "1.5" const DefaultVersion = "1.6"
type Encoder struct { type Encoder struct {
version cyclonedx.SpecVersion version cyclonedx.SpecVersion
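Review bot: `DefaultVersion` is bumped with no comment saying what it governs, and the commit message itself says its use is unclear; since this constant silently changes the format every default `syft` run emits — consumers that only accept CycloneDX up to 1.5 will reject the output until they pin `-o cyclonedx-json@1.5` — it deserves a doc comment such as `// DefaultVersion is the CycloneDX spec version emitted when no version is configured; it must be one of the values returned by SupportedVersions and should track the newest release the encoder supports.` If `SupportedVersions` lives in the same package, a small test asserting `slices.Contains(SupportedVersions(JSONFormatID), DefaultVersion)` would catch the two drifting apart on the next bump. The `Encoder` struct continues past the end of the hunk.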


@ -19,6 +19,7 @@ func SupportedVersions(id sbom.FormatID) []string {
"1.3", "1.3",
"1.4", "1.4",
"1.5", "1.5",
"1.6",
} }
if id != JSONFormatID { if id != JSONFormatID {
@ -43,6 +44,8 @@ func SpecVersionFromString(v string) (cyclonedx.SpecVersion, error) {
return cyclonedx.SpecVersion1_4, nil return cyclonedx.SpecVersion1_4, nil
case "1.5": case "1.5":
return cyclonedx.SpecVersion1_5, nil return cyclonedx.SpecVersion1_5, nil
case "1.6":
return cyclonedx.SpecVersion1_6, nil
} }
return -1, fmt.Errorf("unsupported CycloneDX version %q", v) return -1, fmt.Errorf("unsupported CycloneDX version %q", v)
} }
@ -61,6 +64,8 @@ func VersionFromSpecVersion(spec cyclonedx.SpecVersion) string {
return "1.4" return "1.4"
case cyclonedx.SpecVersion1_5: case cyclonedx.SpecVersion1_5:
return "1.5" return "1.5"
case cyclonedx.SpecVersion1_6:
return "1.6"
} }
return "" return ""
} }
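Review bot: Adding 1.6 required touching three hand-maintained lists (the `SupportedVersions` slice, the `SpecVersionFromString` switch and the `VersionFromSpecVersion` switch) plus `DefaultVersion` in another file, and nothing checks they agree; a version added to one but not the others would either be advertised as supported yet rejected by `SpecVersionFromString`'s `return -1, fmt.Errorf(...)`, or be labelled with the empty string from `VersionFromSpecVersion`'s fall-through `return ""`. A single ordered table of (label, SpecVersion) pairs from which all three functions derive would make the next bump a one-line change and remove the silent-mismatch case. The body of `SupportedVersions` begins before the hunk and the `id != JSONFormatID` handling continues outside it, so only the lookup is sketched here.
```go
// specVersions is the ordered list of CycloneDX versions syft can read and
// write, oldest first. SupportedVersions, SpecVersionFromString and
// VersionFromSpecVersion should all derive from it so a new release is added
// in exactly one place.
var specVersions = []struct {
	label string
	spec  cyclonedx.SpecVersion
}{
	// … unchanged: entries for 1.0 through 1.5 …
	{label: "1.6", spec: cyclonedx.SpecVersion1_6},
}

func SpecVersionFromString(v string) (cyclonedx.SpecVersion, error) {
	for _, sv := range specVersions {
		if sv.label == v {
			return sv.spec, nil
		}
	}
	return -1, fmt.Errorf("unsupported CycloneDX version %q", v)
}
```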