syft/schema/cyclonedx
Rajan Agaskar ae0683074e
feat: update syft to generate cyclone-dx 1.6 by default (#2978)
- Resolves #2974
- add detailed instructions re: updating schemas (a necessary task
  when a new CycloneDX spec version becomes available).
- The DefaultVersion constant has been updated to "1.6" -- it's not
  clear to me how this is used at this time (it may be redundant given
  other code), but effectively unless a specific spec version is
  configured, `syft` will emit the "most recent" spec version available
  for cyclonedx. Users who wish to pin back to an "older" specVersion
  (e.g. to preserve compatibility with utilities that have not yet bumped
  to latest) can either set this in a syft config file or pass a
  name@spec_version pair to the output flag (e.g. `-o
  cyclonedx-json@1.5=some-1.5-spec-bom.cdx.json`)
- Regenerate relevant .golden files (there seems to be a way to do this
  via flags, but I couldn't quite figure out the right set to pass
  correctly, esp. since (as a relative go novice) I found it difficult
  to run just a single test file. I ended up "brute-forcing it" by
  changing the *updateSnapshot val to "true" and running it in Goland.
  A brief comment giving an example of regenerating fixtures usage would
  be helpful.

Signed-off-by: Rajan Agaskar <ragaskar@gmail.com>
2024-06-21 08:51:27 -07:00
.gitignore add cyclone-json output format (#635) 2021-12-03 17:06:23 -08:00
cyclonedx.json feat: update syft to generate cyclone-dx 1.6 by default (#2978) 2024-06-21 08:51:27 -07:00
cyclonedx.xsd feat: update syft to generate cyclone-dx 1.6 by default (#2978) 2024-06-21 08:51:27 -07:00
Makefile Split the sbom.Format interface by encode and decode use cases (#2186) 2023-10-25 13:43:06 +00:00
README.md feat: update syft to generate cyclone-dx 1.6 by default (#2978) 2024-06-21 08:51:27 -07:00
spdx.xsd feat: update syft to generate cyclone-dx 1.6 by default (#2978) 2024-06-21 08:51:27 -07:00

CycloneDX Schemas

Syft generates CycloneDX BOM output. We want to be able to validate generated syft output against the CycloneDX schemas (and the schemas they depend on). The best way to do this is with xmllint; however, that tool does not resolve schema references over HTTP, only from the local filesystem. For this reason we've included a copy of every schema needed to validate syft output, modified to reference local copies of the dependent schemas.

You can get the latest schemas from the CycloneDX specification repo (https://github.com/CycloneDX/specification).

When the spec version is bumped, one way to find the local modifications that need to be carried forward is to compare the files in this directory against the upstream files for the prior spec version (e.g. if updating to 1.7, diff the files here against the upstream 1.6 equivalents); the differences are exactly the edits that must be reapplied to the new schemas.

Alternatively, drop in the new schemas, run the validation, and fix the resulting errors one by one. At the time of writing, cyclonedx.xsd needed two modifications: its import had to point at the local spdx.xsd instead of the remote URL, and the minOccurs for a license tag had to be changed to 0. (The JSON schema does not need modification for the generated file to validate; it can simply be copied in as-is.)
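As an added example (not part of the syft repository or its Makefile), the following Python script automates the schema-localization step described above: it rewrites remote schemaLocation values on xs:import and xs:include tags to local file names, reports any reference for which no local copy is known, and runs xmllint with --nonet so that a leftover remote reference fails loudly instead of being fetched. The LOCAL_SCHEMAS mapping, the function names and the sample XSD are constructed for this example; the minOccurs adjustment mentioned above is a hand edit and is not automated here.

```python
"""Localize remote schemaLocation references in an XSD so that xmllint can
validate generated BOMs offline.

Added example, not syft's own tooling. The rewrite is deliberately text-based:
re-serialising the schema through an XML library would reorder namespace
prefixes and drop comments, which makes the diff against the upstream schema
noisy when the next spec version lands.
"""
import re
import shutil
import subprocess
from pathlib import Path

# Hypothetical mapping: imported namespace -> local file kept next to cyclonedx.xsd.
LOCAL_SCHEMAS = {
    "http://cyclonedx.org/schema/spdx": "spdx.xsd",
}

# Matches a complete <xs:import .../> or <xs:include .../> tag, even when the
# attributes are wrapped across several lines ([^>] also matches newlines).
_TAG_RE = re.compile(r"<xs:(?:import|include)\b[^>]*>")
# Extracts name="value" pairs inside one tag.
_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def localize_schema(xsd_text: str, local_schemas: dict) -> tuple[str, list]:
    """Return (rewritten_text, unresolved).

    Every xs:import/xs:include whose schemaLocation is an http(s) URL is
    pointed at the local file registered for its namespace (or for the URL
    itself). Remote references with no local copy are left untouched and
    listed in `unresolved` so the caller can add the missing file.
    """
    unresolved = []

    def fix_tag(match: re.Match) -> str:
        tag = match.group(0)
        attrs = dict(_ATTR_RE.findall(tag))
        loc = attrs.get("schemaLocation", "")
        if not loc.startswith(("http://", "https://")):
            return tag  # already local, nothing to do
        local = local_schemas.get(attrs.get("namespace", "")) or local_schemas.get(loc)
        if local is None:
            unresolved.append(loc)
            return tag
        return tag.replace(f'schemaLocation="{loc}"', f'schemaLocation="{local}"')

    return _TAG_RE.sub(fix_tag, xsd_text), unresolved


def validate_with_xmllint(schema: Path, bom: Path) -> bool:
    """Validate `bom` against `schema` with xmllint.

    --nonet forbids network access, so any remote reference that survived
    localization surfaces as a validation error instead of a silent fetch.
    """
    if shutil.which("xmllint") is None:
        raise RuntimeError("xmllint is not installed")
    proc = subprocess.run(
        ["xmllint", "--noout", "--nonet", "--schema", str(schema), str(bom)],
        capture_output=True, text=True, check=False,
    )
    return proc.returncode == 0


# Constructed sample resembling the upstream schema's import section: one
# import we have a local copy for, and one we do not.
SAMPLE_XSD = """<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:spdx="http://cyclonedx.org/schema/spdx"
           targetNamespace="http://cyclonedx.org/schema/bom/1.6"
           elementFormDefault="unqualified">
  <xs:import namespace="http://cyclonedx.org/schema/spdx"
             schemaLocation="http://cyclonedx.org/schema/spdx"/>
  <xs:import namespace="http://example.invalid/other"
             schemaLocation="https://example.invalid/other.xsd"/>
</xs:schema>
"""

if __name__ == "__main__":
    rewritten, missing = localize_schema(SAMPLE_XSD, LOCAL_SCHEMAS)
    print(rewritten)
    for loc in missing:
        print("still remote, add a local copy for:", loc)
```

To apply this to a real update, read the freshly downloaded cyclonedx.xsd, write the rewritten text back, add a local file for every entry in `unresolved`, then run `validate_with_xmllint(Path("cyclonedx.xsd"), Path("some-bom.cdx.xml"))` on a BOM produced by syft; the JSON schema needs no such rewrite and can be copied in unchanged.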