Merge pull request #105 from CycloneDX/spec-v1.5-attestations

feat(spec1-5): add support for annotations
CycloneDX · Jun 27, 2023 · 1631719 · 1631719
2 parents 6f68905 + d84947d
commit 1631719
Show file tree

Hide file tree

Showing 6 changed files with 398 additions and 0 deletions.
diff --git a/convert.go b/convert.go
@@ -48,6 +48,9 @@ func (b *BOM) convert(specVersion SpecVersion) {
 	if specVersion < SpecVersion1_4 {
 		b.Vulnerabilities = nil
 	}
+	if specVersion < SpecVersion1_5 {
+		b.Annotations = nil
+	}
 
 	if b.Metadata != nil {
 		if specVersion < SpecVersion1_3 {

diff --git a/cyclonedx.go b/cyclonedx.go
@@ -48,6 +48,21 @@ type Affects struct {
 	Range *[]AffectedVersions `json:"versions,omitempty" xml:"versions>version,omitempty"`
 }
 
+type Annotation struct {
+	BOMRef    string          `json:"bom-ref,omitempty" xml:"bom-ref,attr,omitempty"`
+	Subjects  *[]BOMReference `json:"subjects,omitempty" xml:"subjects>subject,omitempty"`
+	Annotator *Annotator      `json:"annotator,omitempty" xml:"annotator,omitempty"`
+	Timestamp string          `json:"timestamp,omitempty" xml:"timestamp,omitempty"`
+	Text      string          `json:"text,omitempty" xml:"text,omitempty"`
+}
+
+type Annotator struct {
+	Organization *OrganizationalEntity  `json:"organization,omitempty" xml:"organization,omitempty"`
+	Individual   *OrganizationalContact `json:"individual,omitempty" xml:"individual,omitempty"`
+	Component    *Component             `json:"component,omitempty" xml:"component,omitempty"`
+	Service      *Service               `json:"service,omitempty" xml:"service,omitempty"`
+}
+
 type AttachedText struct {
 	Content     string `json:"content" xml:",chardata"`
 	ContentType string `json:"contentType,omitempty" xml:"content-type,attr,omitempty"`
@@ -74,6 +89,7 @@ type BOM struct {
 	Compositions       *[]Composition       `json:"compositions,omitempty" xml:"compositions>composition,omitempty"`
 	Properties         *[]Property          `json:"properties,omitempty" xml:"properties>property,omitempty"`
 	Vulnerabilities    *[]Vulnerability     `json:"vulnerabilities,omitempty" xml:"vulnerabilities>vulnerability,omitempty"`
+	Annotations        *[]Annotation        `json:"annotations,omitempty" xml:"annotations>annotation,omitempty"`
 }
 
 func NewBOM() *BOM {

diff --git a/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-annotation.json b/testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-annotation.json
@@ -0,0 +1,103 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "bom-ref": "component-a",
+      "type": "library",
+      "name": "Component A",
+      "version": "1.0.0"
+    }
+  ],
+  "annotations": [
+    {
+      "bom-ref": "annotation-1",
+      "subjects": [
+        "component-a"
+      ],
+      "annotator": {
+        "organization": {
+          "name": "Acme, Inc.",
+          "url": [
+            "https://example.com"
+          ],
+          "contact": [
+            {
+              "name": "Acme Professional Services",
+              "email": "professional.services@example.com"
+            }
+          ]
+        }
+      },
+      "timestamp": "2022-01-01T00:00:00Z",
+      "text": "This is a sample annotation made by an organization"
+    },
+    {
+      "bom-ref": "annotation-2",
+      "subjects": [
+        "component-a"
+      ],
+      "annotator": {
+        "individual": {
+          "name": "Samantha Wright",
+          "email": "samantha.wright@example.com",
+          "phone": "800-555-1212"
+        }
+      },
+      "timestamp": "2022-01-01T00:00:00Z",
+      "text": "This is a sample annotation made by a person"
+    },
+    {
+      "bom-ref": "annotation-3",
+      "subjects": [
+        "component-a"
+      ],
+      "annotator": {
+        "component": {
+          "type": "application",
+          "name": "Awesome Tool",
+          "version": "9.1.2"
+        }
+      },
+      "timestamp": "2022-01-01T00:00:00Z",
+      "text": "This is a sample annotation made by a component"
+    },
+    {
+      "bom-ref": "annotation-4",
+      "subjects": [
+        "component-a"
+      ],
+      "annotator": {
+        "service": {
+          "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8",
+          "provider": {
+            "name": "Partner Org",
+            "url": [
+              "https://partner.org"
+            ]
+          },
+          "group": "org.partner",
+          "name": "BOM Annotation Service",
+          "version": "2020-Q2",
+          "endpoints": [
+            "https://partner.org/api/v1/inspect",
+            "https://partner.org/api/v1/annotate"
+          ],
+          "authenticated": true,
+          "x-trust-boundary": true,
+          "data": [
+            {
+              "flow": "bi-directional",
+              "classification": "public"
+            }
+          ]
+        }
+      },
+      "timestamp": "2022-01-01T00:00:00Z",
+      "text": "This is a sample annotation made by a service"
+    }
+  ]
+}
+
diff --git a/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-annotation.xml b/testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-annotation.xml
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.5" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
+  <components>
+    <component bom-ref="component-a" type="library">
+      <name>Component A</name>
+      <version>1.0.0</version>
+    </component>
+  </components>
+  <annotations>
+    <annotation bom-ref="annotation-1">
+      <subjects>
+        <subject ref="component-a"></subject>
+      </subjects>
+      <annotator>
+        <organization>
+          <name>Acme, Inc.</name>
+          <url>https://example.com</url>
+          <contact>
+            <name>Acme Professional Services</name>
+            <email>professional.services@example.com</email>
+          </contact>
+        </organization>
+      </annotator>
+      <timestamp>2020-04-07T07:01:00Z</timestamp>
+      <text>This is a sample annotation made by an organization</text>
+    </annotation>
+    <annotation bom-ref="annotation-2">
+      <subjects>
+        <subject ref="component-a"></subject>
+      </subjects>
+      <annotator>
+        <individual>
+          <name>Samantha Wright</name>
+          <email>samantha.wright@example.com</email>
+          <phone>800-555-1212</phone>
+        </individual>
+      </annotator>
+      <timestamp>2020-04-07T07:01:00Z</timestamp>
+      <text>This is a sample annotation made by an person</text>
+    </annotation>
+    <annotation bom-ref="annotation-3">
+      <subjects>
+        <subject ref="component-a"></subject>
+      </subjects>
+      <annotator>
+        <component type="application">
+          <name>Awesome Tool</name>
+          <version>9.1.2</version>
+        </component>
+      </annotator>
+      <timestamp>2020-04-07T07:01:00Z</timestamp>
+      <text>This is a sample annotation made by a component</text>
+    </annotation>
+    <annotation bom-ref="annotation-4">
+      <subjects>
+        <subject ref="component-a"></subject>
+      </subjects>
+      <annotator>
+        <service bom-ref="b2a46a4b-8367-4bae-9820-95557cfe03a8">
+          <provider>
+            <name>Partner Org</name>
+            <url>https://partner.org</url>
+            <contact>
+              <name>Support</name>
+              <email>support@partner</email>
+              <phone>800-555-1212</phone>
+            </contact>
+          </provider>
+          <group>org.partner</group>
+          <name>BOM Annotation Service</name>
+          <version>2020-Q2</version>
+          <endpoints>
+            <endpoint>https://partner.org/api/v1/inspect</endpoint>
+            <endpoint>https://partner.org/api/v1/annotate</endpoint>
+          </endpoints>
+          <authenticated>true</authenticated>
+          <x-trust-boundary>true</x-trust-boundary>
+          <data>
+            <classification flow="bi-directional">pubic</classification>
+          </data>
+        </service>
+      </annotator>
+      <timestamp>2020-04-07T07:01:00Z</timestamp>
+      <text>This is a sample annotation made by a service</text>
+    </annotation>
+  </annotations>
+</bom>
diff --git a/testdata/valid-annotation.json b/testdata/valid-annotation.json
@@ -0,0 +1,102 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "components": [
+    {
+      "bom-ref": "component-a",
+      "type": "library",
+      "name": "Component A",
+      "version": "1.0.0"
+    }
+  ],
+  "annotations": [
+    {
+      "bom-ref": "annotation-1",
+      "subjects": [
+        "component-a"
+      ],
+      "annotator": {
+        "organization": {
+          "name": "Acme, Inc.",
+          "url": [
+            "https://example.com"
+          ],
+          "contact": [
+            {
+              "name": "Acme Professional Services",
+              "email": "professional.services@example.com"
+            }
+          ]
+        }
+      },
+      "timestamp": "2022-01-01T00:00:00Z",
+      "text": "This is a sample annotation made by an organization"
+    },
+    {
+      "bom-ref": "annotation-2",
+      "subjects": [
+        "component-a"
+      ],
+      "annotator": {
+        "individual": {
+          "name": "Samantha Wright",
+          "email": "samantha.wright@example.com",
+          "phone": "800-555-1212"
+        }
+      },
+      "timestamp": "2022-01-01T00:00:00Z",
+      "text": "This is a sample annotation made by a person"
+    },
+    {
+      "bom-ref": "annotation-3",
+      "subjects": [
+        "component-a"
+      ],
+      "annotator": {
+        "component": {
+          "type": "application",
+          "name": "Awesome Tool",
+          "version": "9.1.2"
+        }
+      },
+      "timestamp": "2022-01-01T00:00:00Z",
+      "text": "This is a sample annotation made by a component"
+    },
+    {
+      "bom-ref": "annotation-4",
+      "subjects": [
+        "component-a"
+      ],
+      "annotator": {
+        "service": {
+          "bom-ref": "b2a46a4b-8367-4bae-9820-95557cfe03a8",
+          "provider": {
+            "name": "Partner Org",
+            "url": [
+              "https://partner.org"
+            ]
+          },
+          "group": "org.partner",
+          "name": "BOM Annotation Service",
+          "version": "2020-Q2",
+          "endpoints": [
+            "https://partner.org/api/v1/inspect",
+            "https://partner.org/api/v1/annotate"
+          ],
+          "authenticated": true,
+          "x-trust-boundary": true,
+          "data": [
+            {
+              "classification": "public",
+              "flow": "bi-directional"
+            }
+          ]
+        }
+      },
+      "timestamp": "2022-01-01T00:00:00Z",
+      "text": "This is a sample annotation made by a service"
+    }
+  ]
+}