feat: add support for encoding to older spec versions (#51)

* feat: add support for encoding to older spec versions

Signed-off-by: nscuro <nscuro@protonmail.com>

* fix: ignore generated sources in license check

Signed-off-by: nscuro <nscuro@protonmail.com>

Signed-off-by: nscuro <nscuro@protonmail.com>

Author: nscuro

.licenserc.yml

@@ -3,17 +3,18 @@ header:
     spdx-id: Apache-2.0
     copyright-owner: OWASP Foundation
   paths-ignore:
+    - "**/*.md"
+    - "**/go.mod"
+    - "**/go.sum"
+    - "**/testdata/**"
     - ".github/**"
     - ".gitignore"
     - ".gitpod.*"
     - ".golangci.yml"
     - ".goreleaser.yml"
     - ".licenserc.yml"
-    - "**/*.md"
-    - "**/go.mod"
-    - "**/go.sum"
-    - "**/testdata/**"
     - "CODEOWNERS"
     - "LICENSE"
     - "Makefile"
-    - "NOTICE"
+    - "NOTICE"
+    - "cyclonedx_string.go"

Makefile

@@ -10,5 +10,9 @@ clean:
 	go clean
 .PHONY: clean
 
+generate:
+	go generate
+.PHONY: generate
+
 all: clean build test
 .PHONY: all

README.md

@@ -28,15 +28,18 @@ Also, checkout the [`examples`](./example_test.go) to get an idea of how this li
 
 | cyclonedx-go versions | Supported Go versions | Supported CycloneDX spec |
 |:---------------------:|:---------------------:|:------------------------:|
-|    < v0.4.0           |         1.14+         |           1.2            |
-|   == v0.4.0           |         1.14+         |           1.3            |
-|   >= v0.5.0           |         1.15+         |           1.4            |
+|       < v0.4.0        |         1.14+         |           1.2            |
+|       == v0.4.0       |         1.14+         |           1.3            |
+|       >= v0.5.0       |         1.15+         |           1.4            |
+|       >= v0.7.0       |         1.15+         |         1.0-1.4          |
 
 We're aiming to support all [officially supported](https://golang.org/doc/devel/release.html#policy) Go versions, plus
 an additional older version.
 
-This library will only support the latest version of the CycloneDX specification. While it's generally possible to 
-*read* BOMs of an older spec, *writing* will exclusively produce BOMs conforming to the latest supported spec.
+Prior to v0.7.0, this library only supported the latest version of the CycloneDX specification. While it is generally 
+possible to *read* BOMs of an older spec, *writing* would exclusively produce BOMs conforming to the latest supported spec.
+
+Starting with v0.7.0, writing BOMs conforming to all previous version of the spec is also possible.
 
 ## Copyright & License
 

copy.go

@@ -0,0 +1,43 @@
+// This file is part of CycloneDX Go
+//
+// Licensed under the Apache License, Version 2.0 (the “License”);
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an “AS IS” BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) OWASP Foundation. All Rights Reserved.
+
+package cyclonedx
+
+import (
+	"bytes"
+	"encoding/gob"
+	"fmt"
+)
+
+// copy creates a deep copy of the BOM in a given destination.
+// Copying is currently done be encoding and decoding the BOM struct using the gop.
+// In the future we may choose to switch to a more efficient strategy,
+// and consider to export this API.
+func (b BOM) copy(dst *BOM) error {
+	buf := bytes.Buffer{}
+	err := gob.NewEncoder(&buf).Encode(b)
+	if err != nil {
+		return fmt.Errorf("failed to encode bom: %w", err)
+	}
+
+	err = gob.NewDecoder(&buf).Decode(dst)
+	if err != nil {
+		return fmt.Errorf("failed to decode bom: %w", err)
+	}
+
+	return nil
+}

cyclonedx.go

@@ -26,11 +26,10 @@ import (
 	"regexp"
 )
 
+//go:generate stringer -linecomment -output cyclonedx_string.go -type SpecVersion
+
 const (
-	BOMFormat      = "CycloneDX"
-	defaultVersion = 1
-	SpecVersion    = "1.4"
-	XMLNamespace   = "http://cyclonedx.org/schema/bom/1.4"
+	BOMFormat = "CycloneDX"
 )
 
 type Advisory struct {
@@ -61,8 +60,8 @@ type BOM struct {
 	XMLNS   string   `json:"-" xml:"xmlns,attr"`
 
 	// JSON specific fields
-	BOMFormat   string `json:"bomFormat" xml:"-"`
-	SpecVersion string `json:"specVersion" xml:"-"`
+	BOMFormat   string      `json:"bomFormat" xml:"-"`
+	SpecVersion SpecVersion `json:"specVersion" xml:"-"`
 
 	SerialNumber       string               `json:"serialNumber,omitempty" xml:"serialNumber,attr,omitempty"`
 	Version            int                  `json:"version" xml:"version,attr"`
@@ -78,10 +77,10 @@ type BOM struct {
 
 func NewBOM() *BOM {
 	return &BOM{
-		XMLNS:       XMLNamespace,
+		XMLNS:       xmlNamespaces[SpecVersion1_4],
 		BOMFormat:   BOMFormat,
-		SpecVersion: SpecVersion,
-		Version:     defaultVersion,
+		SpecVersion: SpecVersion1_4,
+		Version:     1,
 	}
 }
 
@@ -590,6 +589,70 @@ type Source struct {
 	URL  string `json:"url,omitempty" xml:"url,omitempty"`
 }
 
+type SpecVersion int
+
+const (
+	SpecVersion1_0 SpecVersion = iota + 1 // 1.0
+	SpecVersion1_1                        // 1.1
+	SpecVersion1_2                        // 1.2
+	SpecVersion1_3                        // 1.3
+	SpecVersion1_4                        // 1.4
+)
+
+func (sv SpecVersion) MarshalJSON() ([]byte, error) {
+	return json.Marshal(sv.String())
+}
+
+func (sv *SpecVersion) UnmarshalJSON(bytes []byte) error {
+	var v string
+	err := json.Unmarshal(bytes, &v)
+	if err != nil {
+		return err
+	}
+
+	switch v {
+	case SpecVersion1_0.String():
+		*sv = SpecVersion1_0
+	case SpecVersion1_1.String():
+		*sv = SpecVersion1_1
+	case SpecVersion1_2.String():
+		*sv = SpecVersion1_2
+	case SpecVersion1_3.String():
+		*sv = SpecVersion1_3
+	case SpecVersion1_4.String():
+		*sv = SpecVersion1_4
+	}
+
+	return nil
+}
+
+func (sv SpecVersion) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
+	return e.EncodeElement(sv.String(), start)
+}
+
+func (sv *SpecVersion) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
+	var v string
+	err := d.DecodeElement(&v, &start)
+	if err != nil {
+		return err
+	}
+
+	switch v {
+	case SpecVersion1_0.String():
+		*sv = SpecVersion1_0
+	case SpecVersion1_1.String():
+		*sv = SpecVersion1_1
+	case SpecVersion1_2.String():
+		*sv = SpecVersion1_2
+	case SpecVersion1_3.String():
+		*sv = SpecVersion1_3
+	case SpecVersion1_4.String():
+		*sv = SpecVersion1_4
+	}
+
+	return nil
+}
+
 type SWID struct {
 	Text       *AttachedText `json:"text,omitempty" xml:"text,omitempty"`
 	URL        string        `json:"url,omitempty" xml:"url,attr,omitempty"`
@@ -657,3 +720,11 @@ const (
 	VulnerabilityStatusAffected    VulnerabilityStatus = "affected"
 	VulnerabilityStatusNotAffected VulnerabilityStatus = "unaffected"
 )
+
+var xmlNamespaces = map[SpecVersion]string{
+	SpecVersion1_0: "http://cyclonedx.org/schema/bom/1.0",
+	SpecVersion1_1: "http://cyclonedx.org/schema/bom/1.1",
+	SpecVersion1_2: "http://cyclonedx.org/schema/bom/1.2",
+	SpecVersion1_3: "http://cyclonedx.org/schema/bom/1.3",
+	SpecVersion1_4: "http://cyclonedx.org/schema/bom/1.4",
+}

cyclonedx_string.go

@@ -20,12 +20,19 @@ package cyclonedx
 import (
 	"encoding/json"
 	"encoding/xml"
+	"fmt"
+	"os/exec"
+	"strings"
 	"testing"
 
+	"github.com/bradleyjkemp/cupaloy/v2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
+var snapShooter = cupaloy.NewDefaultConfig().
+	WithOptions(cupaloy.SnapshotSubdirectory("./testdata/snapshots"))
+
 func TestBool(t *testing.T) {
 	assert.Equal(t, true, *Bool(true))
 	assert.Equal(t, false, *Bool(false))
@@ -228,3 +235,17 @@ func TestVulnerability_Properties(t *testing.T) {
 	// EXPECT
 	assert.Equal(t, 0, len(*vuln.Properties))
 }
+
+func assertValidBOM(t *testing.T, bomFilePath string, version SpecVersion) {
+	inputFormat := "xml"
+	if strings.HasSuffix(bomFilePath, ".json") {
+		inputFormat = "json"
+	}
+	inputVersion := fmt.Sprintf("v%s", strings.ReplaceAll(version.String(), ".", "_"))
+	valCmd := exec.Command("cyclonedx", "validate", "--input-file", bomFilePath, "--input-format", inputFormat, "--input-version", inputVersion, "--fail-on-errors")
+	valOut, err := valCmd.CombinedOutput()
+	if !assert.NoError(t, err) {
+		// Provide some context when test is failing
+		fmt.Printf("validation error: %s\n", string(valOut))
+	}
+}

cyclonedx_test.go

@@ -38,6 +38,7 @@ type jsonBOMDecoder struct {
 	reader io.Reader
 }
 
+// Decode implements the BOMDecoder interface.
 func (j jsonBOMDecoder) Decode(bom *BOM) error {
 	return json.NewDecoder(j.reader).Decode(bom)
 }
@@ -46,6 +47,7 @@ type xmlBOMDecoder struct {
 	reader io.Reader
 }
 
+// Decode implements the BOMDecoder interface.
 func (x xmlBOMDecoder) Decode(bom *BOM) error {
 	return xml.NewDecoder(x.reader).Decode(bom)
 }

decode.go

@@ -0,0 +1,166 @@
+// This file is part of CycloneDX Go
+//
+// Licensed under the Apache License, Version 2.0 (the “License”);
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an “AS IS” BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) OWASP Foundation. All Rights Reserved.
+
+package cyclonedx
+
+import "fmt"
+
+// downgrade "downgrades" the BOM to a given version of the specification.
+// Downgrading works by successively removing (or changing) fields introduced in later specification versions.
+// This procedure has been adapted from the .NET implementation:
+// https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/v5.2.2/src/CycloneDX.Core/BomUtils.cs#L60
+func (b *BOM) downgrade(version SpecVersion) error {
+	if version < SpecVersion1_1 {
+		b.SerialNumber = ""
+		b.ExternalReferences = nil
+		forEachComponent(b.Components, func(c *Component) {
+			c.BOMRef = ""
+			c.ExternalReferences = nil
+			if c.Licenses != nil {
+				// Keep track of licenses that are still valid
+				// after removal of unsupported fields.
+				validLicenses := make(Licenses, 0)
+
+				for i := range *c.Licenses {
+					license := &(*c.Licenses)[i]
+					if license.License != nil {
+						license.License.Text = nil
+						license.License.URL = ""
+					}
+					license.Expression = ""
+					if license.License != nil {
+						validLicenses = append(validLicenses, *license)
+					}
+				}
+
+				// Remove the licenses node entirely if no valid licenses
+				// are left. This avoids empty (thus invalid) <licenses> tags in XML.
+				if len(validLicenses) == 0 {
+					c.Licenses = nil
+				} else {
+					c.Licenses = &validLicenses
+				}
+			}
+			if c.Modified == nil {
+				c.Modified = Bool(false)
+			}
+			c.Pedigree = nil
+		})
+	}
+
+	if version < SpecVersion1_2 {
+		b.Metadata = nil
+		b.Dependencies = nil
+		b.Services = nil
+		forEachComponent(b.Components, func(c *Component) {
+			c.Author = ""
+			c.MIMEType = ""
+			c.Supplier = nil
+			c.SWID = nil
+			if c.Pedigree != nil {
+				c.Pedigree.Patches = nil
+			}
+		})
+	}
+
+	if version < SpecVersion1_3 {
+		b.Compositions = nil
+		if b.Metadata != nil {
+			b.Metadata.Licenses = nil
+			b.Metadata.Properties = nil
+		}
+		forEachComponent(b.Components, func(c *Component) {
+			c.Evidence = nil
+			c.Properties = nil
+			if c.ExternalReferences != nil {
+				for i := range *c.ExternalReferences {
+					(*c.ExternalReferences)[i].Hashes = nil
+				}
+			}
+		})
+		forEachService(b.Services, func(s *Service) {
+			s.Properties = nil
+			if s.ExternalReferences != nil {
+				for i := range *s.ExternalReferences {
+					(*s.ExternalReferences)[i].Hashes = nil
+				}
+			}
+		})
+	}
+
+	if version < SpecVersion1_4 {
+		if b.Metadata != nil && b.Metadata.Tools != nil {
+			for i := range *b.Metadata.Tools {
+				(*b.Metadata.Tools)[i].ExternalReferences = nil
+			}
+		}
+		forEachComponent(b.Components, func(c *Component) {
+			c.ReleaseNotes = nil
+			if c.Version == "" {
+				c.Version = "0.0.0"
+			}
+		})
+		forEachService(b.Services, func(s *Service) {
+			s.ReleaseNotes = nil
+		})
+		b.Vulnerabilities = nil
+	}
+
+	b.SpecVersion = version
+	b.XMLNS = xmlNamespaces[version]
+
+	return nil
+}
+
+func (b *BOM) copyAndDowngrade(version SpecVersion) (*BOM, error) {
+	var bomCopy BOM
+	err := b.copy(&bomCopy)
+	if err != nil {
+		return nil, fmt.Errorf("failed to copy bom: %w", err)
+	}
+
+	err = bomCopy.downgrade(version)
+	return &bomCopy, err
+}
+
+func forEachComponent(components *[]Component, f func(c *Component)) {
+	if components == nil || len(*components) == 0 {
+		return
+	}
+
+	for i := range *components {
+		component := &(*components)[i]
+		f(component)
+		forEachComponent(component.Components, f)
+		if component.Pedigree != nil {
+			forEachComponent(component.Pedigree.Ancestors, f)
+			forEachComponent(component.Pedigree.Descendants, f)
+			forEachComponent(component.Pedigree.Variants, f)
+		}
+	}
+}
+
+func forEachService(services *[]Service, f func(s *Service)) {
+	if services == nil || len(*services) == 0 {
+		return
+	}
+
+	for i := range *services {
+		f(&(*services)[i])
+		forEachService((*services)[i].Services, f)
+	}
+}

downgrade.go

@@ -25,8 +25,16 @@ import (
 )
 
 type BOMEncoder interface {
-	Encode(*BOM) error
-	SetPretty(bool)
+	// Encode encodes a given BOM.
+	Encode(bom *BOM) error
+
+	// EncodeVersion encodes a given BOM in a specific version of the specification.
+	// Choosing a lower spec version than what the BOM was constructed for will result
+	// in loss of information. The original BOM struct is guaranteed to not be modified.
+	EncodeVersion(bom *BOM, version SpecVersion) error
+
+	// SetPretty toggles prettified output.
+	SetPretty(pretty bool) BOMEncoder
 }
 
 func NewBOMEncoder(writer io.Writer, format BOMFileFormat) BOMEncoder {
@@ -41,23 +49,42 @@ type jsonBOMEncoder struct {
 	pretty bool
 }
 
+// Encode implements the BOMEncoder interface.
 func (j jsonBOMEncoder) Encode(bom *BOM) error {
+	if bom.SpecVersion < SpecVersion1_2 {
+		return fmt.Errorf("json format is not supported for specification versions lower than 1.2")
+	}
+
 	encoder := json.NewEncoder(j.writer)
 	if j.pretty {
 		encoder.SetIndent("", "  ")
 	}
+
 	return encoder.Encode(bom)
 }
 
-func (j *jsonBOMEncoder) SetPretty(pretty bool) {
+// EncodeVersion implements the BOMEncoder interface.
+func (j jsonBOMEncoder) EncodeVersion(bom *BOM, version SpecVersion) (err error) {
+	bom, err = bom.copyAndDowngrade(version)
+	if err != nil {
+		return
+	}
+
+	return j.Encode(bom)
+}
+
+// SetPretty implements the BOMEncoder interface.
+func (j *jsonBOMEncoder) SetPretty(pretty bool) BOMEncoder {
 	j.pretty = pretty
+	return j
 }
 
 type xmlBOMEncoder struct {
 	writer io.Writer
 	pretty bool
 }
 
+// Encode implements the BOMEncoder interface.
 func (x xmlBOMEncoder) Encode(bom *BOM) error {
 	if _, err := fmt.Fprintf(x.writer, xml.Header); err != nil {
 		return err
@@ -67,9 +94,22 @@ func (x xmlBOMEncoder) Encode(bom *BOM) error {
 	if x.pretty {
 		encoder.Indent("", "  ")
 	}
+
 	return encoder.Encode(bom)
 }
 
-func (x *xmlBOMEncoder) SetPretty(pretty bool) {
+// EncodeVersion implements the BOMEncoder interface.
+func (x xmlBOMEncoder) EncodeVersion(bom *BOM, version SpecVersion) (err error) {
+	bom, err = bom.copyAndDowngrade(version)
+	if err != nil {
+		return
+	}
+
+	return x.Encode(bom)
+}
+
+// SetPretty implements the BOMEncoder interface.
+func (x *xmlBOMEncoder) SetPretty(pretty bool) BOMEncoder {
 	x.pretty = pretty
+	return x
 }

encode.go

@@ -19,6 +19,11 @@ package cyclonedx
 
 import (
 	"bytes"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"os"
+	"path/filepath"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -102,3 +107,83 @@ func TestXmlBOMEncoder_SetPretty(t *testing.T) {
   </metadata>
 </bom>`, buf.String())
 }
+
+func TestJsonBOMEncoder_EncodeVersion(t *testing.T) {
+	t.Run(SpecVersion1_0.String(), func(t *testing.T) {
+		err := NewBOMEncoder(ioutil.Discard, BOMFileFormatJSON).EncodeVersion(NewBOM(), SpecVersion1_0)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "not supported")
+	})
+
+	t.Run(SpecVersion1_1.String(), func(t *testing.T) {
+		err := NewBOMEncoder(ioutil.Discard, BOMFileFormatJSON).EncodeVersion(NewBOM(), SpecVersion1_1)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "not supported")
+	})
+
+	for _, version := range []SpecVersion{SpecVersion1_2, SpecVersion1_3, SpecVersion1_4} {
+		t.Run(version.String(), func(t *testing.T) {
+			// Read original BOM JSON
+			inputFile, err := os.Open("./testdata/valid-bom.json")
+			require.NoError(t, err)
+
+			// Decode BOM
+			var bom BOM
+			require.NoError(t, NewBOMDecoder(inputFile, BOMFileFormatJSON).Decode(&bom))
+			inputFile.Close()
+
+			// Prepare encoding destinations
+			buf := bytes.Buffer{}
+			outputFilePath := filepath.Join(t.TempDir(), "bom.json")
+			outputFile, err := os.Create(outputFilePath)
+			require.NoError(t, err)
+
+			// Encode BOM again, for a specific version
+			err = NewBOMEncoder(io.MultiWriter(&buf, outputFile), BOMFileFormatJSON).
+				SetPretty(true).
+				EncodeVersion(&bom, version)
+			require.NoError(t, err)
+			outputFile.Close() // Required for CLI to be able to access the file
+
+			// Sanity checks: BOM has to be valid
+			assertValidBOM(t, outputFilePath, version)
+
+			// Compare with snapshot
+			require.NoError(t, snapShooter.SnapshotMulti(fmt.Sprintf("%s.bom.json", version), buf.String()))
+		})
+	}
+}
+
+func TestXmlBOMEncoder_EncodeVersion(t *testing.T) {
+	for _, version := range []SpecVersion{SpecVersion1_0, SpecVersion1_1, SpecVersion1_2, SpecVersion1_3, SpecVersion1_4} {
+		t.Run(version.String(), func(t *testing.T) {
+			// Read original BOM JSON
+			inputFile, err := os.Open("./testdata/valid-bom.xml")
+			require.NoError(t, err)
+
+			// Decode BOM
+			var bom BOM
+			require.NoError(t, NewBOMDecoder(inputFile, BOMFileFormatXML).Decode(&bom))
+			inputFile.Close()
+
+			// Prepare encoding destinations
+			buf := bytes.Buffer{}
+			outputFilePath := filepath.Join(t.TempDir(), "bom.xml")
+			outputFile, err := os.Create(outputFilePath)
+			require.NoError(t, err)
+
+			// Encode BOM again
+			err = NewBOMEncoder(io.MultiWriter(&buf, outputFile), BOMFileFormatXML).
+				SetPretty(true).
+				EncodeVersion(&bom, version)
+			require.NoError(t, err)
+			outputFile.Close() // Required for CLI to be able to access the file
+
+			// Sanity checks: BOM has to be valid
+			require.NoError(t, snapShooter.SnapshotMulti(fmt.Sprintf("%s.bom.xml", version), buf.String()))
+
+			// Compare with snapshot
+			assertValidBOM(t, outputFilePath, version)
+		})
+	}
+}

encode_test.go

@@ -80,9 +80,10 @@ func Example_encode() {
 	bom.Dependencies = &dependencies
 
 	// Encode the BOM
-	encoder := cdx.NewBOMEncoder(os.Stdout, cdx.BOMFileFormatXML)
-	encoder.SetPretty(true)
-	if err := encoder.Encode(bom); err != nil {
+	err := cdx.NewBOMEncoder(os.Stdout, cdx.BOMFileFormatXML).
+		SetPretty(true).
+		Encode(bom)
+	if err != nil {
 		panic(err)
 	}
 

example_test.go

@@ -19,56 +19,48 @@ package cyclonedx
 
 import (
 	"bytes"
-	"fmt"
 	"io"
-	"io/ioutil"
 	"os"
-	"os/exec"
 	"path/filepath"
-	"strings"
 	"testing"
 
-	"github.com/bradleyjkemp/cupaloy/v2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 
-var roundTripSnapshotter = cupaloy.NewDefaultConfig().
-	WithOptions(cupaloy.SnapshotSubdirectory("./testdata/snapshots"))
-
-var subTestNameSlashReplacer = strings.NewReplacer("/", "_")
-
 func TestRoundTripJSON(t *testing.T) {
 	bomFilePaths, err := filepath.Glob("./testdata/*.json")
 	require.NoError(t, err)
 
 	for _, bomFilePath := range bomFilePaths {
 		t.Run(filepath.Base(bomFilePath), func(t *testing.T) {
 			// Read original BOM JSON
-			bomFile, err := os.Open(bomFilePath)
+			inputFile, err := os.Open(bomFilePath)
 			require.NoError(t, err)
 
 			// Decode BOM
-			bom := new(BOM)
-			require.NoError(t, NewBOMDecoder(bomFile, BOMFileFormatJSON).Decode(bom))
-			bomFile.Close()
+			var bom BOM
+			require.NoError(t, NewBOMDecoder(inputFile, BOMFileFormatJSON).Decode(&bom))
+			inputFile.Close()
+
+			// Prepare encoding destinations
+			buf := bytes.Buffer{}
+			outputFilePath := filepath.Join(t.TempDir(), "bom.json")
+			outputFile, err := os.Create(outputFilePath)
+			require.NoError(t, err)
 
 			// Encode BOM again
-			buf := new(bytes.Buffer)
-			tempFile, err := ioutil.TempFile("", "*_"+subTestNameSlashReplacer.Replace(t.Name()))
+			err = NewBOMEncoder(io.MultiWriter(&buf, outputFile), BOMFileFormatJSON).
+				SetPretty(true).
+				Encode(&bom)
 			require.NoError(t, err)
-
-			encoder := NewBOMEncoder(io.MultiWriter(buf, tempFile), BOMFileFormatJSON)
-			encoder.SetPretty(true)
-			require.NoError(t, encoder.Encode(bom))
-			tempFile.Close() // Required for CLI to be able to access the file
+			outputFile.Close() // Required for CLI to be able to access the file
 
 			// Sanity checks: BOM has to be valid
-			assertValidBOM(t, tempFile.Name())
-			os.Remove(tempFile.Name())
+			assertValidBOM(t, outputFilePath, SpecVersion1_4)
 
 			// Compare with snapshot
-			assert.NoError(t, roundTripSnapshotter.SnapshotMulti(filepath.Base(bomFilePath), buf.String()))
+			assert.NoError(t, snapShooter.SnapshotMulti(filepath.Base(bomFilePath), buf.String()))
 		})
 	}
 }
@@ -80,43 +72,32 @@ func TestRoundTripXML(t *testing.T) {
 	for _, bomFilePath := range bomFilePaths {
 		t.Run(filepath.Base(bomFilePath), func(t *testing.T) {
 			// Read original BOM XML
-			bomFile, err := os.Open(bomFilePath)
+			inputFile, err := os.Open(bomFilePath)
 			require.NoError(t, err)
 
 			// Decode BOM
-			bom := new(BOM)
-			require.NoError(t, NewBOMDecoder(bomFile, BOMFileFormatXML).Decode(bom))
-			bomFile.Close()
+			var bom BOM
+			require.NoError(t, NewBOMDecoder(inputFile, BOMFileFormatXML).Decode(&bom))
+			inputFile.Close()
+
+			// Prepare encoding destinations
+			buf := bytes.Buffer{}
+			outputFilePath := filepath.Join(t.TempDir(), "bom.xml")
+			outputFile, err := os.Create(outputFilePath)
+			require.NoError(t, err)
 
 			// Encode BOM again
-			buf := new(bytes.Buffer)
-			tempFile, err := ioutil.TempFile("", "*_"+subTestNameSlashReplacer.Replace(t.Name()))
+			err = NewBOMEncoder(io.MultiWriter(&buf, outputFile), BOMFileFormatXML).
+				SetPretty(true).
+				Encode(&bom)
 			require.NoError(t, err)
-
-			encoder := NewBOMEncoder(io.MultiWriter(buf, tempFile), BOMFileFormatXML)
-			encoder.SetPretty(true)
-			require.NoError(t, encoder.Encode(bom))
-			tempFile.Close() // Required for CLI to be able to access the file
+			outputFile.Close() // Required for CLI to be able to access the file
 
 			// Sanity check: BOM has to be valid
-			assertValidBOM(t, tempFile.Name())
-			os.Remove(tempFile.Name())
+			assertValidBOM(t, outputFilePath, SpecVersion1_4)
 
 			// Compare with snapshot
-			assert.NoError(t, roundTripSnapshotter.SnapshotMulti(filepath.Base(bomFilePath), buf.String()))
+			assert.NoError(t, snapShooter.SnapshotMulti(filepath.Base(bomFilePath), buf.String()))
 		})
 	}
 }
-
-func assertValidBOM(t *testing.T, bomFilePath string) {
-	inputFormat := "xml"
-	if strings.HasSuffix(bomFilePath, ".json") {
-		inputFormat = "json"
-	}
-	valCmd := exec.Command("cyclonedx", "validate", "--input-file", bomFilePath, "--input-format", inputFormat, "--input-version", "v1_4", "--fail-on-errors")
-	valOut, err := valCmd.CombinedOutput()
-	if !assert.NoError(t, err) {
-		// Provide some context when test is failing
-		fmt.Printf("validation error: %s\n", string(valOut))
-	}
-}

roundtrip_test.go

@@ -0,0 +1,175 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.2",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2020-04-13T20:20:39+00:00",
+    "tools": [
+      {
+        "vendor": "Awesome Vendor",
+        "name": "Awesome Tool",
+        "version": "9.1.2",
+        "hashes": [
+          {
+            "alg": "SHA-1",
+            "content": "25ed8e31b995bb927966616df2a42b979a2717f0"
+          },
+          {
+            "alg": "SHA-256",
+            "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
+          }
+        ]
+      }
+    ],
+    "authors": [
+      {
+        "name": "Samantha Wright",
+        "email": "samantha.wright@example.com",
+        "phone": "800-555-1212"
+      }
+    ],
+    "component": {
+      "type": "application",
+      "author": "Acme Super Heros",
+      "name": "Acme Application",
+      "version": "9.1.1",
+      "swid": {
+        "text": {
+          "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==",
+          "contentType": "text/xml",
+          "encoding": "base64"
+        },
+        "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1",
+        "name": "Acme Application",
+        "version": "9.1.1"
+      }
+    },
+    "manufacture": {
+      "name": "Acme, Inc.",
+      "url": [
+        "https://example.com"
+      ],
+      "contact": [
+        {
+          "name": "Acme Professional Services",
+          "email": "professional.services@example.com"
+        }
+      ]
+    },
+    "supplier": {
+      "name": "Acme, Inc.",
+      "url": [
+        "https://example.com"
+      ],
+      "contact": [
+        {
+          "name": "Acme Distribution",
+          "email": "distribution@example.com"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:npm/acme/component@1.0.0",
+      "type": "library",
+      "publisher": "Acme Inc",
+      "group": "com.acme",
+      "name": "tomcat-catalina",
+      "version": "9.0.14",
+      "hashes": [
+        {
+          "alg": "MD5",
+          "content": "3942447fac867ae5cdb3229b658f4d48"
+        },
+        {
+          "alg": "SHA-1",
+          "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+        },
+        {
+          "alg": "SHA-256",
+          "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+        },
+        {
+          "alg": "SHA-512",
+          "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "text": {
+              "content": "License text here",
+              "contentType": "text/plain",
+              "encoding": "base64"
+            },
+            "url": "https://www.apache.org/licenses/LICENSE-2.0.txt"
+          }
+        }
+      ],
+      "purl": "pkg:npm/acme/component@1.0.0",
+      "pedigree": {
+        "ancestors": [
+          {
+            "type": "library",
+            "publisher": "Acme Inc",
+            "group": "com.acme",
+            "name": "tomcat-catalina",
+            "version": "9.0.14"
+          },
+          {
+            "type": "library",
+            "publisher": "Acme Inc",
+            "group": "com.acme",
+            "name": "tomcat-catalina",
+            "version": "9.0.14"
+          }
+        ],
+        "commits": [
+          {
+            "uid": "123",
+            "author": {
+              "timestamp": "2018-11-13T20:20:39+00:00"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "type": "library",
+      "supplier": {
+        "name": "Example, Inc.",
+        "url": [
+          "https://example.com",
+          "https://example.net"
+        ],
+        "contact": [
+          {
+            "name": "Example Support AMER Distribution",
+            "email": "support@example.com",
+            "phone": "800-555-1212"
+          },
+          {
+            "name": "Example Support APAC",
+            "email": "support@apac.example.com"
+          }
+        ]
+      },
+      "author": "Example Super Heros",
+      "group": "org.example",
+      "name": "mylibrary",
+      "version": "1.0.0"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:npm/acme/component@1.0.0",
+      "dependsOn": [
+        "pkg:npm/acme/component@1.0.0"
+      ]
+    }
+  ]
+}
+

testdata/snapshots/cyclonedx-go-TestJsonBOMEncoder_EncodeVersion-func3-1.2.bom.json

@@ -0,0 +1,175 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.3",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2020-04-13T20:20:39+00:00",
+    "tools": [
+      {
+        "vendor": "Awesome Vendor",
+        "name": "Awesome Tool",
+        "version": "9.1.2",
+        "hashes": [
+          {
+            "alg": "SHA-1",
+            "content": "25ed8e31b995bb927966616df2a42b979a2717f0"
+          },
+          {
+            "alg": "SHA-256",
+            "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
+          }
+        ]
+      }
+    ],
+    "authors": [
+      {
+        "name": "Samantha Wright",
+        "email": "samantha.wright@example.com",
+        "phone": "800-555-1212"
+      }
+    ],
+    "component": {
+      "type": "application",
+      "author": "Acme Super Heros",
+      "name": "Acme Application",
+      "version": "9.1.1",
+      "swid": {
+        "text": {
+          "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==",
+          "contentType": "text/xml",
+          "encoding": "base64"
+        },
+        "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1",
+        "name": "Acme Application",
+        "version": "9.1.1"
+      }
+    },
+    "manufacture": {
+      "name": "Acme, Inc.",
+      "url": [
+        "https://example.com"
+      ],
+      "contact": [
+        {
+          "name": "Acme Professional Services",
+          "email": "professional.services@example.com"
+        }
+      ]
+    },
+    "supplier": {
+      "name": "Acme, Inc.",
+      "url": [
+        "https://example.com"
+      ],
+      "contact": [
+        {
+          "name": "Acme Distribution",
+          "email": "distribution@example.com"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:npm/acme/component@1.0.0",
+      "type": "library",
+      "publisher": "Acme Inc",
+      "group": "com.acme",
+      "name": "tomcat-catalina",
+      "version": "9.0.14",
+      "hashes": [
+        {
+          "alg": "MD5",
+          "content": "3942447fac867ae5cdb3229b658f4d48"
+        },
+        {
+          "alg": "SHA-1",
+          "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+        },
+        {
+          "alg": "SHA-256",
+          "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+        },
+        {
+          "alg": "SHA-512",
+          "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "text": {
+              "content": "License text here",
+              "contentType": "text/plain",
+              "encoding": "base64"
+            },
+            "url": "https://www.apache.org/licenses/LICENSE-2.0.txt"
+          }
+        }
+      ],
+      "purl": "pkg:npm/acme/component@1.0.0",
+      "pedigree": {
+        "ancestors": [
+          {
+            "type": "library",
+            "publisher": "Acme Inc",
+            "group": "com.acme",
+            "name": "tomcat-catalina",
+            "version": "9.0.14"
+          },
+          {
+            "type": "library",
+            "publisher": "Acme Inc",
+            "group": "com.acme",
+            "name": "tomcat-catalina",
+            "version": "9.0.14"
+          }
+        ],
+        "commits": [
+          {
+            "uid": "123",
+            "author": {
+              "timestamp": "2018-11-13T20:20:39+00:00"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "type": "library",
+      "supplier": {
+        "name": "Example, Inc.",
+        "url": [
+          "https://example.com",
+          "https://example.net"
+        ],
+        "contact": [
+          {
+            "name": "Example Support AMER Distribution",
+            "email": "support@example.com",
+            "phone": "800-555-1212"
+          },
+          {
+            "name": "Example Support APAC",
+            "email": "support@apac.example.com"
+          }
+        ]
+      },
+      "author": "Example Super Heros",
+      "group": "org.example",
+      "name": "mylibrary",
+      "version": "1.0.0"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:npm/acme/component@1.0.0",
+      "dependsOn": [
+        "pkg:npm/acme/component@1.0.0"
+      ]
+    }
+  ]
+}
+

testdata/snapshots/cyclonedx-go-TestJsonBOMEncoder_EncodeVersion-func3-1.3.bom.json

@@ -0,0 +1,175 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2020-04-13T20:20:39+00:00",
+    "tools": [
+      {
+        "vendor": "Awesome Vendor",
+        "name": "Awesome Tool",
+        "version": "9.1.2",
+        "hashes": [
+          {
+            "alg": "SHA-1",
+            "content": "25ed8e31b995bb927966616df2a42b979a2717f0"
+          },
+          {
+            "alg": "SHA-256",
+            "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
+          }
+        ]
+      }
+    ],
+    "authors": [
+      {
+        "name": "Samantha Wright",
+        "email": "samantha.wright@example.com",
+        "phone": "800-555-1212"
+      }
+    ],
+    "component": {
+      "type": "application",
+      "author": "Acme Super Heros",
+      "name": "Acme Application",
+      "version": "9.1.1",
+      "swid": {
+        "text": {
+          "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==",
+          "contentType": "text/xml",
+          "encoding": "base64"
+        },
+        "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1",
+        "name": "Acme Application",
+        "version": "9.1.1"
+      }
+    },
+    "manufacture": {
+      "name": "Acme, Inc.",
+      "url": [
+        "https://example.com"
+      ],
+      "contact": [
+        {
+          "name": "Acme Professional Services",
+          "email": "professional.services@example.com"
+        }
+      ]
+    },
+    "supplier": {
+      "name": "Acme, Inc.",
+      "url": [
+        "https://example.com"
+      ],
+      "contact": [
+        {
+          "name": "Acme Distribution",
+          "email": "distribution@example.com"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:npm/acme/component@1.0.0",
+      "type": "library",
+      "publisher": "Acme Inc",
+      "group": "com.acme",
+      "name": "tomcat-catalina",
+      "version": "9.0.14",
+      "hashes": [
+        {
+          "alg": "MD5",
+          "content": "3942447fac867ae5cdb3229b658f4d48"
+        },
+        {
+          "alg": "SHA-1",
+          "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+        },
+        {
+          "alg": "SHA-256",
+          "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+        },
+        {
+          "alg": "SHA-512",
+          "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "text": {
+              "content": "License text here",
+              "contentType": "text/plain",
+              "encoding": "base64"
+            },
+            "url": "https://www.apache.org/licenses/LICENSE-2.0.txt"
+          }
+        }
+      ],
+      "purl": "pkg:npm/acme/component@1.0.0",
+      "pedigree": {
+        "ancestors": [
+          {
+            "type": "library",
+            "publisher": "Acme Inc",
+            "group": "com.acme",
+            "name": "tomcat-catalina",
+            "version": "9.0.14"
+          },
+          {
+            "type": "library",
+            "publisher": "Acme Inc",
+            "group": "com.acme",
+            "name": "tomcat-catalina",
+            "version": "9.0.14"
+          }
+        ],
+        "commits": [
+          {
+            "uid": "123",
+            "author": {
+              "timestamp": "2018-11-13T20:20:39+00:00"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "type": "library",
+      "supplier": {
+        "name": "Example, Inc.",
+        "url": [
+          "https://example.com",
+          "https://example.net"
+        ],
+        "contact": [
+          {
+            "name": "Example Support AMER Distribution",
+            "email": "support@example.com",
+            "phone": "800-555-1212"
+          },
+          {
+            "name": "Example Support APAC",
+            "email": "support@apac.example.com"
+          }
+        ]
+      },
+      "author": "Example Super Heros",
+      "group": "org.example",
+      "name": "mylibrary",
+      "version": "1.0.0"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:npm/acme/component@1.0.0",
+      "dependsOn": [
+        "pkg:npm/acme/component@1.0.0"
+      ]
+    }
+  ]
+}
+

testdata/snapshots/cyclonedx-go-TestJsonBOMEncoder_EncodeVersion-func3-1.4.bom.json

@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.0" version="1">
+  <components>
+    <component type="application">
+      <publisher>Acme Inc</publisher>
+      <group>com.acme</group>
+      <name>tomcat-catalina</name>
+      <version>9.0.14</version>
+      <description>Modified version of Apache Catalina</description>
+      <scope>required</scope>
+      <hashes>
+        <hash alg="MD5">3942447fac867ae5cdb3229b658f4d48</hash>
+        <hash alg="SHA-1">e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a</hash>
+        <hash alg="SHA-256">f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b</hash>
+        <hash alg="SHA-512">e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282</hash>
+      </hashes>
+      <licenses>
+        <license>
+          <id>Apache-2.0</id>
+        </license>
+      </licenses>
+      <purl>pkg:maven/com.acme/tomcat-catalina@9.0.14?packaging=jar</purl>
+      <modified>false</modified>
+    </component>
+    <component type="library">
+      <group>org.example</group>
+      <name>mylibrary</name>
+      <version>1.0.0</version>
+      <scope>required</scope>
+      <hashes>
+        <hash alg="MD5">2342c2eaf1feb9a80195dbaddf2ebaa3</hash>
+        <hash alg="SHA-1">68b78babe00a053f9e35ec6a2d9080f5b90122b0</hash>
+        <hash alg="SHA-256">708f1f53b41f11f02d12a11b1a38d2905d47b099afc71a0f1124ef8582ec7313</hash>
+        <hash alg="SHA-512">387b7ae16b9cae45f830671541539bf544202faae5aac544a93b7b0a04f5f846fa2f4e81ef3f1677e13aed7496408a441f5657ab6d54423e56bf6f38da124aef</hash>
+      </hashes>
+      <copyright>Copyright Example Inc. All rights reserved.</copyright>
+      <cpe>cpe:/a:example:myapplication:1.0.0</cpe>
+      <purl>pkg:maven/com.example/myapplication@1.0.0?packaging=war</purl>
+      <modified>false</modified>
+    </component>
+    <component type="framework">
+      <group>com.example</group>
+      <name>myframework</name>
+      <version>1.0.0</version>
+      <description>Example Inc, enterprise framework</description>
+      <scope>required</scope>
+      <hashes>
+        <hash alg="MD5">cfcb0b64aacd2f81c1cd546543de965a</hash>
+        <hash alg="SHA-1">7fbeef2346c45d565c3341f037bce4e088af8a52</hash>
+        <hash alg="SHA-256">0384db3cec55d86a6898c489fdb75a8e75fe66b26639634983d2f3c3558493d1</hash>
+        <hash alg="SHA-512">854909cdb9e3ca183056837144aab6d8069b377bd66445087cc7157bf0c3f620418705dd0b83bdc2f73a508c2bdb316ca1809d75ee6972d02023a3e7dd655c79</hash>
+      </hashes>
+      <licenses>
+        <license>
+          <name>Some random license</name>
+        </license>
+      </licenses>
+      <purl>pkg:maven/com.example/myframework@1.0.0?packaging=war</purl>
+      <modified>false</modified>
+    </component>
+  </components>
+</bom>