feat(spec1-5): add support for additional compositions and compositio…

…n identity

Signed-off-by: nscuro <nscuro@protonmail.com>

convert.go

@@ -87,6 +87,10 @@ func (b *BOM) convert(specVersion SpecVersion) {
 		convertVulnerabilities(b.Vulnerabilities, specVersion)
 	}
 
+	if b.Compositions != nil {
+		convertCompositions(b.Compositions, specVersion)
+	}
+
 	if b.ExternalReferences != nil {
 		convertExternalReferences(b.ExternalReferences, specVersion)
 	}
@@ -142,6 +146,19 @@ func componentConverter(specVersion SpecVersion) func(*Component) {
 	}
 }
 
+func convertCompositions(comps *[]Composition, specVersion SpecVersion) {
+	if comps == nil {
+		return
+	}
+
+	for i := range *comps {
+		comp := &(*comps)[i]
+		if !specVersion.supportsCompositionAggregate(comp.Aggregate) {
+			comp.Aggregate = CompositionAggregateUnknown
+		}
+	}
+}
+
 // convertExternalReferences modifies an ExternalReference slice such that it adheres to a given SpecVersion.
 func convertExternalReferences(extRefs *[]ExternalReference, specVersion SpecVersion) {
 	if extRefs == nil {
@@ -338,6 +355,16 @@ func (sv SpecVersion) supportsComponentType(cType ComponentType) bool {
 	return false
 }
 
+func (sv SpecVersion) supportsCompositionAggregate(ca CompositionAggregate) bool {
+	switch ca {
+	case CompositionAggregateIncompleteFirstPartyOpenSourceOnly, CompositionAggregateIncompleteFirstPartyProprietaryOnly,
+		CompositionAggregateIncompleteThirdPartyOpenSourceOnly, CompositionAggregateIncompleteThirdPartyProprietaryOnly:
+		return sv >= SpecVersion1_5
+	}
+
+	return sv >= SpecVersion1_3
+}
+
 func (sv SpecVersion) supportsExternalReferenceType(ert ExternalReferenceType) bool {
 	switch ert {
 	case ERTypeAdversaryModel, ERTypeAttestation, ERTypeCertificationReport, ERTypeCodifiedInfrastructure,

cyclonedx.go

@@ -166,20 +166,26 @@ type Component struct {
 }
 
 type Composition struct {
-	Aggregate    CompositionAggregate `json:"aggregate" xml:"aggregate"`
-	Assemblies   *[]BOMReference      `json:"assemblies,omitempty" xml:"assemblies>assembly,omitempty"`
-	Dependencies *[]BOMReference      `json:"dependencies,omitempty" xml:"dependencies>dependency,omitempty"`
+	BOMRef          string               `json:"bom-ref,omitempty" xml:"bom-ref,attr,omitempty"`
+	Aggregate       CompositionAggregate `json:"aggregate" xml:"aggregate"`
+	Assemblies      *[]BOMReference      `json:"assemblies,omitempty" xml:"assemblies>assembly,omitempty"`
+	Dependencies    *[]BOMReference      `json:"dependencies,omitempty" xml:"dependencies>dependency,omitempty"`
+	Vulnerabilities *[]BOMReference      `json:"vulnerabilities,omitempty" xml:"vulnerabilities>vulnerability,omitempty"`
 }
 
 type CompositionAggregate string
 
 const (
-	CompositionAggregateComplete                 CompositionAggregate = "complete"
-	CompositionAggregateIncomplete               CompositionAggregate = "incomplete"
-	CompositionAggregateIncompleteFirstPartyOnly CompositionAggregate = "incomplete_first_party_only"
-	CompositionAggregateIncompleteThirdPartyOnly CompositionAggregate = "incomplete_third_party_only"
-	CompositionAggregateUnknown                  CompositionAggregate = "unknown"
-	CompositionAggregateNotSpecified             CompositionAggregate = "not_specified"
+	CompositionAggregateComplete                            CompositionAggregate = "complete"
+	CompositionAggregateIncomplete                          CompositionAggregate = "incomplete"
+	CompositionAggregateIncompleteFirstPartyOnly            CompositionAggregate = "incomplete_first_party_only"
+	CompositionAggregateIncompleteFirstPartyOpenSourceOnly  CompositionAggregate = "incomplete_first_party_opensource_only"
+	CompositionAggregateIncompleteFirstPartyProprietaryOnly CompositionAggregate = "incomplete_first_party_proprietary_only"
+	CompositionAggregateIncompleteThirdPartyOnly            CompositionAggregate = "incomplete_third_party_only"
+	CompositionAggregateIncompleteThirdPartyOpenSourceOnly  CompositionAggregate = "incomplete_third_party_opensource_only"
+	CompositionAggregateIncompleteThirdPartyProprietaryOnly CompositionAggregate = "incomplete_third_party_proprietary_only"
+	CompositionAggregateNotSpecified                        CompositionAggregate = "not_specified"
+	CompositionAggregateUnknown                             CompositionAggregate = "unknown"
 )
 
 type Copyright struct {

testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-compositions.json

@@ -46,6 +46,7 @@
   ],
   "compositions": [
     {
+      "bom-ref": "composition-1",
       "aggregate": "complete",
       "assemblies": [
         "pkg:maven/partner/shaded-library@1.0"
@@ -59,6 +60,21 @@
       "assemblies": [
         "pkg:maven/acme/library@3.0"
       ]
+    },
+    {
+      "aggregate": "incomplete_first_party_only",
+      "vulnerabilities": [
+        "vulnerability-1"
+      ]
+    }
+  ],
+  "vulnerabilities": [
+    {
+      "bom-ref": "vulnerability-1",
+      "id": "ACME-12345",
+      "source": {
+        "name": "Acme Inc"
+      }
     }
   ]
 }

testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-compositions.xml

@@ -32,7 +32,7 @@
     </dependency>
   </dependencies>
   <compositions>
-    <composition>
+    <composition bom-ref="composition-1">
       <aggregate>complete</aggregate>
       <assemblies>
         <assembly ref="pkg:maven/partner/shaded-library@1.0"></assembly>
@@ -47,5 +47,19 @@
         <assembly ref="pkg:maven/acme/library@3.0"></assembly>
       </assemblies>
     </composition>
+    <composition>
+      <aggregate>incomplete_first_party_only</aggregate>
+      <assemblies>
+        <assembly ref="vulnerability-1"></assembly>
+      </assemblies>
+    </composition>
   </compositions>
+  <vulnerabilities>
+    <vulnerability bom-ref="vulnerability-1">
+      <id>ACME-12345</id>
+      <source>
+        <name>Acme Inc</name>
+      </source>
+    </vulnerability>
+  </vulnerabilities>
 </bom>

testdata/valid-compositions.json

@@ -44,8 +44,18 @@
       ]
     }
   ],
+  "vulnerabilities": [
+    {
+      "bom-ref": "vulnerability-1",
+      "id": "ACME-12345",
+      "source": {
+        "name": "Acme Inc"
+      }
+    }
+  ],
   "compositions": [
     {
+      "bom-ref": "composition-1",
       "aggregate": "complete",
       "assemblies": [
         "pkg:maven/partner/shaded-library@1.0"
@@ -59,6 +69,12 @@
       "assemblies": [
         "pkg:maven/acme/library@3.0"
       ]
+    },
+    {
+      "aggregate": "incomplete_first_party_only",
+      "vulnerabilities": [
+        "vulnerability-1"
+      ]
     }
   ]
 }

testdata/valid-compositions.xml

@@ -31,8 +31,16 @@
             <dependency ref="pkg:maven/acme/library@3.0"/>
         </dependency>
     </dependencies>
+    <vulnerabilities>
+        <vulnerability bom-ref="vulnerability-1">
+            <id>ACME-12345</id>
+            <source>
+                <name>Acme Inc</name>
+            </source>
+        </vulnerability>
+    </vulnerabilities>
     <compositions>
-        <composition>
+        <composition bom-ref="composition-1">
             <aggregate>complete</aggregate>
             <assemblies>
                 <assembly ref="pkg:maven/partner/shaded-library@1.0"/>
@@ -47,5 +55,11 @@
                 <assembly ref="pkg:maven/acme/library@3.0"/>
             </assemblies>
         </composition>
+        <composition>
+            <aggregate>incomplete_first_party_only</aggregate>
+            <assemblies>
+                <assembly ref="vulnerability-1"/>
+            </assemblies>
+        </composition>
     </compositions>
 </bom>