Specification version 1.5 support #109

Closed
paulkoko opened this issue Jul 13, 2023 · 12 comments · Fixed by #90
@paulkoko

Are there plans to add support for 1.5?

@nscuro
Member

nscuro commented Jul 14, 2023

Hi @paulkoko, yes it is planned and I'm working on it. Just scrambling for time to complete it currently.

A good chunk is already done in #90, and some tiny parts are already merged to master.

@niclas-g

Hi, any updates on this progress?
(Trivy defaults to 1.5 in its output since Jun 30 - which we are unable to consume currently)

@nscuro
Member

nscuro commented Aug 22, 2023

Hey @niclas-g, I really want to get this done but am a bit time constrained with other priorities right now.

If you're willing and able to, you could help by either contributing missing parts in #90, or alternatively test the changes that currently exist in that branch, and let me know of any issues you run into.

If you have an existing code base you could test on with v1.5 BOMs, that'd be super helpful.

When you say you can't consume BOMs generated by Trivy, is it that info is being dropped, or is decoding failing entirely?

@niclas-g

> If you're willing and able to, you could help by either contributing missing parts in #90, or alternatively test the changes that currently exist in that branch, and let me know of any issues you run into.
>
> If you have an existing code base you could test on with v1.5 BOMs, that'd be super helpful.

I'll be happy to test against our codebase, I'll see if I can put some time towards it this week or next.

> When you say you can't consume BOMs generated by Trivy, is it that info is being dropped, or is decoding failing entirely?

Decoding fails entirely, it returns an ErrInvalidSpecVersion here when it discovers that it's an unsupported version.

@nscuro
Member

nscuro commented Aug 23, 2023

@niclas-g
> Decoding fails entirely, it returns an ErrInvalidSpecVersion here when it discovers that it's an unsupported version.

Ah, I see. This is technically fixed in master already:

```go
func (sv *SpecVersion) UnmarshalJSON(bytes []byte) error {
	var v string
	err := json.Unmarshal(bytes, &v)
	if err != nil {
		return err
	}
	switch v {
	case SpecVersion1_0.String():
		*sv = SpecVersion1_0
	case SpecVersion1_1.String():
		*sv = SpecVersion1_1
	case SpecVersion1_2.String():
		*sv = SpecVersion1_2
	case SpecVersion1_3.String():
		*sv = SpecVersion1_3
	case SpecVersion1_4.String():
		*sv = SpecVersion1_4
	case SpecVersion1_5.String():
		*sv = SpecVersion1_5
	default:
		return ErrInvalidSpecVersion
	}
	return nil
}

var jsonSchemas = map[SpecVersion]string{
	SpecVersion1_0: "",
	SpecVersion1_1: "",
	SpecVersion1_2: "http://cyclonedx.org/schema/bom-1.2.schema.json",
	SpecVersion1_3: "http://cyclonedx.org/schema/bom-1.3.schema.json",
	SpecVersion1_4: "http://cyclonedx.org/schema/bom-1.4.schema.json",
	SpecVersion1_5: "http://cyclonedx.org/schema/bom-1.5.schema.json",
}
```

For a short-term "solution" I could cut a v0.7.2 release, so that at least decoding works again. Would that help?
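To show what the fail-closed version check above means for a consumer, here is an added, self-contained example (not the cyclonedx-go library's code): a trimmed stand-in for `SpecVersion` with the same switch-style `UnmarshalJSON`, plus a `DecodeBOM` helper that lets a caller tell "unsupported spec version" apart from malformed JSON. The `SpecVersion` constants, `BOM` struct and the sample document are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
)

// Stand-in for the library's SpecVersion type (assumption: same String()
// values and the same switch-based UnmarshalJSON shown in the comment above).
type SpecVersion int

const (
	SpecVersion1_4 SpecVersion = iota + 1
	SpecVersion1_5
)

var ErrInvalidSpecVersion = errors.New("invalid specification version")

func (sv SpecVersion) String() string {
	return map[SpecVersion]string{SpecVersion1_4: "1.4", SpecVersion1_5: "1.5"}[sv]
}

// UnmarshalJSON accepts only known versions; anything else fails closed with
// ErrInvalidSpecVersion instead of parsing a document the code cannot interpret.
func (sv *SpecVersion) UnmarshalJSON(b []byte) error {
	var v string
	if err := json.Unmarshal(b, &v); err != nil {
		return err
	}
	switch v {
	case SpecVersion1_4.String():
		*sv = SpecVersion1_4
	case SpecVersion1_5.String():
		*sv = SpecVersion1_5
	default:
		return ErrInvalidSpecVersion
	}
	return nil
}

// BOM carries only the envelope fields needed to show the version check.
type BOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion SpecVersion `json:"specVersion"`
}

// Constructed sample: a minimal 1.5 envelope such as Trivy would emit.
var SampleBOM15 = []byte(`{"bomFormat":"CycloneDX","specVersion":"1.5"}`)

// DecodeBOM parses a JSON BOM; unsupported is true when the only problem is an
// unknown specVersion, so callers can distinguish it from malformed input.
func DecodeBOM(data []byte) (bom *BOM, unsupported bool, err error) {
	bom = new(BOM)
	if err = json.Unmarshal(data, bom); err != nil {
		return nil, errors.Is(err, ErrInvalidSpecVersion), err
	}
	return bom, false, nil
}
```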

@niclas-g

@nscuro, that would be great!

@nscuro
Member

nscuro commented Aug 23, 2023

@niclas-g Here we go: https://github.com/CycloneDX/cyclonedx-go/releases/tag/v0.7.2

Would still very much appreciate it if you could also test the spec-v1.5 branch with your code base! :)

@niclas-g

Thanks @nscuro! I'll have a look at the release shortly and try out the branch against our code base next week.

@niclas-g

niclas-g commented Aug 30, 2023

Ok, now I have had some time to test the spec-v1.5 branch against our codebase and it runs without any problems @nscuro. That said, we are not looking at anything new introduced in the 1.5 version yet. But the branch doesn't break our application, so we are happy :) Keep up the good work! 👍

@esnible

esnible commented Sep 28, 2023

Is there a list of 1.5 features that are not yet supported? For example

  • modelcard
  • data
  • signature
  • additionalProperties
  • attachment
  • hash-alg
  • condition

@esnible

esnible commented Oct 30, 2023

I am concerned about Metadata.Tools, https://github.com/CycloneDX/cyclonedx-go/blob/master/cyclonedx.go#L439

It seems like it will not be possible to deserialize both 1.4 and 1.5 SBOMs into the same structure without a custom deserializer.

@benjsc

benjsc commented Dec 6, 2023

Handling Metadata.tools discussion is in #115
