The resolves entries of a Patch object are not serialized to XML #313
Labels
bug
Something isn't working
Comments
|
any updates? |
|
This is fixed with the new serialization since 4.0. import sys
from packageurl import PackageURL
from cyclonedx.exception import MissingOptionalDependencyException
from cyclonedx.factory.license import LicenseFactory
from cyclonedx.model import OrganizationalEntity, XsUri
from cyclonedx.model.bom import Bom
from cyclonedx.model.component import Component, ComponentType, Pedigree, Patch, PatchClassification
from cyclonedx.output import make_outputter, LATEST_SUPPORTED_SCHEMA_VERSION
from cyclonedx.output.json import JsonV1Dot4
from cyclonedx.schema import SchemaVersion, OutputFormat
from cyclonedx.validation.json import JsonStrictValidator
from cyclonedx.validation import make_schemabased_validator
from cyclonedx.model.issue import *
from typing import TYPE_CHECKING
if TYPE_CHECKING:
from cyclonedx.output.json import Json as JsonOutputter
from cyclonedx.output.xml import Xml as XmlOutputter
from cyclonedx.validation.xml import XmlValidator
lc_factory = LicenseFactory()
# region build the BOM
bom = Bom()
bom.metadata.component = root_component = Component(
name='myApp',
type=ComponentType.APPLICATION,
licenses=[lc_factory.make_from_string('MIT')],
bom_ref='myApp',
)
component1 = Component(
type=ComponentType.LIBRARY,
name='some-component',
group='acme',
version='1.33.7-beta.1',
licenses=[lc_factory.make_from_string('(c) 2021 Acme inc.')],
supplier=OrganizationalEntity(
name='Acme Inc',
urls=[XsUri('https://www.acme.org')]
),
bom_ref='[email protected]',
purl=PackageURL('generic', 'acme', 'some-component', '1.33.7-beta.1')
)
bom.components.add(component1)
bom.register_dependency(root_component, [component1])
component2 = Component(
type=ComponentType.LIBRARY,
name='some-library',
licenses=[lc_factory.make_from_string('GPL-3.0-only WITH Classpath-exception-2.0')]
)
bom.components.add(component2)
bom.register_dependency(component1, [component2])
iss = IssueType(
type=IssueClassification.SECURITY,
name='FooBar Gap',
description='Serious hole when using FooBar')
pat = Patch(type=PatchClassification.BACKPORT, resolves=[iss])
ped = Pedigree(patches=[pat])
component2.pedigree = ped
my_xml_outputter: 'XmlOutputter' = make_outputter(bom, OutputFormat.XML, LATEST_SUPPORTED_SCHEMA_VERSION)
serialized_xml = my_xml_outputter.output_as_string(indent=2)
print(serialized_xml)
my_xml_validator: 'XmlValidator' = make_schemabased_validator(
my_xml_outputter.output_format, my_xml_outputter.schema_version)
try:
validation_errors = my_xml_validator.validate_str(serialized_xml)
if validation_errors:
print('XML invalid', 'ValidationError:', repr(validation_errors), sep='\n', file=sys.stderr)
sys.exit(2)
print('XML valid')
except MissingOptionalDependencyException as error:
print('XML-validation was skipped due to', error)This correctly outputs: <?xml version="1.0" ?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:b5fa4fd9-1b60-4561-8584-b208fae16c20" version="1">
<metadata>
<timestamp>2023-11-23T16:59:26.276007+00:00</timestamp>
<tools>
<tool>
<vendor>CycloneDX</vendor>
<name>cyclonedx-python-lib</name>
<version>5.1.1</version>
<externalReferences>
<reference type="build-system">
<url>https://github.com/CycloneDX/cyclonedx-python-lib/actions</url>
</reference>
<reference type="distribution">
<url>https://pypi.org/project/cyclonedx-python-lib/</url>
</reference>
<reference type="documentation">
<url>https://cyclonedx-python-library.readthedocs.io/</url>
</reference>
<reference type="issue-tracker">
<url>https://github.com/CycloneDX/cyclonedx-python-lib/issues</url>
</reference>
<reference type="license">
<url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE</url>
</reference>
<reference type="release-notes">
<url>https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md</url>
</reference>
<reference type="vcs">
<url>https://github.com/CycloneDX/cyclonedx-python-lib</url>
</reference>
<reference type="website">
<url>https://github.com/CycloneDX/cyclonedx-python-lib/#readme</url>
</reference>
</externalReferences>
</tool>
</tools>
<component type="application" bom-ref="myApp">
<name>myApp</name>
<licenses>
<license>
<id>MIT</id>
</license>
</licenses>
</component>
</metadata>
<components>
<component type="library" bom-ref="[email protected]">
<supplier>
<name>Acme Inc</name>
<url>https://www.acme.org</url>
</supplier>
<group>acme</group>
<name>some-component</name>
<version>1.33.7-beta.1</version>
<licenses>
<license>
<name>(c) 2021 Acme inc.</name>
</license>
</licenses>
<purl>pkg:generic/acme/[email protected]</purl>
</component>
<component type="library" bom-ref="7b0a78c3-0e7d-4323-af34-491989173de3">
<name>some-library</name>
<licenses>
<expression>GPL-3.0-only WITH Classpath-exception-2.0</expression>
</licenses>
<pedigree>
<patches>
<patch type="backport">
<resolves>
<issue type="security">
<name>FooBar Gap</name>
<description>Serious hole when using FooBar</description>
</issue>
</resolves>
</patch>
</patches>
</pedigree>
</component>
</components>
<dependencies>
<dependency ref="7b0a78c3-0e7d-4323-af34-491989173de3"/>
<dependency ref="myApp">
<dependency ref="[email protected]"/>
</dependency>
<dependency ref="[email protected]">
<dependency ref="7b0a78c3-0e7d-4323-af34-491989173de3"/>
</dependency>
</dependencies>
</bom> |
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
When a BOM is created that has Patch objects with a non empty resolves property, the Issues are ignored and do not appear in the output.
The resolves property stored in a ReleaseNote object is already correctly serialized, so it is just a matter of some code reuse.
See:
#312 for a patch and test.
The text was updated successfully, but these errors were encountered: