diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index 113ed928..6fa11761 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -51,9 +51,78 @@ def sha1sum(filename: str) -> str: return h.hexdigest() +class DataFlow(Enum): + """ + This is our internal representation of the dataFlowType simple type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/xml/#type_dataFlowType + """ + INBOUND = "inbound" + OUTBOUND = "outbound" + BI_DIRECTIONAL = "bi-directional" + UNKNOWN = "unknown" + + +class DataClassification: + """ + This is our internal representation of the `dataClassificationType` complex type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema for dataClassificationType: + https://cyclonedx.org/docs/1.4/xml/#type_dataClassificationType + """ + + def __init__(self, flow: DataFlow, classification: str) -> None: + if not flow and not classification: + raise NoPropertiesProvidedException( + 'One of `flow` or `classification` must be supplied - neither supplied' + ) + + self.flow = flow + self.classification = classification + + @property + def flow(self) -> DataFlow: + """ + Specifies the flow direction of the data. + + Valid values are: inbound, outbound, bi-directional, and unknown. + + Direction is relative to the service. + + - Inbound flow states that data enters the service + - Outbound flow states that data leaves the service + - Bi-directional states that data flows both ways + - Unknown states that the direction is not known + + Returns: + `DataFlow` + """ + return self._flow + + @flow.setter + def flow(self, flow: DataFlow) -> None: + self._flow = flow + + @property + def classification(self) -> str: + """ + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. + + Returns: + `str` + """ + return self._classification + + @classification.setter + def classification(self, classification: str) -> None: + self._classification = classification + + class Encoding(Enum): """ - This is out internal representation of the encoding simple type within the CycloneDX standard. + This is our internal representation of the encoding simple type within the CycloneDX standard. .. note:: See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/#type_encoding diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index d0aa0068..c15cad82 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -18,11 +18,12 @@ # Copyright (c) OWASP Foundation. All Rights Reserved. from datetime import datetime, timezone -from typing import List, Optional +from typing import cast, List, Optional from uuid import uuid4, UUID from . import ThisTool, Tool from .component import Component +from .service import Service from ..parser import BaseParser @@ -133,7 +134,7 @@ def from_parser(parser: BaseParser) -> 'Bom': bom.add_components(parser.get_components()) return bom - def __init__(self) -> None: + def __init__(self, components: Optional[List[Component]] = None, services: Optional[List[Service]] = None) -> None: """ Create a new Bom that you can manually/programmatically add data to later. @@ -142,7 +143,8 @@ def __init__(self) -> None: """ self.uuid = uuid4() self.metadata = BomMetaData() - self._components: List[Component] = [] + self.components = components + self.services = services @property def uuid(self) -> UUID: @@ -176,17 +178,17 @@ def metadata(self, metadata: BomMetaData) -> None: self._metadata = metadata @property - def components(self) -> List[Component]: + def components(self) -> Optional[List[Component]]: """ Get all the Components currently in this Bom. Returns: - List of all Components in this Bom. + List of all Components in this Bom or `None` """ return self._components @components.setter - def components(self, components: List[Component]) -> None: + def components(self, components: Optional[List[Component]]) -> None: self._components = components def add_component(self, component: Component) -> None: @@ -200,8 +202,10 @@ def add_component(self, component: Component) -> None: Returns: None """ - if not self.has_component(component=component): - self._components.append(component) + if not self.components: + self.components = [component] + elif not self.has_component(component=component): + self.components.append(component) def add_components(self, components: List[Component]) -> None: """ @@ -214,7 +218,7 @@ def add_components(self, components: List[Component]) -> None: Returns: None """ - self.components = self._components + components + self.components = (self._components or []) + components def component_count(self) -> int: """ @@ -223,7 +227,7 @@ def component_count(self) -> int: Returns: The number of Components in this Bom as `int`. """ - return len(self._components) + return len(self._components) if self._components else 0 def get_component_by_purl(self, purl: Optional[str]) -> Optional[Component]: """ @@ -236,8 +240,11 @@ def get_component_by_purl(self, purl: Optional[str]) -> Optional[Component]: Returns: `Component` or `None` """ + if not self._components: + return None + if purl: - found = list(filter(lambda x: x.purl == purl, self.components)) + found = list(filter(lambda x: x.purl == purl, cast(List[Component], self.components))) if len(found) == 1: return found[0] @@ -263,7 +270,80 @@ def has_component(self, component: Component) -> bool: Returns: `bool` - `True` if the supplied Component is part of this Bom, `False` otherwise. """ - return component in self._components + if not self.components: + return False + return component in self.components + + @property + def services(self) -> Optional[List[Service]]: + """ + Get all the Services currently in this Bom. + + Returns: + List of `Service` in this Bom or `None` + """ + return self._services + + @services.setter + def services(self, services: Optional[List[Service]]) -> None: + self._services = services + + def add_service(self, service: Service) -> None: + """ + Add a Service to this Bom instance. + + Args: + service: + `cyclonedx.model.service.Service` instance to add to this Bom. + + Returns: + None + """ + if not self.services: + self.services = [service] + elif not self.has_service(service=service): + self.services.append(service) + + def add_services(self, services: List[Service]) -> None: + """ + Add multiple Services at once to this Bom instance. + + Args: + services: + List of `cyclonedx.model.service.Service` instances to add to this Bom. + + Returns: + None + """ + self.services = (self.services or []) + services + + def has_service(self, service: Service) -> bool: + """ + Check whether this Bom contains the provided Service. + + Args: + service: + The instance of `cyclonedx.model.service.Service` to check if this Bom contains. + + Returns: + `bool` - `True` if the supplied Service is part of this Bom, `False` otherwise. + """ + if not self.services: + return False + + return service in self.services + + def service_count(self) -> int: + """ + Returns the current count of Services within this Bom. + + Returns: + The number of Services in this Bom as `int`. + """ + if not self.services: + return 0 + + return len(self.services) def has_vulnerabilities(self) -> bool: """ @@ -273,8 +353,9 @@ def has_vulnerabilities(self) -> bool: `bool` - `True` if at least one `cyclonedx.model.component.Component` has at least one Vulnerability, `False` otherwise. """ - for c in self.components: - if c.has_vulnerabilities(): - return True + if self.components: + for c in self.components: + if c.has_vulnerabilities(): + return True return False diff --git a/cyclonedx/model/issue.py b/cyclonedx/model/issue.py index befd21d7..029f1540 100644 --- a/cyclonedx/model/issue.py +++ b/cyclonedx/model/issue.py @@ -26,7 +26,7 @@ class IssueClassification(Enum): This is out internal representation of the enum `issueClassification`. .. note:: - See the CycloneDX Schema definition: hhttps://cyclonedx.org/docs/1.4/xml/#type_issueClassification + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.4/xml/#type_issueClassification """ DEFECT = 'defect' ENHANCEMENT = 'enhancement' diff --git a/cyclonedx/model/service.py b/cyclonedx/model/service.py new file mode 100644 index 00000000..674d0761 --- /dev/null +++ b/cyclonedx/model/service.py @@ -0,0 +1,294 @@ +# encoding: utf-8 + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +from typing import List, Optional +from uuid import uuid4 + +from . import ExternalReference, DataClassification, LicenseChoice, OrganizationalEntity, Property, XsUri # , Signature +from .release_note import ReleaseNotes + +""" +This set of classes represents the data that is possible about known Services. + +.. note:: + See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.4/xml/#type_servicesType +""" + + +class Service: + """ + Class that models the `service` complex type in the CycloneDX schema. + + .. note:: + See the CycloneDX schema: https://cyclonedx.org/docs/1.4/xml/#type_service + """ + + def __init__(self, name: str, bom_ref: Optional[str] = None, provider: Optional[OrganizationalEntity] = None, + group: Optional[str] = None, version: Optional[str] = None, description: Optional[str] = None, + endpoints: Optional[List[XsUri]] = None, authenticated: Optional[bool] = None, + x_trust_boundary: Optional[bool] = None, data: Optional[List[DataClassification]] = None, + licenses: Optional[List[LicenseChoice]] = None, + external_references: Optional[List[ExternalReference]] = None, + properties: Optional[List[Property]] = None, + # services: Optional[List[Service]] = None, -- I have no clue how to do this, + # commenting out so someone else can + release_notes: Optional[ReleaseNotes] = None, + ) -> None: + self.bom_ref = bom_ref or str(uuid4()) + self.provider = provider + self.group = group + self.name = name + self.version = version + self.description = description + self.endpoints = endpoints + self.authenticated = authenticated + self.x_trust_boundary = x_trust_boundary + self.data = data + self.licenses = licenses or [] + self.external_references = external_references or [] + # self.services = services -- no clue + self.release_notes = release_notes + self.properties = properties + + @property + def bom_ref(self) -> Optional[str]: + """ + An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced + within all elements and children of the root-level bom element. + + If a value was not provided in the constructor, a UUIDv4 will have been assigned. + + Returns: + `str` unique identifier for this Service + """ + return self._bom_ref + + @bom_ref.setter + def bom_ref(self, bom_ref: Optional[str]) -> None: + self._bom_ref = bom_ref + + @property + def provider(self) -> Optional[OrganizationalEntity]: + """ + Get the The organization that provides the service. + + Returns: + `OrganizationalEntity` if set else `None` + """ + return self._provider + + @provider.setter + def provider(self, provider: Optional[OrganizationalEntity]) -> None: + self._provider = provider + + @property + def group(self) -> Optional[str]: + """ + The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or + project that produced the service or domain name. Whitespace and special characters should be avoided. + + Returns: + `str` if provided else `None` + """ + return self._group + + @group.setter + def group(self, group: Optional[str]) -> None: + self._group = group + + @property + def name(self) -> str: + """ + The name of the service. This will often be a shortened, single name of the service. + + Returns: + `str` + """ + return self._name + + @name.setter + def name(self, name: str) -> None: + self._name = name + + @property + def version(self) -> Optional[str]: + """ + The service version. + + Returns: + `str` if set else `None` + """ + return self._version + + @version.setter + def version(self, version: Optional[str]) -> None: + self._version = version + + @property + def description(self) -> Optional[str]: + """ + Specifies a description for the service. + + Returns: + `str` if set else `None` + """ + return self._description + + @description.setter + def description(self, description: Optional[str]) -> None: + self._description = description + + @property + def endpoints(self) -> Optional[List[XsUri]]: + """ + A list of endpoints URI's this service provides. + + Returns: + List of `XsUri` else `None` + """ + return self._endpoints + + @endpoints.setter + def endpoints(self, endpoints: Optional[List[XsUri]]) -> None: + self._endpoints = endpoints + + def add_endpoint(self, endpoint: XsUri) -> None: + """ + Add an endpoint URI for this Service. + + Args: + endpoint: + `XsUri` instance to add + + Returns: + None + """ + self.endpoints = (self._endpoints or []) + [endpoint] + + @property + def authenticated(self) -> Optional[bool]: + """ + A boolean value indicating if the service requires authentication. A value of true indicates the service + requires authentication prior to use. + + A value of false indicates the service does not require authentication. + + Returns: + `bool` if set else `None` + """ + return self._authenticated + + @authenticated.setter + def authenticated(self, authenticated: Optional[bool]) -> None: + self._authenticated = authenticated + + @property + def x_trust_boundary(self) -> Optional[bool]: + """ + A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates + that by using the service, a trust boundary is crossed. + + A value of false indicates that by using the service, a trust boundary is not crossed. + + Returns: + `bool` if set else `None` + """ + return self._x_trust_boundary + + @x_trust_boundary.setter + def x_trust_boundary(self, x_trust_boundary: Optional[bool]) -> None: + self._x_trust_boundary = x_trust_boundary + + @property + def data(self) -> Optional[List[DataClassification]]: + """ + Specifies the data classification. + + Returns: + List of `DataClassificiation` or `None` + """ + return self._data + + @data.setter + def data(self, data: Optional[List[DataClassification]]) -> None: + self._data = data + + @property + def licenses(self) -> List[LicenseChoice]: + """ + A optional list of statements about how this Service is licensed. + + Returns: + List of `LicenseChoice` else `None` + """ + return self._licenses + + @licenses.setter + def licenses(self, licenses: List[LicenseChoice]) -> None: + self._licenses = licenses + + @property + def external_references(self) -> List[ExternalReference]: + """ + Provides the ability to document external references related to the Service. + + Returns: + List of `ExternalReference`s + """ + return self._external_references + + @external_references.setter + def external_references(self, external_references: List[ExternalReference]) -> None: + self._external_references = external_references + + def add_external_reference(self, reference: ExternalReference) -> None: + """ + Add an `ExternalReference` to this `Service`. + + Args: + reference: + `ExternalReference` instance to add. + """ + self.external_references = self._external_references + [reference] + + @property + def release_notes(self) -> Optional[ReleaseNotes]: + """ + Specifies optional release notes. + + Returns: + `ReleaseNotes` or `None` + """ + return self._release_notes + + @release_notes.setter + def release_notes(self, release_notes: Optional[ReleaseNotes]) -> None: + self._release_notes = release_notes + + @property + def properties(self) -> Optional[List[Property]]: + """ + Provides the ability to document properties in a key/value store. This provides flexibility to include data not + officially supported in the standard without having to use additional namespaces or create extensions. + + Return: + List of `Property` or `None` + """ + return self._properties + + @properties.setter + def properties(self, properties: Optional[List[Property]]) -> None: + self._properties = properties diff --git a/cyclonedx/output/json.py b/cyclonedx/output/json.py index 1b7bcdec..e8460a20 100644 --- a/cyclonedx/output/json.py +++ b/cyclonedx/output/json.py @@ -19,13 +19,14 @@ import json from abc import abstractmethod -from typing import Any, Dict, List, Optional, Union +from typing import cast, Any, Dict, List, Optional, Union from . import BaseOutput from .schema import BaseSchemaVersion, SchemaVersion1Dot0, SchemaVersion1Dot1, SchemaVersion1Dot2, SchemaVersion1Dot3, \ SchemaVersion1Dot4 from .serializer.json import CycloneDxJSONEncoder from ..model.bom import Bom +from ..model.component import Component ComponentDict = Dict[str, Union[ @@ -51,11 +52,12 @@ def generate(self, force_regeneration: bool = False) -> None: return vulnerabilities: Dict[str, List[Dict[Any, Any]]] = {"vulnerabilities": []} - for component in self.get_bom().components: - for vulnerability in component.get_vulnerabilities(): - vulnerabilities['vulnerabilities'].append( - json.loads(json.dumps(vulnerability, cls=CycloneDxJSONEncoder)) - ) + if self.get_bom().components: + for component in cast(List[Component], self.get_bom().components): + for vulnerability in component.get_vulnerabilities(): + vulnerabilities['vulnerabilities'].append( + json.loads(json.dumps(vulnerability, cls=CycloneDxJSONEncoder)) + ) bom_json = json.loads(json.dumps(self.get_bom(), cls=CycloneDxJSONEncoder)) bom_json = json.loads(self._specialise_output_for_schema_version(bom_json=bom_json)) @@ -94,6 +96,15 @@ def _specialise_output_for_schema_version(self, bom_json: Dict[Any, Any]) -> str else: bom_json['components'] = [] + # Iterate Services + if 'services' in bom_json.keys(): + for i in range(len(bom_json['services'])): + if not self.services_supports_properties() and 'properties' in bom_json['services'][i].keys(): + del bom_json['services'][i]['properties'] + + if not self.services_supports_release_notes() and 'releaseNotes' in bom_json['services'][i].keys(): + del bom_json['services'][i]['releaseNotes'] + # Iterate Vulnerabilities if 'vulnerabilities' in bom_json.keys(): for i in range(len(bom_json['vulnerabilities'])): diff --git a/cyclonedx/output/schema.py b/cyclonedx/output/schema.py index 87e8ca18..138f613c 100644 --- a/cyclonedx/output/schema.py +++ b/cyclonedx/output/schema.py @@ -31,6 +31,15 @@ def bom_metadata_supports_tools(self) -> bool: def bom_metadata_supports_tools_external_references(self) -> bool: return True + def bom_supports_services(self) -> bool: + return True + + def services_supports_properties(self) -> bool: + return True + + def services_supports_release_notes(self) -> bool: + return True + def bom_supports_vulnerabilities(self) -> bool: return True @@ -77,6 +86,9 @@ class SchemaVersion1Dot3(BaseSchemaVersion): def bom_metadata_supports_tools_external_references(self) -> bool: return False + def services_supports_release_notes(self) -> bool: + return False + def bom_supports_vulnerabilities(self) -> bool: return False @@ -98,6 +110,12 @@ class SchemaVersion1Dot2(BaseSchemaVersion): def bom_metadata_supports_tools_external_references(self) -> bool: return False + def services_supports_properties(self) -> bool: + return False + + def services_supports_release_notes(self) -> bool: + return False + def bom_supports_vulnerabilities(self) -> bool: return False @@ -122,6 +140,15 @@ def bom_metadata_supports_tools(self) -> bool: def bom_metadata_supports_tools_external_references(self) -> bool: return False + def bom_supports_services(self) -> bool: + return False + + def services_supports_properties(self) -> bool: + return False + + def services_supports_release_notes(self) -> bool: + return False + def bom_supports_vulnerabilities(self) -> bool: return False @@ -152,6 +179,15 @@ def bom_metadata_supports_tools(self) -> bool: def bom_metadata_supports_tools_external_references(self) -> bool: return False + def bom_supports_services(self) -> bool: + return False + + def services_supports_properties(self) -> bool: + return False + + def services_supports_release_notes(self) -> bool: + return False + def bom_supports_vulnerabilities(self) -> bool: return False diff --git a/cyclonedx/output/serializer/json.py b/cyclonedx/output/serializer/json.py index e1a65267..5d0398c6 100644 --- a/cyclonedx/output/serializer/json.py +++ b/cyclonedx/output/serializer/json.py @@ -31,7 +31,7 @@ from cyclonedx.model import XsUri HYPHENATED_ATTRIBUTES = [ - 'bom_ref', 'mime_type' + 'bom_ref', 'mime_type', 'x_trust_boundary' ] PYTHON_TO_JSON_NAME = compile(r'_([a-z])') @@ -78,7 +78,7 @@ def default(self, o: Any) -> Any: new_key = PYTHON_TO_JSON_NAME.sub(lambda x: x.group(1).upper(), new_key) # Skip any None values - if v: + if v or v is False: if isinstance(v, PackageURL): # Special handling of PackageURL instances which JSON would otherwise automatically encode to # an Array diff --git a/cyclonedx/output/xml.py b/cyclonedx/output/xml.py index c4ba91fc..1282449e 100644 --- a/cyclonedx/output/xml.py +++ b/cyclonedx/output/xml.py @@ -18,7 +18,7 @@ # Copyright (c) OWASP Foundation. All Rights Reserved. import warnings -from typing import List, Optional +from typing import cast, List, Optional from xml.etree import ElementTree from . import BaseOutput @@ -51,33 +51,34 @@ def generate(self, force_regeneration: bool = False) -> None: components_element = ElementTree.SubElement(self._root_bom_element, 'components') has_vulnerabilities: bool = False - for component in self.get_bom().components: - component_element = self._add_component_element(component=component) - components_element.append(component_element) - if self.bom_supports_vulnerabilities_via_extension() and component.has_vulnerabilities(): - # Vulnerabilities are only possible when bom-ref is supported by the main CycloneDX schema version - vulnerabilities = ElementTree.SubElement(component_element, 'v:vulnerabilities') - for vulnerability in component.get_vulnerabilities(): - if component.bom_ref: - vulnerabilities.append( - self._get_vulnerability_as_xml_element_pre_1_3(bom_ref=component.bom_ref, - vulnerability=vulnerability) + if self.get_bom().components: + for component in cast(List[Component], self.get_bom().components): + component_element = self._add_component_element(component=component) + components_element.append(component_element) + if self.bom_supports_vulnerabilities_via_extension() and component.has_vulnerabilities(): + # Vulnerabilities are only possible when bom-ref is supported by the main CycloneDX schema version + vulnerabilities = ElementTree.SubElement(component_element, 'v:vulnerabilities') + for vulnerability in component.get_vulnerabilities(): + if component.bom_ref: + vulnerabilities.append( + self._get_vulnerability_as_xml_element_pre_1_3(bom_ref=component.bom_ref, + vulnerability=vulnerability) + ) + else: + warnings.warn( + f'Unable to include Vulnerability {str(vulnerability)} in generated BOM as the ' + f'Component it relates to ({str(component)}) but it has no bom-ref.' + ) + elif component.has_vulnerabilities(): + has_vulnerabilities = True + + if self.bom_supports_vulnerabilities() and has_vulnerabilities: + vulnerabilities_element = ElementTree.SubElement(self._root_bom_element, 'vulnerabilities') + for component in cast(List[Component], self.get_bom().components): + for vulnerability in component.get_vulnerabilities(): + vulnerabilities_element.append( + self._get_vulnerability_as_xml_element_post_1_4(vulnerability=vulnerability) ) - else: - warnings.warn( - f'Unable to include Vulnerability {str(vulnerability)} in generated BOM as the Component' - f'it relates to ({str(component)}) but it has no bom-ref.' - ) - elif component.has_vulnerabilities(): - has_vulnerabilities = True - - if self.bom_supports_vulnerabilities() and has_vulnerabilities: - vulnerabilities_element = ElementTree.SubElement(self._root_bom_element, 'vulnerabilities') - for component in self.get_bom().components: - for vulnerability in component.get_vulnerabilities(): - vulnerabilities_element.append( - self._get_vulnerability_as_xml_element_post_1_4(vulnerability=vulnerability) - ) self.generated = True diff --git a/tests/fixtures/bom_v1.2_services_complex.json b/tests/fixtures/bom_v1.2_services_complex.json new file mode 100644 index 00000000..dfc82f66 --- /dev/null +++ b/tests/fixtures/bom_v1.2_services_complex.json @@ -0,0 +1,84 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.2a.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.2", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION" + } + ], + "component": { + "type": "library", + "bom-ref": "17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "my-specific-bom-ref-for-my-first-service", + "provider": { + "contact": [ + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + }, + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org" + ] + }, + "group": "a-group", + "name": "my-first-service", + "version": "1.2.3", + "description": "Description goes here", + "endpoints": [ + "/api/thing/1", + "/api/thing/2" + ], + "authenticated": false, + "x-trust-boundary": true, + "data": [ + { + "classification": "public", + "flow": "outbound" + } + ], + "licenses": [ + { + "expression": "Commercial" + } + ], + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ] + }, + { + "bom-ref": "0b049d09-64c0-4490-a0f5-c84d9aacf857", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/fixtures/bom_v1.2_services_simple.json b/tests/fixtures/bom_v1.2_services_simple.json new file mode 100644 index 00000000..a19dd04d --- /dev/null +++ b/tests/fixtures/bom_v1.2_services_simple.json @@ -0,0 +1,34 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.2a.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.2", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION" + } + ], + "component": { + "type": "library", + "bom-ref": "17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "0b049d09-64c0-4490-a0f5-c84d9aacf857", + "name": "my-first-service" + }, + { + "bom-ref": "0b049d09-64c0-4490-a0f5-c84d9aacf857", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/fixtures/bom_v1.3_services_complex.json b/tests/fixtures/bom_v1.3_services_complex.json new file mode 100644 index 00000000..d517c042 --- /dev/null +++ b/tests/fixtures/bom_v1.3_services_complex.json @@ -0,0 +1,94 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.3.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.3", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION" + } + ], + "component": { + "type": "library", + "bom-ref": "df70b5f1-8f53-47a4-be48-669ae78795e6", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "my-specific-bom-ref-for-my-first-service", + "provider": { + "contact": [ + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + }, + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org" + ] + }, + "group": "a-group", + "name": "my-first-service", + "version": "1.2.3", + "description": "Description goes here", + "endpoints": [ + "/api/thing/1", + "/api/thing/2" + ], + "authenticated": false, + "x-trust-boundary": true, + "data": [ + { + "classification": "public", + "flow": "outbound" + } + ], + "licenses": [ + { + "expression": "Commercial" + } + ], + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ] + }, + { + "bom-ref": "e9c2e297-eee6-4f45-ac2d-6662b1db77bf", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/fixtures/bom_v1.3_services_simple.json b/tests/fixtures/bom_v1.3_services_simple.json new file mode 100644 index 00000000..514d2be4 --- /dev/null +++ b/tests/fixtures/bom_v1.3_services_simple.json @@ -0,0 +1,34 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.3.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.3", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION" + } + ], + "component": { + "type": "library", + "bom-ref": "cd3e9c95-9d41-49e7-9924-8cf0465ae789", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "bb5911d6-1a1d-41c9-b6e0-46e848d16655", + "name": "my-first-service" + }, + { + "bom-ref": "bb5911d6-1a1d-41c9-b6e0-46e848d16655", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/fixtures/bom_v1.4_services_complex.json b/tests/fixtures/bom_v1.4_services_complex.json new file mode 100644 index 00000000..45c90ebb --- /dev/null +++ b/tests/fixtures/bom_v1.4_services_complex.json @@ -0,0 +1,187 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.4", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION", + "externalReferences": [ + { + "type": "build-system", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" + }, + { + "type": "distribution", + "url": "https://pypi.org/project/cyclonedx-python-lib/" + }, + { + "type": "documentation", + "url": "https://cyclonedx.github.io/cyclonedx-python-lib/" + }, + { + "type": "issue-tracker", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" + }, + { + "type": "license", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" + }, + { + "type": "release-notes", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" + }, + { + "type": "vcs", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib" + }, + { + "type": "website", + "url": "https://cyclonedx.org" + } + ] + } + ], + "component": { + "type": "library", + "bom-ref": "2a4ec791-4846-4769-8332-06e6ee170395", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "my-specific-bom-ref-for-my-first-service", + "provider": { + "contact": [ + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + }, + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org" + ] + }, + "group": "a-group", + "name": "my-first-service", + "version": "1.2.3", + "description": "Description goes here", + "endpoints": [ + "/api/thing/1", + "/api/thing/2" + ], + "authenticated": false, + "x-trust-boundary": true, + "data": [ + { + "classification": "public", + "flow": "outbound" + } + ], + "licenses": [ + { + "expression": "Commercial" + } + ], + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "releaseNotes": { + "aliases": [ + "First Test Release" + ], + "description": "This release is a test release", + "featuredImage": "https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png", + "notes": [ + { + "locale": "en-GB", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + }, + { + "locale": "en-US", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + } + ], + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "resolves": [ + { + "description": "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features...", + "id": "CVE-2021-44228", + "name": "Apache Log3Shell", + "references": [ + "https://logging.apache.org/log4j/2.x/security.html", + "https://central.sonatype.org/news/20211213_log4shell_help" + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" + }, + "type": "security" + } + ], + "socialImage": "https://cyclonedx.org/cyclonedx-icon.png", + "tags": [ + "test", + "alpha" + ], + "timestamp": "2021-12-31T10:00:00+00:00", + "title": "Release Notes Title", + "type": "major" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ] + }, + { + "bom-ref": "b1650ab8-33fb-47e3-bc6e-07031054a946", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/fixtures/bom_v1.4_services_simple.json b/tests/fixtures/bom_v1.4_services_simple.json new file mode 100644 index 00000000..6a2ae027 --- /dev/null +++ b/tests/fixtures/bom_v1.4_services_simple.json @@ -0,0 +1,68 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.4", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION", + "externalReferences": [ + { + "type": "build-system", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" + }, + { + "type": "distribution", + "url": "https://pypi.org/project/cyclonedx-python-lib/" + }, + { + "type": "documentation", + "url": "https://cyclonedx.github.io/cyclonedx-python-lib/" + }, + { + "type": "issue-tracker", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" + }, + { + "type": "license", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" + }, + { + "type": "release-notes", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" + }, + { + "type": "vcs", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib" + }, + { + "type": "website", + "url": "https://cyclonedx.org" + } + ] + } + ], + "component": { + "type": "library", + "bom-ref": "44eba9c8-ccfb-4868-90cb-deb27f72b358", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "86452881-cb1a-4296-9450-2eb6f3e55744", + "name": "my-first-service" + }, + { + "bom-ref": "86452881-cb1a-4296-9450-2eb6f3e55744", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/fixtures/bom_v1.4_setuptools_with_vulnerabilities.json b/tests/fixtures/bom_v1.4_setuptools_with_vulnerabilities.json index 260af12e..ee9ba1b7 100644 --- a/tests/fixtures/bom_v1.4_setuptools_with_vulnerabilities.json +++ b/tests/fixtures/bom_v1.4_setuptools_with_vulnerabilities.json @@ -126,7 +126,7 @@ "contact": [ { "name": "Paul Horton", - "email": "simplyecommerce@googlemail.com" + "email": "paul.horton@owasp.org" }, { "name": "A N Other", diff --git a/tests/test_model.py b/tests/test_model.py index 6f1ae657..620cb661 100644 --- a/tests/test_model.py +++ b/tests/test_model.py @@ -1,3 +1,21 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. import base64 from unittest import TestCase diff --git a/tests/test_model_component.py b/tests/test_model_component.py index a150b39a..070e2d3c 100644 --- a/tests/test_model_component.py +++ b/tests/test_model_component.py @@ -1,3 +1,21 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. from unittest import TestCase from unittest.mock import Mock, patch diff --git a/tests/test_model_release_note.py b/tests/test_model_release_note.py index 33af0c3c..a360bd70 100644 --- a/tests/test_model_release_note.py +++ b/tests/test_model_release_note.py @@ -1,3 +1,21 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. import datetime from unittest import TestCase diff --git a/tests/test_model_service.py b/tests/test_model_service.py new file mode 100644 index 00000000..47571b76 --- /dev/null +++ b/tests/test_model_service.py @@ -0,0 +1,44 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. +from unittest import TestCase +from unittest.mock import Mock, patch + +from cyclonedx.model.service import Service + + +class TestModelService(TestCase): + + @patch('cyclonedx.model.service.uuid4', return_value='77d15ab9-5602-4cca-8ed2-59ae579aafd3') + def test_minimal_service(self, mock_uuid: Mock) -> None: + s = Service(name='my-test-service') + mock_uuid.assert_called() + self.assertEqual(s.name, 'my-test-service') + self.assertEqual(s.bom_ref, '77d15ab9-5602-4cca-8ed2-59ae579aafd3') + self.assertIsNone(s.provider) + self.assertIsNone(s.group) + self.assertIsNone(s.version) + self.assertIsNone(s.description) + self.assertIsNone(s.endpoints) + self.assertIsNone(s.authenticated) + self.assertIsNone(s.x_trust_boundary) + self.assertIsNone(s.data) + self.assertListEqual(s.licenses, []) + self.assertListEqual(s.external_references, []) + self.assertIsNone(s.release_notes) + self.assertIsNone(s.properties) diff --git a/tests/test_model_vulnerability.py b/tests/test_model_vulnerability.py index fe302c43..361b9f1d 100644 --- a/tests/test_model_vulnerability.py +++ b/tests/test_model_vulnerability.py @@ -1,3 +1,22 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + import unittest from unittest import TestCase from unittest.mock import Mock, patch diff --git a/tests/test_output_json.py b/tests/test_output_json.py index c424e2f5..9d8e2d53 100644 --- a/tests/test_output_json.py +++ b/tests/test_output_json.py @@ -17,18 +17,21 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright (c) OWASP Foundation. All Rights Reserved. import base64 -from decimal import Decimal from datetime import datetime, timezone +from decimal import Decimal from os.path import dirname, join -from packageurl import PackageURL +from typing import List from unittest.mock import Mock, patch +from packageurl import PackageURL + from cyclonedx.model import Encoding, ExternalReference, ExternalReferenceType, HashType, LicenseChoice, Note, \ - NoteText, OrganizationalContact, OrganizationalEntity, Property, Tool, XsUri + NoteText, OrganizationalContact, OrganizationalEntity, Property, Tool, XsUri, DataClassification, DataFlow from cyclonedx.model.bom import Bom from cyclonedx.model.component import Component, ComponentType from cyclonedx.model.issue import IssueClassification, IssueType from cyclonedx.model.release_note import ReleaseNotes +from cyclonedx.model.service import Service from cyclonedx.model.vulnerability import ImpactAnalysisState, ImpactAnalysisJustification, ImpactAnalysisResponse, \ ImpactAnalysisAffectedStatus, Vulnerability, VulnerabilityCredits, VulnerabilityRating, VulnerabilitySeverity, \ VulnerabilitySource, VulnerabilityScoreSource, VulnerabilityAdvisory, VulnerabilityReference, \ @@ -39,6 +42,7 @@ class TestOutputJson(BaseJsonTestCase): + timestamp: datetime = datetime(2021, 12, 31, 10, 0, 0, 0).replace(tzinfo=timezone.utc) def test_simple_bom_v1_4(self) -> None: bom = Bom() @@ -175,17 +179,7 @@ def test_bom_v1_3_with_component_external_references(self) -> None: c.add_hash( HashType.from_composite_str('sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b') ) - c.add_external_reference( - ExternalReference( - reference_type=ExternalReferenceType.DISTRIBUTION, - url='https://cyclonedx.org', - comment='No comment', - hashes=[ - HashType.from_composite_str( - 'sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b') - ] - ) - ) + c.add_external_reference(TestOutputJson._get_external_reference_1()) bom.add_component(c) outputter: Json = get_instance(bom=bom, output_format=OutputFormat.JSON) self.assertIsInstance(outputter, JsonV1Dot3) @@ -247,56 +241,12 @@ def test_with_component_release_notes_pre_1_4(self) -> None: def test_with_component_release_notes_post_1_4(self) -> None: bom = Bom() - timestamp: datetime = datetime(2021, 12, 31, 10, 0, 0, 0).replace(tzinfo=timezone.utc) - - text_content: str = base64.b64encode( - bytes('Some simple plain text', encoding='UTF-8') - ).decode(encoding='UTF-8') - c = Component( name='setuptools', version='50.3.2', bom_ref='pkg:pypi/setuptools@50.3.2?extension=tar.gz', purl=PackageURL( type='pypi', name='setuptools', version='50.3.2', qualifiers='extension=tar.gz' ), - release_notes=ReleaseNotes( - type='major', title="Release Notes Title", - featured_image=XsUri('https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png'), - social_image=XsUri('https://cyclonedx.org/cyclonedx-icon.png'), - description="This release is a test release", timestamp=timestamp, - aliases=[ - "First Test Release" - ], - tags=['test', 'alpha'], - resolves=[ - IssueType( - classification=IssueClassification.SECURITY, id='CVE-2021-44228', name='Apache Log3Shell', - description='Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features...', - source_name='NVD', source_url=XsUri('https://nvd.nist.gov/vuln/detail/CVE-2021-44228'), - references=[ - XsUri('https://logging.apache.org/log4j/2.x/security.html'), - XsUri('https://central.sonatype.org/news/20211213_log4shell_help') - ] - ) - ], - notes=[ - Note( - text=NoteText( - content=text_content, content_type='text/plain; charset=UTF-8', - content_encoding=Encoding.BASE_64 - ), locale='en-GB' - ), - Note( - text=NoteText( - content=text_content, content_type='text/plain; charset=UTF-8', - content_encoding=Encoding.BASE_64 - ), locale='en-US' - ) - ], - properties=[ - Property(name='key1', value='val1'), - Property(name='key2', value='val2') - ] - ) + release_notes=TestOutputJson._get_release_notes() ) bom.add_component(c) outputter: Json = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_4) @@ -350,13 +300,7 @@ def test_simple_bom_v1_4_with_vulnerabilities(self) -> None: tzinfo=timezone.utc), credits=VulnerabilityCredits( organizations=[ - OrganizationalEntity( - name='CycloneDX', urls=[XsUri('https://cyclonedx.org')], contacts=[ - OrganizationalContact(name='Paul Horton', email='simplyecommerce@googlemail.com'), - OrganizationalContact(name='A N Other', email='someone@somewhere.tld', - phone='+44 (0)1234 567890') - ] - ) + TestOutputJson._get_org_entity_1() ], individuals=[ OrganizationalContact(name='A N Other', email='someone@somewhere.tld', phone='+44 (0)1234 567890'), @@ -395,4 +339,204 @@ def test_bom_v1_3_with_metadata_component(self, mock_uuid: Mock) -> None: with open(join(dirname(__file__), 'fixtures/bom_v1.3_with_metadata_component.json')) as expected_json: self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) - maxDiff = None + @patch('cyclonedx.model.component.uuid4', return_value='17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda') + @patch('cyclonedx.model.service.uuid4', return_value='0b049d09-64c0-4490-a0f5-c84d9aacf857') + def test_bom_v1_2_services(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = Bom(services=[ + Service(name='my-first-service'), + Service(name='my-second-service') + ]) + bom.metadata.component = Component( + name='cyclonedx-python-lib', version='1.0.0', component_type=ComponentType.LIBRARY + ) + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_2) + self.assertIsInstance(outputter, JsonV1Dot2) + with open(join(dirname(__file__), 'fixtures/bom_v1.2_services_simple.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_2) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @patch('cyclonedx.model.component.uuid4', return_value='17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda') + @patch('cyclonedx.model.service.uuid4', return_value='0b049d09-64c0-4490-a0f5-c84d9aacf857') + def test_bom_v1_2_services_simple(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_simple() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_2) + self.assertIsInstance(outputter, JsonV1Dot2) + with open(join(dirname(__file__), 'fixtures/bom_v1.2_services_simple.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_2) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @patch('cyclonedx.model.component.uuid4', return_value='17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda') + @patch('cyclonedx.model.service.uuid4', return_value='0b049d09-64c0-4490-a0f5-c84d9aacf857') + def test_bom_v1_2_services_complex(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_complex() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_2) + self.assertIsInstance(outputter, JsonV1Dot2) + with open(join(dirname(__file__), 'fixtures/bom_v1.2_services_complex.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_2) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @patch('cyclonedx.model.component.uuid4', return_value='cd3e9c95-9d41-49e7-9924-8cf0465ae789') + @patch('cyclonedx.model.service.uuid4', return_value='bb5911d6-1a1d-41c9-b6e0-46e848d16655') + def test_bom_v1_3_services_simple(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_simple() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_3) + self.assertIsInstance(outputter, JsonV1Dot3) + with open(join(dirname(__file__), 'fixtures/bom_v1.3_services_simple.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_3) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @patch('cyclonedx.model.component.uuid4', return_value='df70b5f1-8f53-47a4-be48-669ae78795e6') + @patch('cyclonedx.model.service.uuid4', return_value='e9c2e297-eee6-4f45-ac2d-6662b1db77bf') + def test_bom_v1_3_services_complex(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_complex() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_3) + self.assertIsInstance(outputter, JsonV1Dot3) + with open(join(dirname(__file__), 'fixtures/bom_v1.3_services_complex.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_3) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @patch('cyclonedx.model.component.uuid4', return_value='44eba9c8-ccfb-4868-90cb-deb27f72b358') + @patch('cyclonedx.model.service.uuid4', return_value='86452881-cb1a-4296-9450-2eb6f3e55744') + def test_bom_v1_4_services_simple(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_simple() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_4) + self.assertIsInstance(outputter, JsonV1Dot4) + with open(join(dirname(__file__), 'fixtures/bom_v1.4_services_simple.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_4) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @patch('cyclonedx.model.component.uuid4', return_value='2a4ec791-4846-4769-8332-06e6ee170395') + @patch('cyclonedx.model.service.uuid4', return_value='b1650ab8-33fb-47e3-bc6e-07031054a946') + def test_bom_v1_4_services_complex(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_complex() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_4) + self.assertIsInstance(outputter, JsonV1Dot4) + with open(join(dirname(__file__), 'fixtures/bom_v1.4_services_complex.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_4) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @staticmethod + def _get_bom_with_services_simple() -> Bom: + bom = Bom(services=[ + Service(name='my-first-service'), + Service(name='my-second-service') + ]) + bom.metadata.component = Component( + name='cyclonedx-python-lib', version='1.0.0', component_type=ComponentType.LIBRARY + ) + return bom + + @staticmethod + def _get_bom_with_services_complex() -> Bom: + bom = Bom(services=[ + Service( + name='my-first-service', bom_ref='my-specific-bom-ref-for-my-first-service', + provider=TestOutputJson._get_org_entity_1(), group='a-group', version='1.2.3', + description='Description goes here', endpoints=[ + XsUri('/api/thing/1'), + XsUri('/api/thing/2') + ], + authenticated=False, x_trust_boundary=True, data=[ + DataClassification(flow=DataFlow.OUTBOUND, classification='public') + ], + licenses=[ + LicenseChoice(license_expression='Commercial') + ], + external_references=[ + TestOutputJson._get_external_reference_1() + ], + properties=TestOutputJson._get_properties_1(), + release_notes=TestOutputJson._get_release_notes() + ), + Service(name='my-second-service') + ]) + bom.metadata.component = Component( + name='cyclonedx-python-lib', version='1.0.0', component_type=ComponentType.LIBRARY + ) + return bom + + @staticmethod + def _get_external_reference_1() -> ExternalReference: + return ExternalReference( + reference_type=ExternalReferenceType.DISTRIBUTION, + url='https://cyclonedx.org', + comment='No comment', + hashes=[ + HashType.from_composite_str( + 'sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b') + ] + ) + + @staticmethod + def _get_org_entity_1() -> OrganizationalEntity: + return OrganizationalEntity( + name='CycloneDX', urls=[XsUri('https://cyclonedx.org')], contacts=[ + OrganizationalContact(name='Paul Horton', email='paul.horton@owasp.org'), + OrganizationalContact(name='A N Other', email='someone@somewhere.tld', + phone='+44 (0)1234 567890') + ] + ) + + @staticmethod + def _get_properties_1() -> List[Property]: + return [ + Property(name='key1', value='val1'), + Property(name='key2', value='val2') + ] + + @staticmethod + def _get_release_notes() -> ReleaseNotes: + text_content: str = base64.b64encode( + bytes('Some simple plain text', encoding='UTF-8') + ).decode(encoding='UTF-8') + + return ReleaseNotes( + type='major', title="Release Notes Title", + featured_image=XsUri('https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png'), + social_image=XsUri('https://cyclonedx.org/cyclonedx-icon.png'), + description="This release is a test release", timestamp=TestOutputJson.timestamp, + aliases=[ + "First Test Release" + ], + tags=['test', 'alpha'], + resolves=[ + IssueType( + classification=IssueClassification.SECURITY, id='CVE-2021-44228', name='Apache Log3Shell', + description='Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features...', + source_name='NVD', source_url=XsUri('https://nvd.nist.gov/vuln/detail/CVE-2021-44228'), + references=[ + XsUri('https://logging.apache.org/log4j/2.x/security.html'), + XsUri('https://central.sonatype.org/news/20211213_log4shell_help') + ] + ) + ], + notes=[ + Note( + text=NoteText( + content=text_content, content_type='text/plain; charset=UTF-8', + content_encoding=Encoding.BASE_64 + ), locale='en-GB' + ), + Note( + text=NoteText( + content=text_content, content_type='text/plain; charset=UTF-8', + content_encoding=Encoding.BASE_64 + ), locale='en-US' + ) + ], + properties=TestOutputJson._get_properties_1() + )