From 8acf98a6a913a23ffb4bef988daabc18048bfefd Mon Sep 17 00:00:00 2001 From: Jeffry Hesse <5544326+DarthHater@users.noreply.github.com> Date: Mon, 24 Jan 2022 14:02:06 -0900 Subject: [PATCH 01/19] WIP but a lil hand up for @madpah Signed-off-by: Jeffry Hesse <5544326+DarthHater@users.noreply.github.com> --- cyclonedx/model/__init__.py | 160 +++++++++++++++++++++++++ cyclonedx/model/issue.py | 2 +- cyclonedx/model/service.py | 228 ++++++++++++++++++++++++++++++++++++ 3 files changed, 389 insertions(+), 1 deletion(-) create mode 100644 cyclonedx/model/service.py diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index 113ed928..2a881c81 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -50,6 +50,166 @@ def sha1sum(filename: str) -> str: h.update(byte_block) return h.hexdigest() +class DataFlow(Enum): + """ + This is out internal representation of the dataFlowType simple type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/xml/#type_dataFlowType + """ + INBOUND = "inbound" + OUTBOUND = "outbound" + BI_DIRECTIONAL = "bi-directional" + UNKNOWN = "unknown" + +class Data: + """ + This is our internal representation of the `dataClassificationType` complex type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema for dataClassificationType: https://cyclonedx.org/docs/1.4/xml/#type_dataClassificationType + """ + + def __init__(self, flow: DataFlow, classification: str) -> None: + if not flow and not classification: + raise NoPropertiesProvidedException( + 'One of `flow` or `classification` must be supplied - neither supplied' + ) + + self.flow = flow + self.classification = classification + + @property + def flow(self) -> DataFlow: + """ + Specifies the data flow for the service. + + Returns: + `DataFlow` + """ + return self._flow + + @flow.setter + def flow(self, flow: DataFlow) -> None: + self._flow = flow + + @property + def classification(self) -> str: + """ + Specifies the classification of the data for the service. + + Returns: + `str` + """ + return self._content_type + + @classification.setter + def classification(self, classification: str) -> None: + self._classification = classification + +class SignatureAlgorithm(Enum): + """ + This is out internal representation of the algorithm simple type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#tab-pane_signature_oneOf_i2_algorithm_oneOf_i0 + """ + RS256 = "RS256" + RS384 = "RS384" + RS512 = "RS512" + PS256 = "PS256" + PS384 = "PS384" + PS512 = "PS512" + ES256 = "ES256" + ES384 = "ES384" + ES512 = "ES512" + ED25519 = "Ed25519" + ED448 = "Ed448" + HS256 = "HS256" + HS384 = "HS384" + HS512 = "HS512" + +class SignaturePublicKeyKty(Enum): + """ + This is our internal representation of the kty simple type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_kty + """ + EC = "EC" + OKP = "OKP" + RSA = "RSA" + +class SignaturePublicKeyCrv(Enum): + """ + This is our internal representation of the crv simple type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_allOf_i1_then_crv + """ + ED25519 = "Ed25519" + Ed448 = "Ed448" + +class SignaturePublicKey: + """ + This is our internal representation of the public key complex type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey + JSON only + """ + def __init__(self, kty: SignaturePublicKeyKty = None, crv: Optional[SignaturePublicKeyCrv] = None, + x: Optional[str] = None, y: Optional[str] = None, + n: Optional[str] = None, e: Optional[str] = None, + value: str = None) -> None: + if not kty and not value: + raise NoPropertiesProvidedException( + '`kty` must be supplied' + ) + if kty == SignaturePublicKeyKty.EC and not crv and not x and not y: + raise NoPropertiesProvidedException( + 'if `kty` equals EC, `crv`, `x` and `y` must be supplied' + ) + if kty == SignaturePublicKeyKty.OKP and not crv and not x: + raise NoPropertiesProvidedException( + 'if `kty` equals OKP, `crv`, and `x` must be supplied' + ) + if kty == SignaturePublicKeyKty.RSA and not n and not e: + raise NoPropertiesProvidedException( + 'if `kty` equals RSA, `n`, and `e` must be supplied' + ) + self.kty = kty + self.crv = crv + self.x = x + self.y = y + self.n = n + self.e = e + self.value = value + +class Signature: + """ + This is out internal representation of the signature complex type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature + JSON only + """ + + def __init__(self, algorithm: SignatureAlgorithm, key_id: Optional[str], + public_key: Optional[SignaturePublicKey] = None, + certificate_path: Optional[List[str]] = None, + excludes: Optional[List[str]] = None, + value: str = None) -> None: + if not algorithm and not value: + raise NoPropertiesProvidedException( + 'One of `algorithm` or `value` must be supplied - neither supplied' + ) + self.algorithm = algorithm + self.key_id = key_id + self.public_key = public_key + self.certificate_path = certificate_path + self.excludes = excludes + self.value = value class Encoding(Enum): """ diff --git a/cyclonedx/model/issue.py b/cyclonedx/model/issue.py index befd21d7..029f1540 100644 --- a/cyclonedx/model/issue.py +++ b/cyclonedx/model/issue.py @@ -26,7 +26,7 @@ class IssueClassification(Enum): This is out internal representation of the enum `issueClassification`. .. note:: - See the CycloneDX Schema definition: hhttps://cyclonedx.org/docs/1.4/xml/#type_issueClassification + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.4/xml/#type_issueClassification """ DEFECT = 'defect' ENHANCEMENT = 'enhancement' diff --git a/cyclonedx/model/service.py b/cyclonedx/model/service.py new file mode 100644 index 00000000..22f47195 --- /dev/null +++ b/cyclonedx/model/service.py @@ -0,0 +1,228 @@ +# encoding: utf-8 + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +from typing import List, Optional +from uuid import uuid4 + +from ..exception.model import NoPropertiesProvidedException +from .release_note import ReleaseNotes +from . import ExternalReference, Data, Signature, LicenseChoice, Property + +class Service: + """ + Class that models the `vulnerabilityType` complex type in the CycloneDX schema (version >= 1.4). + + This class also provides data support for schema versions < 1.4 where Vulnerabilites were possible through a schema + extension (in XML only). + + .. note:: + See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_vulnerabilityType + """ + + def __init__(self, bom_ref: Optional[str] = None, + group: Optional[str] = None, + name: str = None, + version: Optional[str] = None, + description: Optional[str] = None, + endpoints: Optional[List[str]] = None, + authenticated: Optional[bool] = None, + x_trust_boundary: Optional[bool] = None, + data: Optional[List[Data]] = None, + licenses: Optional[List[LicenseChoice]] = None, + external_references: Optional[List[ExternalReference]] = None, + # services: Optional[List[Service]] = None, -- I have no clue how to do this, commenting out so someone else can + release_notes: Optional[ReleaseNotes] = None, + properties: Optional[List[Property]] = None, + signature: Optional[Signature] = None): + if not name: + raise NoPropertiesProvidedException( + '`name` was not provideed - it must be provided.' + ) + + self.bom_ref = bom_ref or str(uuid4()) + self.group = group + self.name = name + self.version = version + self.description = description + self.endpoints = endpoints + self.authenticated = authenticated + self.x_trust_boundary = x_trust_boundary + self.data = data + self.licenses = licenses + self.external_references = external_references + # self.services = services -- no clue + self.release_notes = release_notes + self.properties = properties + self.signature = signature + + @property + def bom_ref(self) -> Optional[str]: + """ + Get the unique reference for this Service in this BOM. + + If a value was not provided in the constructor, a UUIDv4 will have been assigned. + + Returns: + `str` unique identifier for this Service + """ + return self._bom_ref + + @bom_ref.setter + def bom_ref(self, bom_ref: Optional[str]) -> None: + self._bom_ref = bom_ref + + @property + def group(self) -> Optional[str]: + """ + A group of the service as provided by the source. + """ + return self._group + + @group.setter + def group(self, group: Optional[str]) -> None: + self._group = group + + @property + def name(self) -> str: + """ + A name of the service as provided by the source. + """ + return self._name + + @name.setter + def name(self, name: str) -> None: + self._name = name + + @property + def version(self) -> Optional[str]: + """ + A version of the service as provided by the source. + """ + return self._version + + @version.setter + def version(self, version: Optional[str]) -> None: + self._version = version + + @property + def description(self) -> Optional[str]: + """ + A description of the service as provided by the source. + """ + return self._description + + @description.setter + def description(self, description: Optional[str]) -> None: + self._description = description + + @property + def endpoints(self) -> Optional[List[str]]: + """ + A list of endpoints for the service as provided by the source. + """ + return self._endpoints + + @endpoints.setter + def endpoints(self, endpoints: Optional[List[str]]) -> None: + self._endpoints = endpoints + + @property + def authenticated(self) -> Optional[bool]: + """ + A True/False or None value of if the service requires authentication as provided by the source. + """ + return self._authenticated + + @authenticated.setter + def authenticated(self, authenticated: Optional[bool]) -> None: + self._authenticated = authenticated + + @property + def x_trust_boundary(self) -> Optional[bool]: + """ + A True/False or None value of if the service has a X-Trust-Boundary as provided by the source. + """ + return self._x_trust_boundary + + @x_trust_boundary.setter + def x_trust_boundary(self, x_trust_boundary: Optional[bool]) -> None: + self._x_trust_boundary = x_trust_boundary + + @property + def data(self) -> Optional[List[Data]]: + """ + A list of data information for the service as provided by the source. + """ + return self._data + + @data.setter + def data(self, data: Optional[List[Data]]) -> None: + self._data = data + + @property + def licenses(self) -> Optional[List[LicenseChoice]]: + """ + A list of licenses for the service as provided by the source. + """ + return self._licenses + + @licenses.setter + def licenses(self, licenses: Optional[List[LicenseChoice]]) -> None: + self._licenses = licenses + + @property + def external_references(self) -> Optional[List[ExternalReference]]: + """ + A list of externalReferences for the service as provided by the source. + """ + return self._external_references + + @external_references.setter + def external_references(self, external_references: Optional[List[ExternalReference]]) -> None: + self._external_references = external_references + + @property + def release_notes(self) -> Optional[ReleaseNotes]: + """ + A release note for the service as provided by the source. + """ + return self._release_notes + + @release_notes.setter + def release_notes(self, release_notes: Optional[ReleaseNotes]) -> None: + self._release_notes = release_notes + + @property + def properties(self) -> Optional[List[Property]]: + """ + A list of properties for the service as provided by the source. + """ + return self._properties + + @properties.setter + def properties(self, properties: Optional[List[Property]]) -> None: + self._properties = properties + + @property + def signature(self) -> Optional[Signature]: + """ + A JSF signature for the service as provided by the source. + """ + return self._signature + + @signature.setter + def signature(self, signature: Optional[Signature]) -> None: + self._signature = signature From 4edcb0e680f020b93acb2d49d6a792313a05a851 Mon Sep 17 00:00:00 2001 From: Paul Horton Date: Tue, 25 Jan 2022 14:53:04 +0000 Subject: [PATCH 02/19] chore: added missing license header Signed-off-by: Paul Horton --- tests/test_model.py | 18 ++++++++++++++++++ tests/test_model_component.py | 18 ++++++++++++++++++ tests/test_model_release_note.py | 18 ++++++++++++++++++ tests/test_model_vulnerability.py | 19 +++++++++++++++++++ 4 files changed, 73 insertions(+) diff --git a/tests/test_model.py b/tests/test_model.py index 6f1ae657..620cb661 100644 --- a/tests/test_model.py +++ b/tests/test_model.py @@ -1,3 +1,21 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. import base64 from unittest import TestCase diff --git a/tests/test_model_component.py b/tests/test_model_component.py index a150b39a..070e2d3c 100644 --- a/tests/test_model_component.py +++ b/tests/test_model_component.py @@ -1,3 +1,21 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. from unittest import TestCase from unittest.mock import Mock, patch diff --git a/tests/test_model_release_note.py b/tests/test_model_release_note.py index 33af0c3c..a360bd70 100644 --- a/tests/test_model_release_note.py +++ b/tests/test_model_release_note.py @@ -1,3 +1,21 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. import datetime from unittest import TestCase diff --git a/tests/test_model_vulnerability.py b/tests/test_model_vulnerability.py index fe302c43..361b9f1d 100644 --- a/tests/test_model_vulnerability.py +++ b/tests/test_model_vulnerability.py @@ -1,3 +1,22 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + import unittest from unittest import TestCase from unittest.mock import Mock, patch From cbebae2fce7d93f5771cab67bd49927869f31b00 Mon Sep 17 00:00:00 2001 From: Jeffry Hesse <5544326+DarthHater@users.noreply.github.com> Date: Tue, 25 Jan 2022 08:53:05 -0900 Subject: [PATCH 03/19] No default values for required fields --- cyclonedx/model/__init__.py | 10 ++++------ cyclonedx/model/service.py | 3 +-- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index 2a881c81..76dd3cf8 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -160,9 +160,8 @@ class SignaturePublicKey: """ def __init__(self, kty: SignaturePublicKeyKty = None, crv: Optional[SignaturePublicKeyCrv] = None, x: Optional[str] = None, y: Optional[str] = None, - n: Optional[str] = None, e: Optional[str] = None, - value: str = None) -> None: - if not kty and not value: + n: Optional[str] = None, e: Optional[str] = None) -> None: + if not kty: raise NoPropertiesProvidedException( '`kty` must be supplied' ) @@ -195,11 +194,10 @@ class Signature: JSON only """ - def __init__(self, algorithm: SignatureAlgorithm, key_id: Optional[str], + def __init__(self, algorithm: SignatureAlgorithm, value: str, key_id: Optional[str], public_key: Optional[SignaturePublicKey] = None, certificate_path: Optional[List[str]] = None, - excludes: Optional[List[str]] = None, - value: str = None) -> None: + excludes: Optional[List[str]] = None) -> None: if not algorithm and not value: raise NoPropertiesProvidedException( 'One of `algorithm` or `value` must be supplied - neither supplied' diff --git a/cyclonedx/model/service.py b/cyclonedx/model/service.py index 22f47195..29cf1897 100644 --- a/cyclonedx/model/service.py +++ b/cyclonedx/model/service.py @@ -32,9 +32,8 @@ class Service: See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_vulnerabilityType """ - def __init__(self, bom_ref: Optional[str] = None, + def __init__(self, name: str, bom_ref: Optional[str] = None, group: Optional[str] = None, - name: str = None, version: Optional[str] = None, description: Optional[str] = None, endpoints: Optional[List[str]] = None, From 0f2d68193293efef3a80696059e1bb5195f0f14f Mon Sep 17 00:00:00 2001 From: Jeffry Hesse <5544326+DarthHater@users.noreply.github.com> Date: Tue, 25 Jan 2022 08:59:23 -0900 Subject: [PATCH 04/19] Add Services to BOM --- cyclonedx/model/bom.py | 65 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index d0aa0068..b69876f0 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -24,6 +24,7 @@ from . import ThisTool, Tool from .component import Component from ..parser import BaseParser +from .service import Service class BomMetaData: @@ -143,6 +144,7 @@ def __init__(self) -> None: self.uuid = uuid4() self.metadata = BomMetaData() self._components: List[Component] = [] + self._services: List[Service] = [] @property def uuid(self) -> UUID: @@ -265,6 +267,69 @@ def has_component(self, component: Component) -> bool: """ return component in self._components + @property + def services(self) -> List[Service]: + """ + Get all the Services currently in this Bom. + + Returns: + List of all Services in this Bom. + """ + return self._services + + @services.setter + def services(self, services: List[Service]) -> None: + self._services = services + + def add_service(self, service: Service) -> None: + """ + Add a Service to this Bom instance. + + Args: + service: + `cyclonedx.model.service.Service` instance to add to this Bom. + + Returns: + None + """ + if not self.has_component(service=service): + self._services.append(service) + + def add_services(self, services: List[Service]) -> None: + """ + Add multiple Services at once to this Bom instance. + + Args: + services: + List of `cyclonedx.model.service.Service` instances to add to this Bom. + + Returns: + None + """ + self.services = self._services + services + + def has_service(self, service: Service) -> bool: + """ + Check whether this Bom contains the provided Service. + + Args: + component: + The instance of `cyclonedx.model.service.Service` to check if this Bom contains. + + Returns: + `bool` - `True` if the supplied Service is part of this Bom, `False` otherwise. + """ + return service in self._services + + def service_count(self) -> int: + """ + Returns the current count of Services within this Bom. + + Returns: + The number of Services in this Bom as `int`. + """ + return len(self._services) + def has_vulnerabilities(self) -> bool: """ Check whether this Bom has any declared vulnerabilities. From 756218dd7acd3a414be306c64a5b5b06b7ceb7d2 Mon Sep 17 00:00:00 2001 From: Jeffry Hesse <5544326+DarthHater@users.noreply.github.com> Date: Tue, 25 Jan 2022 09:00:14 -0900 Subject: [PATCH 05/19] Typo fix --- cyclonedx/model/__init__.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index 76dd3cf8..34baeff5 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -52,7 +52,7 @@ def sha1sum(filename: str) -> str: class DataFlow(Enum): """ - This is out internal representation of the dataFlowType simple type within the CycloneDX standard. + This is our internal representation of the dataFlowType simple type within the CycloneDX standard. .. note:: See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/xml/#type_dataFlowType @@ -109,7 +109,7 @@ def classification(self, classification: str) -> None: class SignatureAlgorithm(Enum): """ - This is out internal representation of the algorithm simple type within the CycloneDX standard. + This is our internal representation of the algorithm simple type within the CycloneDX standard. .. note:: See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#tab-pane_signature_oneOf_i2_algorithm_oneOf_i0 @@ -187,7 +187,7 @@ def __init__(self, kty: SignaturePublicKeyKty = None, crv: Optional[SignaturePub class Signature: """ - This is out internal representation of the signature complex type within the CycloneDX standard. + This is our internal representation of the signature complex type within the CycloneDX standard. .. note:: See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature @@ -211,7 +211,7 @@ def __init__(self, algorithm: SignatureAlgorithm, value: str, key_id: Optional[s class Encoding(Enum): """ - This is out internal representation of the encoding simple type within the CycloneDX standard. + This is our internal representation of the encoding simple type within the CycloneDX standard. .. note:: See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/#type_encoding From 42a7ae71d384239844270d79382c36b88cb30fd4 Mon Sep 17 00:00:00 2001 From: Paul Horton Date: Wed, 26 Jan 2022 08:34:02 +0000 Subject: [PATCH 06/19] aligned classes with standards, commented out Signature work for now, added first tests for Services Signed-off-by: Paul Horton --- cyclonedx/model/__init__.py | 235 ++++++++++-------- cyclonedx/model/bom.py | 30 ++- cyclonedx/model/service.py | 197 ++++++++++----- cyclonedx/output/json.py | 20 +- cyclonedx/output/schema.py | 36 +++ cyclonedx/output/serializer/json.py | 4 +- tests/fixtures/bom_v1.2_services_complex.json | 84 +++++++ tests/fixtures/bom_v1.2_services_simple.json | 34 +++ ..._v1.4_setuptools_with_vulnerabilities.json | 2 +- tests/test_model_service.py | 45 ++++ tests/test_output_json.py | 226 ++++++++++++----- 11 files changed, 669 insertions(+), 244 deletions(-) create mode 100644 tests/fixtures/bom_v1.2_services_complex.json create mode 100644 tests/fixtures/bom_v1.2_services_simple.json create mode 100644 tests/test_model_service.py diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index 2a881c81..a91396f6 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -50,9 +50,10 @@ def sha1sum(filename: str) -> str: h.update(byte_block) return h.hexdigest() + class DataFlow(Enum): """ - This is out internal representation of the dataFlowType simple type within the CycloneDX standard. + This is our internal representation of the dataFlowType simple type within the CycloneDX standard. .. note:: See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/xml/#type_dataFlowType @@ -62,12 +63,14 @@ class DataFlow(Enum): BI_DIRECTIONAL = "bi-directional" UNKNOWN = "unknown" -class Data: + +class DataClassification: """ This is our internal representation of the `dataClassificationType` complex type within the CycloneDX standard. .. note:: - See the CycloneDX Schema for dataClassificationType: https://cyclonedx.org/docs/1.4/xml/#type_dataClassificationType + See the CycloneDX Schema for dataClassificationType: + https://cyclonedx.org/docs/1.4/xml/#type_dataClassificationType """ def __init__(self, flow: DataFlow, classification: str) -> None: @@ -82,7 +85,16 @@ def __init__(self, flow: DataFlow, classification: str) -> None: @property def flow(self) -> DataFlow: """ - Specifies the data flow for the service. + Specifies the flow direction of the data. + + Valid values are: inbound, outbound, bi-directional, and unknown. + + Direction is relative to the service. + + - Inbound flow states that data enters the service + - Outbound flow states that data leaves the service + - Bi-directional states that data flows both ways + - Unknown states that the direction is not known Returns: `DataFlow` @@ -96,120 +108,127 @@ def flow(self, flow: DataFlow) -> None: @property def classification(self) -> str: """ - Specifies the classification of the data for the service. + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. Returns: `str` """ - return self._content_type - + return self._classification + @classification.setter def classification(self, classification: str) -> None: self._classification = classification -class SignatureAlgorithm(Enum): - """ - This is out internal representation of the algorithm simple type within the CycloneDX standard. - - .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#tab-pane_signature_oneOf_i2_algorithm_oneOf_i0 - """ - RS256 = "RS256" - RS384 = "RS384" - RS512 = "RS512" - PS256 = "PS256" - PS384 = "PS384" - PS512 = "PS512" - ES256 = "ES256" - ES384 = "ES384" - ES512 = "ES512" - ED25519 = "Ed25519" - ED448 = "Ed448" - HS256 = "HS256" - HS384 = "HS384" - HS512 = "HS512" - -class SignaturePublicKeyKty(Enum): - """ - This is our internal representation of the kty simple type within the CycloneDX standard. - - .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_kty - """ - EC = "EC" - OKP = "OKP" - RSA = "RSA" -class SignaturePublicKeyCrv(Enum): - """ - This is our internal representation of the crv simple type within the CycloneDX standard. - - .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_allOf_i1_then_crv - """ - ED25519 = "Ed25519" - Ed448 = "Ed448" - -class SignaturePublicKey: - """ - This is our internal representation of the public key complex type within the CycloneDX standard. - - .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey - JSON only - """ - def __init__(self, kty: SignaturePublicKeyKty = None, crv: Optional[SignaturePublicKeyCrv] = None, - x: Optional[str] = None, y: Optional[str] = None, - n: Optional[str] = None, e: Optional[str] = None, - value: str = None) -> None: - if not kty and not value: - raise NoPropertiesProvidedException( - '`kty` must be supplied' - ) - if kty == SignaturePublicKeyKty.EC and not crv and not x and not y: - raise NoPropertiesProvidedException( - 'if `kty` equals EC, `crv`, `x` and `y` must be supplied' - ) - if kty == SignaturePublicKeyKty.OKP and not crv and not x: - raise NoPropertiesProvidedException( - 'if `kty` equals OKP, `crv`, and `x` must be supplied' - ) - if kty == SignaturePublicKeyKty.RSA and not n and not e: - raise NoPropertiesProvidedException( - 'if `kty` equals RSA, `n`, and `e` must be supplied' - ) - self.kty = kty - self.crv = crv - self.x = x - self.y = y - self.n = n - self.e = e - self.value = value - -class Signature: - """ - This is out internal representation of the signature complex type within the CycloneDX standard. - - .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature - JSON only - """ +# class SignatureAlgorithm(Enum): +# """ +# This is out internal representation of the algorithm simple type within the CycloneDX standard. +# +# .. note:: +# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#tab-pane_signature_oneOf_i2_algorithm_oneOf_i0 +# """ +# RS256 = "RS256" +# RS384 = "RS384" +# RS512 = "RS512" +# PS256 = "PS256" +# PS384 = "PS384" +# PS512 = "PS512" +# ES256 = "ES256" +# ES384 = "ES384" +# ES512 = "ES512" +# ED25519 = "Ed25519" +# ED448 = "Ed448" +# HS256 = "HS256" +# HS384 = "HS384" +# HS512 = "HS512" +# +# +# class SignaturePublicKeyKty(Enum): +# """ +# This is our internal representation of the kty simple type within the CycloneDX standard. +# +# .. note:: +# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_kty +# """ +# EC = "EC" +# OKP = "OKP" +# RSA = "RSA" +# +# +# class SignaturePublicKeyCrv(Enum): +# """ +# This is our internal representation of the crv simple type within the CycloneDX standard. +# +# .. note:: +# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_allOf_i1_then_crv +# """ +# ED25519 = "Ed25519" +# Ed448 = "Ed448" +# +# +# class SignaturePublicKey: +# """ +# This is our internal representation of the public key complex type within the CycloneDX standard. +# +# .. note:: +# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey +# JSON only +# """ +# +# def __init__(self, kty: SignaturePublicKeyKty = None, crv: Optional[SignaturePublicKeyCrv] = None, +# x: Optional[str] = None, y: Optional[str] = None, +# n: Optional[str] = None, e: Optional[str] = None, +# value: str = None) -> None: +# if not kty and not value: +# raise NoPropertiesProvidedException( +# '`kty` must be supplied' +# ) +# if kty == SignaturePublicKeyKty.EC and not crv and not x and not y: +# raise NoPropertiesProvidedException( +# 'if `kty` equals EC, `crv`, `x` and `y` must be supplied' +# ) +# if kty == SignaturePublicKeyKty.OKP and not crv and not x: +# raise NoPropertiesProvidedException( +# 'if `kty` equals OKP, `crv`, and `x` must be supplied' +# ) +# if kty == SignaturePublicKeyKty.RSA and not n and not e: +# raise NoPropertiesProvidedException( +# 'if `kty` equals RSA, `n`, and `e` must be supplied' +# ) +# self.kty = kty +# self.crv = crv +# self.x = x +# self.y = y +# self.n = n +# self.e = e +# self.value = value +# +# +# class Signature: +# """ +# This is out internal representation of the signature complex type within the CycloneDX standard. +# +# .. note:: +# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature +# JSON only +# """ +# +# def __init__(self, algorithm: SignatureAlgorithm, key_id: Optional[str], +# public_key: Optional[SignaturePublicKey] = None, +# certificate_path: Optional[List[str]] = None, +# excludes: Optional[List[str]] = None, +# value: str = None) -> None: +# if not algorithm and not value: +# raise NoPropertiesProvidedException( +# 'One of `algorithm` or `value` must be supplied - neither supplied' +# ) +# self.algorithm = algorithm +# self.key_id = key_id +# self.public_key = public_key +# self.certificate_path = certificate_path +# self.excludes = excludes +# self.value = value - def __init__(self, algorithm: SignatureAlgorithm, key_id: Optional[str], - public_key: Optional[SignaturePublicKey] = None, - certificate_path: Optional[List[str]] = None, - excludes: Optional[List[str]] = None, - value: str = None) -> None: - if not algorithm and not value: - raise NoPropertiesProvidedException( - 'One of `algorithm` or `value` must be supplied - neither supplied' - ) - self.algorithm = algorithm - self.key_id = key_id - self.public_key = public_key - self.certificate_path = certificate_path - self.excludes = excludes - self.value = value class Encoding(Enum): """ diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index d0aa0068..5786ea0a 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -23,6 +23,7 @@ from . import ThisTool, Tool from .component import Component +from .service import Service from ..parser import BaseParser @@ -133,7 +134,7 @@ def from_parser(parser: BaseParser) -> 'Bom': bom.add_components(parser.get_components()) return bom - def __init__(self) -> None: + def __init__(self, components: Optional[List[Component]] = None, services: Optional[List[Service]] = None) -> None: """ Create a new Bom that you can manually/programmatically add data to later. @@ -142,7 +143,8 @@ def __init__(self) -> None: """ self.uuid = uuid4() self.metadata = BomMetaData() - self._components: List[Component] = [] + self.components = components + self.services = services @property def uuid(self) -> UUID: @@ -200,7 +202,9 @@ def add_component(self, component: Component) -> None: Returns: None """ - if not self.has_component(component=component): + if not self.components: + self.components = [component] + elif not self.has_component(component=component): self._components.append(component) def add_components(self, components: List[Component]) -> None: @@ -263,7 +267,9 @@ def has_component(self, component: Component) -> bool: Returns: `bool` - `True` if the supplied Component is part of this Bom, `False` otherwise. """ - return component in self._components + if not self.components: + return False + return component in self.components def has_vulnerabilities(self) -> bool: """ @@ -278,3 +284,19 @@ def has_vulnerabilities(self) -> bool: return True return False + + @property + def services(self) -> Optional[List[Service]]: + """ + A list of services. + + This may include microservices, function-as-a-service, and other types of network or intra-process services. + + Returns: + List of `Service` or `None` + """ + return self._services + + @services.setter + def services(self, services: Optional[List[Service]]) -> None: + self._services = services diff --git a/cyclonedx/model/service.py b/cyclonedx/model/service.py index 22f47195..b8bf3afe 100644 --- a/cyclonedx/model/service.py +++ b/cyclonedx/model/service.py @@ -17,42 +17,39 @@ from typing import List, Optional from uuid import uuid4 -from ..exception.model import NoPropertiesProvidedException +from . import ExternalReference, DataClassification, LicenseChoice, OrganizationalEntity, Property, XsUri # , Signature from .release_note import ReleaseNotes -from . import ExternalReference, Data, Signature, LicenseChoice, Property + +""" +This set of classes represents the data that is possible about known Services. + +.. note:: + See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.4/xml/#type_servicesType +""" + class Service: """ - Class that models the `vulnerabilityType` complex type in the CycloneDX schema (version >= 1.4). - - This class also provides data support for schema versions < 1.4 where Vulnerabilites were possible through a schema - extension (in XML only). + Class that models the `service` complex type in the CycloneDX schema. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_vulnerabilityType + See the CycloneDX schema: https://cyclonedx.org/docs/1.4/xml/#type_service """ - def __init__(self, bom_ref: Optional[str] = None, - group: Optional[str] = None, - name: str = None, - version: Optional[str] = None, - description: Optional[str] = None, - endpoints: Optional[List[str]] = None, - authenticated: Optional[bool] = None, - x_trust_boundary: Optional[bool] = None, - data: Optional[List[Data]] = None, + def __init__(self, name: str, bom_ref: Optional[str] = None, provider: Optional[OrganizationalEntity] = None, + group: Optional[str] = None, version: Optional[str] = None, description: Optional[str] = None, + endpoints: Optional[List[XsUri]] = None, authenticated: Optional[bool] = None, + x_trust_boundary: Optional[bool] = None, data: Optional[List[DataClassification]] = None, licenses: Optional[List[LicenseChoice]] = None, external_references: Optional[List[ExternalReference]] = None, - # services: Optional[List[Service]] = None, -- I have no clue how to do this, commenting out so someone else can - release_notes: Optional[ReleaseNotes] = None, properties: Optional[List[Property]] = None, - signature: Optional[Signature] = None): - if not name: - raise NoPropertiesProvidedException( - '`name` was not provideed - it must be provided.' - ) - + # services: Optional[List[Service]] = None, -- I have no clue how to do this, + # commenting out so someone else can + release_notes: Optional[ReleaseNotes] = None, + # signature: Optional[Signature] = None + ): self.bom_ref = bom_ref or str(uuid4()) + self.provider = provider self.group = group self.name = name self.version = version @@ -61,17 +58,18 @@ def __init__(self, bom_ref: Optional[str] = None, self.authenticated = authenticated self.x_trust_boundary = x_trust_boundary self.data = data - self.licenses = licenses - self.external_references = external_references + self.licenses = licenses or [] + self.external_references = external_references or [] # self.services = services -- no clue self.release_notes = release_notes self.properties = properties - self.signature = signature - + # self.signature = signature + @property def bom_ref(self) -> Optional[str]: """ - Get the unique reference for this Service in this BOM. + An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced + within all elements and children of the root-level bom element. If a value was not provided in the constructor, a UUIDv4 will have been assigned. @@ -84,10 +82,28 @@ def bom_ref(self) -> Optional[str]: def bom_ref(self, bom_ref: Optional[str]) -> None: self._bom_ref = bom_ref + @property + def provider(self) -> Optional[OrganizationalEntity]: + """ + Get the The organization that provides the service. + + Returns: + `OrganizationalEntity` if set else `None` + """ + return self._provider + + @provider.setter + def provider(self, provider: Optional[OrganizationalEntity]) -> None: + self._provider = provider + @property def group(self) -> Optional[str]: """ - A group of the service as provided by the source. + The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or + project that produced the service or domain name. Whitespace and special characters should be avoided. + + Returns: + `str` if provided else `None` """ return self._group @@ -98,7 +114,10 @@ def group(self, group: Optional[str]) -> None: @property def name(self) -> str: """ - A name of the service as provided by the source. + The name of the service. This will often be a shortened, single name of the service. + + Returns: + `str` """ return self._name @@ -109,7 +128,10 @@ def name(self, name: str) -> None: @property def version(self) -> Optional[str]: """ - A version of the service as provided by the source. + The service version. + + Returns: + `str` if set else `None` """ return self._version @@ -120,7 +142,10 @@ def version(self, version: Optional[str]) -> None: @property def description(self) -> Optional[str]: """ - A description of the service as provided by the source. + Specifies a description for the service. + + Returns: + `str` if set else `None` """ return self._description @@ -129,20 +154,42 @@ def description(self, description: Optional[str]) -> None: self._description = description @property - def endpoints(self) -> Optional[List[str]]: + def endpoints(self) -> Optional[List[XsUri]]: """ - A list of endpoints for the service as provided by the source. + A list of endpoints URI's this service provides. + + Returns: + List of `XsUri` else `None` """ return self._endpoints @endpoints.setter - def endpoints(self, endpoints: Optional[List[str]]) -> None: + def endpoints(self, endpoints: Optional[List[XsUri]]) -> None: self._endpoints = endpoints + def add_endpoint(self, endpoint: XsUri) -> None: + """ + Add an endpoint URI for this Service. + + Args: + endpoint: + `XsUri` instance to add + + Returns: + None + """ + self.endpoints = self._endpoints + [endpoint] + @property def authenticated(self) -> Optional[bool]: """ - A True/False or None value of if the service requires authentication as provided by the source. + A boolean value indicating if the service requires authentication. A value of true indicates the service + requires authentication prior to use. + + A value of false indicates the service does not require authentication. + + Returns: + `bool` if set else `None` """ return self._authenticated @@ -153,7 +200,13 @@ def authenticated(self, authenticated: Optional[bool]) -> None: @property def x_trust_boundary(self) -> Optional[bool]: """ - A True/False or None value of if the service has a X-Trust-Boundary as provided by the source. + A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates + that by using the service, a trust boundary is crossed. + + A value of false indicates that by using the service, a trust boundary is not crossed. + + Returns: + `bool` if set else `None` """ return self._x_trust_boundary @@ -162,42 +215,64 @@ def x_trust_boundary(self, x_trust_boundary: Optional[bool]) -> None: self._x_trust_boundary = x_trust_boundary @property - def data(self) -> Optional[List[Data]]: + def data(self) -> Optional[List[DataClassification]]: """ - A list of data information for the service as provided by the source. + Specifies the data classification. + + Returns: + List of `DataClassificiation` or `None` """ return self._data @data.setter - def data(self, data: Optional[List[Data]]) -> None: + def data(self, data: Optional[List[DataClassification]]) -> None: self._data = data @property - def licenses(self) -> Optional[List[LicenseChoice]]: + def licenses(self) -> List[LicenseChoice]: """ - A list of licenses for the service as provided by the source. + A optional list of statements about how this Service is licensed. + + Returns: + List of `LicenseChoice` else `None` """ return self._licenses @licenses.setter - def licenses(self, licenses: Optional[List[LicenseChoice]]) -> None: + def licenses(self, licenses: List[LicenseChoice]) -> None: self._licenses = licenses @property - def external_references(self) -> Optional[List[ExternalReference]]: + def external_references(self) -> List[ExternalReference]: """ - A list of externalReferences for the service as provided by the source. + Provides the ability to document external references related to the Service. + + Returns: + List of `ExternalReference`s """ return self._external_references @external_references.setter - def external_references(self, external_references: Optional[List[ExternalReference]]) -> None: + def external_references(self, external_references: List[ExternalReference]) -> None: self._external_references = external_references + def add_external_reference(self, reference: ExternalReference) -> None: + """ + Add an `ExternalReference` to this `Service`. + + Args: + reference: + `ExternalReference` instance to add. + """ + self.external_references = self._external_references + [reference] + @property def release_notes(self) -> Optional[ReleaseNotes]: """ - A release note for the service as provided by the source. + Specifies optional release notes. + + Returns: + `ReleaseNotes` or `None` """ return self._release_notes @@ -208,7 +283,11 @@ def release_notes(self, release_notes: Optional[ReleaseNotes]) -> None: @property def properties(self) -> Optional[List[Property]]: """ - A list of properties for the service as provided by the source. + Provides the ability to document properties in a key/value store. This provides flexibility to include data not + officially supported in the standard without having to use additional namespaces or create extensions. + + Return: + List of `Property` or `None` """ return self._properties @@ -216,13 +295,13 @@ def properties(self) -> Optional[List[Property]]: def properties(self, properties: Optional[List[Property]]) -> None: self._properties = properties - @property - def signature(self) -> Optional[Signature]: - """ - A JSF signature for the service as provided by the source. - """ - return self._signature - - @signature.setter - def signature(self, signature: Optional[Signature]) -> None: - self._signature = signature + # @property + # def signature(self) -> Optional[Signature]: + # """ + # A JSF signature for the service as provided by the source. + # """ + # return self._signature + # + # @signature.setter + # def signature(self, signature: Optional[Signature]) -> None: + # self._signature = signature diff --git a/cyclonedx/output/json.py b/cyclonedx/output/json.py index 1b7bcdec..fef1916c 100644 --- a/cyclonedx/output/json.py +++ b/cyclonedx/output/json.py @@ -51,11 +51,12 @@ def generate(self, force_regeneration: bool = False) -> None: return vulnerabilities: Dict[str, List[Dict[Any, Any]]] = {"vulnerabilities": []} - for component in self.get_bom().components: - for vulnerability in component.get_vulnerabilities(): - vulnerabilities['vulnerabilities'].append( - json.loads(json.dumps(vulnerability, cls=CycloneDxJSONEncoder)) - ) + if self.get_bom().components: + for component in self.get_bom().components: + for vulnerability in component.get_vulnerabilities(): + vulnerabilities['vulnerabilities'].append( + json.loads(json.dumps(vulnerability, cls=CycloneDxJSONEncoder)) + ) bom_json = json.loads(json.dumps(self.get_bom(), cls=CycloneDxJSONEncoder)) bom_json = json.loads(self._specialise_output_for_schema_version(bom_json=bom_json)) @@ -94,6 +95,15 @@ def _specialise_output_for_schema_version(self, bom_json: Dict[Any, Any]) -> str else: bom_json['components'] = [] + # Iterate Services + if 'services' in bom_json.keys(): + for i in range(len(bom_json['services'])): + if not self.services_supports_properties() and 'properties' in bom_json['services'][i].keys(): + del bom_json['services'][i]['properties'] + + if not self.services_supports_release_notes() and 'releaseNotes' in bom_json['services'][i].keys(): + del bom_json['services'][i]['releaseNotes'] + # Iterate Vulnerabilities if 'vulnerabilities' in bom_json.keys(): for i in range(len(bom_json['vulnerabilities'])): diff --git a/cyclonedx/output/schema.py b/cyclonedx/output/schema.py index 87e8ca18..138f613c 100644 --- a/cyclonedx/output/schema.py +++ b/cyclonedx/output/schema.py @@ -31,6 +31,15 @@ def bom_metadata_supports_tools(self) -> bool: def bom_metadata_supports_tools_external_references(self) -> bool: return True + def bom_supports_services(self) -> bool: + return True + + def services_supports_properties(self) -> bool: + return True + + def services_supports_release_notes(self) -> bool: + return True + def bom_supports_vulnerabilities(self) -> bool: return True @@ -77,6 +86,9 @@ class SchemaVersion1Dot3(BaseSchemaVersion): def bom_metadata_supports_tools_external_references(self) -> bool: return False + def services_supports_release_notes(self) -> bool: + return False + def bom_supports_vulnerabilities(self) -> bool: return False @@ -98,6 +110,12 @@ class SchemaVersion1Dot2(BaseSchemaVersion): def bom_metadata_supports_tools_external_references(self) -> bool: return False + def services_supports_properties(self) -> bool: + return False + + def services_supports_release_notes(self) -> bool: + return False + def bom_supports_vulnerabilities(self) -> bool: return False @@ -122,6 +140,15 @@ def bom_metadata_supports_tools(self) -> bool: def bom_metadata_supports_tools_external_references(self) -> bool: return False + def bom_supports_services(self) -> bool: + return False + + def services_supports_properties(self) -> bool: + return False + + def services_supports_release_notes(self) -> bool: + return False + def bom_supports_vulnerabilities(self) -> bool: return False @@ -152,6 +179,15 @@ def bom_metadata_supports_tools(self) -> bool: def bom_metadata_supports_tools_external_references(self) -> bool: return False + def bom_supports_services(self) -> bool: + return False + + def services_supports_properties(self) -> bool: + return False + + def services_supports_release_notes(self) -> bool: + return False + def bom_supports_vulnerabilities(self) -> bool: return False diff --git a/cyclonedx/output/serializer/json.py b/cyclonedx/output/serializer/json.py index e1a65267..5d0398c6 100644 --- a/cyclonedx/output/serializer/json.py +++ b/cyclonedx/output/serializer/json.py @@ -31,7 +31,7 @@ from cyclonedx.model import XsUri HYPHENATED_ATTRIBUTES = [ - 'bom_ref', 'mime_type' + 'bom_ref', 'mime_type', 'x_trust_boundary' ] PYTHON_TO_JSON_NAME = compile(r'_([a-z])') @@ -78,7 +78,7 @@ def default(self, o: Any) -> Any: new_key = PYTHON_TO_JSON_NAME.sub(lambda x: x.group(1).upper(), new_key) # Skip any None values - if v: + if v or v is False: if isinstance(v, PackageURL): # Special handling of PackageURL instances which JSON would otherwise automatically encode to # an Array diff --git a/tests/fixtures/bom_v1.2_services_complex.json b/tests/fixtures/bom_v1.2_services_complex.json new file mode 100644 index 00000000..dfc82f66 --- /dev/null +++ b/tests/fixtures/bom_v1.2_services_complex.json @@ -0,0 +1,84 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.2a.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.2", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION" + } + ], + "component": { + "type": "library", + "bom-ref": "17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "my-specific-bom-ref-for-my-first-service", + "provider": { + "contact": [ + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + }, + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org" + ] + }, + "group": "a-group", + "name": "my-first-service", + "version": "1.2.3", + "description": "Description goes here", + "endpoints": [ + "/api/thing/1", + "/api/thing/2" + ], + "authenticated": false, + "x-trust-boundary": true, + "data": [ + { + "classification": "public", + "flow": "outbound" + } + ], + "licenses": [ + { + "expression": "Commercial" + } + ], + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ] + }, + { + "bom-ref": "0b049d09-64c0-4490-a0f5-c84d9aacf857", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/fixtures/bom_v1.2_services_simple.json b/tests/fixtures/bom_v1.2_services_simple.json new file mode 100644 index 00000000..a19dd04d --- /dev/null +++ b/tests/fixtures/bom_v1.2_services_simple.json @@ -0,0 +1,34 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.2a.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.2", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION" + } + ], + "component": { + "type": "library", + "bom-ref": "17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "0b049d09-64c0-4490-a0f5-c84d9aacf857", + "name": "my-first-service" + }, + { + "bom-ref": "0b049d09-64c0-4490-a0f5-c84d9aacf857", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/fixtures/bom_v1.4_setuptools_with_vulnerabilities.json b/tests/fixtures/bom_v1.4_setuptools_with_vulnerabilities.json index 260af12e..ee9ba1b7 100644 --- a/tests/fixtures/bom_v1.4_setuptools_with_vulnerabilities.json +++ b/tests/fixtures/bom_v1.4_setuptools_with_vulnerabilities.json @@ -126,7 +126,7 @@ "contact": [ { "name": "Paul Horton", - "email": "simplyecommerce@googlemail.com" + "email": "paul.horton@owasp.org" }, { "name": "A N Other", diff --git a/tests/test_model_service.py b/tests/test_model_service.py new file mode 100644 index 00000000..c19f842a --- /dev/null +++ b/tests/test_model_service.py @@ -0,0 +1,45 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. +from unittest import TestCase +from unittest.mock import Mock, patch + +from cyclonedx.model.service import Service + + +class TestModelService(TestCase): + + @patch('cyclonedx.model.service.uuid4', return_value='77d15ab9-5602-4cca-8ed2-59ae579aafd3') + def test_minimal_service(self, mock_uuid: Mock) -> None: + s = Service(name='my-test-service') + mock_uuid.assert_called() + self.assertEqual(s.name, 'my-test-service') + self.assertEqual(s.bom_ref, '77d15ab9-5602-4cca-8ed2-59ae579aafd3') + self.assertIsNone(s.provider) + self.assertIsNone(s.group) + self.assertIsNone(s.version) + self.assertIsNone(s.description) + self.assertIsNone(s.endpoints) + self.assertIsNone(s.authenticated) + self.assertIsNone(s.x_trust_boundary) + self.assertIsNone(s.data) + self.assertListEqual(s.licenses, []) + self.assertListEqual(s.external_references, []) + self.assertIsNone(s.release_notes) + self.assertIsNone(s.properties) + diff --git a/tests/test_output_json.py b/tests/test_output_json.py index c424e2f5..b21975ba 100644 --- a/tests/test_output_json.py +++ b/tests/test_output_json.py @@ -20,15 +20,18 @@ from decimal import Decimal from datetime import datetime, timezone from os.path import dirname, join +from typing import List + from packageurl import PackageURL from unittest.mock import Mock, patch from cyclonedx.model import Encoding, ExternalReference, ExternalReferenceType, HashType, LicenseChoice, Note, \ - NoteText, OrganizationalContact, OrganizationalEntity, Property, Tool, XsUri + NoteText, OrganizationalContact, OrganizationalEntity, Property, Tool, XsUri, DataClassification, DataFlow from cyclonedx.model.bom import Bom from cyclonedx.model.component import Component, ComponentType from cyclonedx.model.issue import IssueClassification, IssueType from cyclonedx.model.release_note import ReleaseNotes +from cyclonedx.model.service import Service from cyclonedx.model.vulnerability import ImpactAnalysisState, ImpactAnalysisJustification, ImpactAnalysisResponse, \ ImpactAnalysisAffectedStatus, Vulnerability, VulnerabilityCredits, VulnerabilityRating, VulnerabilitySeverity, \ VulnerabilitySource, VulnerabilityScoreSource, VulnerabilityAdvisory, VulnerabilityReference, \ @@ -39,6 +42,7 @@ class TestOutputJson(BaseJsonTestCase): + timestamp: datetime = datetime(2021, 12, 31, 10, 0, 0, 0).replace(tzinfo=timezone.utc) def test_simple_bom_v1_4(self) -> None: bom = Bom() @@ -175,17 +179,7 @@ def test_bom_v1_3_with_component_external_references(self) -> None: c.add_hash( HashType.from_composite_str('sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b') ) - c.add_external_reference( - ExternalReference( - reference_type=ExternalReferenceType.DISTRIBUTION, - url='https://cyclonedx.org', - comment='No comment', - hashes=[ - HashType.from_composite_str( - 'sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b') - ] - ) - ) + c.add_external_reference(TestOutputJson._get_external_reference_1()) bom.add_component(c) outputter: Json = get_instance(bom=bom, output_format=OutputFormat.JSON) self.assertIsInstance(outputter, JsonV1Dot3) @@ -247,56 +241,12 @@ def test_with_component_release_notes_pre_1_4(self) -> None: def test_with_component_release_notes_post_1_4(self) -> None: bom = Bom() - timestamp: datetime = datetime(2021, 12, 31, 10, 0, 0, 0).replace(tzinfo=timezone.utc) - - text_content: str = base64.b64encode( - bytes('Some simple plain text', encoding='UTF-8') - ).decode(encoding='UTF-8') - c = Component( name='setuptools', version='50.3.2', bom_ref='pkg:pypi/setuptools@50.3.2?extension=tar.gz', purl=PackageURL( type='pypi', name='setuptools', version='50.3.2', qualifiers='extension=tar.gz' ), - release_notes=ReleaseNotes( - type='major', title="Release Notes Title", - featured_image=XsUri('https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png'), - social_image=XsUri('https://cyclonedx.org/cyclonedx-icon.png'), - description="This release is a test release", timestamp=timestamp, - aliases=[ - "First Test Release" - ], - tags=['test', 'alpha'], - resolves=[ - IssueType( - classification=IssueClassification.SECURITY, id='CVE-2021-44228', name='Apache Log3Shell', - description='Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features...', - source_name='NVD', source_url=XsUri('https://nvd.nist.gov/vuln/detail/CVE-2021-44228'), - references=[ - XsUri('https://logging.apache.org/log4j/2.x/security.html'), - XsUri('https://central.sonatype.org/news/20211213_log4shell_help') - ] - ) - ], - notes=[ - Note( - text=NoteText( - content=text_content, content_type='text/plain; charset=UTF-8', - content_encoding=Encoding.BASE_64 - ), locale='en-GB' - ), - Note( - text=NoteText( - content=text_content, content_type='text/plain; charset=UTF-8', - content_encoding=Encoding.BASE_64 - ), locale='en-US' - ) - ], - properties=[ - Property(name='key1', value='val1'), - Property(name='key2', value='val2') - ] - ) + release_notes=TestOutputJson._get_release_notes() ) bom.add_component(c) outputter: Json = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_4) @@ -350,13 +300,7 @@ def test_simple_bom_v1_4_with_vulnerabilities(self) -> None: tzinfo=timezone.utc), credits=VulnerabilityCredits( organizations=[ - OrganizationalEntity( - name='CycloneDX', urls=[XsUri('https://cyclonedx.org')], contacts=[ - OrganizationalContact(name='Paul Horton', email='simplyecommerce@googlemail.com'), - OrganizationalContact(name='A N Other', email='someone@somewhere.tld', - phone='+44 (0)1234 567890') - ] - ) + TestOutputJson._get_org_entity_1() ], individuals=[ OrganizationalContact(name='A N Other', email='someone@somewhere.tld', phone='+44 (0)1234 567890'), @@ -395,4 +339,156 @@ def test_bom_v1_3_with_metadata_component(self, mock_uuid: Mock) -> None: with open(join(dirname(__file__), 'fixtures/bom_v1.3_with_metadata_component.json')) as expected_json: self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) - maxDiff = None + @patch('cyclonedx.model.component.uuid4', return_value='17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda') + @patch('cyclonedx.model.service.uuid4', return_value='0b049d09-64c0-4490-a0f5-c84d9aacf857') + def test_bom_v1_2_services(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = Bom(services=[ + Service(name='my-first-service'), + Service(name='my-second-service') + ]) + bom.metadata.component = Component( + name='cyclonedx-python-lib', version='1.0.0', component_type=ComponentType.LIBRARY + ) + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_2) + self.assertIsInstance(outputter, JsonV1Dot2) + with open(join(dirname(__file__), 'fixtures/bom_v1.2_services_simple.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_2) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @patch('cyclonedx.model.component.uuid4', return_value='17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda') + @patch('cyclonedx.model.service.uuid4', return_value='0b049d09-64c0-4490-a0f5-c84d9aacf857') + def test_bom_v1_2_services_simple(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_simple() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_2) + self.assertIsInstance(outputter, JsonV1Dot2) + with open(join(dirname(__file__), 'fixtures/bom_v1.2_services_simple.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_2) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @patch('cyclonedx.model.component.uuid4', return_value='17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda') + @patch('cyclonedx.model.service.uuid4', return_value='0b049d09-64c0-4490-a0f5-c84d9aacf857') + def test_bom_v1_2_services_complex(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_complex() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_2) + self.assertIsInstance(outputter, JsonV1Dot2) + with open(join(dirname(__file__), 'fixtures/bom_v1.2_services_complex.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_2) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @staticmethod + def _get_bom_with_services_simple() -> Bom: + bom = Bom(services=[ + Service(name='my-first-service'), + Service(name='my-second-service') + ]) + bom.metadata.component = Component( + name='cyclonedx-python-lib', version='1.0.0', component_type=ComponentType.LIBRARY + ) + return bom + + @staticmethod + def _get_bom_with_services_complex() -> Bom: + bom = Bom(services=[ + Service( + name='my-first-service', bom_ref='my-specific-bom-ref-for-my-first-service', + provider=TestOutputJson._get_org_entity_1(), group='a-group', version='1.2.3', + description='Description goes here', endpoints=[ + XsUri('/api/thing/1'), + XsUri('/api/thing/2') + ], + authenticated=False, x_trust_boundary=True, data=[ + DataClassification(flow=DataFlow.OUTBOUND, classification='public') + ], + licenses=[ + LicenseChoice(license_expression='Commercial') + ], + external_references=[ + TestOutputJson._get_external_reference_1() + ], + properties=TestOutputJson._get_properties_1(), + release_notes=TestOutputJson._get_release_notes() + ), + Service(name='my-second-service') + ]) + bom.metadata.component = Component( + name='cyclonedx-python-lib', version='1.0.0', component_type=ComponentType.LIBRARY + ) + return bom + + @staticmethod + def _get_external_reference_1() -> ExternalReference: + return ExternalReference( + reference_type=ExternalReferenceType.DISTRIBUTION, + url='https://cyclonedx.org', + comment='No comment', + hashes=[ + HashType.from_composite_str( + 'sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b') + ] + ) + + @staticmethod + def _get_org_entity_1() -> OrganizationalEntity: + return OrganizationalEntity( + name='CycloneDX', urls=[XsUri('https://cyclonedx.org')], contacts=[ + OrganizationalContact(name='Paul Horton', email='paul.horton@owasp.org'), + OrganizationalContact(name='A N Other', email='someone@somewhere.tld', + phone='+44 (0)1234 567890') + ] + ) + + @staticmethod + def _get_properties_1() -> List[Property]: + return [ + Property(name='key1', value='val1'), + Property(name='key2', value='val2') + ] + + @staticmethod + def _get_release_notes() -> ReleaseNotes: + text_content: str = base64.b64encode( + bytes('Some simple plain text', encoding='UTF-8') + ).decode(encoding='UTF-8') + + return ReleaseNotes( + type='major', title="Release Notes Title", + featured_image=XsUri('https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png'), + social_image=XsUri('https://cyclonedx.org/cyclonedx-icon.png'), + description="This release is a test release", timestamp=TestOutputJson.timestamp, + aliases=[ + "First Test Release" + ], + tags=['test', 'alpha'], + resolves=[ + IssueType( + classification=IssueClassification.SECURITY, id='CVE-2021-44228', name='Apache Log3Shell', + description='Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features...', + source_name='NVD', source_url=XsUri('https://nvd.nist.gov/vuln/detail/CVE-2021-44228'), + references=[ + XsUri('https://logging.apache.org/log4j/2.x/security.html'), + XsUri('https://central.sonatype.org/news/20211213_log4shell_help') + ] + ) + ], + notes=[ + Note( + text=NoteText( + content=text_content, content_type='text/plain; charset=UTF-8', + content_encoding=Encoding.BASE_64 + ), locale='en-GB' + ), + Note( + text=NoteText( + content=text_content, content_type='text/plain; charset=UTF-8', + content_encoding=Encoding.BASE_64 + ), locale='en-US' + ) + ], + properties=TestOutputJson._get_properties_1() + ) From 267391d534ae7a43797a9c003a5d75f585164b58 Mon Sep 17 00:00:00 2001 From: Paul Horton Date: Wed, 26 Jan 2022 10:51:06 +0000 Subject: [PATCH 07/19] addressed standards Signed-off-by: Paul Horton --- cyclonedx/model/__init__.py | 112 +----------------------------------- cyclonedx/model/bom.py | 26 +++++---- cyclonedx/model/service.py | 17 +----- cyclonedx/output/json.py | 5 +- cyclonedx/output/xml.py | 55 +++++++++--------- tests/test_model_service.py | 1 - 6 files changed, 49 insertions(+), 167 deletions(-) diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index a91396f6..feeaff51 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -114,122 +114,12 @@ def classification(self) -> str: `str` """ return self._classification - + @classification.setter def classification(self, classification: str) -> None: self._classification = classification -# class SignatureAlgorithm(Enum): -# """ -# This is out internal representation of the algorithm simple type within the CycloneDX standard. -# -# .. note:: -# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#tab-pane_signature_oneOf_i2_algorithm_oneOf_i0 -# """ -# RS256 = "RS256" -# RS384 = "RS384" -# RS512 = "RS512" -# PS256 = "PS256" -# PS384 = "PS384" -# PS512 = "PS512" -# ES256 = "ES256" -# ES384 = "ES384" -# ES512 = "ES512" -# ED25519 = "Ed25519" -# ED448 = "Ed448" -# HS256 = "HS256" -# HS384 = "HS384" -# HS512 = "HS512" -# -# -# class SignaturePublicKeyKty(Enum): -# """ -# This is our internal representation of the kty simple type within the CycloneDX standard. -# -# .. note:: -# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_kty -# """ -# EC = "EC" -# OKP = "OKP" -# RSA = "RSA" -# -# -# class SignaturePublicKeyCrv(Enum): -# """ -# This is our internal representation of the crv simple type within the CycloneDX standard. -# -# .. note:: -# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_allOf_i1_then_crv -# """ -# ED25519 = "Ed25519" -# Ed448 = "Ed448" -# -# -# class SignaturePublicKey: -# """ -# This is our internal representation of the public key complex type within the CycloneDX standard. -# -# .. note:: -# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey -# JSON only -# """ -# -# def __init__(self, kty: SignaturePublicKeyKty = None, crv: Optional[SignaturePublicKeyCrv] = None, -# x: Optional[str] = None, y: Optional[str] = None, -# n: Optional[str] = None, e: Optional[str] = None, -# value: str = None) -> None: -# if not kty and not value: -# raise NoPropertiesProvidedException( -# '`kty` must be supplied' -# ) -# if kty == SignaturePublicKeyKty.EC and not crv and not x and not y: -# raise NoPropertiesProvidedException( -# 'if `kty` equals EC, `crv`, `x` and `y` must be supplied' -# ) -# if kty == SignaturePublicKeyKty.OKP and not crv and not x: -# raise NoPropertiesProvidedException( -# 'if `kty` equals OKP, `crv`, and `x` must be supplied' -# ) -# if kty == SignaturePublicKeyKty.RSA and not n and not e: -# raise NoPropertiesProvidedException( -# 'if `kty` equals RSA, `n`, and `e` must be supplied' -# ) -# self.kty = kty -# self.crv = crv -# self.x = x -# self.y = y -# self.n = n -# self.e = e -# self.value = value -# -# -# class Signature: -# """ -# This is out internal representation of the signature complex type within the CycloneDX standard. -# -# .. note:: -# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature -# JSON only -# """ -# -# def __init__(self, algorithm: SignatureAlgorithm, key_id: Optional[str], -# public_key: Optional[SignaturePublicKey] = None, -# certificate_path: Optional[List[str]] = None, -# excludes: Optional[List[str]] = None, -# value: str = None) -> None: -# if not algorithm and not value: -# raise NoPropertiesProvidedException( -# 'One of `algorithm` or `value` must be supplied - neither supplied' -# ) -# self.algorithm = algorithm -# self.key_id = key_id -# self.public_key = public_key -# self.certificate_path = certificate_path -# self.excludes = excludes -# self.value = value - - class Encoding(Enum): """ This is out internal representation of the encoding simple type within the CycloneDX standard. diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index 5786ea0a..cbfcbb39 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -18,7 +18,7 @@ # Copyright (c) OWASP Foundation. All Rights Reserved. from datetime import datetime, timezone -from typing import List, Optional +from typing import cast, List, Optional from uuid import uuid4, UUID from . import ThisTool, Tool @@ -178,17 +178,17 @@ def metadata(self, metadata: BomMetaData) -> None: self._metadata = metadata @property - def components(self) -> List[Component]: + def components(self) -> Optional[List[Component]]: """ Get all the Components currently in this Bom. Returns: - List of all Components in this Bom. + List of all Components in this Bom or `None` """ return self._components @components.setter - def components(self, components: List[Component]) -> None: + def components(self, components: Optional[List[Component]]) -> None: self._components = components def add_component(self, component: Component) -> None: @@ -205,7 +205,7 @@ def add_component(self, component: Component) -> None: if not self.components: self.components = [component] elif not self.has_component(component=component): - self._components.append(component) + self.components.append(component) def add_components(self, components: List[Component]) -> None: """ @@ -218,7 +218,7 @@ def add_components(self, components: List[Component]) -> None: Returns: None """ - self.components = self._components + components + self.components = (self._components or []) + components def component_count(self) -> int: """ @@ -227,7 +227,7 @@ def component_count(self) -> int: Returns: The number of Components in this Bom as `int`. """ - return len(self._components) + return len(self._components) if self._components else 0 def get_component_by_purl(self, purl: Optional[str]) -> Optional[Component]: """ @@ -240,8 +240,11 @@ def get_component_by_purl(self, purl: Optional[str]) -> Optional[Component]: Returns: `Component` or `None` """ + if not self._components: + return None + if purl: - found = list(filter(lambda x: x.purl == purl, self.components)) + found = list(filter(lambda x: x.purl == purl, cast(List[Component], self.components))) if len(found) == 1: return found[0] @@ -279,9 +282,10 @@ def has_vulnerabilities(self) -> bool: `bool` - `True` if at least one `cyclonedx.model.component.Component` has at least one Vulnerability, `False` otherwise. """ - for c in self.components: - if c.has_vulnerabilities(): - return True + if self.components: + for c in self.components: + if c.has_vulnerabilities(): + return True return False diff --git a/cyclonedx/model/service.py b/cyclonedx/model/service.py index b8bf3afe..674d0761 100644 --- a/cyclonedx/model/service.py +++ b/cyclonedx/model/service.py @@ -46,8 +46,7 @@ def __init__(self, name: str, bom_ref: Optional[str] = None, provider: Optional[ # services: Optional[List[Service]] = None, -- I have no clue how to do this, # commenting out so someone else can release_notes: Optional[ReleaseNotes] = None, - # signature: Optional[Signature] = None - ): + ) -> None: self.bom_ref = bom_ref or str(uuid4()) self.provider = provider self.group = group @@ -63,7 +62,6 @@ def __init__(self, name: str, bom_ref: Optional[str] = None, provider: Optional[ # self.services = services -- no clue self.release_notes = release_notes self.properties = properties - # self.signature = signature @property def bom_ref(self) -> Optional[str]: @@ -178,7 +176,7 @@ def add_endpoint(self, endpoint: XsUri) -> None: Returns: None """ - self.endpoints = self._endpoints + [endpoint] + self.endpoints = (self._endpoints or []) + [endpoint] @property def authenticated(self) -> Optional[bool]: @@ -294,14 +292,3 @@ def properties(self) -> Optional[List[Property]]: @properties.setter def properties(self, properties: Optional[List[Property]]) -> None: self._properties = properties - - # @property - # def signature(self) -> Optional[Signature]: - # """ - # A JSF signature for the service as provided by the source. - # """ - # return self._signature - # - # @signature.setter - # def signature(self, signature: Optional[Signature]) -> None: - # self._signature = signature diff --git a/cyclonedx/output/json.py b/cyclonedx/output/json.py index fef1916c..e8460a20 100644 --- a/cyclonedx/output/json.py +++ b/cyclonedx/output/json.py @@ -19,13 +19,14 @@ import json from abc import abstractmethod -from typing import Any, Dict, List, Optional, Union +from typing import cast, Any, Dict, List, Optional, Union from . import BaseOutput from .schema import BaseSchemaVersion, SchemaVersion1Dot0, SchemaVersion1Dot1, SchemaVersion1Dot2, SchemaVersion1Dot3, \ SchemaVersion1Dot4 from .serializer.json import CycloneDxJSONEncoder from ..model.bom import Bom +from ..model.component import Component ComponentDict = Dict[str, Union[ @@ -52,7 +53,7 @@ def generate(self, force_regeneration: bool = False) -> None: vulnerabilities: Dict[str, List[Dict[Any, Any]]] = {"vulnerabilities": []} if self.get_bom().components: - for component in self.get_bom().components: + for component in cast(List[Component], self.get_bom().components): for vulnerability in component.get_vulnerabilities(): vulnerabilities['vulnerabilities'].append( json.loads(json.dumps(vulnerability, cls=CycloneDxJSONEncoder)) diff --git a/cyclonedx/output/xml.py b/cyclonedx/output/xml.py index c4ba91fc..1282449e 100644 --- a/cyclonedx/output/xml.py +++ b/cyclonedx/output/xml.py @@ -18,7 +18,7 @@ # Copyright (c) OWASP Foundation. All Rights Reserved. import warnings -from typing import List, Optional +from typing import cast, List, Optional from xml.etree import ElementTree from . import BaseOutput @@ -51,33 +51,34 @@ def generate(self, force_regeneration: bool = False) -> None: components_element = ElementTree.SubElement(self._root_bom_element, 'components') has_vulnerabilities: bool = False - for component in self.get_bom().components: - component_element = self._add_component_element(component=component) - components_element.append(component_element) - if self.bom_supports_vulnerabilities_via_extension() and component.has_vulnerabilities(): - # Vulnerabilities are only possible when bom-ref is supported by the main CycloneDX schema version - vulnerabilities = ElementTree.SubElement(component_element, 'v:vulnerabilities') - for vulnerability in component.get_vulnerabilities(): - if component.bom_ref: - vulnerabilities.append( - self._get_vulnerability_as_xml_element_pre_1_3(bom_ref=component.bom_ref, - vulnerability=vulnerability) + if self.get_bom().components: + for component in cast(List[Component], self.get_bom().components): + component_element = self._add_component_element(component=component) + components_element.append(component_element) + if self.bom_supports_vulnerabilities_via_extension() and component.has_vulnerabilities(): + # Vulnerabilities are only possible when bom-ref is supported by the main CycloneDX schema version + vulnerabilities = ElementTree.SubElement(component_element, 'v:vulnerabilities') + for vulnerability in component.get_vulnerabilities(): + if component.bom_ref: + vulnerabilities.append( + self._get_vulnerability_as_xml_element_pre_1_3(bom_ref=component.bom_ref, + vulnerability=vulnerability) + ) + else: + warnings.warn( + f'Unable to include Vulnerability {str(vulnerability)} in generated BOM as the ' + f'Component it relates to ({str(component)}) but it has no bom-ref.' + ) + elif component.has_vulnerabilities(): + has_vulnerabilities = True + + if self.bom_supports_vulnerabilities() and has_vulnerabilities: + vulnerabilities_element = ElementTree.SubElement(self._root_bom_element, 'vulnerabilities') + for component in cast(List[Component], self.get_bom().components): + for vulnerability in component.get_vulnerabilities(): + vulnerabilities_element.append( + self._get_vulnerability_as_xml_element_post_1_4(vulnerability=vulnerability) ) - else: - warnings.warn( - f'Unable to include Vulnerability {str(vulnerability)} in generated BOM as the Component' - f'it relates to ({str(component)}) but it has no bom-ref.' - ) - elif component.has_vulnerabilities(): - has_vulnerabilities = True - - if self.bom_supports_vulnerabilities() and has_vulnerabilities: - vulnerabilities_element = ElementTree.SubElement(self._root_bom_element, 'vulnerabilities') - for component in self.get_bom().components: - for vulnerability in component.get_vulnerabilities(): - vulnerabilities_element.append( - self._get_vulnerability_as_xml_element_post_1_4(vulnerability=vulnerability) - ) self.generated = True diff --git a/tests/test_model_service.py b/tests/test_model_service.py index c19f842a..47571b76 100644 --- a/tests/test_model_service.py +++ b/tests/test_model_service.py @@ -42,4 +42,3 @@ def test_minimal_service(self, mock_uuid: Mock) -> None: self.assertListEqual(s.external_references, []) self.assertIsNone(s.release_notes) self.assertIsNone(s.properties) - From 75ad0bd83745ab97dfd5926f07859353d86d89ee Mon Sep 17 00:00:00 2001 From: github-actions Date: Mon, 24 Jan 2022 12:15:13 +0000 Subject: [PATCH 08/19] 1.2.0 Automatically generated by python-semantic-release Signed-off-by: Paul Horton --- CHANGELOG.md | 4 ++++ pyproject.toml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bea0a616..e9441bf0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ +## v1.2.0 (2022-01-24) +### Feature +* Add CPE to component ([#138](https://github.com/CycloneDX/cyclonedx-python-lib/issues/138)) ([`269ee15`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/269ee155f203d5771c56edb92f7279466bf2012f)) + ## v1.1.1 (2022-01-19) ### Fix * Bump dependencies ([#136](https://github.com/CycloneDX/cyclonedx-python-lib/issues/136)) ([`18ec498`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/18ec4987f6aa4a259d30000a19aa6ee1d49681d1)) diff --git a/pyproject.toml b/pyproject.toml index 2a176adf..1e69d9f6 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "cyclonedx-python-lib" -version = "1.1.1" +version = "1.2.0" description = "A library for producing CycloneDX SBOM (Software Bill of Materials) files." authors = ["Paul Horton "] maintainers = ["Paul Horton "] From b2611cfc73e688b45092fe4efe5e8e6a8889a936 Mon Sep 17 00:00:00 2001 From: Paul Horton Date: Mon, 24 Jan 2022 13:28:51 +0000 Subject: [PATCH 09/19] feat: `bom-ref` for Component and Vulnerability default to a UUID (#142) * feat: `bom-ref` for Component and Vulnerability default to a UUID if not supplied ensuring they have a unique value #141 Signed-off-by: Paul Horton * doc: updated documentation to reflect change Signed-off-by: Paul Horton * patched other tests to support UUID for bom-ref Signed-off-by: Paul Horton * better syntax Signed-off-by: Paul Horton --- cyclonedx/model/component.py | 9 ++++-- cyclonedx/model/vulnerability.py | 7 +++-- docs/modelling.rst | 6 +++- .../bom_v1.3_with_metadata_component.json | 1 + .../bom_v1.3_with_metadata_component.xml | 2 +- tests/test_model_component.py | 30 +++++++++++++++---- tests/test_model_vulnerability.py | 26 +++++++++++++++- tests/test_output_json.py | 8 +++-- tests/test_output_xml.py | 8 +++-- 9 files changed, 80 insertions(+), 17 deletions(-) diff --git a/cyclonedx/model/component.py b/cyclonedx/model/component.py index f0b1e6ad..8998620c 100644 --- a/cyclonedx/model/component.py +++ b/cyclonedx/model/component.py @@ -21,6 +21,7 @@ from enum import Enum from os.path import exists from typing import List, Optional +from uuid import uuid4 # See https://github.com/package-url/packageurl-python/issues/65 from packageurl import PackageURL # type: ignore @@ -112,7 +113,7 @@ def __init__(self, name: str, component_type: ComponentType = ComponentType.LIBR ) -> None: self.type = component_type self.mime_type = mime_type - self.bom_ref = bom_ref + self.bom_ref = bom_ref or str(uuid4()) self.supplier = supplier self.author = author self.publisher = publisher @@ -189,8 +190,10 @@ def bom_ref(self) -> Optional[str]: An optional identifier which can be used to reference the component elsewhere in the BOM. Every bom-ref MUST be unique within the BOM. + If a value was not provided in the constructor, a UUIDv4 will have been assigned. + Returns: - `str` as a unique identifiers for this Component if set else `None` + `str` as a unique identifiers for this Component """ return self._bom_ref @@ -507,7 +510,7 @@ def __eq__(self, other: object) -> bool: def __hash__(self) -> int: return hash(( - self.author, self.bom_ref, self.copyright, self.description, str(self.external_references), self.group, + self.author, self.copyright, self.description, str(self.external_references), self.group, str(self.hashes), str(self.licenses), self.mime_type, self.name, self.properties, self.publisher, self.purl, self.release_notes, self.scope, self.supplier, self.type, self.version, self.cpe )) diff --git a/cyclonedx/model/vulnerability.py b/cyclonedx/model/vulnerability.py index 1e7e832f..1a7a9720 100644 --- a/cyclonedx/model/vulnerability.py +++ b/cyclonedx/model/vulnerability.py @@ -24,6 +24,7 @@ from enum import Enum from typing import List, Optional, Tuple, Union from urllib.parse import ParseResult, urlparse +from uuid import uuid4 from . import OrganizationalContact, OrganizationalEntity, Tool, XsUri from .impact_analysis import ImpactAnalysisAffectedStatus, ImpactAnalysisJustification, ImpactAnalysisResponse, \ @@ -644,7 +645,7 @@ def __init__(self, bom_ref: Optional[str] = None, id: Optional[str] = None, # Deprecated Parameters kept for backwards compatibility source_name: Optional[str] = None, source_url: Optional[str] = None, recommendations: Optional[List[str]] = None) -> None: - self.bom_ref = bom_ref + self.bom_ref = bom_ref or str(uuid4()) self.id = id self.source = source self.references = references or [] @@ -677,8 +678,10 @@ def bom_ref(self) -> Optional[str]: """ Get the unique reference for this Vulnerability in this BOM. + If a value was not provided in the constructor, a UUIDv4 will have been assigned. + Returns: - `str` if set else `None` + `str` unique identifier for this Vulnerability """ return self._bom_ref diff --git a/docs/modelling.rst b/docs/modelling.rst index f8c36cc3..68626f4b 100644 --- a/docs/modelling.rst +++ b/docs/modelling.rst @@ -15,13 +15,17 @@ Examples From a Parser ~~~~~~~~~~~~~ + **Note:** Concreate parser implementations were moved out of this library and into `CycloneDX Python`_ as of version + ``1.0.0``. + .. code-block:: python from cyclonedx.model.bom import Bom - from cyclonedx.parser.environment import EnvironmentParser + from cyclonedx_py.parser.environment import EnvironmentParser parser = EnvironmentParser() bom = Bom.from_parser(parser=parser) +.. _CycloneDX Python: https://github.com/CycloneDX/cyclonedx-python .. _Jake: https://pypi.org/project/jake \ No newline at end of file diff --git a/tests/fixtures/bom_v1.3_with_metadata_component.json b/tests/fixtures/bom_v1.3_with_metadata_component.json index 1cb8628a..7290dfc7 100644 --- a/tests/fixtures/bom_v1.3_with_metadata_component.json +++ b/tests/fixtures/bom_v1.3_with_metadata_component.json @@ -14,6 +14,7 @@ } ], "component": { + "bom-ref": "be2c6502-7e9a-47db-9a66-e34f729810a3", "type": "library", "name": "cyclonedx-python-lib", "version": "1.0.0" diff --git a/tests/fixtures/bom_v1.3_with_metadata_component.xml b/tests/fixtures/bom_v1.3_with_metadata_component.xml index 6baf1884..1bbe3362 100644 --- a/tests/fixtures/bom_v1.3_with_metadata_component.xml +++ b/tests/fixtures/bom_v1.3_with_metadata_component.xml @@ -9,7 +9,7 @@ VERSION - + cyclonedx-python-lib 1.0.0 diff --git a/tests/test_model_component.py b/tests/test_model_component.py index ee8b42a6..a150b39a 100644 --- a/tests/test_model_component.py +++ b/tests/test_model_component.py @@ -1,4 +1,5 @@ from unittest import TestCase +from unittest.mock import Mock, patch from cyclonedx.model import ExternalReference, ExternalReferenceType from cyclonedx.model.component import Component, ComponentType @@ -6,18 +7,35 @@ class TestModelComponent(TestCase): - def test_empty_basic_component(self) -> None: + @patch('cyclonedx.model.component.uuid4', return_value='6f266d1c-760f-4552-ae3b-41a9b74232fa') + def test_empty_basic_component(self, mock_uuid: Mock) -> None: c = Component( name='test-component', version='1.2.3' ) + mock_uuid.assert_called() self.assertEqual(c.name, 'test-component') - self.assertEqual(c.version, '1.2.3') self.assertEqual(c.type, ComponentType.LIBRARY) - self.assertEqual(len(c.external_references), 0) - self.assertEqual(len(c.hashes), 0) + self.assertIsNone(c.mime_type) + self.assertEqual(c.bom_ref, '6f266d1c-760f-4552-ae3b-41a9b74232fa') + self.assertIsNone(c.supplier) + self.assertIsNone(c.author) + self.assertIsNone(c.publisher) + self.assertIsNone(c.group) + self.assertEqual(c.version, '1.2.3') + self.assertIsNone(c.description) + self.assertIsNone(c.scope) + self.assertListEqual(c.hashes, []) + self.assertListEqual(c.licenses, []) + self.assertIsNone(c.copyright) + self.assertIsNone(c.purl) + self.assertListEqual(c.external_references, []) + self.assertIsNone(c.properties) + self.assertIsNone(c.release_notes) + self.assertEqual(len(c.get_vulnerabilities()), 0) - def test_multiple_basic_components(self) -> None: + @patch('cyclonedx.model.component.uuid4', return_value='6f266d1c-760f-4552-ae3b-41a9b74232fa') + def test_multiple_basic_components(self, mock_uuid: Mock) -> None: c1 = Component( name='test-component', version='1.2.3' ) @@ -40,6 +58,8 @@ def test_multiple_basic_components(self) -> None: self.assertNotEqual(c1, c2) + mock_uuid.assert_called() + def test_external_references(self) -> None: c = Component( name='test-component', version='1.2.3' diff --git a/tests/test_model_vulnerability.py b/tests/test_model_vulnerability.py index 5e7c4e22..fe302c43 100644 --- a/tests/test_model_vulnerability.py +++ b/tests/test_model_vulnerability.py @@ -1,7 +1,9 @@ import unittest from unittest import TestCase +from unittest.mock import Mock, patch -from cyclonedx.model.vulnerability import VulnerabilityRating, VulnerabilitySeverity, VulnerabilityScoreSource +from cyclonedx.model.vulnerability import Vulnerability, VulnerabilityRating, VulnerabilitySeverity, \ + VulnerabilityScoreSource class TestModelVulnerability(TestCase): @@ -149,3 +151,25 @@ def test_v_source_get_localised_vector_other_2(self) -> None: VulnerabilityScoreSource.OTHER.get_localised_vector(vector='SOMETHING_OR_OTHER'), 'SOMETHING_OR_OTHER' ) + + @patch('cyclonedx.model.vulnerability.uuid4', return_value='0afa65bc-4acd-428b-9e17-8e97b1969745') + def test_empty_vulnerability(self, mock_uuid: Mock) -> None: + v = Vulnerability() + mock_uuid.assert_called() + self.assertEqual(v.bom_ref, '0afa65bc-4acd-428b-9e17-8e97b1969745') + self.assertIsNone(v.id) + self.assertIsNone(v.source) + self.assertListEqual(v.references, []) + self.assertListEqual(v.ratings, []) + self.assertListEqual(v.cwes, []) + self.assertIsNone(v.description) + self.assertIsNone(v.detail) + self.assertIsNone(v.recommendation) + self.assertListEqual(v.advisories, []) + self.assertIsNone(v.created) + self.assertIsNone(v.published) + self.assertIsNone(v.updated) + self.assertIsNone(v.credits) + self.assertListEqual(v.tools, []) + self.assertIsNone(v.analysis) + self.assertListEqual(v.affects, []) diff --git a/tests/test_output_json.py b/tests/test_output_json.py index cd043f38..c424e2f5 100644 --- a/tests/test_output_json.py +++ b/tests/test_output_json.py @@ -21,6 +21,7 @@ from datetime import datetime, timezone from os.path import dirname, join from packageurl import PackageURL +from unittest.mock import Mock, patch from cyclonedx.model import Encoding, ExternalReference, ExternalReferenceType, HashType, LicenseChoice, Note, \ NoteText, OrganizationalContact, OrganizationalEntity, Property, Tool, XsUri @@ -382,10 +383,13 @@ def test_simple_bom_v1_4_with_vulnerabilities(self) -> None: self.assertEqualJsonBom(expected_json.read(), outputter.output_as_string()) expected_json.close() - def test_bom_v1_3_with_metadata_component(self) -> None: + @patch('cyclonedx.model.component.uuid4', return_value='be2c6502-7e9a-47db-9a66-e34f729810a3') + def test_bom_v1_3_with_metadata_component(self, mock_uuid: Mock) -> None: bom = Bom() bom.metadata.component = Component( - name='cyclonedx-python-lib', version='1.0.0', component_type=ComponentType.LIBRARY) + name='cyclonedx-python-lib', version='1.0.0', component_type=ComponentType.LIBRARY + ) + mock_uuid.assert_called() outputter = get_instance(bom=bom, output_format=OutputFormat.JSON) self.assertIsInstance(outputter, JsonV1Dot3) with open(join(dirname(__file__), 'fixtures/bom_v1.3_with_metadata_component.json')) as expected_json: diff --git a/tests/test_output_xml.py b/tests/test_output_xml.py index 087b1416..c659d425 100644 --- a/tests/test_output_xml.py +++ b/tests/test_output_xml.py @@ -21,6 +21,7 @@ from decimal import Decimal from os.path import dirname, join from packageurl import PackageURL +from unittest.mock import Mock, patch from cyclonedx.model import Encoding, ExternalReference, ExternalReferenceType, HashType, Note, NoteText, \ OrganizationalContact, OrganizationalEntity, Property, Tool, XsUri @@ -520,10 +521,13 @@ def test_with_component_release_notes_post_1_4(self) -> None: namespace=outputter.get_target_namespace()) expected_xml.close() - def test_bom_v1_3_with_metadata_component(self) -> None: + @patch('cyclonedx.model.component.uuid4', return_value='5d82790b-3139-431d-855a-ab63d14a18bb') + def test_bom_v1_3_with_metadata_component(self, mock_uuid: Mock) -> None: bom = Bom() bom.metadata.component = Component( - name='cyclonedx-python-lib', version='1.0.0', component_type=ComponentType.LIBRARY) + name='cyclonedx-python-lib', version='1.0.0', component_type=ComponentType.LIBRARY + ) + mock_uuid.assert_called() outputter: Xml = get_instance(bom=bom) self.assertIsInstance(outputter, XmlV1Dot3) with open(join(dirname(__file__), 'fixtures/bom_v1.3_with_metadata_component.xml')) as expected_xml: From 7bc872737063070db6401d9de7b8729049e2018f Mon Sep 17 00:00:00 2001 From: github-actions Date: Mon, 24 Jan 2022 13:30:14 +0000 Subject: [PATCH 10/19] 1.3.0 Automatically generated by python-semantic-release Signed-off-by: Paul Horton --- CHANGELOG.md | 4 ++++ pyproject.toml | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e9441bf0..de135d1f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,10 @@ +## v1.3.0 (2022-01-24) +### Feature +* `bom-ref` for Component and Vulnerability default to a UUID ([#142](https://github.com/CycloneDX/cyclonedx-python-lib/issues/142)) ([`3953bb6`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/3953bb676f423c325ca4d80f3fcee33ad042ad93)) + ## v1.2.0 (2022-01-24) ### Feature * Add CPE to component ([#138](https://github.com/CycloneDX/cyclonedx-python-lib/issues/138)) ([`269ee15`](https://github.com/CycloneDX/cyclonedx-python-lib/commit/269ee155f203d5771c56edb92f7279466bf2012f)) diff --git a/pyproject.toml b/pyproject.toml index 1e69d9f6..9546bc59 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [tool.poetry] name = "cyclonedx-python-lib" -version = "1.2.0" +version = "1.3.0" description = "A library for producing CycloneDX SBOM (Software Bill of Materials) files." authors = ["Paul Horton "] maintainers = ["Paul Horton "] From 155e31c40e454ea51c67345a3a5f430954a23c54 Mon Sep 17 00:00:00 2001 From: Jeffry Hesse <5544326+DarthHater@users.noreply.github.com> Date: Mon, 24 Jan 2022 14:02:06 -0900 Subject: [PATCH 11/19] WIP but a lil hand up for @madpah Signed-off-by: Jeffry Hesse <5544326+DarthHater@users.noreply.github.com> Signed-off-by: Paul Horton --- cyclonedx/model/__init__.py | 160 +++++++++++++++++++++++++ cyclonedx/model/issue.py | 2 +- cyclonedx/model/service.py | 228 ++++++++++++++++++++++++++++++++++++ 3 files changed, 389 insertions(+), 1 deletion(-) create mode 100644 cyclonedx/model/service.py diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index 113ed928..2a881c81 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -50,6 +50,166 @@ def sha1sum(filename: str) -> str: h.update(byte_block) return h.hexdigest() +class DataFlow(Enum): + """ + This is out internal representation of the dataFlowType simple type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/xml/#type_dataFlowType + """ + INBOUND = "inbound" + OUTBOUND = "outbound" + BI_DIRECTIONAL = "bi-directional" + UNKNOWN = "unknown" + +class Data: + """ + This is our internal representation of the `dataClassificationType` complex type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema for dataClassificationType: https://cyclonedx.org/docs/1.4/xml/#type_dataClassificationType + """ + + def __init__(self, flow: DataFlow, classification: str) -> None: + if not flow and not classification: + raise NoPropertiesProvidedException( + 'One of `flow` or `classification` must be supplied - neither supplied' + ) + + self.flow = flow + self.classification = classification + + @property + def flow(self) -> DataFlow: + """ + Specifies the data flow for the service. + + Returns: + `DataFlow` + """ + return self._flow + + @flow.setter + def flow(self, flow: DataFlow) -> None: + self._flow = flow + + @property + def classification(self) -> str: + """ + Specifies the classification of the data for the service. + + Returns: + `str` + """ + return self._content_type + + @classification.setter + def classification(self, classification: str) -> None: + self._classification = classification + +class SignatureAlgorithm(Enum): + """ + This is out internal representation of the algorithm simple type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#tab-pane_signature_oneOf_i2_algorithm_oneOf_i0 + """ + RS256 = "RS256" + RS384 = "RS384" + RS512 = "RS512" + PS256 = "PS256" + PS384 = "PS384" + PS512 = "PS512" + ES256 = "ES256" + ES384 = "ES384" + ES512 = "ES512" + ED25519 = "Ed25519" + ED448 = "Ed448" + HS256 = "HS256" + HS384 = "HS384" + HS512 = "HS512" + +class SignaturePublicKeyKty(Enum): + """ + This is our internal representation of the kty simple type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_kty + """ + EC = "EC" + OKP = "OKP" + RSA = "RSA" + +class SignaturePublicKeyCrv(Enum): + """ + This is our internal representation of the crv simple type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_allOf_i1_then_crv + """ + ED25519 = "Ed25519" + Ed448 = "Ed448" + +class SignaturePublicKey: + """ + This is our internal representation of the public key complex type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey + JSON only + """ + def __init__(self, kty: SignaturePublicKeyKty = None, crv: Optional[SignaturePublicKeyCrv] = None, + x: Optional[str] = None, y: Optional[str] = None, + n: Optional[str] = None, e: Optional[str] = None, + value: str = None) -> None: + if not kty and not value: + raise NoPropertiesProvidedException( + '`kty` must be supplied' + ) + if kty == SignaturePublicKeyKty.EC and not crv and not x and not y: + raise NoPropertiesProvidedException( + 'if `kty` equals EC, `crv`, `x` and `y` must be supplied' + ) + if kty == SignaturePublicKeyKty.OKP and not crv and not x: + raise NoPropertiesProvidedException( + 'if `kty` equals OKP, `crv`, and `x` must be supplied' + ) + if kty == SignaturePublicKeyKty.RSA and not n and not e: + raise NoPropertiesProvidedException( + 'if `kty` equals RSA, `n`, and `e` must be supplied' + ) + self.kty = kty + self.crv = crv + self.x = x + self.y = y + self.n = n + self.e = e + self.value = value + +class Signature: + """ + This is out internal representation of the signature complex type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature + JSON only + """ + + def __init__(self, algorithm: SignatureAlgorithm, key_id: Optional[str], + public_key: Optional[SignaturePublicKey] = None, + certificate_path: Optional[List[str]] = None, + excludes: Optional[List[str]] = None, + value: str = None) -> None: + if not algorithm and not value: + raise NoPropertiesProvidedException( + 'One of `algorithm` or `value` must be supplied - neither supplied' + ) + self.algorithm = algorithm + self.key_id = key_id + self.public_key = public_key + self.certificate_path = certificate_path + self.excludes = excludes + self.value = value class Encoding(Enum): """ diff --git a/cyclonedx/model/issue.py b/cyclonedx/model/issue.py index befd21d7..029f1540 100644 --- a/cyclonedx/model/issue.py +++ b/cyclonedx/model/issue.py @@ -26,7 +26,7 @@ class IssueClassification(Enum): This is out internal representation of the enum `issueClassification`. .. note:: - See the CycloneDX Schema definition: hhttps://cyclonedx.org/docs/1.4/xml/#type_issueClassification + See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.4/xml/#type_issueClassification """ DEFECT = 'defect' ENHANCEMENT = 'enhancement' diff --git a/cyclonedx/model/service.py b/cyclonedx/model/service.py new file mode 100644 index 00000000..22f47195 --- /dev/null +++ b/cyclonedx/model/service.py @@ -0,0 +1,228 @@ +# encoding: utf-8 + +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 + +from typing import List, Optional +from uuid import uuid4 + +from ..exception.model import NoPropertiesProvidedException +from .release_note import ReleaseNotes +from . import ExternalReference, Data, Signature, LicenseChoice, Property + +class Service: + """ + Class that models the `vulnerabilityType` complex type in the CycloneDX schema (version >= 1.4). + + This class also provides data support for schema versions < 1.4 where Vulnerabilites were possible through a schema + extension (in XML only). + + .. note:: + See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_vulnerabilityType + """ + + def __init__(self, bom_ref: Optional[str] = None, + group: Optional[str] = None, + name: str = None, + version: Optional[str] = None, + description: Optional[str] = None, + endpoints: Optional[List[str]] = None, + authenticated: Optional[bool] = None, + x_trust_boundary: Optional[bool] = None, + data: Optional[List[Data]] = None, + licenses: Optional[List[LicenseChoice]] = None, + external_references: Optional[List[ExternalReference]] = None, + # services: Optional[List[Service]] = None, -- I have no clue how to do this, commenting out so someone else can + release_notes: Optional[ReleaseNotes] = None, + properties: Optional[List[Property]] = None, + signature: Optional[Signature] = None): + if not name: + raise NoPropertiesProvidedException( + '`name` was not provideed - it must be provided.' + ) + + self.bom_ref = bom_ref or str(uuid4()) + self.group = group + self.name = name + self.version = version + self.description = description + self.endpoints = endpoints + self.authenticated = authenticated + self.x_trust_boundary = x_trust_boundary + self.data = data + self.licenses = licenses + self.external_references = external_references + # self.services = services -- no clue + self.release_notes = release_notes + self.properties = properties + self.signature = signature + + @property + def bom_ref(self) -> Optional[str]: + """ + Get the unique reference for this Service in this BOM. + + If a value was not provided in the constructor, a UUIDv4 will have been assigned. + + Returns: + `str` unique identifier for this Service + """ + return self._bom_ref + + @bom_ref.setter + def bom_ref(self, bom_ref: Optional[str]) -> None: + self._bom_ref = bom_ref + + @property + def group(self) -> Optional[str]: + """ + A group of the service as provided by the source. + """ + return self._group + + @group.setter + def group(self, group: Optional[str]) -> None: + self._group = group + + @property + def name(self) -> str: + """ + A name of the service as provided by the source. + """ + return self._name + + @name.setter + def name(self, name: str) -> None: + self._name = name + + @property + def version(self) -> Optional[str]: + """ + A version of the service as provided by the source. + """ + return self._version + + @version.setter + def version(self, version: Optional[str]) -> None: + self._version = version + + @property + def description(self) -> Optional[str]: + """ + A description of the service as provided by the source. + """ + return self._description + + @description.setter + def description(self, description: Optional[str]) -> None: + self._description = description + + @property + def endpoints(self) -> Optional[List[str]]: + """ + A list of endpoints for the service as provided by the source. + """ + return self._endpoints + + @endpoints.setter + def endpoints(self, endpoints: Optional[List[str]]) -> None: + self._endpoints = endpoints + + @property + def authenticated(self) -> Optional[bool]: + """ + A True/False or None value of if the service requires authentication as provided by the source. + """ + return self._authenticated + + @authenticated.setter + def authenticated(self, authenticated: Optional[bool]) -> None: + self._authenticated = authenticated + + @property + def x_trust_boundary(self) -> Optional[bool]: + """ + A True/False or None value of if the service has a X-Trust-Boundary as provided by the source. + """ + return self._x_trust_boundary + + @x_trust_boundary.setter + def x_trust_boundary(self, x_trust_boundary: Optional[bool]) -> None: + self._x_trust_boundary = x_trust_boundary + + @property + def data(self) -> Optional[List[Data]]: + """ + A list of data information for the service as provided by the source. + """ + return self._data + + @data.setter + def data(self, data: Optional[List[Data]]) -> None: + self._data = data + + @property + def licenses(self) -> Optional[List[LicenseChoice]]: + """ + A list of licenses for the service as provided by the source. + """ + return self._licenses + + @licenses.setter + def licenses(self, licenses: Optional[List[LicenseChoice]]) -> None: + self._licenses = licenses + + @property + def external_references(self) -> Optional[List[ExternalReference]]: + """ + A list of externalReferences for the service as provided by the source. + """ + return self._external_references + + @external_references.setter + def external_references(self, external_references: Optional[List[ExternalReference]]) -> None: + self._external_references = external_references + + @property + def release_notes(self) -> Optional[ReleaseNotes]: + """ + A release note for the service as provided by the source. + """ + return self._release_notes + + @release_notes.setter + def release_notes(self, release_notes: Optional[ReleaseNotes]) -> None: + self._release_notes = release_notes + + @property + def properties(self) -> Optional[List[Property]]: + """ + A list of properties for the service as provided by the source. + """ + return self._properties + + @properties.setter + def properties(self, properties: Optional[List[Property]]) -> None: + self._properties = properties + + @property + def signature(self) -> Optional[Signature]: + """ + A JSF signature for the service as provided by the source. + """ + return self._signature + + @signature.setter + def signature(self, signature: Optional[Signature]) -> None: + self._signature = signature From a0f2020c3ea172ff320d9fed84a2fbf42cad7626 Mon Sep 17 00:00:00 2001 From: Paul Horton Date: Tue, 25 Jan 2022 14:53:04 +0000 Subject: [PATCH 12/19] chore: added missing license header Signed-off-by: Paul Horton --- tests/test_model.py | 18 ++++++++++++++++++ tests/test_model_component.py | 18 ++++++++++++++++++ tests/test_model_release_note.py | 18 ++++++++++++++++++ tests/test_model_vulnerability.py | 19 +++++++++++++++++++ 4 files changed, 73 insertions(+) diff --git a/tests/test_model.py b/tests/test_model.py index 6f1ae657..620cb661 100644 --- a/tests/test_model.py +++ b/tests/test_model.py @@ -1,3 +1,21 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. import base64 from unittest import TestCase diff --git a/tests/test_model_component.py b/tests/test_model_component.py index a150b39a..070e2d3c 100644 --- a/tests/test_model_component.py +++ b/tests/test_model_component.py @@ -1,3 +1,21 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. from unittest import TestCase from unittest.mock import Mock, patch diff --git a/tests/test_model_release_note.py b/tests/test_model_release_note.py index 33af0c3c..a360bd70 100644 --- a/tests/test_model_release_note.py +++ b/tests/test_model_release_note.py @@ -1,3 +1,21 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. import datetime from unittest import TestCase diff --git a/tests/test_model_vulnerability.py b/tests/test_model_vulnerability.py index fe302c43..361b9f1d 100644 --- a/tests/test_model_vulnerability.py +++ b/tests/test_model_vulnerability.py @@ -1,3 +1,22 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. + import unittest from unittest import TestCase from unittest.mock import Mock, patch From 6e241f86678847e63d9e657556d0918ab5e0a17f Mon Sep 17 00:00:00 2001 From: Paul Horton Date: Wed, 26 Jan 2022 08:34:02 +0000 Subject: [PATCH 13/19] aligned classes with standards, commented out Signature work for now, added first tests for Services Signed-off-by: Paul Horton --- cyclonedx/model/__init__.py | 235 ++++++++++-------- cyclonedx/model/bom.py | 30 ++- cyclonedx/model/service.py | 197 ++++++++++----- cyclonedx/output/json.py | 20 +- cyclonedx/output/schema.py | 36 +++ cyclonedx/output/serializer/json.py | 4 +- tests/fixtures/bom_v1.2_services_complex.json | 84 +++++++ tests/fixtures/bom_v1.2_services_simple.json | 34 +++ ..._v1.4_setuptools_with_vulnerabilities.json | 2 +- tests/test_model_service.py | 45 ++++ tests/test_output_json.py | 226 ++++++++++++----- 11 files changed, 669 insertions(+), 244 deletions(-) create mode 100644 tests/fixtures/bom_v1.2_services_complex.json create mode 100644 tests/fixtures/bom_v1.2_services_simple.json create mode 100644 tests/test_model_service.py diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index 2a881c81..a91396f6 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -50,9 +50,10 @@ def sha1sum(filename: str) -> str: h.update(byte_block) return h.hexdigest() + class DataFlow(Enum): """ - This is out internal representation of the dataFlowType simple type within the CycloneDX standard. + This is our internal representation of the dataFlowType simple type within the CycloneDX standard. .. note:: See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/xml/#type_dataFlowType @@ -62,12 +63,14 @@ class DataFlow(Enum): BI_DIRECTIONAL = "bi-directional" UNKNOWN = "unknown" -class Data: + +class DataClassification: """ This is our internal representation of the `dataClassificationType` complex type within the CycloneDX standard. .. note:: - See the CycloneDX Schema for dataClassificationType: https://cyclonedx.org/docs/1.4/xml/#type_dataClassificationType + See the CycloneDX Schema for dataClassificationType: + https://cyclonedx.org/docs/1.4/xml/#type_dataClassificationType """ def __init__(self, flow: DataFlow, classification: str) -> None: @@ -82,7 +85,16 @@ def __init__(self, flow: DataFlow, classification: str) -> None: @property def flow(self) -> DataFlow: """ - Specifies the data flow for the service. + Specifies the flow direction of the data. + + Valid values are: inbound, outbound, bi-directional, and unknown. + + Direction is relative to the service. + + - Inbound flow states that data enters the service + - Outbound flow states that data leaves the service + - Bi-directional states that data flows both ways + - Unknown states that the direction is not known Returns: `DataFlow` @@ -96,120 +108,127 @@ def flow(self, flow: DataFlow) -> None: @property def classification(self) -> str: """ - Specifies the classification of the data for the service. + Data classification tags data according to its type, sensitivity, and value if altered, stolen, or destroyed. Returns: `str` """ - return self._content_type - + return self._classification + @classification.setter def classification(self, classification: str) -> None: self._classification = classification -class SignatureAlgorithm(Enum): - """ - This is out internal representation of the algorithm simple type within the CycloneDX standard. - - .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#tab-pane_signature_oneOf_i2_algorithm_oneOf_i0 - """ - RS256 = "RS256" - RS384 = "RS384" - RS512 = "RS512" - PS256 = "PS256" - PS384 = "PS384" - PS512 = "PS512" - ES256 = "ES256" - ES384 = "ES384" - ES512 = "ES512" - ED25519 = "Ed25519" - ED448 = "Ed448" - HS256 = "HS256" - HS384 = "HS384" - HS512 = "HS512" - -class SignaturePublicKeyKty(Enum): - """ - This is our internal representation of the kty simple type within the CycloneDX standard. - - .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_kty - """ - EC = "EC" - OKP = "OKP" - RSA = "RSA" -class SignaturePublicKeyCrv(Enum): - """ - This is our internal representation of the crv simple type within the CycloneDX standard. - - .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_allOf_i1_then_crv - """ - ED25519 = "Ed25519" - Ed448 = "Ed448" - -class SignaturePublicKey: - """ - This is our internal representation of the public key complex type within the CycloneDX standard. - - .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey - JSON only - """ - def __init__(self, kty: SignaturePublicKeyKty = None, crv: Optional[SignaturePublicKeyCrv] = None, - x: Optional[str] = None, y: Optional[str] = None, - n: Optional[str] = None, e: Optional[str] = None, - value: str = None) -> None: - if not kty and not value: - raise NoPropertiesProvidedException( - '`kty` must be supplied' - ) - if kty == SignaturePublicKeyKty.EC and not crv and not x and not y: - raise NoPropertiesProvidedException( - 'if `kty` equals EC, `crv`, `x` and `y` must be supplied' - ) - if kty == SignaturePublicKeyKty.OKP and not crv and not x: - raise NoPropertiesProvidedException( - 'if `kty` equals OKP, `crv`, and `x` must be supplied' - ) - if kty == SignaturePublicKeyKty.RSA and not n and not e: - raise NoPropertiesProvidedException( - 'if `kty` equals RSA, `n`, and `e` must be supplied' - ) - self.kty = kty - self.crv = crv - self.x = x - self.y = y - self.n = n - self.e = e - self.value = value - -class Signature: - """ - This is out internal representation of the signature complex type within the CycloneDX standard. - - .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature - JSON only - """ +# class SignatureAlgorithm(Enum): +# """ +# This is out internal representation of the algorithm simple type within the CycloneDX standard. +# +# .. note:: +# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#tab-pane_signature_oneOf_i2_algorithm_oneOf_i0 +# """ +# RS256 = "RS256" +# RS384 = "RS384" +# RS512 = "RS512" +# PS256 = "PS256" +# PS384 = "PS384" +# PS512 = "PS512" +# ES256 = "ES256" +# ES384 = "ES384" +# ES512 = "ES512" +# ED25519 = "Ed25519" +# ED448 = "Ed448" +# HS256 = "HS256" +# HS384 = "HS384" +# HS512 = "HS512" +# +# +# class SignaturePublicKeyKty(Enum): +# """ +# This is our internal representation of the kty simple type within the CycloneDX standard. +# +# .. note:: +# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_kty +# """ +# EC = "EC" +# OKP = "OKP" +# RSA = "RSA" +# +# +# class SignaturePublicKeyCrv(Enum): +# """ +# This is our internal representation of the crv simple type within the CycloneDX standard. +# +# .. note:: +# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_allOf_i1_then_crv +# """ +# ED25519 = "Ed25519" +# Ed448 = "Ed448" +# +# +# class SignaturePublicKey: +# """ +# This is our internal representation of the public key complex type within the CycloneDX standard. +# +# .. note:: +# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey +# JSON only +# """ +# +# def __init__(self, kty: SignaturePublicKeyKty = None, crv: Optional[SignaturePublicKeyCrv] = None, +# x: Optional[str] = None, y: Optional[str] = None, +# n: Optional[str] = None, e: Optional[str] = None, +# value: str = None) -> None: +# if not kty and not value: +# raise NoPropertiesProvidedException( +# '`kty` must be supplied' +# ) +# if kty == SignaturePublicKeyKty.EC and not crv and not x and not y: +# raise NoPropertiesProvidedException( +# 'if `kty` equals EC, `crv`, `x` and `y` must be supplied' +# ) +# if kty == SignaturePublicKeyKty.OKP and not crv and not x: +# raise NoPropertiesProvidedException( +# 'if `kty` equals OKP, `crv`, and `x` must be supplied' +# ) +# if kty == SignaturePublicKeyKty.RSA and not n and not e: +# raise NoPropertiesProvidedException( +# 'if `kty` equals RSA, `n`, and `e` must be supplied' +# ) +# self.kty = kty +# self.crv = crv +# self.x = x +# self.y = y +# self.n = n +# self.e = e +# self.value = value +# +# +# class Signature: +# """ +# This is out internal representation of the signature complex type within the CycloneDX standard. +# +# .. note:: +# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature +# JSON only +# """ +# +# def __init__(self, algorithm: SignatureAlgorithm, key_id: Optional[str], +# public_key: Optional[SignaturePublicKey] = None, +# certificate_path: Optional[List[str]] = None, +# excludes: Optional[List[str]] = None, +# value: str = None) -> None: +# if not algorithm and not value: +# raise NoPropertiesProvidedException( +# 'One of `algorithm` or `value` must be supplied - neither supplied' +# ) +# self.algorithm = algorithm +# self.key_id = key_id +# self.public_key = public_key +# self.certificate_path = certificate_path +# self.excludes = excludes +# self.value = value - def __init__(self, algorithm: SignatureAlgorithm, key_id: Optional[str], - public_key: Optional[SignaturePublicKey] = None, - certificate_path: Optional[List[str]] = None, - excludes: Optional[List[str]] = None, - value: str = None) -> None: - if not algorithm and not value: - raise NoPropertiesProvidedException( - 'One of `algorithm` or `value` must be supplied - neither supplied' - ) - self.algorithm = algorithm - self.key_id = key_id - self.public_key = public_key - self.certificate_path = certificate_path - self.excludes = excludes - self.value = value class Encoding(Enum): """ diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index d0aa0068..5786ea0a 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -23,6 +23,7 @@ from . import ThisTool, Tool from .component import Component +from .service import Service from ..parser import BaseParser @@ -133,7 +134,7 @@ def from_parser(parser: BaseParser) -> 'Bom': bom.add_components(parser.get_components()) return bom - def __init__(self) -> None: + def __init__(self, components: Optional[List[Component]] = None, services: Optional[List[Service]] = None) -> None: """ Create a new Bom that you can manually/programmatically add data to later. @@ -142,7 +143,8 @@ def __init__(self) -> None: """ self.uuid = uuid4() self.metadata = BomMetaData() - self._components: List[Component] = [] + self.components = components + self.services = services @property def uuid(self) -> UUID: @@ -200,7 +202,9 @@ def add_component(self, component: Component) -> None: Returns: None """ - if not self.has_component(component=component): + if not self.components: + self.components = [component] + elif not self.has_component(component=component): self._components.append(component) def add_components(self, components: List[Component]) -> None: @@ -263,7 +267,9 @@ def has_component(self, component: Component) -> bool: Returns: `bool` - `True` if the supplied Component is part of this Bom, `False` otherwise. """ - return component in self._components + if not self.components: + return False + return component in self.components def has_vulnerabilities(self) -> bool: """ @@ -278,3 +284,19 @@ def has_vulnerabilities(self) -> bool: return True return False + + @property + def services(self) -> Optional[List[Service]]: + """ + A list of services. + + This may include microservices, function-as-a-service, and other types of network or intra-process services. + + Returns: + List of `Service` or `None` + """ + return self._services + + @services.setter + def services(self, services: Optional[List[Service]]) -> None: + self._services = services diff --git a/cyclonedx/model/service.py b/cyclonedx/model/service.py index 22f47195..b8bf3afe 100644 --- a/cyclonedx/model/service.py +++ b/cyclonedx/model/service.py @@ -17,42 +17,39 @@ from typing import List, Optional from uuid import uuid4 -from ..exception.model import NoPropertiesProvidedException +from . import ExternalReference, DataClassification, LicenseChoice, OrganizationalEntity, Property, XsUri # , Signature from .release_note import ReleaseNotes -from . import ExternalReference, Data, Signature, LicenseChoice, Property + +""" +This set of classes represents the data that is possible about known Services. + +.. note:: + See the CycloneDX Schema extension definition https://cyclonedx.org/docs/1.4/xml/#type_servicesType +""" + class Service: """ - Class that models the `vulnerabilityType` complex type in the CycloneDX schema (version >= 1.4). - - This class also provides data support for schema versions < 1.4 where Vulnerabilites were possible through a schema - extension (in XML only). + Class that models the `service` complex type in the CycloneDX schema. .. note:: - See the CycloneDX schema: https://cyclonedx.org/docs/1.4/#type_vulnerabilityType + See the CycloneDX schema: https://cyclonedx.org/docs/1.4/xml/#type_service """ - def __init__(self, bom_ref: Optional[str] = None, - group: Optional[str] = None, - name: str = None, - version: Optional[str] = None, - description: Optional[str] = None, - endpoints: Optional[List[str]] = None, - authenticated: Optional[bool] = None, - x_trust_boundary: Optional[bool] = None, - data: Optional[List[Data]] = None, + def __init__(self, name: str, bom_ref: Optional[str] = None, provider: Optional[OrganizationalEntity] = None, + group: Optional[str] = None, version: Optional[str] = None, description: Optional[str] = None, + endpoints: Optional[List[XsUri]] = None, authenticated: Optional[bool] = None, + x_trust_boundary: Optional[bool] = None, data: Optional[List[DataClassification]] = None, licenses: Optional[List[LicenseChoice]] = None, external_references: Optional[List[ExternalReference]] = None, - # services: Optional[List[Service]] = None, -- I have no clue how to do this, commenting out so someone else can - release_notes: Optional[ReleaseNotes] = None, properties: Optional[List[Property]] = None, - signature: Optional[Signature] = None): - if not name: - raise NoPropertiesProvidedException( - '`name` was not provideed - it must be provided.' - ) - + # services: Optional[List[Service]] = None, -- I have no clue how to do this, + # commenting out so someone else can + release_notes: Optional[ReleaseNotes] = None, + # signature: Optional[Signature] = None + ): self.bom_ref = bom_ref or str(uuid4()) + self.provider = provider self.group = group self.name = name self.version = version @@ -61,17 +58,18 @@ def __init__(self, bom_ref: Optional[str] = None, self.authenticated = authenticated self.x_trust_boundary = x_trust_boundary self.data = data - self.licenses = licenses - self.external_references = external_references + self.licenses = licenses or [] + self.external_references = external_references or [] # self.services = services -- no clue self.release_notes = release_notes self.properties = properties - self.signature = signature - + # self.signature = signature + @property def bom_ref(self) -> Optional[str]: """ - Get the unique reference for this Service in this BOM. + An optional identifier which can be used to reference the service elsewhere in the BOM. Uniqueness is enforced + within all elements and children of the root-level bom element. If a value was not provided in the constructor, a UUIDv4 will have been assigned. @@ -84,10 +82,28 @@ def bom_ref(self) -> Optional[str]: def bom_ref(self, bom_ref: Optional[str]) -> None: self._bom_ref = bom_ref + @property + def provider(self) -> Optional[OrganizationalEntity]: + """ + Get the The organization that provides the service. + + Returns: + `OrganizationalEntity` if set else `None` + """ + return self._provider + + @provider.setter + def provider(self, provider: Optional[OrganizationalEntity]) -> None: + self._provider = provider + @property def group(self) -> Optional[str]: """ - A group of the service as provided by the source. + The grouping name, namespace, or identifier. This will often be a shortened, single name of the company or + project that produced the service or domain name. Whitespace and special characters should be avoided. + + Returns: + `str` if provided else `None` """ return self._group @@ -98,7 +114,10 @@ def group(self, group: Optional[str]) -> None: @property def name(self) -> str: """ - A name of the service as provided by the source. + The name of the service. This will often be a shortened, single name of the service. + + Returns: + `str` """ return self._name @@ -109,7 +128,10 @@ def name(self, name: str) -> None: @property def version(self) -> Optional[str]: """ - A version of the service as provided by the source. + The service version. + + Returns: + `str` if set else `None` """ return self._version @@ -120,7 +142,10 @@ def version(self, version: Optional[str]) -> None: @property def description(self) -> Optional[str]: """ - A description of the service as provided by the source. + Specifies a description for the service. + + Returns: + `str` if set else `None` """ return self._description @@ -129,20 +154,42 @@ def description(self, description: Optional[str]) -> None: self._description = description @property - def endpoints(self) -> Optional[List[str]]: + def endpoints(self) -> Optional[List[XsUri]]: """ - A list of endpoints for the service as provided by the source. + A list of endpoints URI's this service provides. + + Returns: + List of `XsUri` else `None` """ return self._endpoints @endpoints.setter - def endpoints(self, endpoints: Optional[List[str]]) -> None: + def endpoints(self, endpoints: Optional[List[XsUri]]) -> None: self._endpoints = endpoints + def add_endpoint(self, endpoint: XsUri) -> None: + """ + Add an endpoint URI for this Service. + + Args: + endpoint: + `XsUri` instance to add + + Returns: + None + """ + self.endpoints = self._endpoints + [endpoint] + @property def authenticated(self) -> Optional[bool]: """ - A True/False or None value of if the service requires authentication as provided by the source. + A boolean value indicating if the service requires authentication. A value of true indicates the service + requires authentication prior to use. + + A value of false indicates the service does not require authentication. + + Returns: + `bool` if set else `None` """ return self._authenticated @@ -153,7 +200,13 @@ def authenticated(self, authenticated: Optional[bool]) -> None: @property def x_trust_boundary(self) -> Optional[bool]: """ - A True/False or None value of if the service has a X-Trust-Boundary as provided by the source. + A boolean value indicating if use of the service crosses a trust zone or boundary. A value of true indicates + that by using the service, a trust boundary is crossed. + + A value of false indicates that by using the service, a trust boundary is not crossed. + + Returns: + `bool` if set else `None` """ return self._x_trust_boundary @@ -162,42 +215,64 @@ def x_trust_boundary(self, x_trust_boundary: Optional[bool]) -> None: self._x_trust_boundary = x_trust_boundary @property - def data(self) -> Optional[List[Data]]: + def data(self) -> Optional[List[DataClassification]]: """ - A list of data information for the service as provided by the source. + Specifies the data classification. + + Returns: + List of `DataClassificiation` or `None` """ return self._data @data.setter - def data(self, data: Optional[List[Data]]) -> None: + def data(self, data: Optional[List[DataClassification]]) -> None: self._data = data @property - def licenses(self) -> Optional[List[LicenseChoice]]: + def licenses(self) -> List[LicenseChoice]: """ - A list of licenses for the service as provided by the source. + A optional list of statements about how this Service is licensed. + + Returns: + List of `LicenseChoice` else `None` """ return self._licenses @licenses.setter - def licenses(self, licenses: Optional[List[LicenseChoice]]) -> None: + def licenses(self, licenses: List[LicenseChoice]) -> None: self._licenses = licenses @property - def external_references(self) -> Optional[List[ExternalReference]]: + def external_references(self) -> List[ExternalReference]: """ - A list of externalReferences for the service as provided by the source. + Provides the ability to document external references related to the Service. + + Returns: + List of `ExternalReference`s """ return self._external_references @external_references.setter - def external_references(self, external_references: Optional[List[ExternalReference]]) -> None: + def external_references(self, external_references: List[ExternalReference]) -> None: self._external_references = external_references + def add_external_reference(self, reference: ExternalReference) -> None: + """ + Add an `ExternalReference` to this `Service`. + + Args: + reference: + `ExternalReference` instance to add. + """ + self.external_references = self._external_references + [reference] + @property def release_notes(self) -> Optional[ReleaseNotes]: """ - A release note for the service as provided by the source. + Specifies optional release notes. + + Returns: + `ReleaseNotes` or `None` """ return self._release_notes @@ -208,7 +283,11 @@ def release_notes(self, release_notes: Optional[ReleaseNotes]) -> None: @property def properties(self) -> Optional[List[Property]]: """ - A list of properties for the service as provided by the source. + Provides the ability to document properties in a key/value store. This provides flexibility to include data not + officially supported in the standard without having to use additional namespaces or create extensions. + + Return: + List of `Property` or `None` """ return self._properties @@ -216,13 +295,13 @@ def properties(self) -> Optional[List[Property]]: def properties(self, properties: Optional[List[Property]]) -> None: self._properties = properties - @property - def signature(self) -> Optional[Signature]: - """ - A JSF signature for the service as provided by the source. - """ - return self._signature - - @signature.setter - def signature(self, signature: Optional[Signature]) -> None: - self._signature = signature + # @property + # def signature(self) -> Optional[Signature]: + # """ + # A JSF signature for the service as provided by the source. + # """ + # return self._signature + # + # @signature.setter + # def signature(self, signature: Optional[Signature]) -> None: + # self._signature = signature diff --git a/cyclonedx/output/json.py b/cyclonedx/output/json.py index 1b7bcdec..fef1916c 100644 --- a/cyclonedx/output/json.py +++ b/cyclonedx/output/json.py @@ -51,11 +51,12 @@ def generate(self, force_regeneration: bool = False) -> None: return vulnerabilities: Dict[str, List[Dict[Any, Any]]] = {"vulnerabilities": []} - for component in self.get_bom().components: - for vulnerability in component.get_vulnerabilities(): - vulnerabilities['vulnerabilities'].append( - json.loads(json.dumps(vulnerability, cls=CycloneDxJSONEncoder)) - ) + if self.get_bom().components: + for component in self.get_bom().components: + for vulnerability in component.get_vulnerabilities(): + vulnerabilities['vulnerabilities'].append( + json.loads(json.dumps(vulnerability, cls=CycloneDxJSONEncoder)) + ) bom_json = json.loads(json.dumps(self.get_bom(), cls=CycloneDxJSONEncoder)) bom_json = json.loads(self._specialise_output_for_schema_version(bom_json=bom_json)) @@ -94,6 +95,15 @@ def _specialise_output_for_schema_version(self, bom_json: Dict[Any, Any]) -> str else: bom_json['components'] = [] + # Iterate Services + if 'services' in bom_json.keys(): + for i in range(len(bom_json['services'])): + if not self.services_supports_properties() and 'properties' in bom_json['services'][i].keys(): + del bom_json['services'][i]['properties'] + + if not self.services_supports_release_notes() and 'releaseNotes' in bom_json['services'][i].keys(): + del bom_json['services'][i]['releaseNotes'] + # Iterate Vulnerabilities if 'vulnerabilities' in bom_json.keys(): for i in range(len(bom_json['vulnerabilities'])): diff --git a/cyclonedx/output/schema.py b/cyclonedx/output/schema.py index 87e8ca18..138f613c 100644 --- a/cyclonedx/output/schema.py +++ b/cyclonedx/output/schema.py @@ -31,6 +31,15 @@ def bom_metadata_supports_tools(self) -> bool: def bom_metadata_supports_tools_external_references(self) -> bool: return True + def bom_supports_services(self) -> bool: + return True + + def services_supports_properties(self) -> bool: + return True + + def services_supports_release_notes(self) -> bool: + return True + def bom_supports_vulnerabilities(self) -> bool: return True @@ -77,6 +86,9 @@ class SchemaVersion1Dot3(BaseSchemaVersion): def bom_metadata_supports_tools_external_references(self) -> bool: return False + def services_supports_release_notes(self) -> bool: + return False + def bom_supports_vulnerabilities(self) -> bool: return False @@ -98,6 +110,12 @@ class SchemaVersion1Dot2(BaseSchemaVersion): def bom_metadata_supports_tools_external_references(self) -> bool: return False + def services_supports_properties(self) -> bool: + return False + + def services_supports_release_notes(self) -> bool: + return False + def bom_supports_vulnerabilities(self) -> bool: return False @@ -122,6 +140,15 @@ def bom_metadata_supports_tools(self) -> bool: def bom_metadata_supports_tools_external_references(self) -> bool: return False + def bom_supports_services(self) -> bool: + return False + + def services_supports_properties(self) -> bool: + return False + + def services_supports_release_notes(self) -> bool: + return False + def bom_supports_vulnerabilities(self) -> bool: return False @@ -152,6 +179,15 @@ def bom_metadata_supports_tools(self) -> bool: def bom_metadata_supports_tools_external_references(self) -> bool: return False + def bom_supports_services(self) -> bool: + return False + + def services_supports_properties(self) -> bool: + return False + + def services_supports_release_notes(self) -> bool: + return False + def bom_supports_vulnerabilities(self) -> bool: return False diff --git a/cyclonedx/output/serializer/json.py b/cyclonedx/output/serializer/json.py index e1a65267..5d0398c6 100644 --- a/cyclonedx/output/serializer/json.py +++ b/cyclonedx/output/serializer/json.py @@ -31,7 +31,7 @@ from cyclonedx.model import XsUri HYPHENATED_ATTRIBUTES = [ - 'bom_ref', 'mime_type' + 'bom_ref', 'mime_type', 'x_trust_boundary' ] PYTHON_TO_JSON_NAME = compile(r'_([a-z])') @@ -78,7 +78,7 @@ def default(self, o: Any) -> Any: new_key = PYTHON_TO_JSON_NAME.sub(lambda x: x.group(1).upper(), new_key) # Skip any None values - if v: + if v or v is False: if isinstance(v, PackageURL): # Special handling of PackageURL instances which JSON would otherwise automatically encode to # an Array diff --git a/tests/fixtures/bom_v1.2_services_complex.json b/tests/fixtures/bom_v1.2_services_complex.json new file mode 100644 index 00000000..dfc82f66 --- /dev/null +++ b/tests/fixtures/bom_v1.2_services_complex.json @@ -0,0 +1,84 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.2a.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.2", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION" + } + ], + "component": { + "type": "library", + "bom-ref": "17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "my-specific-bom-ref-for-my-first-service", + "provider": { + "contact": [ + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + }, + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org" + ] + }, + "group": "a-group", + "name": "my-first-service", + "version": "1.2.3", + "description": "Description goes here", + "endpoints": [ + "/api/thing/1", + "/api/thing/2" + ], + "authenticated": false, + "x-trust-boundary": true, + "data": [ + { + "classification": "public", + "flow": "outbound" + } + ], + "licenses": [ + { + "expression": "Commercial" + } + ], + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ] + }, + { + "bom-ref": "0b049d09-64c0-4490-a0f5-c84d9aacf857", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/fixtures/bom_v1.2_services_simple.json b/tests/fixtures/bom_v1.2_services_simple.json new file mode 100644 index 00000000..a19dd04d --- /dev/null +++ b/tests/fixtures/bom_v1.2_services_simple.json @@ -0,0 +1,34 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.2a.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.2", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION" + } + ], + "component": { + "type": "library", + "bom-ref": "17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "0b049d09-64c0-4490-a0f5-c84d9aacf857", + "name": "my-first-service" + }, + { + "bom-ref": "0b049d09-64c0-4490-a0f5-c84d9aacf857", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/fixtures/bom_v1.4_setuptools_with_vulnerabilities.json b/tests/fixtures/bom_v1.4_setuptools_with_vulnerabilities.json index 260af12e..ee9ba1b7 100644 --- a/tests/fixtures/bom_v1.4_setuptools_with_vulnerabilities.json +++ b/tests/fixtures/bom_v1.4_setuptools_with_vulnerabilities.json @@ -126,7 +126,7 @@ "contact": [ { "name": "Paul Horton", - "email": "simplyecommerce@googlemail.com" + "email": "paul.horton@owasp.org" }, { "name": "A N Other", diff --git a/tests/test_model_service.py b/tests/test_model_service.py new file mode 100644 index 00000000..c19f842a --- /dev/null +++ b/tests/test_model_service.py @@ -0,0 +1,45 @@ +# encoding: utf-8 + +# This file is part of CycloneDX Python Lib +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# Copyright (c) OWASP Foundation. All Rights Reserved. +from unittest import TestCase +from unittest.mock import Mock, patch + +from cyclonedx.model.service import Service + + +class TestModelService(TestCase): + + @patch('cyclonedx.model.service.uuid4', return_value='77d15ab9-5602-4cca-8ed2-59ae579aafd3') + def test_minimal_service(self, mock_uuid: Mock) -> None: + s = Service(name='my-test-service') + mock_uuid.assert_called() + self.assertEqual(s.name, 'my-test-service') + self.assertEqual(s.bom_ref, '77d15ab9-5602-4cca-8ed2-59ae579aafd3') + self.assertIsNone(s.provider) + self.assertIsNone(s.group) + self.assertIsNone(s.version) + self.assertIsNone(s.description) + self.assertIsNone(s.endpoints) + self.assertIsNone(s.authenticated) + self.assertIsNone(s.x_trust_boundary) + self.assertIsNone(s.data) + self.assertListEqual(s.licenses, []) + self.assertListEqual(s.external_references, []) + self.assertIsNone(s.release_notes) + self.assertIsNone(s.properties) + diff --git a/tests/test_output_json.py b/tests/test_output_json.py index c424e2f5..b21975ba 100644 --- a/tests/test_output_json.py +++ b/tests/test_output_json.py @@ -20,15 +20,18 @@ from decimal import Decimal from datetime import datetime, timezone from os.path import dirname, join +from typing import List + from packageurl import PackageURL from unittest.mock import Mock, patch from cyclonedx.model import Encoding, ExternalReference, ExternalReferenceType, HashType, LicenseChoice, Note, \ - NoteText, OrganizationalContact, OrganizationalEntity, Property, Tool, XsUri + NoteText, OrganizationalContact, OrganizationalEntity, Property, Tool, XsUri, DataClassification, DataFlow from cyclonedx.model.bom import Bom from cyclonedx.model.component import Component, ComponentType from cyclonedx.model.issue import IssueClassification, IssueType from cyclonedx.model.release_note import ReleaseNotes +from cyclonedx.model.service import Service from cyclonedx.model.vulnerability import ImpactAnalysisState, ImpactAnalysisJustification, ImpactAnalysisResponse, \ ImpactAnalysisAffectedStatus, Vulnerability, VulnerabilityCredits, VulnerabilityRating, VulnerabilitySeverity, \ VulnerabilitySource, VulnerabilityScoreSource, VulnerabilityAdvisory, VulnerabilityReference, \ @@ -39,6 +42,7 @@ class TestOutputJson(BaseJsonTestCase): + timestamp: datetime = datetime(2021, 12, 31, 10, 0, 0, 0).replace(tzinfo=timezone.utc) def test_simple_bom_v1_4(self) -> None: bom = Bom() @@ -175,17 +179,7 @@ def test_bom_v1_3_with_component_external_references(self) -> None: c.add_hash( HashType.from_composite_str('sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b') ) - c.add_external_reference( - ExternalReference( - reference_type=ExternalReferenceType.DISTRIBUTION, - url='https://cyclonedx.org', - comment='No comment', - hashes=[ - HashType.from_composite_str( - 'sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b') - ] - ) - ) + c.add_external_reference(TestOutputJson._get_external_reference_1()) bom.add_component(c) outputter: Json = get_instance(bom=bom, output_format=OutputFormat.JSON) self.assertIsInstance(outputter, JsonV1Dot3) @@ -247,56 +241,12 @@ def test_with_component_release_notes_pre_1_4(self) -> None: def test_with_component_release_notes_post_1_4(self) -> None: bom = Bom() - timestamp: datetime = datetime(2021, 12, 31, 10, 0, 0, 0).replace(tzinfo=timezone.utc) - - text_content: str = base64.b64encode( - bytes('Some simple plain text', encoding='UTF-8') - ).decode(encoding='UTF-8') - c = Component( name='setuptools', version='50.3.2', bom_ref='pkg:pypi/setuptools@50.3.2?extension=tar.gz', purl=PackageURL( type='pypi', name='setuptools', version='50.3.2', qualifiers='extension=tar.gz' ), - release_notes=ReleaseNotes( - type='major', title="Release Notes Title", - featured_image=XsUri('https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png'), - social_image=XsUri('https://cyclonedx.org/cyclonedx-icon.png'), - description="This release is a test release", timestamp=timestamp, - aliases=[ - "First Test Release" - ], - tags=['test', 'alpha'], - resolves=[ - IssueType( - classification=IssueClassification.SECURITY, id='CVE-2021-44228', name='Apache Log3Shell', - description='Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features...', - source_name='NVD', source_url=XsUri('https://nvd.nist.gov/vuln/detail/CVE-2021-44228'), - references=[ - XsUri('https://logging.apache.org/log4j/2.x/security.html'), - XsUri('https://central.sonatype.org/news/20211213_log4shell_help') - ] - ) - ], - notes=[ - Note( - text=NoteText( - content=text_content, content_type='text/plain; charset=UTF-8', - content_encoding=Encoding.BASE_64 - ), locale='en-GB' - ), - Note( - text=NoteText( - content=text_content, content_type='text/plain; charset=UTF-8', - content_encoding=Encoding.BASE_64 - ), locale='en-US' - ) - ], - properties=[ - Property(name='key1', value='val1'), - Property(name='key2', value='val2') - ] - ) + release_notes=TestOutputJson._get_release_notes() ) bom.add_component(c) outputter: Json = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_4) @@ -350,13 +300,7 @@ def test_simple_bom_v1_4_with_vulnerabilities(self) -> None: tzinfo=timezone.utc), credits=VulnerabilityCredits( organizations=[ - OrganizationalEntity( - name='CycloneDX', urls=[XsUri('https://cyclonedx.org')], contacts=[ - OrganizationalContact(name='Paul Horton', email='simplyecommerce@googlemail.com'), - OrganizationalContact(name='A N Other', email='someone@somewhere.tld', - phone='+44 (0)1234 567890') - ] - ) + TestOutputJson._get_org_entity_1() ], individuals=[ OrganizationalContact(name='A N Other', email='someone@somewhere.tld', phone='+44 (0)1234 567890'), @@ -395,4 +339,156 @@ def test_bom_v1_3_with_metadata_component(self, mock_uuid: Mock) -> None: with open(join(dirname(__file__), 'fixtures/bom_v1.3_with_metadata_component.json')) as expected_json: self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) - maxDiff = None + @patch('cyclonedx.model.component.uuid4', return_value='17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda') + @patch('cyclonedx.model.service.uuid4', return_value='0b049d09-64c0-4490-a0f5-c84d9aacf857') + def test_bom_v1_2_services(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = Bom(services=[ + Service(name='my-first-service'), + Service(name='my-second-service') + ]) + bom.metadata.component = Component( + name='cyclonedx-python-lib', version='1.0.0', component_type=ComponentType.LIBRARY + ) + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_2) + self.assertIsInstance(outputter, JsonV1Dot2) + with open(join(dirname(__file__), 'fixtures/bom_v1.2_services_simple.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_2) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @patch('cyclonedx.model.component.uuid4', return_value='17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda') + @patch('cyclonedx.model.service.uuid4', return_value='0b049d09-64c0-4490-a0f5-c84d9aacf857') + def test_bom_v1_2_services_simple(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_simple() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_2) + self.assertIsInstance(outputter, JsonV1Dot2) + with open(join(dirname(__file__), 'fixtures/bom_v1.2_services_simple.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_2) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @patch('cyclonedx.model.component.uuid4', return_value='17e3b199-dc0b-42ef-bfdd-1fa81a1e3eda') + @patch('cyclonedx.model.service.uuid4', return_value='0b049d09-64c0-4490-a0f5-c84d9aacf857') + def test_bom_v1_2_services_complex(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_complex() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_2) + self.assertIsInstance(outputter, JsonV1Dot2) + with open(join(dirname(__file__), 'fixtures/bom_v1.2_services_complex.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_2) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @staticmethod + def _get_bom_with_services_simple() -> Bom: + bom = Bom(services=[ + Service(name='my-first-service'), + Service(name='my-second-service') + ]) + bom.metadata.component = Component( + name='cyclonedx-python-lib', version='1.0.0', component_type=ComponentType.LIBRARY + ) + return bom + + @staticmethod + def _get_bom_with_services_complex() -> Bom: + bom = Bom(services=[ + Service( + name='my-first-service', bom_ref='my-specific-bom-ref-for-my-first-service', + provider=TestOutputJson._get_org_entity_1(), group='a-group', version='1.2.3', + description='Description goes here', endpoints=[ + XsUri('/api/thing/1'), + XsUri('/api/thing/2') + ], + authenticated=False, x_trust_boundary=True, data=[ + DataClassification(flow=DataFlow.OUTBOUND, classification='public') + ], + licenses=[ + LicenseChoice(license_expression='Commercial') + ], + external_references=[ + TestOutputJson._get_external_reference_1() + ], + properties=TestOutputJson._get_properties_1(), + release_notes=TestOutputJson._get_release_notes() + ), + Service(name='my-second-service') + ]) + bom.metadata.component = Component( + name='cyclonedx-python-lib', version='1.0.0', component_type=ComponentType.LIBRARY + ) + return bom + + @staticmethod + def _get_external_reference_1() -> ExternalReference: + return ExternalReference( + reference_type=ExternalReferenceType.DISTRIBUTION, + url='https://cyclonedx.org', + comment='No comment', + hashes=[ + HashType.from_composite_str( + 'sha256:806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b') + ] + ) + + @staticmethod + def _get_org_entity_1() -> OrganizationalEntity: + return OrganizationalEntity( + name='CycloneDX', urls=[XsUri('https://cyclonedx.org')], contacts=[ + OrganizationalContact(name='Paul Horton', email='paul.horton@owasp.org'), + OrganizationalContact(name='A N Other', email='someone@somewhere.tld', + phone='+44 (0)1234 567890') + ] + ) + + @staticmethod + def _get_properties_1() -> List[Property]: + return [ + Property(name='key1', value='val1'), + Property(name='key2', value='val2') + ] + + @staticmethod + def _get_release_notes() -> ReleaseNotes: + text_content: str = base64.b64encode( + bytes('Some simple plain text', encoding='UTF-8') + ).decode(encoding='UTF-8') + + return ReleaseNotes( + type='major', title="Release Notes Title", + featured_image=XsUri('https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png'), + social_image=XsUri('https://cyclonedx.org/cyclonedx-icon.png'), + description="This release is a test release", timestamp=TestOutputJson.timestamp, + aliases=[ + "First Test Release" + ], + tags=['test', 'alpha'], + resolves=[ + IssueType( + classification=IssueClassification.SECURITY, id='CVE-2021-44228', name='Apache Log3Shell', + description='Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features...', + source_name='NVD', source_url=XsUri('https://nvd.nist.gov/vuln/detail/CVE-2021-44228'), + references=[ + XsUri('https://logging.apache.org/log4j/2.x/security.html'), + XsUri('https://central.sonatype.org/news/20211213_log4shell_help') + ] + ) + ], + notes=[ + Note( + text=NoteText( + content=text_content, content_type='text/plain; charset=UTF-8', + content_encoding=Encoding.BASE_64 + ), locale='en-GB' + ), + Note( + text=NoteText( + content=text_content, content_type='text/plain; charset=UTF-8', + content_encoding=Encoding.BASE_64 + ), locale='en-US' + ) + ], + properties=TestOutputJson._get_properties_1() + ) From d71ab0b5bc9b44594d1fffe889f2790d51cf1ffe Mon Sep 17 00:00:00 2001 From: Paul Horton Date: Wed, 26 Jan 2022 18:00:26 +0000 Subject: [PATCH 14/19] removed signature from this branch Signed-off-by: Paul Horton --- cyclonedx/model/__init__.py | 71 +++++++++++++++++++++++++++++++++++++ cyclonedx/model/service.py | 11 ++++++ 2 files changed, 82 insertions(+) diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index a91396f6..fe090dd0 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -120,6 +120,7 @@ def classification(self, classification: str) -> None: self._classification = classification +<<<<<<< HEAD # class SignatureAlgorithm(Enum): # """ # This is out internal representation of the algorithm simple type within the CycloneDX standard. @@ -229,6 +230,76 @@ def classification(self, classification: str) -> None: # self.excludes = excludes # self.value = value +======= +class SignaturePublicKeyCrv(Enum): + """ + This is our internal representation of the crv simple type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_allOf_i1_then_crv + """ + ED25519 = "Ed25519" + Ed448 = "Ed448" + +class SignaturePublicKey: + """ + This is our internal representation of the public key complex type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey + JSON only + """ + def __init__(self, kty: SignaturePublicKeyKty = None, crv: Optional[SignaturePublicKeyCrv] = None, + x: Optional[str] = None, y: Optional[str] = None, + n: Optional[str] = None, e: Optional[str] = None) -> None: + if not kty: + raise NoPropertiesProvidedException( + '`kty` must be supplied' + ) + if kty == SignaturePublicKeyKty.EC and not crv and not x and not y: + raise NoPropertiesProvidedException( + 'if `kty` equals EC, `crv`, `x` and `y` must be supplied' + ) + if kty == SignaturePublicKeyKty.OKP and not crv and not x: + raise NoPropertiesProvidedException( + 'if `kty` equals OKP, `crv`, and `x` must be supplied' + ) + if kty == SignaturePublicKeyKty.RSA and not n and not e: + raise NoPropertiesProvidedException( + 'if `kty` equals RSA, `n`, and `e` must be supplied' + ) + self.kty = kty + self.crv = crv + self.x = x + self.y = y + self.n = n + self.e = e + self.value = value + +class Signature: + """ + This is out internal representation of the signature complex type within the CycloneDX standard. + + .. note:: + See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature + JSON only + """ + + def __init__(self, algorithm: SignatureAlgorithm, value: str, key_id: Optional[str], + public_key: Optional[SignaturePublicKey] = None, + certificate_path: Optional[List[str]] = None, + excludes: Optional[List[str]] = None) -> None: + if not algorithm and not value: + raise NoPropertiesProvidedException( + 'One of `algorithm` or `value` must be supplied - neither supplied' + ) + self.algorithm = algorithm + self.key_id = key_id + self.public_key = public_key + self.certificate_path = certificate_path + self.excludes = excludes + self.value = value +>>>>>>> cbebae2 (No default values for required fields) class Encoding(Enum): """ diff --git a/cyclonedx/model/service.py b/cyclonedx/model/service.py index b8bf3afe..47336043 100644 --- a/cyclonedx/model/service.py +++ b/cyclonedx/model/service.py @@ -36,10 +36,21 @@ class Service: See the CycloneDX schema: https://cyclonedx.org/docs/1.4/xml/#type_service """ +<<<<<<< HEAD def __init__(self, name: str, bom_ref: Optional[str] = None, provider: Optional[OrganizationalEntity] = None, group: Optional[str] = None, version: Optional[str] = None, description: Optional[str] = None, endpoints: Optional[List[XsUri]] = None, authenticated: Optional[bool] = None, x_trust_boundary: Optional[bool] = None, data: Optional[List[DataClassification]] = None, +======= + def __init__(self, name: str, bom_ref: Optional[str] = None, + group: Optional[str] = None, + version: Optional[str] = None, + description: Optional[str] = None, + endpoints: Optional[List[str]] = None, + authenticated: Optional[bool] = None, + x_trust_boundary: Optional[bool] = None, + data: Optional[List[Data]] = None, +>>>>>>> cbebae2 (No default values for required fields) licenses: Optional[List[LicenseChoice]] = None, external_references: Optional[List[ExternalReference]] = None, properties: Optional[List[Property]] = None, From adbcb381726290e7feec88bf0579f65e348421b2 Mon Sep 17 00:00:00 2001 From: Jeffry Hesse <5544326+DarthHater@users.noreply.github.com> Date: Tue, 25 Jan 2022 08:59:23 -0900 Subject: [PATCH 15/19] Add Services to BOM --- cyclonedx/model/bom.py | 64 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index 5786ea0a..be09df7f 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -25,6 +25,7 @@ from .component import Component from .service import Service from ..parser import BaseParser +from .service import Service class BomMetaData: @@ -271,6 +272,69 @@ def has_component(self, component: Component) -> bool: return False return component in self.components + @property + def services(self) -> List[Service]: + """ + Get all the Services currently in this Bom. + + Returns: + List of all Services in this Bom. + """ + return self._services + + @services.setter + def services(self, services: List[Service]) -> None: + self._services = services + + def add_service(self, service: Service) -> None: + """ + Add a Service to this Bom instance. + + Args: + service: + `cyclonedx.model.service.Service` instance to add to this Bom. + + Returns: + None + """ + if not self.has_component(service=service): + self._services.append(service) + + def add_services(self, services: List[Service]) -> None: + """ + Add multiple Services at once to this Bom instance. + + Args: + services: + List of `cyclonedx.model.service.Service` instances to add to this Bom. + + Returns: + None + """ + self.services = self._services + services + + def has_service(self, service: Service) -> bool: + """ + Check whether this Bom contains the provided Service. + + Args: + component: + The instance of `cyclonedx.model.service.Service` to check if this Bom contains. + + Returns: + `bool` - `True` if the supplied Service is part of this Bom, `False` otherwise. + """ + return service in self._services + + def service_count(self) -> int: + """ + Returns the current count of Services within this Bom. + + Returns: + The number of Services in this Bom as `int`. + """ + return len(self._services) + def has_vulnerabilities(self) -> bool: """ Check whether this Bom has any declared vulnerabilities. From 1428ab1803df1dd81700571e9a50c008af7135dc Mon Sep 17 00:00:00 2001 From: Jeffry Hesse <5544326+DarthHater@users.noreply.github.com> Date: Tue, 25 Jan 2022 09:00:14 -0900 Subject: [PATCH 16/19] Typo fix --- cyclonedx/model/__init__.py | 185 +----------------------------------- 1 file changed, 2 insertions(+), 183 deletions(-) diff --git a/cyclonedx/model/__init__.py b/cyclonedx/model/__init__.py index fe090dd0..6fa11761 100644 --- a/cyclonedx/model/__init__.py +++ b/cyclonedx/model/__init__.py @@ -114,196 +114,15 @@ def classification(self) -> str: `str` """ return self._classification - + @classification.setter def classification(self, classification: str) -> None: self._classification = classification -<<<<<<< HEAD -# class SignatureAlgorithm(Enum): -# """ -# This is out internal representation of the algorithm simple type within the CycloneDX standard. -# -# .. note:: -# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#tab-pane_signature_oneOf_i2_algorithm_oneOf_i0 -# """ -# RS256 = "RS256" -# RS384 = "RS384" -# RS512 = "RS512" -# PS256 = "PS256" -# PS384 = "PS384" -# PS512 = "PS512" -# ES256 = "ES256" -# ES384 = "ES384" -# ES512 = "ES512" -# ED25519 = "Ed25519" -# ED448 = "Ed448" -# HS256 = "HS256" -# HS384 = "HS384" -# HS512 = "HS512" -# -# -# class SignaturePublicKeyKty(Enum): -# """ -# This is our internal representation of the kty simple type within the CycloneDX standard. -# -# .. note:: -# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_kty -# """ -# EC = "EC" -# OKP = "OKP" -# RSA = "RSA" -# -# -# class SignaturePublicKeyCrv(Enum): -# """ -# This is our internal representation of the crv simple type within the CycloneDX standard. -# -# .. note:: -# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_allOf_i1_then_crv -# """ -# ED25519 = "Ed25519" -# Ed448 = "Ed448" -# -# -# class SignaturePublicKey: -# """ -# This is our internal representation of the public key complex type within the CycloneDX standard. -# -# .. note:: -# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey -# JSON only -# """ -# -# def __init__(self, kty: SignaturePublicKeyKty = None, crv: Optional[SignaturePublicKeyCrv] = None, -# x: Optional[str] = None, y: Optional[str] = None, -# n: Optional[str] = None, e: Optional[str] = None, -# value: str = None) -> None: -# if not kty and not value: -# raise NoPropertiesProvidedException( -# '`kty` must be supplied' -# ) -# if kty == SignaturePublicKeyKty.EC and not crv and not x and not y: -# raise NoPropertiesProvidedException( -# 'if `kty` equals EC, `crv`, `x` and `y` must be supplied' -# ) -# if kty == SignaturePublicKeyKty.OKP and not crv and not x: -# raise NoPropertiesProvidedException( -# 'if `kty` equals OKP, `crv`, and `x` must be supplied' -# ) -# if kty == SignaturePublicKeyKty.RSA and not n and not e: -# raise NoPropertiesProvidedException( -# 'if `kty` equals RSA, `n`, and `e` must be supplied' -# ) -# self.kty = kty -# self.crv = crv -# self.x = x -# self.y = y -# self.n = n -# self.e = e -# self.value = value -# -# -# class Signature: -# """ -# This is out internal representation of the signature complex type within the CycloneDX standard. -# -# .. note:: -# See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature -# JSON only -# """ -# -# def __init__(self, algorithm: SignatureAlgorithm, key_id: Optional[str], -# public_key: Optional[SignaturePublicKey] = None, -# certificate_path: Optional[List[str]] = None, -# excludes: Optional[List[str]] = None, -# value: str = None) -> None: -# if not algorithm and not value: -# raise NoPropertiesProvidedException( -# 'One of `algorithm` or `value` must be supplied - neither supplied' -# ) -# self.algorithm = algorithm -# self.key_id = key_id -# self.public_key = public_key -# self.certificate_path = certificate_path -# self.excludes = excludes -# self.value = value - -======= -class SignaturePublicKeyCrv(Enum): - """ - This is our internal representation of the crv simple type within the CycloneDX standard. - - .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey_allOf_i1_then_crv - """ - ED25519 = "Ed25519" - Ed448 = "Ed448" - -class SignaturePublicKey: - """ - This is our internal representation of the public key complex type within the CycloneDX standard. - - .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature_oneOf_i2_publicKey - JSON only - """ - def __init__(self, kty: SignaturePublicKeyKty = None, crv: Optional[SignaturePublicKeyCrv] = None, - x: Optional[str] = None, y: Optional[str] = None, - n: Optional[str] = None, e: Optional[str] = None) -> None: - if not kty: - raise NoPropertiesProvidedException( - '`kty` must be supplied' - ) - if kty == SignaturePublicKeyKty.EC and not crv and not x and not y: - raise NoPropertiesProvidedException( - 'if `kty` equals EC, `crv`, `x` and `y` must be supplied' - ) - if kty == SignaturePublicKeyKty.OKP and not crv and not x: - raise NoPropertiesProvidedException( - 'if `kty` equals OKP, `crv`, and `x` must be supplied' - ) - if kty == SignaturePublicKeyKty.RSA and not n and not e: - raise NoPropertiesProvidedException( - 'if `kty` equals RSA, `n`, and `e` must be supplied' - ) - self.kty = kty - self.crv = crv - self.x = x - self.y = y - self.n = n - self.e = e - self.value = value - -class Signature: - """ - This is out internal representation of the signature complex type within the CycloneDX standard. - - .. note:: - See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/json/#signature - JSON only - """ - - def __init__(self, algorithm: SignatureAlgorithm, value: str, key_id: Optional[str], - public_key: Optional[SignaturePublicKey] = None, - certificate_path: Optional[List[str]] = None, - excludes: Optional[List[str]] = None) -> None: - if not algorithm and not value: - raise NoPropertiesProvidedException( - 'One of `algorithm` or `value` must be supplied - neither supplied' - ) - self.algorithm = algorithm - self.key_id = key_id - self.public_key = public_key - self.certificate_path = certificate_path - self.excludes = excludes - self.value = value ->>>>>>> cbebae2 (No default values for required fields) - class Encoding(Enum): """ - This is out internal representation of the encoding simple type within the CycloneDX standard. + This is our internal representation of the encoding simple type within the CycloneDX standard. .. note:: See the CycloneDX Schema: https://cyclonedx.org/docs/1.4/#type_encoding From fc8eefa3064a0f2a5b80bb0ba42dd6225d3f4def Mon Sep 17 00:00:00 2001 From: Paul Horton Date: Wed, 26 Jan 2022 10:51:06 +0000 Subject: [PATCH 17/19] addressed standards Signed-off-by: Paul Horton --- cyclonedx/model/bom.py | 26 ++++++++++-------- cyclonedx/model/service.py | 17 ++---------- cyclonedx/output/json.py | 5 ++-- cyclonedx/output/xml.py | 55 +++++++++++++++++++------------------ tests/test_model_service.py | 1 - 5 files changed, 48 insertions(+), 56 deletions(-) diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index be09df7f..0d1876e3 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -18,7 +18,7 @@ # Copyright (c) OWASP Foundation. All Rights Reserved. from datetime import datetime, timezone -from typing import List, Optional +from typing import cast, List, Optional from uuid import uuid4, UUID from . import ThisTool, Tool @@ -179,17 +179,17 @@ def metadata(self, metadata: BomMetaData) -> None: self._metadata = metadata @property - def components(self) -> List[Component]: + def components(self) -> Optional[List[Component]]: """ Get all the Components currently in this Bom. Returns: - List of all Components in this Bom. + List of all Components in this Bom or `None` """ return self._components @components.setter - def components(self, components: List[Component]) -> None: + def components(self, components: Optional[List[Component]]) -> None: self._components = components def add_component(self, component: Component) -> None: @@ -206,7 +206,7 @@ def add_component(self, component: Component) -> None: if not self.components: self.components = [component] elif not self.has_component(component=component): - self._components.append(component) + self.components.append(component) def add_components(self, components: List[Component]) -> None: """ @@ -219,7 +219,7 @@ def add_components(self, components: List[Component]) -> None: Returns: None """ - self.components = self._components + components + self.components = (self._components or []) + components def component_count(self) -> int: """ @@ -228,7 +228,7 @@ def component_count(self) -> int: Returns: The number of Components in this Bom as `int`. """ - return len(self._components) + return len(self._components) if self._components else 0 def get_component_by_purl(self, purl: Optional[str]) -> Optional[Component]: """ @@ -241,8 +241,11 @@ def get_component_by_purl(self, purl: Optional[str]) -> Optional[Component]: Returns: `Component` or `None` """ + if not self._components: + return None + if purl: - found = list(filter(lambda x: x.purl == purl, self.components)) + found = list(filter(lambda x: x.purl == purl, cast(List[Component], self.components))) if len(found) == 1: return found[0] @@ -343,9 +346,10 @@ def has_vulnerabilities(self) -> bool: `bool` - `True` if at least one `cyclonedx.model.component.Component` has at least one Vulnerability, `False` otherwise. """ - for c in self.components: - if c.has_vulnerabilities(): - return True + if self.components: + for c in self.components: + if c.has_vulnerabilities(): + return True return False diff --git a/cyclonedx/model/service.py b/cyclonedx/model/service.py index 47336043..022877f6 100644 --- a/cyclonedx/model/service.py +++ b/cyclonedx/model/service.py @@ -57,8 +57,7 @@ def __init__(self, name: str, bom_ref: Optional[str] = None, # services: Optional[List[Service]] = None, -- I have no clue how to do this, # commenting out so someone else can release_notes: Optional[ReleaseNotes] = None, - # signature: Optional[Signature] = None - ): + ) -> None: self.bom_ref = bom_ref or str(uuid4()) self.provider = provider self.group = group @@ -74,7 +73,6 @@ def __init__(self, name: str, bom_ref: Optional[str] = None, # self.services = services -- no clue self.release_notes = release_notes self.properties = properties - # self.signature = signature @property def bom_ref(self) -> Optional[str]: @@ -189,7 +187,7 @@ def add_endpoint(self, endpoint: XsUri) -> None: Returns: None """ - self.endpoints = self._endpoints + [endpoint] + self.endpoints = (self._endpoints or []) + [endpoint] @property def authenticated(self) -> Optional[bool]: @@ -305,14 +303,3 @@ def properties(self) -> Optional[List[Property]]: @properties.setter def properties(self, properties: Optional[List[Property]]) -> None: self._properties = properties - - # @property - # def signature(self) -> Optional[Signature]: - # """ - # A JSF signature for the service as provided by the source. - # """ - # return self._signature - # - # @signature.setter - # def signature(self, signature: Optional[Signature]) -> None: - # self._signature = signature diff --git a/cyclonedx/output/json.py b/cyclonedx/output/json.py index fef1916c..e8460a20 100644 --- a/cyclonedx/output/json.py +++ b/cyclonedx/output/json.py @@ -19,13 +19,14 @@ import json from abc import abstractmethod -from typing import Any, Dict, List, Optional, Union +from typing import cast, Any, Dict, List, Optional, Union from . import BaseOutput from .schema import BaseSchemaVersion, SchemaVersion1Dot0, SchemaVersion1Dot1, SchemaVersion1Dot2, SchemaVersion1Dot3, \ SchemaVersion1Dot4 from .serializer.json import CycloneDxJSONEncoder from ..model.bom import Bom +from ..model.component import Component ComponentDict = Dict[str, Union[ @@ -52,7 +53,7 @@ def generate(self, force_regeneration: bool = False) -> None: vulnerabilities: Dict[str, List[Dict[Any, Any]]] = {"vulnerabilities": []} if self.get_bom().components: - for component in self.get_bom().components: + for component in cast(List[Component], self.get_bom().components): for vulnerability in component.get_vulnerabilities(): vulnerabilities['vulnerabilities'].append( json.loads(json.dumps(vulnerability, cls=CycloneDxJSONEncoder)) diff --git a/cyclonedx/output/xml.py b/cyclonedx/output/xml.py index c4ba91fc..1282449e 100644 --- a/cyclonedx/output/xml.py +++ b/cyclonedx/output/xml.py @@ -18,7 +18,7 @@ # Copyright (c) OWASP Foundation. All Rights Reserved. import warnings -from typing import List, Optional +from typing import cast, List, Optional from xml.etree import ElementTree from . import BaseOutput @@ -51,33 +51,34 @@ def generate(self, force_regeneration: bool = False) -> None: components_element = ElementTree.SubElement(self._root_bom_element, 'components') has_vulnerabilities: bool = False - for component in self.get_bom().components: - component_element = self._add_component_element(component=component) - components_element.append(component_element) - if self.bom_supports_vulnerabilities_via_extension() and component.has_vulnerabilities(): - # Vulnerabilities are only possible when bom-ref is supported by the main CycloneDX schema version - vulnerabilities = ElementTree.SubElement(component_element, 'v:vulnerabilities') - for vulnerability in component.get_vulnerabilities(): - if component.bom_ref: - vulnerabilities.append( - self._get_vulnerability_as_xml_element_pre_1_3(bom_ref=component.bom_ref, - vulnerability=vulnerability) + if self.get_bom().components: + for component in cast(List[Component], self.get_bom().components): + component_element = self._add_component_element(component=component) + components_element.append(component_element) + if self.bom_supports_vulnerabilities_via_extension() and component.has_vulnerabilities(): + # Vulnerabilities are only possible when bom-ref is supported by the main CycloneDX schema version + vulnerabilities = ElementTree.SubElement(component_element, 'v:vulnerabilities') + for vulnerability in component.get_vulnerabilities(): + if component.bom_ref: + vulnerabilities.append( + self._get_vulnerability_as_xml_element_pre_1_3(bom_ref=component.bom_ref, + vulnerability=vulnerability) + ) + else: + warnings.warn( + f'Unable to include Vulnerability {str(vulnerability)} in generated BOM as the ' + f'Component it relates to ({str(component)}) but it has no bom-ref.' + ) + elif component.has_vulnerabilities(): + has_vulnerabilities = True + + if self.bom_supports_vulnerabilities() and has_vulnerabilities: + vulnerabilities_element = ElementTree.SubElement(self._root_bom_element, 'vulnerabilities') + for component in cast(List[Component], self.get_bom().components): + for vulnerability in component.get_vulnerabilities(): + vulnerabilities_element.append( + self._get_vulnerability_as_xml_element_post_1_4(vulnerability=vulnerability) ) - else: - warnings.warn( - f'Unable to include Vulnerability {str(vulnerability)} in generated BOM as the Component' - f'it relates to ({str(component)}) but it has no bom-ref.' - ) - elif component.has_vulnerabilities(): - has_vulnerabilities = True - - if self.bom_supports_vulnerabilities() and has_vulnerabilities: - vulnerabilities_element = ElementTree.SubElement(self._root_bom_element, 'vulnerabilities') - for component in self.get_bom().components: - for vulnerability in component.get_vulnerabilities(): - vulnerabilities_element.append( - self._get_vulnerability_as_xml_element_post_1_4(vulnerability=vulnerability) - ) self.generated = True diff --git a/tests/test_model_service.py b/tests/test_model_service.py index c19f842a..47571b76 100644 --- a/tests/test_model_service.py +++ b/tests/test_model_service.py @@ -42,4 +42,3 @@ def test_minimal_service(self, mock_uuid: Mock) -> None: self.assertListEqual(s.external_references, []) self.assertIsNone(s.release_notes) self.assertIsNone(s.properties) - From ea8aa64496e68f281aac7623ae322d0ca84b06fa Mon Sep 17 00:00:00 2001 From: Paul Horton Date: Wed, 26 Jan 2022 18:09:52 +0000 Subject: [PATCH 18/19] resolved typing issues from merge Signed-off-by: Paul Horton --- cyclonedx/model/bom.py | 43 +++++++++++++++----------------------- cyclonedx/model/service.py | 11 ---------- 2 files changed, 17 insertions(+), 37 deletions(-) diff --git a/cyclonedx/model/bom.py b/cyclonedx/model/bom.py index 0d1876e3..c15cad82 100644 --- a/cyclonedx/model/bom.py +++ b/cyclonedx/model/bom.py @@ -25,7 +25,6 @@ from .component import Component from .service import Service from ..parser import BaseParser -from .service import Service class BomMetaData: @@ -276,17 +275,17 @@ def has_component(self, component: Component) -> bool: return component in self.components @property - def services(self) -> List[Service]: + def services(self) -> Optional[List[Service]]: """ Get all the Services currently in this Bom. Returns: - List of all Services in this Bom. + List of `Service` in this Bom or `None` """ return self._services @services.setter - def services(self, services: List[Service]) -> None: + def services(self, services: Optional[List[Service]]) -> None: self._services = services def add_service(self, service: Service) -> None: @@ -300,8 +299,10 @@ def add_service(self, service: Service) -> None: Returns: None """ - if not self.has_component(service=service): - self._services.append(service) + if not self.services: + self.services = [service] + elif not self.has_service(service=service): + self.services.append(service) def add_services(self, services: List[Service]) -> None: """ @@ -314,20 +315,23 @@ def add_services(self, services: List[Service]) -> None: Returns: None """ - self.services = self._services + services + self.services = (self.services or []) + services def has_service(self, service: Service) -> bool: """ Check whether this Bom contains the provided Service. Args: - component: + service: The instance of `cyclonedx.model.service.Service` to check if this Bom contains. Returns: `bool` - `True` if the supplied Service is part of this Bom, `False` otherwise. """ - return service in self._services + if not self.services: + return False + + return service in self.services def service_count(self) -> int: """ @@ -336,7 +340,10 @@ def service_count(self) -> int: Returns: The number of Services in this Bom as `int`. """ - return len(self._services) + if not self.services: + return 0 + + return len(self.services) def has_vulnerabilities(self) -> bool: """ @@ -352,19 +359,3 @@ def has_vulnerabilities(self) -> bool: return True return False - - @property - def services(self) -> Optional[List[Service]]: - """ - A list of services. - - This may include microservices, function-as-a-service, and other types of network or intra-process services. - - Returns: - List of `Service` or `None` - """ - return self._services - - @services.setter - def services(self, services: Optional[List[Service]]) -> None: - self._services = services diff --git a/cyclonedx/model/service.py b/cyclonedx/model/service.py index 022877f6..674d0761 100644 --- a/cyclonedx/model/service.py +++ b/cyclonedx/model/service.py @@ -36,21 +36,10 @@ class Service: See the CycloneDX schema: https://cyclonedx.org/docs/1.4/xml/#type_service """ -<<<<<<< HEAD def __init__(self, name: str, bom_ref: Optional[str] = None, provider: Optional[OrganizationalEntity] = None, group: Optional[str] = None, version: Optional[str] = None, description: Optional[str] = None, endpoints: Optional[List[XsUri]] = None, authenticated: Optional[bool] = None, x_trust_boundary: Optional[bool] = None, data: Optional[List[DataClassification]] = None, -======= - def __init__(self, name: str, bom_ref: Optional[str] = None, - group: Optional[str] = None, - version: Optional[str] = None, - description: Optional[str] = None, - endpoints: Optional[List[str]] = None, - authenticated: Optional[bool] = None, - x_trust_boundary: Optional[bool] = None, - data: Optional[List[Data]] = None, ->>>>>>> cbebae2 (No default values for required fields) licenses: Optional[List[LicenseChoice]] = None, external_references: Optional[List[ExternalReference]] = None, properties: Optional[List[Property]] = None, From 37cc10e2aabfb839964f9a7fbfe4ab2720bcc121 Mon Sep 17 00:00:00 2001 From: Paul Horton Date: Wed, 26 Jan 2022 18:22:21 +0000 Subject: [PATCH 19/19] added a bunch more tests for JSON output Signed-off-by: Paul Horton --- tests/fixtures/bom_v1.3_services_complex.json | 94 +++++++++ tests/fixtures/bom_v1.3_services_simple.json | 34 ++++ tests/fixtures/bom_v1.4_services_complex.json | 187 ++++++++++++++++++ tests/fixtures/bom_v1.4_services_simple.json | 68 +++++++ tests/test_output_json.py | 52 ++++- 5 files changed, 433 insertions(+), 2 deletions(-) create mode 100644 tests/fixtures/bom_v1.3_services_complex.json create mode 100644 tests/fixtures/bom_v1.3_services_simple.json create mode 100644 tests/fixtures/bom_v1.4_services_complex.json create mode 100644 tests/fixtures/bom_v1.4_services_simple.json diff --git a/tests/fixtures/bom_v1.3_services_complex.json b/tests/fixtures/bom_v1.3_services_complex.json new file mode 100644 index 00000000..d517c042 --- /dev/null +++ b/tests/fixtures/bom_v1.3_services_complex.json @@ -0,0 +1,94 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.3.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.3", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION" + } + ], + "component": { + "type": "library", + "bom-ref": "df70b5f1-8f53-47a4-be48-669ae78795e6", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "my-specific-bom-ref-for-my-first-service", + "provider": { + "contact": [ + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + }, + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org" + ] + }, + "group": "a-group", + "name": "my-first-service", + "version": "1.2.3", + "description": "Description goes here", + "endpoints": [ + "/api/thing/1", + "/api/thing/2" + ], + "authenticated": false, + "x-trust-boundary": true, + "data": [ + { + "classification": "public", + "flow": "outbound" + } + ], + "licenses": [ + { + "expression": "Commercial" + } + ], + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ] + }, + { + "bom-ref": "e9c2e297-eee6-4f45-ac2d-6662b1db77bf", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/fixtures/bom_v1.3_services_simple.json b/tests/fixtures/bom_v1.3_services_simple.json new file mode 100644 index 00000000..514d2be4 --- /dev/null +++ b/tests/fixtures/bom_v1.3_services_simple.json @@ -0,0 +1,34 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.3.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.3", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION" + } + ], + "component": { + "type": "library", + "bom-ref": "cd3e9c95-9d41-49e7-9924-8cf0465ae789", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "bb5911d6-1a1d-41c9-b6e0-46e848d16655", + "name": "my-first-service" + }, + { + "bom-ref": "bb5911d6-1a1d-41c9-b6e0-46e848d16655", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/fixtures/bom_v1.4_services_complex.json b/tests/fixtures/bom_v1.4_services_complex.json new file mode 100644 index 00000000..45c90ebb --- /dev/null +++ b/tests/fixtures/bom_v1.4_services_complex.json @@ -0,0 +1,187 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.4", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION", + "externalReferences": [ + { + "type": "build-system", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" + }, + { + "type": "distribution", + "url": "https://pypi.org/project/cyclonedx-python-lib/" + }, + { + "type": "documentation", + "url": "https://cyclonedx.github.io/cyclonedx-python-lib/" + }, + { + "type": "issue-tracker", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" + }, + { + "type": "license", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" + }, + { + "type": "release-notes", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" + }, + { + "type": "vcs", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib" + }, + { + "type": "website", + "url": "https://cyclonedx.org" + } + ] + } + ], + "component": { + "type": "library", + "bom-ref": "2a4ec791-4846-4769-8332-06e6ee170395", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "my-specific-bom-ref-for-my-first-service", + "provider": { + "contact": [ + { + "email": "paul.horton@owasp.org", + "name": "Paul Horton" + }, + { + "email": "someone@somewhere.tld", + "name": "A N Other", + "phone": "+44 (0)1234 567890" + } + ], + "name": "CycloneDX", + "url": [ + "https://cyclonedx.org" + ] + }, + "group": "a-group", + "name": "my-first-service", + "version": "1.2.3", + "description": "Description goes here", + "endpoints": [ + "/api/thing/1", + "/api/thing/2" + ], + "authenticated": false, + "x-trust-boundary": true, + "data": [ + { + "classification": "public", + "flow": "outbound" + } + ], + "licenses": [ + { + "expression": "Commercial" + } + ], + "externalReferences": [ + { + "comment": "No comment", + "hashes": [ + { + "alg": "SHA-256", + "content": "806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b" + } + ], + "type": "distribution", + "url": "https://cyclonedx.org" + } + ], + "releaseNotes": { + "aliases": [ + "First Test Release" + ], + "description": "This release is a test release", + "featuredImage": "https://cyclonedx.org/theme/assets/images/CycloneDX-Twitter-Card.png", + "notes": [ + { + "locale": "en-GB", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + }, + { + "locale": "en-US", + "text": { + "content": "U29tZSBzaW1wbGUgcGxhaW4gdGV4dA==", + "contentType": "text/plain; charset=UTF-8", + "encoding": "base64" + } + } + ], + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ], + "resolves": [ + { + "description": "Apache Log4j2 2.0-beta9 through 2.12.1 and 2.13.0 through 2.15.0 JNDI features...", + "id": "CVE-2021-44228", + "name": "Apache Log3Shell", + "references": [ + "https://logging.apache.org/log4j/2.x/security.html", + "https://central.sonatype.org/news/20211213_log4shell_help" + ], + "source": { + "name": "NVD", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-44228" + }, + "type": "security" + } + ], + "socialImage": "https://cyclonedx.org/cyclonedx-icon.png", + "tags": [ + "test", + "alpha" + ], + "timestamp": "2021-12-31T10:00:00+00:00", + "title": "Release Notes Title", + "type": "major" + }, + "properties": [ + { + "name": "key1", + "value": "val1" + }, + { + "name": "key2", + "value": "val2" + } + ] + }, + { + "bom-ref": "b1650ab8-33fb-47e3-bc6e-07031054a946", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/fixtures/bom_v1.4_services_simple.json b/tests/fixtures/bom_v1.4_services_simple.json new file mode 100644 index 00000000..6a2ae027 --- /dev/null +++ b/tests/fixtures/bom_v1.4_services_simple.json @@ -0,0 +1,68 @@ +{ + "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json", + "bomFormat": "CycloneDX", + "specVersion": "1.4", + "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79", + "version": 1, + "metadata": { + "timestamp": "2021-09-01T10:50:42.051979+00:00", + "tools": [ + { + "vendor": "CycloneDX", + "name": "cyclonedx-python-lib", + "version": "VERSION", + "externalReferences": [ + { + "type": "build-system", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/actions" + }, + { + "type": "distribution", + "url": "https://pypi.org/project/cyclonedx-python-lib/" + }, + { + "type": "documentation", + "url": "https://cyclonedx.github.io/cyclonedx-python-lib/" + }, + { + "type": "issue-tracker", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/issues" + }, + { + "type": "license", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/LICENSE" + }, + { + "type": "release-notes", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib/blob/main/CHANGELOG.md" + }, + { + "type": "vcs", + "url": "https://github.com/CycloneDX/cyclonedx-python-lib" + }, + { + "type": "website", + "url": "https://cyclonedx.org" + } + ] + } + ], + "component": { + "type": "library", + "bom-ref": "44eba9c8-ccfb-4868-90cb-deb27f72b358", + "name": "cyclonedx-python-lib", + "version": "1.0.0" + } + }, + "components": [], + "services": [ + { + "bom-ref": "86452881-cb1a-4296-9450-2eb6f3e55744", + "name": "my-first-service" + }, + { + "bom-ref": "86452881-cb1a-4296-9450-2eb6f3e55744", + "name": "my-second-service" + } + ] +} \ No newline at end of file diff --git a/tests/test_output_json.py b/tests/test_output_json.py index b21975ba..9d8e2d53 100644 --- a/tests/test_output_json.py +++ b/tests/test_output_json.py @@ -17,13 +17,13 @@ # SPDX-License-Identifier: Apache-2.0 # Copyright (c) OWASP Foundation. All Rights Reserved. import base64 -from decimal import Decimal from datetime import datetime, timezone +from decimal import Decimal from os.path import dirname, join from typing import List +from unittest.mock import Mock, patch from packageurl import PackageURL -from unittest.mock import Mock, patch from cyclonedx.model import Encoding, ExternalReference, ExternalReferenceType, HashType, LicenseChoice, Note, \ NoteText, OrganizationalContact, OrganizationalEntity, Property, Tool, XsUri, DataClassification, DataFlow @@ -381,6 +381,54 @@ def test_bom_v1_2_services_complex(self, mock_uuid_c: Mock, mock_uuid_s: Mock) - self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_2) self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + @patch('cyclonedx.model.component.uuid4', return_value='cd3e9c95-9d41-49e7-9924-8cf0465ae789') + @patch('cyclonedx.model.service.uuid4', return_value='bb5911d6-1a1d-41c9-b6e0-46e848d16655') + def test_bom_v1_3_services_simple(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_simple() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_3) + self.assertIsInstance(outputter, JsonV1Dot3) + with open(join(dirname(__file__), 'fixtures/bom_v1.3_services_simple.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_3) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @patch('cyclonedx.model.component.uuid4', return_value='df70b5f1-8f53-47a4-be48-669ae78795e6') + @patch('cyclonedx.model.service.uuid4', return_value='e9c2e297-eee6-4f45-ac2d-6662b1db77bf') + def test_bom_v1_3_services_complex(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_complex() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_3) + self.assertIsInstance(outputter, JsonV1Dot3) + with open(join(dirname(__file__), 'fixtures/bom_v1.3_services_complex.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_3) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @patch('cyclonedx.model.component.uuid4', return_value='44eba9c8-ccfb-4868-90cb-deb27f72b358') + @patch('cyclonedx.model.service.uuid4', return_value='86452881-cb1a-4296-9450-2eb6f3e55744') + def test_bom_v1_4_services_simple(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_simple() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_4) + self.assertIsInstance(outputter, JsonV1Dot4) + with open(join(dirname(__file__), 'fixtures/bom_v1.4_services_simple.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_4) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + + @patch('cyclonedx.model.component.uuid4', return_value='2a4ec791-4846-4769-8332-06e6ee170395') + @patch('cyclonedx.model.service.uuid4', return_value='b1650ab8-33fb-47e3-bc6e-07031054a946') + def test_bom_v1_4_services_complex(self, mock_uuid_c: Mock, mock_uuid_s: Mock) -> None: + bom = TestOutputJson._get_bom_with_services_complex() + mock_uuid_c.assert_called() + mock_uuid_s.assert_called() + outputter = get_instance(bom=bom, output_format=OutputFormat.JSON, schema_version=SchemaVersion.V1_4) + self.assertIsInstance(outputter, JsonV1Dot4) + with open(join(dirname(__file__), 'fixtures/bom_v1.4_services_complex.json')) as expected_json: + self.assertValidAgainstSchema(bom_json=outputter.output_as_string(), schema_version=SchemaVersion.V1_4) + self.assertEqualJsonBom(outputter.output_as_string(), expected_json.read()) + @staticmethod def _get_bom_with_services_simple() -> Bom: bom = Bom(services=[