Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve support for the Component.Evidence.Identity field in CycloneDX 1.6 #192

Open
darioandre opened this issue Jul 30, 2024 · 6 comments · May be fixed by #204
Open

Improve support for the Component.Evidence.Identity field in CycloneDX 1.6 #192

darioandre opened this issue Jul 30, 2024 · 6 comments · May be fixed by #204
Labels
bug Something isn't working help wanted Extra attention is needed spec/1.6

Comments

@darioandre
Copy link

In CycloneDX 1.5, the Component.Evidence.Identity field was specified as a single Identity object. In CycloneDX 1.6 this has been deprecated in favor of an array of Identity objects.
The specifications can be compared here:
1.5: https://cyclonedx.org/docs/1.5/json/#components_items_evidence_identity
1.6: https://cyclonedx.org/docs/1.6/json/#components_items_evidence_identity

cyclonedx-go still defines Identity as *EvidenceIdentity so it fails to unmarshal SBOMs which have an array of identities in place of a single one; the error is: cannot unmarshal array into Go struct field Evidence.components.evidence.identity of type cyclonedx.EvidenceIdentity.

This currently happens with some SBOMs generated by cdxgen (https://github.com/CycloneDX/cdxgen) when using the --spec-version 1.6 argument. This is an SBOM affected by the issue. It was generated from a skeleton Poetry project, with just pytest added, using this command:

docker run --rm -v /tmp:/tmp -v $(pwd):/app:rw -t ghcr.io/cyclonedx/cdxgen -r /app -o /app/bom.json --spec-version 1.6`
@nscuro nscuro added bug Something isn't working spec/1.6 labels Aug 7, 2024
@eruvanos
Copy link

We also run into that issue, trivy inherits this issue :/

@eruvanos eruvanos mentioned this issue Oct 24, 2024
Closed
@nscuro nscuro added the help wanted Extra attention is needed label Oct 24, 2024
@DmitriyLewen
Copy link

Hi everyone!
I'm working on this task.
Can you assign it to me?

I'll try to finish it today or next week.

@DmitriyLewen DmitriyLewen linked a pull request Oct 25, 2024 that will close this issue
Open
@DmitriyLewen
Copy link

Created #204

@darioandre
Copy link
Author

Just my thoughts as a user of the library, regarding @DmitriyLewen's approach:

  • Existing code using the Identity field will need to be refactored
  • If the Identity field is populated, marshalling will only create CycloneDX 1.6 compliant files, which, depending on the case, may not be desired (OK, I know this is explicitly mentioned in the readme)
  • The logic for decoding and converting between versions is getting increasingly complex

@nscuro Perhaps it could make sense to consider introducing different BOM structures for different versions (or range of versions) of the specification, with the possibility of explicitly converting one to the other (most likely from a version to the next one).
Of course, this means some duplication in the structure definitions, but overall I think it would make the implementation and the use of the library clearer:

  • No breaking changes: the user chooses the version of structure to use and has a well defined upgrade path if needed
  • No workarounds in the JSON/XML decoders
  • All logic to convert between versions would be in clearly defined, separate conversion functions (JSON/XML agnostic) with clear semantics
  • Overall, it would be more straightforward for both maintainers and users to support newer CycloneDX versions in the future

One of our use cases (probably a typical one) is decoding an external JSON/XML file, which might be of any version, and use it via a specific version of the structure (which may or may not be the latest). To support this, there could be a helper function which decodes the file to the correct structure, matching the file version (e.g. extracted with gjson), and then converts it using the conversion functions, possibly multiple times, until the version wanted by the user is reached.

Note that a similar approach has been taken for SPDX files: https://github.com/spdx/tools-golang

@DmitriyLewen
Copy link

DmitriyLewen commented Oct 28, 2024
edited
Loading

I agree with your thoughts @darioandre.
Your solution seems more correct.

But this problem exists now. We have a problem - users can't scan the CycloneDX file (aquasecurity/trivy#6902 (comment)), so we want to fix this problem as soon as possible.

@jkowalleck
Copy link
Member

see also: #207

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working help wanted Extra attention is needed spec/1.6
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: change Component.Evidence.Identity to array DmitriyLewen/cyclonedx-go
5 participants
@jkowalleck @nscuro @eruvanos @darioandre @DmitriyLewen