add Cyclone DX 1.6 support

DataDog · Dec 25, 2024 · 017d20f · 017d20f
1 parent b021be0
commit 017d20f
Show file tree

Hide file tree

Showing 6 changed files with 5,761 additions and 2 deletions.
diff --git a/src/commands/sbom/__tests__/fixtures/cdxgen-cyclonedx1.6.json b/src/commands/sbom/__tests__/fixtures/cdxgen-cyclonedx1.6.json
@@ -0,0 +1 @@
+{"bomFormat":"CycloneDX","specVersion":"1.6","serialNumber":"urn:uuid:cb37f136-72df-4275-9175-f1c06f03af1d","version":1,"metadata":{"timestamp":"2024-12-25T22:40:31Z","tools":{"components":[{"group":"@cyclonedx","name":"cdxgen","version":"11.0.7","purl":"pkg:npm/%40cyclonedx/cdxgen@11.0.7","type":"application","bom-ref":"pkg:npm/@cyclonedx/cdxgen@11.0.7","publisher":"OWASP Foundation","authors":[{"name":"OWASP Foundation"}]}]},"authors":[{"name":"OWASP Foundation"}],"lifecycles":[{"phase":"build"}],"component":{"group":"","name":"demo-static-analysis-gates","version":"latest","type":"application","bom-ref":"pkg:pypi/demo-static-analysis-gates@latest","purl":"pkg:pypi/demo-static-analysis-gates@latest"},"properties":[{"name":"cdx:bom:componentTypes","value":"pypi"}]},"components":[{"group":"","name":"Flask","version":"3.0.0","description":"A simple framework for building complex web applications.","hashes":[{"alg":"SHA-256","content":"21128f47e4e3b9d597a3e8521a329bf56909b690fcc3fa3e477725aa81367638"}],"licenses":[{"license":{"id":"0BSD","url":"https://opensource.org/licenses/0BSD"}}],"purl":"pkg:pypi/flask@3.0.0","type":"framework","bom-ref":"pkg:pypi/flask@3.0.0","properties":[{"name":"cdx:pypi:versionSpecifiers","value":"~=3.0.0"},{"name":"cdx:pypi:latest_version","value":"3.1.0"},{"name":"cdx:pypi:resolved_from","value":"flask"}],"tags":["framework","web"]},{"authors":[{"name":"Kenneth Reitz <me@kennethreitz.org>"}],"group":"","name":"requests","version":"2.31.0","description":"Python HTTP for Humans.","hashes":[{"alg":"SHA-256","content":"58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f"}],"licenses":[{"license":{"id":"Apache-2.0","url":"https://opensource.org/licenses/Apache-2.0"}}],"purl":"pkg:pypi/requests@2.31.0","externalReferences":[{"type":"website","url":"https://requests.readthedocs.io"}],"type":"library","bom-ref":"pkg:pypi/requests@2.31.0","properties":[{"name":"cdx:pypi:versionSpecifiers","value":"~=2.31.0"},{"name":"cdx:pypi:latest_version","value":"2.32.3"},{"name":"cdx:pypi:resolved_from","value":"requests"}]}],"services":[],"dependencies":[{"ref":"pkg:pypi/demo-static-analysis-gates@latest","dependsOn":[]}],"annotations":[]}
diff --git a/src/commands/sbom/__tests__/payload.test.ts b/src/commands/sbom/__tests__/payload.test.ts
@@ -40,6 +40,40 @@ describe('generation of payload', () => {
     expect(payload?.dependencies[0].licenses.length).toBe(0)
     expect(payload?.dependencies[0].language).toBe(DependencyLanguage.PHP)
   })
+
+  test('should correctly work with a CycloneDX 1.6 file', async () => {
+    const sbomFile = './src/commands/sbom/__tests__/fixtures/cdxgen-cyclonedx1.6.json'
+    const sbomContent = JSON.parse(fs.readFileSync(sbomFile).toString('utf8'))
+    const config: DatadogCiConfig = {
+      apiKey: undefined,
+      env: undefined,
+      envVarTags: undefined,
+    }
+    const tags = await getSpanTags(config, [], true)
+
+    const payload = generatePayload(sbomContent, tags, 'service', 'env')
+    expect(payload).not.toBeNull()
+    expect(payload?.id).toStrictEqual(expect.any(String))
+
+    expect(payload?.commit.sha).toStrictEqual(expect.any(String))
+    expect(payload?.commit.author_name).toStrictEqual(expect.any(String))
+    expect(payload?.commit.author_email).toStrictEqual(expect.any(String))
+    expect(payload?.commit.committer_name).toStrictEqual(expect.any(String))
+    expect(payload?.commit.committer_email).toStrictEqual(expect.any(String))
+    expect(payload?.commit.branch).toStrictEqual(expect.any(String))
+    expect(payload?.repository.url).toContain('github.com')
+    expect(payload?.repository.url).toContain('DataDog/datadog-ci')
+    expect(payload?.dependencies.length).toBe(2)
+    expect(payload?.dependencies[0].name).toBe('Flask')
+    expect(payload?.dependencies[0].version).toBe('3.0.0')
+    expect(payload?.dependencies[0].licenses.length).toBe(1)
+    expect(payload?.dependencies[0].language).toBe(DependencyLanguage.PYTHON)
+    expect(payload?.dependencies[1].name).toBe('requests')
+    expect(payload?.dependencies[1].version).toBe('2.31.0')
+    expect(payload?.dependencies[1].licenses.length).toBe(1)
+    expect(payload?.dependencies[1].language).toBe(DependencyLanguage.PYTHON)
+  })
+
   test('should succeed when called on a valid SBOM file for CycloneDX 1.5', async () => {
     const sbomFile = './src/commands/sbom/__tests__/fixtures/sbom.1.5.ok.json'
     const sbomContent = JSON.parse(fs.readFileSync(sbomFile).toString('utf8'))

diff --git a/src/commands/sbom/__tests__/validation.test.ts b/src/commands/sbom/__tests__/validation.test.ts
@@ -11,6 +11,11 @@ describe('validation of sbom file', () => {
       validateFileAgainstToolRequirements('./src/commands/sbom/__tests__/fixtures/sbom.1.5.ok.json', false)
     ).toBeTruthy()
   })
+  test('should succeed when called on a valid CycloneDX 1.6 SBOM file', () => {
+    expect(
+      validateSbomFileAgainstSchema('./src/commands/sbom/__tests__/fixtures/cdxgen-cyclonedx1.6.json', validator, false)
+    ).toBeTruthy()
+  })
   test('should succeed when called on a valid CycloneDX 1.5 SBOM file', () => {
     expect(
       validateSbomFileAgainstSchema('./src/commands/sbom/__tests__/fixtures/sbom.1.5.ok.json', validator, false)
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		{"bomFormat":"CycloneDX","specVersion":"1.6","serialNumber":"urn:uuid:cb37f136-72df-4275-9175-f1c06f03af1d","version":1,"metadata":{"timestamp":"2024-12-25T22:40:31Z","tools":{"components":[{"group":"@cyclonedx","name":"cdxgen","version":"11.0.7","purl":"pkg:npm/%40cyclonedx/cdxgen@11.0.7","type":"application","bom-ref":"pkg:npm/@cyclonedx/cdxgen@11.0.7","publisher":"OWASP Foundation","authors":[{"name":"OWASP Foundation"}]}]},"authors":[{"name":"OWASP Foundation"}],"lifecycles":[{"phase":"build"}],"component":{"group":"","name":"demo-static-analysis-gates","version":"latest","type":"application","bom-ref":"pkg:pypi/demo-static-analysis-gates@latest","purl":"pkg:pypi/demo-static-analysis-gates@latest"},"properties":[{"name":"cdx:bom:componentTypes","value":"pypi"}]},"components":[{"group":"","name":"Flask","version":"3.0.0","description":"A simple framework for building complex web applications.","hashes":[{"alg":"SHA-256","content":"21128f47e4e3b9d597a3e8521a329bf56909b690fcc3fa3e477725aa81367638"}],"licenses":[{"license":{"id":"0BSD","url":"https://opensource.org/licenses/0BSD"}}],"purl":"pkg:pypi/flask@3.0.0","type":"framework","bom-ref":"pkg:pypi/flask@3.0.0","properties":[{"name":"cdx:pypi:versionSpecifiers","value":"~=3.0.0"},{"name":"cdx:pypi:latest_version","value":"3.1.0"},{"name":"cdx:pypi:resolved_from","value":"flask"}],"tags":["framework","web"]},{"authors":[{"name":"Kenneth Reitz <me@kennethreitz.org>"}],"group":"","name":"requests","version":"2.31.0","description":"Python HTTP for Humans.","hashes":[{"alg":"SHA-256","content":"58cd2187c01e70e6e26505bca751777aa9f2ee0b7f4300988b709f44e013003f"}],"licenses":[{"license":{"id":"Apache-2.0","url":"https://opensource.org/licenses/Apache-2.0"}}],"purl":"pkg:pypi/requests@2.31.0","externalReferences":[{"type":"website","url":"https://requests.readthedocs.io"}],"type":"library","bom-ref":"pkg:pypi/requests@2.31.0","properties":[{"name":"cdx:pypi:versionSpecifiers","value":"~=2.31.0"},{"name":"cdx:pypi:latest_version","value":"2.32.3"},{"name":"cdx:pypi:resolved_from","value":"requests"}]}],"services":[],"dependencies":[{"ref":"pkg:pypi/demo-static-analysis-gates@latest","dependsOn":[]}],"annotations":[]}