feat(sbom): add manufacturer field to CycloneDX tools metadata (#9019)

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
2025-12-12 07:40:48 -08:00 · 2025-06-27 13:03:58 +05:30
parent fd2bc91e13
commit 41d0f949c8
8 changed files with 48 additions and 7 deletions
--- a/integration/testdata/conda-cyclonedx.json.golden
+++ b/integration/testdata/conda-cyclonedx.json.golden
@@ -10,6 +10,9 @@
      "components": [
        {
          "type": "application",
+          "manufacturer": {
+            "name": "Aqua Security Software Ltd."
+          },
          "group": "aquasecurity",
          "name": "trivy",
          "version": "dev"
--- a/integration/testdata/conda-environment-cyclonedx.json.golden
+++ b/integration/testdata/conda-environment-cyclonedx.json.golden
@@ -10,6 +10,9 @@
      "components": [
        {
          "type": "application",
+          "manufacturer": {
+            "name": "Aqua Security Software Ltd."
+          },
          "group": "aquasecurity",
          "name": "trivy",
          "version": "dev"
--- a/integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.golden
+++ b/integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.golden
@@ -10,6 +10,9 @@
      "components": [
        {
          "type": "application",
+          "manufacturer": {
+            "name": "Aqua Security Software Ltd."
+          },
          "group": "aquasecurity",
          "name": "trivy",
          "version": "dev"
--- a/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden
+++ b/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden
@@ -10,6 +10,9 @@
      "components": [
        {
          "type": "application",
+          "manufacturer": {
+            "name": "Aqua Security Software Ltd."
+          },
          "group": "aquasecurity",
          "name": "trivy",
          "version": "dev"
--- a/integration/testdata/npm-cyclonedx.json.golden
+++ b/integration/testdata/npm-cyclonedx.json.golden
@@ -10,6 +10,9 @@
      "components": [
        {
          "type": "application",
+          "manufacturer": {
+            "name": "Aqua Security Software Ltd."
+          },
          "group": "aquasecurity",
          "name": "trivy",
          "version": "dev"
--- a/integration/testdata/pom-cyclonedx.json.golden
+++ b/integration/testdata/pom-cyclonedx.json.golden
@@ -10,6 +10,9 @@
      "components": [
        {
          "type": "application",
+          "manufacturer": {
+            "name": "Aqua Security Software Ltd."
+          },
          "group": "aquasecurity",
          "name": "trivy",
          "version": "dev"
--- a/pkg/sbom/cyclonedx/marshal.go
+++ b/pkg/sbom/cyclonedx/marshal.go
@@ -26,9 +26,10 @@ import (
 )

 const (
-	ToolVendor = "aquasecurity"
-	ToolName   = "trivy"
-	Namespace  = ToolVendor + ":" + ToolName + ":"
+	ToolVendor       = "aquasecurity"
+	ToolName         = "trivy"
+	ToolManufacturer = "Aqua Security Software Ltd."
+	Namespace        = ToolVendor + ":" + ToolName + ":"

 	// https://json-schema.org/understanding-json-schema/reference/string.html#dates-and-times
 	timeLayout = "2006-01-02T15:04:05+00:00"
@@ -88,10 +89,11 @@ func (m *Marshaler) Metadata(ctx context.Context) *cdx.Metadata {
 		Tools: &cdx.ToolsChoice{
 			Components: &[]cdx.Component{
 				{
-					Type:    cdx.ComponentTypeApplication,
-					Group:   ToolVendor,
-					Name:    ToolName,
-					Version: m.appVersion,
+					Type:         cdx.ComponentTypeApplication,
+					Group:        ToolVendor,
+					Name:         ToolName,
+					Version:      m.appVersion,
+					Manufacturer: &cdx.OrganizationalEntity{Name: ToolManufacturer},
 				},
 			},
 		},
--- a/pkg/sbom/cyclonedx/marshal_test.go
+++ b/pkg/sbom/cyclonedx/marshal_test.go
@@ -287,6 +287,9 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 								Name:    "trivy",
 								Group:   "aquasecurity",
 								Version: "dev",
+								Manufacturer: &cdx.OrganizationalEntity{
+									Name: "Aqua Security Software Ltd.",
+								},
 							},
 						},
 					},
@@ -923,6 +926,9 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 								Name:    "trivy",
 								Group:   "aquasecurity",
 								Version: "dev",
+								Manufacturer: &cdx.OrganizationalEntity{
+									Name: "Aqua Security Software Ltd.",
+								},
 							},
 						},
 					},
@@ -1308,6 +1314,9 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 								Name:    "trivy",
 								Group:   "aquasecurity",
 								Version: "dev",
+								Manufacturer: &cdx.OrganizationalEntity{
+									Name: "Aqua Security Software Ltd.",
+								},
 							},
 						},
 					},
@@ -1535,6 +1544,9 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 								Name:    "trivy",
 								Group:   "aquasecurity",
 								Version: "dev",
+								Manufacturer: &cdx.OrganizationalEntity{
+									Name: "Aqua Security Software Ltd.",
+								},
 							},
 						},
 					},
@@ -1791,6 +1803,9 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 								Name:    "trivy",
 								Group:   "aquasecurity",
 								Version: "dev",
+								Manufacturer: &cdx.OrganizationalEntity{
+									Name: "Aqua Security Software Ltd.",
+								},
 							},
 						},
 					},
@@ -1978,6 +1993,9 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 								Name:    "trivy",
 								Group:   "aquasecurity",
 								Version: "dev",
+								Manufacturer: &cdx.OrganizationalEntity{
+									Name: "Aqua Security Software Ltd.",
+								},
 							},
 						},
 					},
@@ -2066,6 +2084,9 @@ func TestMarshaler_MarshalReport(t *testing.T) {
 								Name:    "trivy",
 								Group:   "aquasecurity",
 								Version: "dev",
+								Manufacturer: &cdx.OrganizationalEntity{
+									Name: "Aqua Security Software Ltd.",
+								},
 							},
 						},
 					},