refactor(sbom): use new metadata.tools struct for CycloneDX (#5981)

Signed-off-by: knqyf263 <knqyf263@gmail.com> Co-authored-by: knqyf263 <knqyf263@gmail.com>
2025-12-12 15:50:15 -08:00 · 2024-01-23 19:59:48 +06:00
parent f6be42b71d
commit fb36c4ed09
22 changed files with 253 additions and 166 deletions
--- a/docs/docs/supply-chain/sbom.md
+++ b/docs/docs/supply-chain/sbom.md
@@ -217,13 +217,16 @@ $ cat result.json | jq .
  "version": 1,
  "metadata": {
    "timestamp": "2022-02-22T15:11:40.270597Z",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "pkg:oci/alpine@sha256:21a3deaa0d32a8057914f36584b5288d2e5ecc984380bc0118285c70fa8c9300?repository_url=index.docker.io%2Flibrary%2Falpine&arch=amd64",
      "type": "container",
--- a/go.mod
+++ b/go.mod
@@ -7,7 +7,7 @@ require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.9.0
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.4.0
 	github.com/BurntSushi/toml v1.3.2
-	github.com/CycloneDX/cyclonedx-go v0.7.2
+	github.com/CycloneDX/cyclonedx-go v0.8.0
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible
 	github.com/Masterminds/sprig/v3 v3.2.3
 	github.com/NYTimes/gziphandler v1.1.1
--- a/go.sum
+++ b/go.sum
@@ -237,8 +237,8 @@ github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbi
 github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8=
 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.7.2 h1:kKQ0t1dPOlugSIYVOMiMtFqeXI2wp/f5DBIdfux8gnQ=
-github.com/CycloneDX/cyclonedx-go v0.7.2/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
+github.com/CycloneDX/cyclonedx-go v0.8.0 h1:FyWVj6x6hoJrui5uRQdYZcSievw3Z32Z88uYzG/0D6M=
+github.com/CycloneDX/cyclonedx-go v0.8.0/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
 github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
 github.com/DmitriyVTitov/size v1.5.0/go.mod h1:le6rNI4CoLQV1b9gzp1+3d7hMAD/uu2QcJ+aYbNgiU0=
--- a/integration/testdata/conda-cyclonedx.json.golden
+++ b/integration/testdata/conda-cyclonedx.json.golden
@@ -6,13 +6,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2021-08-25T12:20:30+00:00",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
      "type": "application",
--- a/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden
+++ b/integration/testdata/fluentd-multiple-lockfiles.cdx.json.golden
@@ -6,13 +6,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2021-08-25T12:20:30+00:00",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
      "type": "container",
--- a/integration/testdata/pom-cyclonedx.json.golden
+++ b/integration/testdata/pom-cyclonedx.json.golden
@@ -6,13 +6,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2021-08-25T12:20:30+00:00",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "3ff14136-e09f-4df9-80ea-000000000002",
      "type": "application",
--- a/pkg/fanal/analyzer/sbom/testdata/cdx.json
+++ b/pkg/fanal/analyzer/sbom/testdata/cdx.json
@@ -5,13 +5,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2023-06-01T13:10:23+00:00",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "0.41.0-80-g1c03982fe"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "0.41.0-80-g1c03982fe"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "pkg:oci/elasticsearch@sha256:d4b68b602eb3d92ea3256886761752ae1159dc01fd391f4c4a87ebf6ba9d3895?repository_url=index.docker.io%2Fbitnami%2Felasticsearch\u0026arch=arm64",
      "type": "container",
--- a/pkg/fanal/artifact/sbom/testdata/bom.json
+++ b/pkg/fanal/artifact/sbom/testdata/bom.json
@@ -5,13 +5,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2022-05-28T10:20:03.79527Z",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a",
      "type": "container",
--- a/pkg/fanal/artifact/sbom/testdata/os-only-bom.json
+++ b/pkg/fanal/artifact/sbom/testdata/os-only-bom.json
@@ -5,13 +5,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2022-05-28T10:20:03.79527Z",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a",
      "type": "container",
--- a/pkg/rekortest/server.go
+++ b/pkg/rekortest/server.go
@@ -54,11 +54,14 @@ var (
 				Version:      1,
 				Metadata: &cyclonedx.Metadata{
 					Timestamp: "2022-09-15T13:53:49+00:00",
-					Tools: &[]cyclonedx.Tool{
-						{
-							Vendor:  "aquasecurity",
-							Name:    "trivy",
-							Version: "dev",
+					Tools: &cyclonedx.ToolsChoice{
+						Components: &[]cyclonedx.Component{
+							{
+								Type:    cyclonedx.ComponentTypeApplication,
+								Name:    "trivy",
+								Group:   "aquasecurity",
+								Version: "dev",
+							},
 						},
 					},
 					Component: &cyclonedx.Component{
@@ -175,11 +178,14 @@ var (
 				Version:      1,
 				Metadata: &cyclonedx.Metadata{
 					Timestamp: "2022-10-21T09:50:08+00:00",
-					Tools: &[]cyclonedx.Tool{
-						{
-							Vendor:  "aquasecurity",
-							Name:    "trivy",
-							Version: "dev",
+					Tools: &cyclonedx.ToolsChoice{
+						Components: &[]cyclonedx.Component{
+							{
+								Type:    cyclonedx.ComponentTypeApplication,
+								Name:    "trivy",
+								Group:   "aquasecurity",
+								Version: "dev",
+							},
 						},
 					},
 					Component: &cyclonedx.Component{
--- a/pkg/sbom/cyclonedx/core/cyclonedx.go
+++ b/pkg/sbom/cyclonedx/core/cyclonedx.go
@@ -184,11 +184,14 @@ func (c *CycloneDX) BOMRef(component *Component) string {
 func (c *CycloneDX) Metadata(ctx context.Context) *cdx.Metadata {
 	return &cdx.Metadata{
 		Timestamp: clock.Now(ctx).UTC().Format(timeLayout),
-		Tools: &[]cdx.Tool{
-			{
-				Vendor:  ToolVendor,
-				Name:    ToolName,
-				Version: c.appVersion,
+		Tools: &cdx.ToolsChoice{
+			Components: &[]cdx.Component{
+				{
+					Type:    cdx.ComponentTypeApplication,
+					Group:   ToolVendor,
+					Name:    ToolName,
+					Version: c.appVersion,
+				},
 			},
 		},
 	}
@@ -313,11 +316,20 @@ func IsTrivySBOM(c *cdx.BOM) bool {
 		return false
 	}

-	for _, tool := range *c.Metadata.Tools {
+	for _, component := range lo.FromPtr(c.Metadata.Tools.Components) {
+		if component.Group == ToolVendor && component.Name == ToolName {
+			return true
+		}
+	}
+
+	// Metadata.Tools array is deprecated (as of CycloneDX v1.5). We check this field for backward compatibility.
+	// cf. https://github.com/CycloneDX/cyclonedx-go/blob/b9654ae9b4705645152d20eb9872b5f3d73eac49/cyclonedx.go#L988
+	for _, tool := range lo.FromPtr(c.Metadata.Tools.Tools) {
 		if tool.Vendor == ToolVendor && tool.Name == ToolName {
 			return true
 		}
 	}
+
 	return false
 }

--- a/pkg/sbom/cyclonedx/core/cyclonedx_test.go
+++ b/pkg/sbom/cyclonedx/core/cyclonedx_test.go
@@ -182,11 +182,14 @@ func TestMarshaler_CoreComponent(t *testing.T) {
 				Version:      1,
 				Metadata: &cdx.Metadata{
 					Timestamp: "2021-08-25T12:20:30+00:00",
-					Tools: &[]cdx.Tool{
-						{
-							Name:    "trivy",
-							Vendor:  "aquasecurity",
-							Version: "dev",
+					Tools: &cdx.ToolsChoice{
+						Components: &[]cdx.Component{
+							{
+								Type:    cdx.ComponentTypeApplication,
+								Name:    "trivy",
+								Group:   "aquasecurity",
+								Version: "dev",
+							},
 						},
 					},
 					Component: &cdx.Component{
--- a/pkg/sbom/cyclonedx/marshal_test.go
+++ b/pkg/sbom/cyclonedx/marshal_test.go
@@ -242,11 +242,14 @@ func TestMarshaler_Marshal(t *testing.T) {
 				Version:      1,
 				Metadata: &cdx.Metadata{
 					Timestamp: "2021-08-25T12:20:30+00:00",
-					Tools: &[]cdx.Tool{
-						{
-							Name:    "trivy",
-							Vendor:  "aquasecurity",
-							Version: "dev",
+					Tools: &cdx.ToolsChoice{
+						Components: &[]cdx.Component{
+							{
+								Type:    cdx.ComponentTypeApplication,
+								Name:    "trivy",
+								Group:   "aquasecurity",
+								Version: "dev",
+							},
 						},
 					},
 					Component: &cdx.Component{
@@ -874,11 +877,14 @@ func TestMarshaler_Marshal(t *testing.T) {
 				Version:      1,
 				Metadata: &cdx.Metadata{
 					Timestamp: "2021-08-25T12:20:30+00:00",
-					Tools: &[]cdx.Tool{
-						{
-							Name:    "trivy",
-							Vendor:  "aquasecurity",
-							Version: "dev",
+					Tools: &cdx.ToolsChoice{
+						Components: &[]cdx.Component{
+							{
+								Type:    cdx.ComponentTypeApplication,
+								Name:    "trivy",
+								Group:   "aquasecurity",
+								Version: "dev",
+							},
 						},
 					},
 					Component: &cdx.Component{
@@ -1255,11 +1261,14 @@ func TestMarshaler_Marshal(t *testing.T) {
 				Version:      1,
 				Metadata: &cdx.Metadata{
 					Timestamp: "2021-08-25T12:20:30+00:00",
-					Tools: &[]cdx.Tool{
-						{
-							Name:    "trivy",
-							Vendor:  "aquasecurity",
-							Version: "dev",
+					Tools: &cdx.ToolsChoice{
+						Components: &[]cdx.Component{
+							{
+								Type:    cdx.ComponentTypeApplication,
+								Name:    "trivy",
+								Group:   "aquasecurity",
+								Version: "dev",
+							},
 						},
 					},
 					Component: &cdx.Component{
@@ -1545,11 +1554,14 @@ func TestMarshaler_Marshal(t *testing.T) {
 				Version:      1,
 				Metadata: &cdx.Metadata{
 					Timestamp: "2021-08-25T12:20:30+00:00",
-					Tools: &[]cdx.Tool{
-						{
-							Name:    "trivy",
-							Vendor:  "aquasecurity",
-							Version: "dev",
+					Tools: &cdx.ToolsChoice{
+						Components: &[]cdx.Component{
+							{
+								Type:    cdx.ComponentTypeApplication,
+								Name:    "trivy",
+								Group:   "aquasecurity",
+								Version: "dev",
+							},
 						},
 					},
 					Component: &cdx.Component{
@@ -1728,11 +1740,14 @@ func TestMarshaler_Marshal(t *testing.T) {
 				Version:      1,
 				Metadata: &cdx.Metadata{
 					Timestamp: "2021-08-25T12:20:30+00:00",
-					Tools: &[]cdx.Tool{
-						{
-							Name:    "trivy",
-							Vendor:  "aquasecurity",
-							Version: "dev",
+					Tools: &cdx.ToolsChoice{
+						Components: &[]cdx.Component{
+							{
+								Type:    cdx.ComponentTypeApplication,
+								Name:    "trivy",
+								Group:   "aquasecurity",
+								Version: "dev",
+							},
 						},
 					},
 					Component: &cdx.Component{
@@ -1813,11 +1828,14 @@ func TestMarshaler_Marshal(t *testing.T) {
 				Version:      1,
 				Metadata: &cdx.Metadata{
 					Timestamp: "2021-08-25T12:20:30+00:00",
-					Tools: &[]cdx.Tool{
-						{
-							Name:    "trivy",
-							Vendor:  "aquasecurity",
-							Version: "dev",
+					Tools: &cdx.ToolsChoice{
+						Components: &[]cdx.Component{
+							{
+								Type:    cdx.ComponentTypeApplication,
+								Name:    "trivy",
+								Group:   "aquasecurity",
+								Version: "dev",
+							},
 						},
 					},
 					Component: &cdx.Component{
--- a/pkg/sbom/cyclonedx/testdata/happy/bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/bom.json
@@ -5,13 +5,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2022-05-28T10:20:03.79527Z",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a",
      "type": "container",
--- a/pkg/sbom/cyclonedx/testdata/happy/empty-metadata-component-bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/empty-metadata-component-bom.json
@@ -5,13 +5,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2022-05-28T10:20:03.79527Z",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ]
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    }
  },
  "dependencies": []
 }
--- a/pkg/sbom/cyclonedx/testdata/happy/group-in-name.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/group-in-name.json
@@ -5,13 +5,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2023-06-20T04:32:10+00:00",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "0.42.1"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "b0ae8323-eb7b-4be5-bc5c-4849fd795ec0",
      "type": "application",
--- a/pkg/sbom/cyclonedx/testdata/happy/independent-library-bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/independent-library-bom.json
@@ -5,13 +5,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2022-05-28T10:20:03.79527Z",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a",
      "type": "application",
--- a/pkg/sbom/cyclonedx/testdata/happy/infinite-loop-bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/infinite-loop-bom.json
@@ -5,13 +5,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2023-04-06T05:41:44+00:00",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "pkg:oci/ubuntu@sha256:67211c14fa74f070d27cc59d69a7fa9aeff8e28ea118ef3babc295a0428a6d21?repository_url=index.docker.io%2Flibrary%2Fubuntu\u0026arch=amd64",
      "type": "container",
--- a/pkg/sbom/cyclonedx/testdata/happy/kbom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/kbom.json
@@ -6,13 +6,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2023-09-29T06:25:00+00:00",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "0.45.1-15-g7bbd0d097"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "pkg:k8s/k8s.io%2Fkubernetes@1.27.4",
      "type": "platform",
--- a/pkg/sbom/cyclonedx/testdata/happy/os-only-bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/os-only-bom.json
@@ -5,13 +5,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2022-05-28T10:20:03.79527Z",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a",
      "type": "container",
--- a/pkg/sbom/cyclonedx/testdata/happy/unrelated-bom.json
+++ b/pkg/sbom/cyclonedx/testdata/happy/unrelated-bom.json
@@ -5,13 +5,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2022-05-28T10:20:03.79527Z",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a",
      "type": "application",
--- a/pkg/sbom/cyclonedx/testdata/sad/invalid-purl.json
+++ b/pkg/sbom/cyclonedx/testdata/sad/invalid-purl.json
@@ -5,13 +5,16 @@
  "version": 1,
  "metadata": {
    "timestamp": "2022-05-28T10:20:03.79527Z",
-    "tools": [
-      {
-        "vendor": "aquasecurity",
-        "name": "trivy",
-        "version": "dev"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "type": "application",
+          "group": "aquasecurity",
+          "name": "trivy",
+          "version": "dev"
+        }
+      ]
+    },
    "component": {
      "bom-ref": "0f585d64-4815-4b72-92c5-97dae191fa4a",
      "type": "application",