add signature object to citations for json-based sboms#814
Conversation
Up to standards ✅🟢 Issues
|
| Metric | Results |
|---|---|
| Complexity | 4 |
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
|
@sebtiem some changes have been made, could you fix the conflicts please |
Signed-off-by: Sebastian Tiemann <setie@mailbox.org>
| @JsonIgnoreProperties(ignoreUnknown = true) | ||
| @JsonInclude(Include.NON_NULL) | ||
| @JsonPropertyOrder({"bom-ref", "pointers", "expressions", "timestamp", "attributedTo", "process", "note"}) | ||
| @JsonPropertyOrder({"bomRef", "pointers", "expressions", "timestamp", "attributedTo", "process", "note", "signature"}) |
There was a problem hiding this comment.
@JsonPropertyOrder uses "bomRef" instead of "bom-ref", this changes the property order from "bom-ref" to "bomRef". The field is annotated with @JsonProperty("bom-ref"), so the serialized name is "bom-ref". Using the Java field name "bomRef" in the property order may not match Jackson's behavior consistently. However, looking at the test JSON, it uses "bom-ref" as the key, so this could cause ordering issues during serialization.
| "process": "task-license-scan", | ||
| "note": "Auto-detected by license scanner tool - with both, 'attributedTo' and 'process'" | ||
| }, | ||
| { |
There was a problem hiding this comment.
with this change do the tests still pass? I would expect some of the assertions to fail
There was a problem hiding this comment.
I will check again. Might be I ignored one or two tests because they are system language dependent and my system language is not english.
There was a problem hiding this comment.
On the other hand I would have expected some kind of pipeline runner to check for mergeable code to fail, maybe this is a general issue.
There was a problem hiding this comment.
Looks like one test of the XMLParserTest is fixed to English language. See #840. I will also provide a PR.
Signed-off-by: Sebastian Tiemann <setie@mailbox.org>
Signed-off-by: Sebastian Tiemann <setie@mailbox.org>
* Add new classes for new types * Update classes * Dev 1.7 Expression Detail (#787) * Support for license Details * Fix tests * Support for IKEV2 in 1.7 (#825) * Fix License issue serialization * Add Ike2 Proper Support * Add headers * Support patents and version-aware serialization (#827) Add polymorphic patent support and make serialization version-aware. Introduces PatentItem model plus PatentItemDeserializer, PatentsDeserializer and PatentAssertionDeserializer/Serializer to handle mixed Patent/PatentFamily entries and XML/JSON differences; updates Definition to use the polymorphic list and provides helpers for legacy access. Refactors many serializers (EnvironmentVars, InputType, ExternalReference, Hash, IkeV2Transform, etc.) and CustomSerializerModifier to honor @VersionFilter and a Version parameter, filters enum/field serialization by target BOM version, and normalizes date formatting. Also enhances OrganizationalChoice deserialization, adds properties handling to ExternalReferencesDeserializer, and small model tweaks (Component, Composition, Service, LicenseItem, PriorityApplication, FormulationCommon, Level) to align with newer schema versions. * Dev 1.7 fix model card (#829) * Use 'model-card' for MODEL_CARD external reference Update ExternalReference.MODEL_CARD to use kebab-case: change @JsonProperty and enum value from "model_card" to "model-card". This aligns the serialized name with the expected CycloneDX 1.5 naming while retaining the VersionFilter(Version.VERSION_15) annotation. * Adjust Citation & Component; delete Classifications Fix serialization and equality logic in model classes: change Citation @JsonPropertyOrder to use "bom-ref" to match the XML attribute, remove the now-unused Classifications class, and update Component.equals()/hashCode() to include newly added fields (isExternal, versionRange, patentAssertions, tags) so equality and hashing account for them. * Add related cryptographic assets and schema (#828) Introduce support for related cryptographic assets across crypto models and add a cryptography definitions schema. Changes include: - Add new RelatedCryptographicAsset model with type and ref, equals/hashCode. - Extend AlgorithmProperties, CertificateProperties, ProtocolProperties, and RelatedCryptoMaterialProperties to include List<RelatedCryptographicAsset> relatedCryptographicAssets with XML wrapper annotations, getters/setters, and include in equals/hashCode. - Annotate new fields with @VersionFilter(Version.VERSION_17) and add necessary imports. - Add cryptography-defs.schema.json resource containing algorithm family and elliptic curve metadata. - Register the new schema in CycloneDxSchema offlineMappings so it can be resolved at runtime. These changes enable expressing relationships between crypto objects and external cryptographic assets and provide a formal schema for algorithm/curve definitions. * Add CycloneDX 1.7 crypto tests; reorder JSON props (#830) Add comprehensive CycloneDX 1.7 cryptography unit tests for both JSON and XML generators (updates to BomJsonGeneratorTest and BomXmlGeneratorTest). Update schema verification to recognize -1.7 fixtures in JsonSchemaVerificationTest and XmlSchemaVerificationTest. Adjust AlgorithmProperties@JsonPropertyOrder to change the ordering of parameterSetIdentifier, curve, and ellipticCurve to match the 1.7 schema expectations. * add signature object to citations for json-based sboms (#814) * feat: add signature object to citations for json-based sboms Signed-off-by: Sebastian Tiemann <setie@mailbox.org> * revert chnage to bom reference JSON property Signed-off-by: Sebastian Tiemann <setie@mailbox.org> * Add new citation to checked amount of citation objects. Signed-off-by: Sebastian Tiemann <setie@mailbox.org> --------- Signed-off-by: Sebastian Tiemann <setie@mailbox.org> --------- Signed-off-by: Sebastian Tiemann <setie@mailbox.org> Co-authored-by: Sebastian Tiemann <setie@mailbox.org>
* Add new classes for new types * Update classes * Dev 1.7 Expression Detail (#787) * Support for license Details * Fix tests * Support for IKEV2 in 1.7 (#825) * Fix License issue serialization * Add Ike2 Proper Support * Add headers * Support patents and version-aware serialization (#827) Add polymorphic patent support and make serialization version-aware. Introduces PatentItem model plus PatentItemDeserializer, PatentsDeserializer and PatentAssertionDeserializer/Serializer to handle mixed Patent/PatentFamily entries and XML/JSON differences; updates Definition to use the polymorphic list and provides helpers for legacy access. Refactors many serializers (EnvironmentVars, InputType, ExternalReference, Hash, IkeV2Transform, etc.) and CustomSerializerModifier to honor @VersionFilter and a Version parameter, filters enum/field serialization by target BOM version, and normalizes date formatting. Also enhances OrganizationalChoice deserialization, adds properties handling to ExternalReferencesDeserializer, and small model tweaks (Component, Composition, Service, LicenseItem, PriorityApplication, FormulationCommon, Level) to align with newer schema versions. * Dev 1.7 fix model card (#829) * Use 'model-card' for MODEL_CARD external reference Update ExternalReference.MODEL_CARD to use kebab-case: change @JsonProperty and enum value from "model_card" to "model-card". This aligns the serialized name with the expected CycloneDX 1.5 naming while retaining the VersionFilter(Version.VERSION_15) annotation. * Adjust Citation & Component; delete Classifications Fix serialization and equality logic in model classes: change Citation @JsonPropertyOrder to use "bom-ref" to match the XML attribute, remove the now-unused Classifications class, and update Component.equals()/hashCode() to include newly added fields (isExternal, versionRange, patentAssertions, tags) so equality and hashing account for them. * Add related cryptographic assets and schema (#828) Introduce support for related cryptographic assets across crypto models and add a cryptography definitions schema. Changes include: - Add new RelatedCryptographicAsset model with type and ref, equals/hashCode. - Extend AlgorithmProperties, CertificateProperties, ProtocolProperties, and RelatedCryptoMaterialProperties to include List<RelatedCryptographicAsset> relatedCryptographicAssets with XML wrapper annotations, getters/setters, and include in equals/hashCode. - Annotate new fields with @VersionFilter(Version.VERSION_17) and add necessary imports. - Add cryptography-defs.schema.json resource containing algorithm family and elliptic curve metadata. - Register the new schema in CycloneDxSchema offlineMappings so it can be resolved at runtime. These changes enable expressing relationships between crypto objects and external cryptographic assets and provide a formal schema for algorithm/curve definitions. * Add CycloneDX 1.7 crypto tests; reorder JSON props (#830) Add comprehensive CycloneDX 1.7 cryptography unit tests for both JSON and XML generators (updates to BomJsonGeneratorTest and BomXmlGeneratorTest). Update schema verification to recognize -1.7 fixtures in JsonSchemaVerificationTest and XmlSchemaVerificationTest. Adjust AlgorithmProperties@JsonPropertyOrder to change the ordering of parameterSetIdentifier, curve, and ellipticCurve to match the 1.7 schema expectations. * add signature object to citations for json-based sboms (#814) * feat: add signature object to citations for json-based sboms Signed-off-by: Sebastian Tiemann <setie@mailbox.org> * revert chnage to bom reference JSON property Signed-off-by: Sebastian Tiemann <setie@mailbox.org> * Add new citation to checked amount of citation objects. Signed-off-by: Sebastian Tiemann <setie@mailbox.org> --------- Signed-off-by: Sebastian Tiemann <setie@mailbox.org> --------- Signed-off-by: Sebastian Tiemann <setie@mailbox.org> Co-authored-by: Sebastian Tiemann <setie@mailbox.org>
As specified, in a json-based BOM, a citation can contain a signature object.
See https://cyclonedx.org/docs/1.7/json/#citations_items_signature