feat(cyclonedx): Also set BOM-level component info

The component information at the BOM-level should describe the "thing" the BOM is about. In case of a single BOM, that is the repository, and in case of multiple BOMs that is the respective project. Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
oss-review-toolkit · Dec 9, 2024 · 5d2b5a6 · 5d2b5a6
1 parent 4f59b2a
commit 5d2b5a6
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 2 deletions.
diff --git a/...orters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-with-findings.json b/...orters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-with-findings.json
@@ -14,6 +14,14 @@
         }
       ]
     },
+    "component": {
+      "type": "application",
+      "bom-ref": "NPM:@ort:project-with-findings:1.0",
+      "group": "@ort",
+      "name": "project-with-findings",
+      "version": "1.0",
+      "description": ""
+    },
     "licenses": [
       {
         "expression": "CC0-1.0"

diff --git a/...ers/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-without-findings.json b/...ers/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-without-findings.json
@@ -14,6 +14,14 @@
         }
       ]
     },
+    "component": {
+      "type": "application",
+      "bom-ref": "NPM:@ort:project-without-findings:1.0",
+      "group": "@ort",
+      "name": "project-without-findings",
+      "version": "1.0",
+      "description": ""
+    },
     "licenses": [
       {
         "expression": "CC0-1.0"

diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json
@@ -14,6 +14,12 @@
         }
       ]
     },
+    "component": {
+      "type": "file",
+      "bom-ref": "https://github.com/oss-review-toolkit/ort.git@main",
+      "name": "https://github.com/oss-review-toolkit/ort.git",
+      "version": "main"
+    },
     "licenses": [
       {
         "expression": "CC0-1.0"

diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml
@@ -10,6 +10,10 @@
         </component>
       </components>
     </tools>
+    <component type="file" bom-ref="https://github.com/oss-review-toolkit/ort.git@main">
+      <name>https://github.com/oss-review-toolkit/ort.git</name>
+      <version>main</version>
+    </component>
     <licenses>
       <expression>CC0-1.0</expression>
     </licenses>

diff --git a/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt b/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt
@@ -31,6 +31,7 @@ import org.cyclonedx.model.Component
 import org.cyclonedx.model.ExternalReference
 import org.cyclonedx.model.LicenseChoice
 import org.cyclonedx.model.Metadata
+import org.cyclonedx.model.OrganizationalContact
 import org.cyclonedx.model.license.Expression
 import org.cyclonedx.model.metadata.ToolInformation
 
@@ -146,7 +147,21 @@ class CycloneDxReporter(
         if (config.singleBom) {
             val bom = Bom().apply {
                 serialNumber = "urn:uuid:${UUID.randomUUID()}"
-                this.metadata = metadata
+
+                this.metadata = metadata.apply {
+                    component = Component().apply {
+                        // There is no component type for repositories.
+                        type = Component.Type.FILE
+
+                        with(input.ortResult.repository.vcsProcessed) {
+                            bomRef = "$url@$revision"
+
+                            name = url
+                            version = revision
+                        }
+                    }
+                }
+
                 components = mutableListOf()
             }
 
@@ -185,7 +200,23 @@ class CycloneDxReporter(
             projects.forEach { project ->
                 val bom = Bom().apply {
                     serialNumber = "urn:uuid:${UUID.randomUUID()}"
-                    this.metadata = metadata
+
+                    this.metadata = metadata.apply {
+                        component = Component().apply {
+                            // Actually the project could be a library as well, but there is no automatic way to tell.
+                            type = Component.Type.APPLICATION
+
+                            bomRef = project.id.toCoordinates()
+
+                            group = project.id.namespace
+                            name = project.id.name
+                            version = project.id.version
+
+                            authors = project.authors.map { OrganizationalContact().apply { name = it } }
+                            description = project.description
+                        }
+                    }
+
                     components = mutableListOf()
                 }