Fixes XML Serialization: Corrects the XML generation for component authors to produce schema-compliant <authors><author>...</author></authors> structure, resolving the issue of nested <authors> tags.

Add backward compatibility to support legecy format: <authors><authors>...</authors></authors>

Author: jjhz

src/main/java/org/cyclonedx/model/Component.java

@@ -29,6 +29,7 @@
 import org.cyclonedx.model.component.crypto.CryptoProperties;
 import org.cyclonedx.model.component.Tags;
 import org.cyclonedx.model.component.data.ComponentData;
+import org.cyclonedx.util.deserializer.ComponentAuthorsDeserializer;
 import org.cyclonedx.util.deserializer.ComponentListDeserializer;
 import org.cyclonedx.util.deserializer.ExternalReferencesDeserializer;
 import org.cyclonedx.util.deserializer.HashesDeserializer;
@@ -223,7 +224,6 @@ public String getScopeName() {
     private Tags tags;
 
     @VersionFilter(Version.VERSION_16)
-    @JsonProperty("authors")
     private List<OrganizationalContact> authors;
 
     @VersionFilter(Version.VERSION_16)
@@ -556,10 +556,13 @@ public void setTags(final Tags tags) {
         this.tags = tags;
     }
 
+    @JacksonXmlElementWrapper(localName = "authors")
+    @JacksonXmlProperty(localName = "author")
     public List<OrganizationalContact> getAuthors() {
         return authors;
     }
 
+    @JsonDeserialize(using = ComponentAuthorsDeserializer.class)
     public void setAuthors(final List<OrganizationalContact> authors) {
         this.authors = authors;
     }

src/main/java/org/cyclonedx/util/deserializer/ComponentAuthorsDeserializer.java

@@ -0,0 +1,56 @@
+/*
+ * This file is part of CycloneDX Core (Java).
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ * Copyright (c) OWASP Foundation. All Rights Reserved.
+ */
+package org.cyclonedx.util.deserializer;
+
+import com.fasterxml.jackson.core.JsonParser;
+import com.fasterxml.jackson.core.JsonToken;
+import com.fasterxml.jackson.databind.DeserializationContext;
+import com.fasterxml.jackson.databind.JsonDeserializer;
+import com.fasterxml.jackson.dataformat.xml.deser.FromXmlParser;
+import org.cyclonedx.model.OrganizationalContact;
+
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+public class ComponentAuthorsDeserializer extends JsonDeserializer<List<OrganizationalContact>> {
+
+    @Override
+    public List<OrganizationalContact> deserialize(JsonParser p, DeserializationContext ctxt) throws IOException {
+        List<OrganizationalContact> contacts = new ArrayList<>();
+        if (p instanceof FromXmlParser) { // Handle XML
+            while (p.nextToken() != JsonToken.END_OBJECT && p.currentToken() != JsonToken.END_OBJECT) {
+                if (p.currentToken() == JsonToken.FIELD_NAME) {
+                    // Handles both <author> and <authors> as the item tag
+                    p.nextToken();
+                    OrganizationalContact contact = p.readValueAs(OrganizationalContact.class);
+                    contacts.add(contact);
+                }
+            }
+        } else { // Handle JSON
+            if (p.isExpectedStartArrayToken()) {
+                while (p.nextToken() != JsonToken.END_ARRAY) {
+                    // Handles case where author is a JSON object
+                    contacts.add(p.readValueAs(OrganizationalContact.class));
+                }
+            }
+        }
+        return contacts;
+    }
+}

src/test/java/org/cyclonedx/BomJsonGeneratorTest.java

@@ -602,6 +602,18 @@ public void testIssue492() throws Exception {
         assertTrue(parser.isValid(loadedFile, version));
     }
 
+    @Test
+    public void testComponentAuthorsDeserializationJsonObject16() throws Exception {
+        Bom bom = createCommonJsonBom("/1.6/valid-component-authors-json-object-1.6.json");
+        Component component = bom.getComponents().get(0);
+        assertNotNull(component.getAuthors());
+        assertEquals(2, component.getAuthors().size());
+        assertEquals("Test Author 1", component.getAuthors().get(0).getName());
+        assertEquals("[email protected]", component.getAuthors().get(0).getEmail());
+        assertEquals("Test Author 2", component.getAuthors().get(1).getName());
+        assertNull(component.getAuthors().get(1).getEmail());
+    }
+
     private void assertExternalReferenceInfo(Bom bom) {
         assertEquals(3, bom.getExternalReferences().size());
         assertEquals(3, bom.getComponents().get(0).getExternalReferences().size());

src/test/java/org/cyclonedx/BomXmlGeneratorTest.java

@@ -46,13 +46,21 @@
 import org.junit.jupiter.params.provider.Arguments;
 import org.junit.jupiter.params.provider.MethodSource;
 import org.w3c.dom.Document;
+import org.w3c.dom.NodeList;
+
+import javax.xml.namespace.NamespaceContext;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathFactory;
 import java.io.File;
 import java.io.FileWriter;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.ArrayList;
-import java.util.Arrays;
+import java.util.Collections;
+import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.UUID;
@@ -786,6 +794,64 @@ public void testIssue408Regression_jsonToXml_externalReferenceBom() throws Excep
         assertTrue(parser.isValid(loadedFile, version));
     }
 
+    @Test
+    public void testComponentAuthorSerializationOutputAsString() throws Exception {
+        Version version = Version.VERSION_16;
+        Bom bom = createCommonBomXml("/1.6/valid-component-authors-1.6.xml");
+
+        BomXmlGenerator generator = BomGeneratorFactory.createXml(version, bom);
+        String xmlString = generator.toXmlString();
+        File loadedFile = writeToFile(xmlString);
+
+        XmlParser parser = new XmlParser();
+        assertTrue(parser.isValid(loadedFile, version));
+
+        // Verify the xml content
+        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+        dbf.setNamespaceAware(true);
+        Document doc = dbf.newDocumentBuilder()
+                .parse(new java.io.ByteArrayInputStream(xmlString.getBytes()));
+
+        XPath xpath = XPathFactory.newInstance().newXPath();
+        xpath.setNamespaceContext(new NamespaceContext() {
+            @Override
+            public String getNamespaceURI(String prefix) {
+                return "bom".equals(prefix) ? "http://cyclonedx.org/schema/bom/1.6" : null;
+            }
+            @Override
+            public String getPrefix(String namespaceURI) {
+                return "http://cyclonedx.org/schema/bom/1.6".equals(namespaceURI) ? "bom" : null;
+            }
+            @Override
+            public Iterator<String> getPrefixes(String namespaceURI) {
+                return Collections.singleton("bom").iterator();
+            }
+        });
+
+        NodeList authors = (NodeList) xpath.evaluate(
+                "//bom:component/bom:authors/bom:author",
+                doc,
+                XPathConstants.NODESET
+        );
+        assertEquals(2, authors.getLength(), "There should be exactly 2 <author> elements");
+
+        String author1 = xpath.evaluate("//bom:component/bom:authors/bom:author[1]/bom:name", doc);
+        String author2 = xpath.evaluate("//bom:component/bom:authors/bom:author[2]/bom:name", doc);
+
+        assertEquals("Test Author 1", author1);
+        assertEquals("Test Author 2", author2);
+    }
+
+    @Test
+    public void testComponentAuthorsDeserializationLegacy() throws Exception {
+        Bom bom = createCommonBomXml("/1.6/invalid-component-authors-legacy-1.6.xml");
+        Component component = bom.getComponents().get(0);
+        assertNotNull(component.getAuthors());
+        assertEquals(2, component.getAuthors().size());
+        assertEquals("Test Author 1", component.getAuthors().get(0).getName());
+        assertEquals("Test Author 2", component.getAuthors().get(1).getName());
+    }
+
     private void assertExternalReferenceInfo(Bom bom) {
         assertEquals(3, bom.getExternalReferences().size());
         assertEquals(3, bom.getComponents().get(0).getExternalReferences().size());

src/test/resources/1.6/invalid-component-authors-legacy-1.6.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom serialNumber="urn:uuid:e1acbeda-240f-4ab6-bd4e-749ab4183fec" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
+  <components>
+    <component type="application">
+      <authors>
+        <authors>
+          <name>Test Author 1</name>
+        </authors>
+        <authors>
+          <name>Test Author 2</name>
+        </authors>
+      </authors>
+      <name>Test Component</name>
+    </component>
+  </components>
+</bom>

src/test/resources/1.6/valid-component-authors-1.6.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom serialNumber="urn:uuid:e1acbeda-240f-4ab6-bd4e-749ab4183fec" version="1" xmlns="http://cyclonedx.org/schema/bom/1.6">
+  <components>
+    <component type="application">
+      <authors>
+        <author>
+          <name>Test Author 1</name>
+        </author>
+        <author>
+          <name>Test Author 2</name>
+        </author>
+      </authors>
+      <name>Test Component</name>
+    </component>
+  </components>
+</bom>

src/test/resources/1.6/valid-component-authors-json-object-1.6.json

@@ -0,0 +1,22 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:e1acbeda-240f-4ab6-bd4e-749ab4183fec",
+  "version": 1,
+  "components": [
+    {
+      "type": "application",
+      "name": "Test Component",
+      "authors": [
+        {
+          "name": "Test Author 1",
+          "email": "[email protected]"
+        },
+        {
+          "name": "Test Author 2"
+        }
+      ]
+    }
+  ]
+}