Added system property to ensure the prerelease functionality is not he default behavior. Added unit test. Minor formatting cleanup. #121

Author: stevespringett

src/main/java/org/cyclonedx/util/PropertyDeserializer.java

@@ -13,9 +13,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
-
 import org.cyclonedx.model.Property;
-
 import com.fasterxml.jackson.core.JsonParser;
 import com.fasterxml.jackson.databind.DeserializationContext;
 import com.fasterxml.jackson.databind.JsonNode;
@@ -29,15 +27,13 @@
  * @author wrgoff
  * @since 28 May 2021
  */
-public class PropertyDeserializer extends StdDeserializer<List<Property>>
-{
+public class PropertyDeserializer extends StdDeserializer<List<Property>> {
 	private static final long serialVersionUID = 3080840606644733407L;
 
 	/**
 	 * Default Constructor.
 	 */
-	public PropertyDeserializer()
-	{
+	public PropertyDeserializer() {
 		this(null);
 	}
 
@@ -46,8 +42,7 @@ public PropertyDeserializer()
 	 * 
 	 * @param vc Class for which the deserializer is for.
 	 */
-	public PropertyDeserializer(final Class<?> vc)
-	{
+	public PropertyDeserializer(final Class<?> vc) {
 		super(vc);
 	}
 
@@ -60,34 +55,26 @@ public PropertyDeserializer(final Class<?> vc)
 	 */
 	@Override
 	public List<Property> deserialize(final JsonParser parser,
-			final DeserializationContext context) throws IOException
-	{
+			final DeserializationContext context) throws IOException {
 		List<Property> properties = new ArrayList<>();
 
-		if (parser instanceof FromXmlParser)
-		{
+		if (parser instanceof FromXmlParser) {
 			JsonNode node = parser.getCodec().readTree(parser);
-			if (node.has("properties"))
-			{
+			if (node.has("properties")) {
 				JsonNode propertiesNode = node.get("properties");
-				if(propertiesNode.isArray())
-				{
+				if(propertiesNode.isArray()) {
 					ArrayNode arrayNode = (ArrayNode) node;
-					for (int i = 0; i < arrayNode.size(); i++)
-					{
+					for (int i = 0; i < arrayNode.size(); i++) {
 						node = node.get("property");
 						properties.addAll(parsePropertyNode(node, new ArrayList<Property>()));
 					}
 				}
 			}
-			else if (node.has("property"))
-			{
+			else if (node.has("property")) {
 				node = node.get("property");
 				properties.addAll(parsePropertyNode(node, new ArrayList<Property>()));
 			}
-		}
-		else
-		{
+		} else {
 			Property[] props = parser.readValueAs(Property[].class);
 			properties = Arrays.asList(props.clone());
 		}
@@ -100,29 +87,26 @@ else if (node.has("property"))
 	 * @param node JsonNode to process the property form.
 	 * @return Property processed from the JsonNode passed in.
 	 */
-	private Property parseProperty(JsonNode node)
-	{
-		String name = "";
-		String value = "";
+	private Property parseProperty(JsonNode node) {
+		String name = null;
+		String value = null;
 
 		JsonNode nameNode = node.get("name");
-		if (nameNode != null)
+		if (nameNode != null) {
 			name = nameNode.asText();
-		
+		}
 		JsonNode valueNode = node.get("");
-		if (valueNode != null)
+		if (valueNode != null) {
 			value = valueNode.asText();
-		else
-		{
+		} else if (isPreleaseDeserializationEnabled()) {
 			valueNode = node.get("value");
-			if (valueNode != null)
+			if (valueNode != null) {
 				value = valueNode.asText();
+			}
 		}
-		
 		Property prop = new Property();
 		prop.setName(name);
 		prop.setValue(value);
-		
 		return prop;
 	}
 
@@ -133,18 +117,15 @@ private Property parseProperty(JsonNode node)
 	 * @param props     List of properties to append to.
 	 * @return List of properties processed.
 	 */
-	private List<Property> parseArrayNode(ArrayNode arrayNode, List<Property> props)
-	{
+	private List<Property> parseArrayNode(ArrayNode arrayNode, List<Property> props) {
 		JsonNode node;
-		for (int i = 0; i < arrayNode.size(); i++)
-		{
+		for (int i = 0; i < arrayNode.size(); i++) {
 			node = arrayNode.get(i);
-			if (node instanceof ArrayNode)
-			{
+			if (node instanceof ArrayNode) {
 				parseArrayNode(((ArrayNode) node), props);
-			}
-			else
+			} else {
 				props.add(parseProperty(node));
+			}
 		}
 		return props;
 	}
@@ -156,16 +137,18 @@ private List<Property> parseArrayNode(ArrayNode arrayNode, List<Property> props)
 	 * @param properties List of properties to append to.
 	 * @return List of properties.
 	 */
-	private List<Property> parsePropertyNode(JsonNode node, List<Property> properties)
-	{
-		if (node.isArray())
-		{
+	private List<Property> parsePropertyNode(JsonNode node, List<Property> properties) {
+		if (node.isArray()) {
 			ArrayNode arrayNode = (ArrayNode) node;
 			properties.addAll(parseArrayNode(arrayNode, new ArrayList<Property>()));
-		}
-		else
+		} else {
 			properties.add(parseProperty(node));
-		
+		}
 		return properties;
 	}
+
+	private boolean isPreleaseDeserializationEnabled() {
+		final String s = System.getProperty("cyclonedx.prerelease.13.properties");
+		return Boolean.parseBoolean(s);
+	}
 }

src/test/java/org/cyclonedx/parsers/XmlParserTest.java

@@ -426,4 +426,24 @@ public void testParsedObjects13Bom() throws Exception {
         assertEquals("pkg:maven/org.acme/[email protected]", d11.getRef());
         assertNull(d11.getDependencies());
     }
+
+    @Test
+    public void test13PrereleasePropertyBom() throws Exception {
+        final File file = new File(this.getClass().getResource("/1.3/valid-properties-1.3-prerelease.xml").getFile());
+        final XmlParser parser = new XmlParser();
+        final boolean valid = parser.isValid(file, CycloneDxSchema.Version.VERSION_12);
+        assertFalse(valid);
+        final Bom bom1 = parser.parse(file);
+        Component c1 = bom1.getComponents().get(0);
+        assertEquals(2, c1.getProperties().size());
+        assertEquals("Foo", c1.getProperties().get(0).getName());
+        assertNull(c1.getProperties().get(0).getValue());
+
+        System.setProperty("cyclonedx.prerelease.13.properties", "true");
+        final Bom bom2 = parser.parse(file);
+        Component c2 = bom2.getComponents().get(0);
+        assertEquals(2, c2.getProperties().size());
+        assertEquals("Foo", c2.getProperties().get(0).getName());
+        assertEquals("Bar", c2.getProperties().get(0).getValue());
+    }
 }

src/test/resources/1.3/valid-properties-1.3-prerelease.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0"?>
+<bom serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1" xmlns="http://cyclonedx.org/schema/bom/1.3">
+    <!-- This is NOT a valid CycloneDX v1.3 SBOM. However Lockheed Martin adopted this when v1.3 was in development
+    and the spec had changed since release. The prerelease version had used attributes for the value. The released
+    version uses the element value itself so that CDATA could be used. To trigger the prerelease behavior the
+    `cyclonedx.prerelease.13.properties` system property must be present and set to true.
+    -->
+    <metadata>
+        <properties>
+            <property name="Foo" value="Bar"/>
+            <property name="Foo" value="You"/>
+            <property name="Foo" value="Two"/>
+            <property name="Bar" value="Foo"/>
+        </properties>
+    </metadata>
+    <components>
+        <component type="library">
+            <name>acme-library</name>
+            <version>1.0.0</version>
+            <properties>
+                <property name="Foo" value="Bar"/>
+                <property name="Bar" value="Foo"/>
+            </properties>
+        </component>
+    </components>
+    <services>
+        <service bom-ref="b2a46a4b-8367-4bae-9820-95557cfe03a8">
+            <group>org.partner</group>
+            <name>Stock ticker service</name>
+            <endpoints>
+                <endpoint>https://partner.org/api/v1/stock</endpoint>
+            </endpoints>
+            <properties>
+                <property name="Foo" value="Bar"/>
+                <property name="Bar" value="Foo"/>
+            </properties>
+        </service>
+    </services>
+</bom>