Merge pull request #412 from andreas-hilti/fix/merge

Fix merge of definitions and declarations

Author: coderpatros

src/CycloneDX.Utils/Merge.cs

@@ -150,30 +150,31 @@ public static Bom FlatMerge(Bom bom1, Bom bom2)
             var annotationsMerger = new ListMergeHelper<Annotation>();
             result.Annotations = annotationsMerger.Merge(bom1.Annotations, bom2.Annotations);
 
-            if (bom1.Definitions != null && bom2.Definitions != null)
+            if (bom1.Definitions != null || bom2.Definitions != null)
             {
                 //this will not take a signature, but it probably makes sense to empty those after a merge anyways. 
                 result.Definitions = new Definitions();
                 var standardMerger = new ListMergeHelper<Standard>();
-                result.Definitions.Standards = standardMerger.Merge(bom1.Definitions.Standards, bom2.Definitions.Standards);
+                result.Definitions.Standards = standardMerger.Merge(bom1.Definitions?.Standards, bom2.Definitions?.Standards);
             }
 
-            if (bom1.Declarations != null && bom2.Declarations != null)
+            if (bom1.Declarations != null || bom2.Declarations != null)
             {
                 //dont merge higher level signatures or the affirmation. The previously signed/affirmed data likely is changed.
                 result.Declarations = new Declarations();
                 var AssesorMerger = new ListMergeHelper<Assessor>();
-                result.Declarations.Assessors = AssesorMerger.Merge(bom1.Declarations.Assessors, bom2.Declarations.Assessors);
+                result.Declarations.Assessors = AssesorMerger.Merge(bom1.Declarations?.Assessors, bom2.Declarations?.Assessors);
                 var attestationMerger = new ListMergeHelper<Attestation>();
-                result.Declarations.Attestations = attestationMerger.Merge(bom1.Declarations.Attestations, bom2.Declarations.Attestations);
-                var claimmerger = new ListMergeHelper<Claim>();
-                result.Declarations.Claims = claimmerger.Merge(bom1.Declarations.Claims, bom2.Declarations.Claims);
+                result.Declarations.Attestations = attestationMerger.Merge(bom1.Declarations?.Attestations, bom2.Declarations?.Attestations);
+                var claimMerger = new ListMergeHelper<Claim>();
+                result.Declarations.Claims = claimMerger.Merge(bom1.Declarations?.Claims, bom2.Declarations?.Claims);
 
-                if (bom1.Declarations?.Targets != null && bom2.Declarations?.Targets != null)
+                if (bom1.Declarations?.Targets != null || bom2.Declarations?.Targets != null)
                 {
-                    result.Declarations.Targets.Organizations = new ListMergeHelper<OrganizationalEntity>().Merge(bom1.Declarations.Targets.Organizations, bom2.Declarations.Targets.Organizations);
-                    result.Declarations.Targets.Components = new ListMergeHelper<Component>().Merge(bom1.Declarations.Targets.Components, bom2.Declarations.Targets.Components);
-                    result.Declarations.Targets.Services = new ListMergeHelper<Service>().Merge(bom1.Declarations.Targets.Services, bom2.Declarations.Targets.Services);
+                    result.Declarations.Targets = new Targets();
+                    result.Declarations.Targets.Organizations = new ListMergeHelper<OrganizationalEntity>().Merge(bom1.Declarations?.Targets?.Organizations, bom2.Declarations?.Targets?.Organizations);
+                    result.Declarations.Targets.Components = new ListMergeHelper<Component>().Merge(bom1.Declarations?.Targets?.Components, bom2.Declarations?.Targets?.Components);
+                    result.Declarations.Targets.Services = new ListMergeHelper<Service>().Merge(bom1.Declarations?.Targets?.Services, bom2.Declarations?.Targets?.Services);
                 }
             }
 
@@ -223,6 +224,10 @@ public static Bom FlatMerge(IEnumerable<Bom> boms, Component bomSubject)
 
             if (bomSubject != null)
             {
+                if (result.Metadata == null)
+                {
+                    result.Metadata = new Metadata();
+                }
                 // use the params provided if possible
                 result.Metadata.Component = bomSubject;
                 result.Metadata.Component.BomRef = ComponentBomRefNamespace(result.Metadata.Component);
@@ -242,6 +247,11 @@ public static Bom FlatMerge(IEnumerable<Bom> boms, Component bomSubject)
                     }
                 }
 
+                if (result.Dependencies == null)
+                {
+                    result.Dependencies = new List<Dependency>();
+                }
+
                 result.Dependencies.Add(mainDependency);
 
 

tests/CycloneDX.Utils.Tests/MergeTests.cs

@@ -688,6 +688,46 @@ public void HierarchicalMergeTest1_6(string filename)
             Snapshot.Match(jsonString, SnapshotNameExtension.Create(filename));
         }
 
+        [Theory]
+        [InlineData("valid-attestation-1.6.json")]
+        [InlineData("valid-standard-1.6.json")]
+        public void FlatMergeTest1_6(string filename)
+        {
+            var subject = new Component
+            {
+                Type = Component.Classification.Application,
+                Name = "Thing",
+                Version = "1",
+            };
+            var resourceFilename = Path.Join("MergeTests_Resources", filename);
+            var jsonString = File.ReadAllText(resourceFilename);
+
+            var bom1 = Serializer.Deserialize(jsonString);
+            var bom2 = new Bom
+            {
+                Components = new List<Component>
+                {
+                    new Component
+                    {
+                        Type = Component.Classification.Application,
+                        BomRef = "bom2",
+                        Name = "bom2name"
+                    }
+                }
+            };
+
+
+            var result = CycloneDXUtils.FlatMerge(new[] { bom1, bom2 }, subject);
+            result.SpecVersion = SpecificationVersion.v1_6;
+
+            jsonString = Serializer.Serialize(result);
+
+            var validationResult = Validator.Validate(jsonString, SpecificationVersion.v1_6);
+            Assert.True(validationResult.Valid, string.Join(Environment.NewLine, validationResult.Messages));
+
+            Snapshot.Match(jsonString, SnapshotNameExtension.Create(filename));
+        }
+      
         [Fact]
         public void HierarchicalMergeAnnotationsTest()
         {

tests/CycloneDX.Utils.Tests/__snapshots__/MergeTests.FlatMergeTest1_6_valid-attestation-1.6.json.snap

@@ -0,0 +1,111 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "metadata": {
+    "component": {
+      "type": "application",
+      "bom-ref": "Thing@1",
+      "name": "Thing",
+      "version": "1"
+    }
+  },
+  "components": [
+    {
+      "type": "application",
+      "bom-ref": "bom2",
+      "name": "bom2name"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "Thing@1",
+      "dependsOn": []
+    }
+  ],
+  "declarations": {
+    "assessors": [
+      {
+        "bom-ref": "assessor-1",
+        "thirdParty": true,
+        "organization": {
+          "name": "Assessors Inc"
+        }
+      }
+    ],
+    "attestations": [
+      {
+        "summary": "Attestation summary here",
+        "assessor": "assessor-1",
+        "map": [
+          {
+            "requirement": "requirement-1",
+            "claims": [
+              "claim-1"
+            ],
+            "counterClaims": [
+              "counterClaim-1"
+            ],
+            "conformance": {
+              "score": 0.8,
+              "rationale": "Conformance rationale here",
+              "mitigationStrategies": [
+                "mitigationStrategy-1"
+              ]
+            },
+            "confidence": {
+              "score": 1,
+              "rationale": "Confidence rationale here"
+            }
+          }
+        ],
+        "signature": {
+          "algorithm": "ES256",
+          "certificatePath": [
+            "MIIB...",
+            "MIID..."
+          ],
+          "value": "tqIT..."
+        }
+      }
+    ],
+    "claims": [
+      {
+        "bom-ref": "claim-1",
+        "target": "acme-inc",
+        "predicate": "Predicate here",
+        "mitigationStrategies": [
+          "mitigationStrategy-1"
+        ],
+        "reasoning": "Reasoning here",
+        "evidence": [
+          "evidence-1"
+        ],
+        "counterEvidence": [
+          "counterEvidence-1"
+        ],
+        "externalReferences": [
+          {
+            "url": "https://alm.example.com",
+            "type": "issue-tracker"
+          }
+        ],
+        "signature": {
+          "algorithm": "ES256",
+          "certificatePath": [
+            "MIIB...",
+            "MIID..."
+          ],
+          "value": "tqIT..."
+        }
+      }
+    ],
+    "targets": {
+      "organizations": [
+        {
+          "name": "Acme Inc",
+          "bom-ref": "acme-inc"
+        }
+      ]
+    }
+  }
+}

tests/CycloneDX.Utils.Tests/__snapshots__/MergeTests.FlatMergeTest1_6_valid-standard-1.6.json.snap

@@ -0,0 +1,95 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "metadata": {
+    "component": {
+      "type": "application",
+      "bom-ref": "Thing@1",
+      "name": "Thing",
+      "version": "1"
+    }
+  },
+  "components": [
+    {
+      "type": "application",
+      "bom-ref": "bom2",
+      "name": "bom2name"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "Thing@1",
+      "dependsOn": []
+    }
+  ],
+  "definitions": {
+    "standards": [
+      {
+        "bom-ref": "standard-1",
+        "name": "Sample Standard",
+        "version": "1.0.0",
+        "description": "Description here",
+        "owner": "Acme Inc",
+        "requirements": [
+          {
+            "bom-ref": "requirement-1",
+            "identifier": "v1",
+            "title": "Title here"
+          },
+          {
+            "bom-ref": "requirement-1.1",
+            "identifier": "v1.1",
+            "title": "Title here",
+            "parent": "requirement-1"
+          },
+          {
+            "bom-ref": "requirement-1.1.1",
+            "identifier": "v1.1.1",
+            "text": "Text of the requirement here",
+            "descriptions": [
+              "Supplemental text here"
+            ],
+            "openCre": [
+              "CRE:616-305"
+            ],
+            "parent": "requirement-1.1"
+          }
+        ],
+        "levels": [
+          {
+            "bom-ref": "level-1",
+            "identifier": "Level 1",
+            "description": "Description here",
+            "requirements": [
+              "requirement-1.1.1"
+            ]
+          },
+          {
+            "bom-ref": "level-2",
+            "identifier": "Level 2",
+            "description": "Description here",
+            "requirements": [
+              "requirement-1.1.1"
+            ]
+          },
+          {
+            "bom-ref": "level-3",
+            "identifier": "Level 3",
+            "description": "Description here",
+            "requirements": [
+              "requirement-1.1.1"
+            ]
+          }
+        ],
+        "signature": {
+          "algorithm": "ES256",
+          "certificatePath": [
+            "MIIB...",
+            "MIID..."
+          ],
+          "value": "tqIT..."
+        }
+      }
+    ]
+  }
+}