Merge pull request #420 from CycloneDX/v1.7

Initial implementation of v1.7

Author: coderpatros

.codacy.yml

@@ -0,0 +1,3 @@
+---
+exclude_paths:
+  - "tests/**/Resources/**"

src/CycloneDX.Core/BomUtils.cs

@@ -19,6 +19,7 @@
 using System.Collections.Generic;
 using System.Linq;
 using System.Security.Claims;
+using CycloneDX.Core.Models;
 using CycloneDX.Models;
 using CycloneDX.Models.Vulnerabilities;
 using static CycloneDX.Models.EvidenceIdentity;
@@ -64,6 +65,15 @@ internal static Bom CopyBomAndDowngrade(Bom bom)
         {
             var bomCopy = bom.Copy();
 
+            // The protobuf deep copy does not preserve Signature/XmlSignature properties.
+            // Signatories require either a "signature" or "organization"+"externalReference"
+            // per the JSON schema oneOf constraint. Remove any that are now invalid.
+            if (bomCopy.Declarations?.Affirmation?.Signatories != null)
+            {
+                bomCopy.Declarations.Affirmation.Signatories.RemoveAll(s =>
+                    s.Signature == null && (s.Organization == null || s.ExternalReference == null));
+            }
+
             // we downgrade stuff starting with lowest spec first
             // this will remove entire classes of things and will save unnecessary processing further down
             if (bomCopy.SpecVersion < SpecificationVersion.v1_1)
@@ -349,6 +359,89 @@ internal static Bom CopyBomAndDowngrade(Bom bom)
 
             }
 
+            if (bomCopy.SpecVersion < SpecificationVersion.v1_7)
+            {
+                bomCopy.Citations = null;
+
+                if (bomCopy.Metadata != null)
+                {
+                    bomCopy.Metadata.DistributionConstraints = null;
+                }
+
+                if (bomCopy.Definitions != null)
+                {
+                    bomCopy.Definitions.Patents = null;
+                }
+
+                EnumerateAllComponents(bomCopy, (component) =>
+                {
+                    component.VersionRange = null;
+                    component.IsExternal = null;
+                    component.PatentAssertions = null;
+
+                    if (component.CryptoProperties?.CertificateProperties != null)
+                    {
+                        var certProps = component.CryptoProperties.CertificateProperties;
+                        certProps.SerialNumber = null;
+                        certProps.CertificateFileExtension = null;
+                        certProps.Fingerprint = null;
+                        certProps.CertificateStates = null;
+                        certProps.CreationDate = null;
+                        certProps.ActivationDate = null;
+                        certProps.DeactivationDate = null;
+                        certProps.RevocationDate = null;
+                        certProps.DestructionDate = null;
+                        certProps.CertificateExtensions = null;
+                        certProps.RelatedCryptographicAssets = null;
+                    }
+
+                    if (component.CryptoProperties?.RelatedCryptoMaterialProperties != null)
+                    {
+                        var rcmProps = component.CryptoProperties.RelatedCryptoMaterialProperties;
+                        rcmProps.Fingerprint = null;
+                        rcmProps.RelatedCryptographicAssets = null;
+                    }
+
+                    if (component.CryptoProperties?.ProtocolProperties != null)
+                    {
+                        var protoProps = component.CryptoProperties.ProtocolProperties;
+                        protoProps.RelatedCryptographicAssets = null;
+                        // Downgrade detailed IKEv2 transform types to null (v1.6 doesn't support the detailed format)
+                        protoProps.Ikev2TransformTypes = null;
+                    }
+                });
+
+                EnumerateAllServices(bomCopy, (service) =>
+                {
+                    service.PatentAssertions = null;
+                });
+
+                EnumerateAllLicenseChoices(bomCopy, (licenseChoice) =>
+                {
+                    licenseChoice.ExpressionDetails = null;
+                    licenseChoice.Licensing = null;
+                    licenseChoice.Properties = null;
+                });
+
+                // v1.6 xs:choice only allows EITHER licenses OR an expression, not both.
+                // v1.7 allows unbounded mixing. Strip expressions when mixed with licenses.
+                DowngradeMixedLicenseChoiceLists(bomCopy);
+
+                EnumerateAllExternalReferences(bomCopy, (externalReference) =>
+                {
+                    if (externalReference != null)
+                    {
+                        if (externalReference.Type == ExternalReference.ExternalReferenceType.Patent
+                            || externalReference.Type == ExternalReference.ExternalReferenceType.Patent_Family
+                            || externalReference.Type == ExternalReference.ExternalReferenceType.Patent_Assertion
+                            || externalReference.Type == ExternalReference.ExternalReferenceType.Citation)
+                        {
+                            externalReference.Type = ExternalReference.ExternalReferenceType.Other;
+                        }
+                    }
+                });
+            }
+
             // triggers a bunch of stuff, don't remove unless you know what you are doing
             bomCopy.SpecVersion = bomCopy.SpecVersion;
 
@@ -464,6 +557,55 @@ public static void EnumerateAllLicenses(Bom bom, Action<License> callback)
             });
         }
 
+        private static void DowngradeMixedLicenseChoiceList(List<LicenseChoice> licenses)
+        {
+            if (licenses == null || licenses.Count <= 1) { return; }
+            // v1.6 xs:choice only allows EITHER multiple licenses OR one expression.
+            // When mixed, keep licenses and drop expressions.
+            // When multiple expressions, keep only the first.
+            bool hasLicense = false;
+            bool hasExpression = false;
+            foreach (var lc in licenses)
+            {
+                if (lc.License != null) { hasLicense = true; }
+                if (lc.Expression != null) { hasExpression = true; }
+            }
+            if (hasLicense && hasExpression)
+            {
+                licenses.RemoveAll(lc => lc.Expression != null && lc.License == null);
+            }
+            else if (hasExpression)
+            {
+                // Keep only the first expression
+                bool first = true;
+                licenses.RemoveAll(lc =>
+                {
+                    if (lc.Expression != null)
+                    {
+                        if (first) { first = false; return false; }
+                        return true;
+                    }
+                    return false;
+                });
+            }
+        }
+
+        private static void DowngradeMixedLicenseChoiceLists(Bom bom)
+        {
+            if (bom.Metadata?.Licenses != null)
+            {
+                DowngradeMixedLicenseChoiceList(bom.Metadata.Licenses);
+            }
+            EnumerateAllComponents(bom, (component) =>
+            {
+                DowngradeMixedLicenseChoiceList(component.Licenses);
+            });
+            EnumerateAllServices(bom, (service) =>
+            {
+                DowngradeMixedLicenseChoiceList(service.Licenses);
+            });
+        }
+
         public static void EnumerateAllLicenseChoices(Bom bom, Action<LicenseChoice> callback)
         {
             if (bom.Metadata?.Licenses != null)
@@ -757,6 +899,27 @@ public static void EnumerateAllExternalReferences(Bom bom, Action<ExternalRefere
                 }
             }
 
+            if (bom.Definitions?.Patents != null)
+            {
+                foreach (var patentOrFamily in bom.Definitions.Patents)
+                {
+                    if (patentOrFamily?.Patent?.ExternalReferences != null)
+                    {
+                        foreach (var item in patentOrFamily.Patent.ExternalReferences)
+                        {
+                            callback(item);
+                        }
+                    }
+                    if (patentOrFamily?.PatentFamily?.ExternalReferences != null)
+                    {
+                        foreach (var item in patentOrFamily.PatentFamily.ExternalReferences)
+                        {
+                            callback(item);
+                        }
+                    }
+                }
+            }
+
             EnumerateAllResourceReferenceChoices(bom, (resoureReferenceChoice) =>
             {
                 if (resoureReferenceChoice?.ExternalReference != null)

src/CycloneDX.Core/Json/Converters/AsserterConverter.cs

@@ -0,0 +1,92 @@
+// This file is part of CycloneDX Library for .NET
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) OWASP Foundation. All Rights Reserved.
+
+using System;
+using System.Diagnostics.Contracts;
+using System.Text.Json;
+using System.Text.Json.Serialization;
+using CycloneDX.Models;
+
+namespace CycloneDX.Json.Converters
+{
+    public class AsserterConverter : JsonConverter<Asserter>
+    {
+        public override Asserter Read(
+            ref Utf8JsonReader reader,
+            Type typeToConvert,
+            JsonSerializerOptions options)
+        {
+            if (reader.TokenType == JsonTokenType.Null)
+            {
+                return null;
+            }
+            else if (reader.TokenType == JsonTokenType.String)
+            {
+                return new Asserter { Ref = reader.GetString() };
+            }
+            else if (reader.TokenType == JsonTokenType.StartObject)
+            {
+                var doc = JsonDocument.ParseValue(ref reader);
+                // Discriminate: organizationalEntity has "url" or "contact" arrays
+                // organizationalContact has "email" or "phone" but not "url" array or "contact" array
+                if (doc.RootElement.TryGetProperty("url", out _) || doc.RootElement.TryGetProperty("contact", out _))
+                {
+                    var org = doc.Deserialize<OrganizationalEntity>(options);
+                    return new Asserter { Organization = org };
+                }
+                else
+                {
+                    var individual = doc.Deserialize<OrganizationalContact>(options);
+                    return new Asserter { Individual = individual };
+                }
+            }
+            else
+            {
+                throw new JsonException();
+            }
+        }
+
+        public override void Write(
+            Utf8JsonWriter writer,
+            Asserter value,
+            JsonSerializerOptions options)
+        {
+            Contract.Requires(writer != null);
+
+            if (value == null)
+            {
+                writer.WriteNullValue();
+            }
+            else if (value.Ref != null)
+            {
+                writer.WriteStringValue(value.Ref);
+            }
+            else if (value.Organization != null)
+            {
+                JsonSerializer.Serialize(writer, value.Organization, options);
+            }
+            else if (value.Individual != null)
+            {
+                JsonSerializer.Serialize(writer, value.Individual, options);
+            }
+            else
+            {
+                writer.WriteNullValue();
+            }
+        }
+    }
+}