Merge pull request #411 from andreas-hilti/feat/merge_annotations

Merge annotations

Author: coderpatros

src/CycloneDX.Core/Models/Annotation.cs

@@ -20,11 +20,12 @@
 using System.Xml.Serialization;
 using System.Text.Json.Serialization;
 using ProtoBuf;
+using System.Text.Json;
 
 namespace CycloneDX.Models
 {
     [ProtoContract]
-    public class Annotation
+    public class Annotation : IEquatable<Annotation>
     {
         [XmlType("subject")]
         public class XmlAnnotationSubject
@@ -91,5 +92,27 @@ public DateTime? Timestamp
         [XmlElement("text")]
         [ProtoMember(5)]
         public string Text { get; set; }
+
+
+        public override bool Equals(object obj)
+        {
+            var other = obj as Annotation;
+            if (other == null)
+            {
+                return false;
+            }
+
+            return JsonSerializer.Serialize(this, Json.Serializer.SerializerOptionsForHash) == JsonSerializer.Serialize(other, Json.Serializer.SerializerOptionsForHash);
+        }
+
+        public bool Equals(Annotation obj)
+        {
+            return JsonSerializer.Serialize(this, Json.Serializer.SerializerOptionsForHash) == JsonSerializer.Serialize(obj, Json.Serializer.SerializerOptionsForHash);
+        }
+
+        public override int GetHashCode()
+        {
+            return JsonSerializer.Serialize(this, Json.Serializer.SerializerOptionsForHash).GetHashCode();
+        }
     }
 }

src/CycloneDX.Utils/Merge.cs

@@ -147,6 +147,9 @@ public static Bom FlatMerge(Bom bom1, Bom bom2)
             var vulnerabilitiesMerger = new ListMergeHelper<Vulnerability>();
             result.Vulnerabilities = vulnerabilitiesMerger.Merge(bom1.Vulnerabilities, bom2.Vulnerabilities);
 
+            var annotationsMerger = new ListMergeHelper<Annotation>();
+            result.Annotations = annotationsMerger.Merge(bom1.Annotations, bom2.Annotations);
+
             if (bom1.Definitions != null && bom2.Definitions != null)
             {
                 //this will not take a signature, but it probably makes sense to empty those after a merge anyways. 
@@ -285,6 +288,7 @@ public static Bom HierarchicalMerge(IEnumerable<Bom> boms, Component bomSubject)
             result.Dependencies = new List<Dependency>();
             result.Compositions = new List<Composition>();
             result.Vulnerabilities = new List<Vulnerability>();
+            result.Annotations = new List<Annotation>();
 
             result.Declarations = new Declarations
             {
@@ -401,6 +405,13 @@ bom.SerialNumber is null
                     result.Vulnerabilities.AddRange(bom.Vulnerabilities);
                 }
 
+                // annotations
+                if (bom.Annotations != null)
+                {
+                    NamespaceAnnotationsBomRefs(ComponentBomRefNamespace(bom.Metadata.Component), bom.Annotations);
+                    result.Annotations.AddRange(bom.Annotations);
+                }
+
                 void NamespaceBomRefs(IEnumerable<IHasBomRef> refs) => CycloneDXUtils.NamespaceBomRefs(thisComponent, refs);
                 void NamespaceReference(IEnumerable<object> refs, string name) => CycloneDXUtils.NamespaceProperty(thisComponent, refs, name);
 
@@ -472,6 +483,7 @@ bom.SerialNumber is null
             if (result.Dependencies.Count == 0) { result.Dependencies = null; }
             if (result.Compositions.Count == 0) { result.Compositions = null; }
             if (result.Vulnerabilities.Count == 0) { result.Vulnerabilities = null; }
+            if (result.Annotations.Count == 0) { result.Annotations = null; }
 
             return result;
         }
@@ -631,6 +643,44 @@ private static void NamespaceVulnerabilitiesRefs(string bomRefNamespace, List<Vu
             }
         }
 
+        private static void NamespaceAnnotationsBomRefs(string bomRefNamespace, List<Annotation> annotations)
+        {
+            var pendingAnnotations = new Stack<Annotation>(annotations);
+
+            while (pendingAnnotations.Count > 0)
+            {
+                var annotation = pendingAnnotations.Pop();
+
+                annotation.BomRef = NamespacedBomRef(bomRefNamespace, annotation.BomRef);
+
+                if (annotation.Subjects != null)
+                {
+                    for (var i = 0; i < annotation.XmlSubjects.Count; i++)
+                    {
+                        annotation.XmlSubjects[i].Ref = NamespacedBomRef(bomRefNamespace, annotation.XmlSubjects[i].Ref);
+                    }
+                }
+                                
+                if (annotation.Annotator?.Component != null)
+                {
+                    NamespaceComponentBomRefs(bomRefNamespace, annotation.Annotator?.Component);
+                }
+                if (annotation.Annotator?.Individual != null)
+                {
+                    annotation.Annotator.Individual.BomRef = NamespacedBomRef(bomRefNamespace, annotation.Annotator.Individual.BomRef);
+                }
+                if (annotation.Annotator?.Organization != null)
+                {
+                    annotation.Annotator.Organization.BomRef = NamespacedBomRef(bomRefNamespace, annotation.Annotator.Organization.BomRef);
+                }
+                if (annotation.Annotator?.Service != null)
+                {
+                    annotation.Annotator.Service.BomRef = NamespacedBomRef(bomRefNamespace, annotation.Annotator.Service.BomRef);
+                }
+
+            }
+        }
+
         private static void NamespaceDependencyBomRefs(string bomRefNamespace, List<Dependency> dependencies)
         {
             var pendingDependencies = new Stack<Dependency>(dependencies);

tests/CycloneDX.Utils.Tests/MergeTests.cs

@@ -175,6 +175,72 @@ public void FlatMergeVulnerabilitiesTest()
             Snapshot.Match(result);
         }
 
+        [Fact]
+        public void FlatMergeAnnotationsTest()
+        {
+            var sbom1 = new Bom
+            {
+                Components = new List<Component>
+                    {
+                        new Component
+                        {
+                            Name = "Component1",
+                            Version = "1"
+                        }
+                    },
+                Annotations = new List<Annotation>
+                {
+                    new Annotation
+                    {
+                        BomRef = "annotation1",
+                        Subjects = new List<string> { "Component1" },
+                        Text = "Annotation Text",
+                        Annotator = new AnnotatorChoice
+                        {
+                            Individual = new OrganizationalContact
+                            {
+                                BomRef = "individual1",
+                                Name = "individual1",
+                            }
+                        }
+                    }
+                }
+            };
+            var sbom2 = new Bom
+            {
+                Components = new List<Component>
+                    {
+                        new Component
+                        {
+                            Name = "Component2",
+                            Version = "1"
+                        }
+                    },
+                Annotations = new List<Annotation>
+                {
+                    new Annotation
+                    {
+                        BomRef = "annotation2",
+                        Subjects = new List<string> { "Component2" },
+                        Text = "Annotation Text 2",
+                        Annotator = new AnnotatorChoice
+                        {
+                            Organization = new OrganizationalEntity
+                            {
+                                BomRef = "organization1",
+                                Name = "organization1",
+                            }
+                        }
+                    }
+                }
+            };
+
+            var result = CycloneDXUtils.FlatMerge(sbom1, sbom2);
+
+            Snapshot.Match(result);
+        }
+
+
         [Fact]
         public void HierarchicalMergeComponentsTest()
         {
@@ -621,5 +687,79 @@ public void HierarchicalMergeTest1_6(string filename)
 
             Snapshot.Match(jsonString, SnapshotNameExtension.Create(filename));
         }
+
+        [Fact]
+        public void HierarchicalMergeAnnotationsTest()
+        {
+            var subject = new Component
+            {
+                Name = "Thing",
+                Version = "1",
+            };
+
+            var sbom1 = new Bom
+            {
+                Metadata = new Metadata
+                {
+                    Component = new Component
+                    {
+                        Name = "System1",
+                        Version = "1",
+                        BomRef = "System1@1"
+                    }
+                },
+                Annotations = new List<Annotation>
+                {
+                    new Annotation
+                    {
+                        BomRef = "annotation1",
+                        Subjects = new List<string> { "System1@1" },
+                        Text = "Annotation Text",
+                        Annotator = new AnnotatorChoice
+                        {
+                            Individual = new OrganizationalContact
+                            {
+                                BomRef = "individual1",
+                                Name = "individual1",
+                            }
+                        }
+                    }
+                }
+            };
+            var sbom2 = new Bom
+            {
+                Metadata = new Metadata
+                {
+                    Component = new Component
+                    {
+                        Name = "System2",
+                        Version = "1",
+                        BomRef = "System2@1"
+                    }
+                },
+                Annotations = new List<Annotation>
+                {
+                    new Annotation
+                    {
+                        BomRef = "annotation2",
+                        Subjects = new List<string> { "System2@1" },
+                        Text = "Annotation Text 2",
+                        Annotator = new AnnotatorChoice
+                        {
+                            Organization = new OrganizationalEntity
+                            {
+                                BomRef = "organization1",
+                                Name = "organization1",
+                            }
+                        }
+                    }
+                }
+            };
+
+            var result = CycloneDXUtils.HierarchicalMerge(new[] { sbom1, sbom2 }, subject);
+
+            Snapshot.Match(result);
+        }
+
     }
 }

tests/CycloneDX.Utils.Tests/__snapshots__/MergeTests.FlatMergeAnnotationsTest.snap

@@ -0,0 +1,113 @@
+{
+  "BomFormat": "CycloneDX",
+  "SpecVersion": "v1_6",
+  "SpecVersionString": "1.6",
+  "SerialNumber": null,
+  "Version": null,
+  "Metadata": null,
+  "Components": [
+    {
+      "Type": "Null",
+      "MimeType": null,
+      "BomRef": null,
+      "Supplier": null,
+      "Author": null,
+      "Publisher": null,
+      "Group": null,
+      "Name": "Component1",
+      "Version": "1",
+      "Description": null,
+      "Scope": null,
+      "Licenses": null,
+      "Copyright": null,
+      "Cpe": null,
+      "Purl": null,
+      "Swid": null,
+      "Modified": null,
+      "Pedigree": null,
+      "Evidence": null,
+      "ModelCard": null,
+      "CryptoProperties": null,
+      "XmlSignature": null,
+      "Signature": null
+    },
+    {
+      "Type": "Null",
+      "MimeType": null,
+      "BomRef": null,
+      "Supplier": null,
+      "Author": null,
+      "Publisher": null,
+      "Group": null,
+      "Name": "Component2",
+      "Version": "1",
+      "Description": null,
+      "Scope": null,
+      "Licenses": null,
+      "Copyright": null,
+      "Cpe": null,
+      "Purl": null,
+      "Swid": null,
+      "Modified": null,
+      "Pedigree": null,
+      "Evidence": null,
+      "ModelCard": null,
+      "CryptoProperties": null,
+      "XmlSignature": null,
+      "Signature": null
+    }
+  ],
+  "Compositions": null,
+  "Annotations": [
+    {
+      "BomRef": "annotation1",
+      "Subjects": [
+        "Component1"
+      ],
+      "XmlSubjects": [
+        {
+          "Ref": "Component1"
+        }
+      ],
+      "Annotator": {
+        "Organization": null,
+        "Individual": {
+          "Name": "individual1",
+          "Email": null,
+          "Phone": null,
+          "BomRef": "individual1"
+        },
+        "Component": null,
+        "Service": null
+      },
+      "Text": "Annotation Text"
+    },
+    {
+      "BomRef": "annotation2",
+      "Subjects": [
+        "Component2"
+      ],
+      "XmlSubjects": [
+        {
+          "Ref": "Component2"
+        }
+      ],
+      "Annotator": {
+        "Organization": {
+          "Name": "organization1",
+          "Url": null,
+          "Contact": null,
+          "BomRef": "organization1",
+          "Address": null
+        },
+        "Individual": null,
+        "Component": null,
+        "Service": null
+      },
+      "Text": "Annotation Text 2"
+    }
+  ],
+  "Definitions": null,
+  "XmlSignature": null,
+  "Signature": null
+}