Convert a SPDX cpe externalReference into the item level cpe field

.markdownlint.json

@@ -1,5 +1,6 @@
 {
     "MD013": {
-        "code_blocks": false
+        "code_blocks": false,
+		"tables": false
     }
 }

README.md

@@ -39,6 +39,7 @@ minimising data loss during conversion, pull requests are welcome :)
 | License information in files | Needs review, the way SPDX and CycloneDX handle license information evidence is slightly different. |
 | Snippet Information | Snippets are not currently supported by CycloneDX |
 | Non-SPDX licenses | Implementation pending |
+| CPE for Component Identity | SPDX supports multiple CPEs for a package. But doesn't support specifying if any are a component identifier. The first one is used as component CPE.|
 
 #### CycloneDX -> SPDX
 

src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/Component/ExternalRefs.cs

@@ -142,6 +142,13 @@ public static void AddSpdxExternalRefs(this Component component, List<ExternalRe
                         {
                             refPropValue = $"{extRef.ReferenceLocator} {extRef.Comment}";
                         }
+                        if ((refPropName == PropertyTaxonomy.EXTERNAL_REFERENCE_SECURITY_CPE22 ||
+                            refPropName == PropertyTaxonomy.EXTERNAL_REFERENCE_SECURITY_CPE23) && component.Cpe == null)
+                        {
+                            // For the first seen cpe, assume it is the component's cpe.
+                            component.Cpe = refPropValue;
+                            continue;
+                        }
 
                         if (refPropName == PropertyTaxonomy.EXTERNAL_REFERENCE_PACKAGE_MANAGER_PURL && component.Purl == null)
                         {

src/CycloneDX.Spdx.Interop/Converters/v2_3/Helpers/SpdxDocumentHelpers.cs

@@ -200,14 +200,31 @@ public static void AddCycloneDXComponents(this SpdxDocument doc, Bom bom)
                 package.Checksums = component.GetSpdxChecksums();
                 package.ExternalRefs = component.GetSpdxExternalRefs();
 
-                if (component.Purl != null)
+                if (component.Cpe != null)
                 {
                     if (package.ExternalRefs == null)
                     {
                         package.ExternalRefs = new List<ExternalRef>();
                     }
 
                     // Insert at the start, so that this correctly roundtrips, i.e. if there are
+                    // multiple CPEs, always pick the first as the component's cpe.
+                    var referenceType = component.Cpe.StartsWith("cpe:/", true, culture: System.Globalization.CultureInfo.InvariantCulture) ? "cpe22Type" : "cpe23Type";
+                    package.ExternalRefs.Insert(0, new ExternalRef
+                    {
+                        ReferenceCategory = ExternalRefCategory.SECURITY,
+                        ReferenceType = referenceType,
+                        ReferenceLocator = component.Cpe,
+                    });
+                }
+
+                if (component.Purl != null)
+                {
+                    if (package.ExternalRefs == null)
+                    {
+                        package.ExternalRefs = new List<ExternalRef>();
+                    }
+
                     // multiple PURLs, always pick the first as the component's PURL.
                     package.ExternalRefs.Insert(0, new ExternalRef
                     {

tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.2document.snap

@@ -111,6 +111,7 @@
         }
       ],
       "copyright": "Copyright 2008-2010 John Smith",
+      "cpe": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
       "externalReferences": [
         {
           "url": "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz",
@@ -170,10 +171,6 @@
           "name": "spdx:package:originator:email",
           "value": "contact@example.com"
         },
-        {
-          "name": "spdx:external-reference:security:cpe23",
-          "value": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*"
-        },
         {
           "name": "spdx:external-reference:other:http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#LocationRef-acmeforge",
           "value": "acmecorp/acmenator/4.1.3-alpha This is the external ref for Acme"

tests/CycloneDX.Spdx.Interop.Tests/__snapshots__/ConverterTests.FromSpdxToCDXTest_v2.3document.snap

@@ -107,6 +107,7 @@
         }
       ],
       "copyright": "Copyright 2008-2010 John Smith",
+      "cpe": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
       "externalReferences": [
         {
           "url": "http://ftp.gnu.org/gnu/glibc/glibc-ports-2.15.tar.gz",
@@ -182,10 +183,6 @@
           "name": "spdx:checksum:adler32",
           "value": "85ed0817af83a24ad8da68c2b5094de69833983c"
         },
-        {
-          "name": "spdx:external-reference:security:cpe23",
-          "value": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*"
-        },
         {
           "name": "spdx:external-reference:persistent-id:swh",
           "value": "acmecorp/acmenator/4.1.3-alpha This is the external ref for Acme"