Added 5 missing fields to match CycloneDX 1.6 spec: (#256)

* Added 5 missing fields to match CycloneDX 1.6 spec:

- Name (string) - identifier for the data
- Description (string) - description of data content/usage
- Governance (*DataGovernance) - data governance metadata
- Source (*[]string) - array of URIs/URLs/BOM-Links where data originates
- Destination (*[]string) - array of URIs/URLs/BOM-Links where data is sent

Updated service struct XML tag & implemented custom XML marshalling

Updated test files to conform to the new standard.

Signed-off-by: Alistair McLean <alistair.mclean@netrise.io>

* Moving conversion logic, and handling cases for specs <1.6

Signed-off-by: Alistair McLean <alistair.mclean@netrise.io>

* go fmt

Signed-off-by: Alistair McLean <alistair.mclean@netrise.io>

---------

Fixes #208

---------

Signed-off-by: Alistair McLean <alistair.mclean@netrise.io>
Co-authored-by: Alistair McLean <alistair.mclean@netrise.io>

Author: alistair-mclean

convert.go

@@ -237,6 +237,24 @@ func convertCompositions(comps *[]Composition, specVersion SpecVersion) {
 	}
 }
 
+// convertDataClassifications modifies a DataClassification slice such that it adheres to a given SpecVersion.
+func convertDataClassifications(dataClassifications *[]DataClassification, specVersion SpecVersion) {
+	if dataClassifications == nil {
+		return
+	}
+
+	// v1.6 introduced Name, Description, Governance, Source, and Destination fields
+	if specVersion < SpecVersion1_6 {
+		for i := range *dataClassifications {
+			(*dataClassifications)[i].Name = ""
+			(*dataClassifications)[i].Description = ""
+			(*dataClassifications)[i].Governance = nil
+			(*dataClassifications)[i].Source = nil
+			(*dataClassifications)[i].Destination = nil
+		}
+	}
+}
+
 // convertExternalReferences modifies an ExternalReference slice such that it adheres to a given SpecVersion.
 func convertExternalReferences(extRefs *[]ExternalReference, specVersion SpecVersion) {
 	if extRefs == nil {
@@ -466,6 +484,10 @@ func serviceConverter(specVersion SpecVersion) func(*Service) {
 			s.TrustZone = ""
 		}
 
+		if specVersion < SpecVersion1_6 {
+			convertDataClassifications(s.Data, specVersion)
+		}
+
 		convertOrganizationalEntity(s.Provider, specVersion)
 		convertExternalReferences(s.ExternalReferences, specVersion)
 	}

cyclonedx.go

@@ -522,8 +522,13 @@ type SecuredBy struct {
 }
 
 type DataClassification struct {
-	Flow           DataFlow `json:"flow" xml:"flow,attr"`
-	Classification string   `json:"classification" xml:",chardata"`
+	Flow           DataFlow        `json:"flow" xml:"flow,attr"`
+	Classification string          `json:"classification" xml:",chardata"`
+	Name           string          `json:"name,omitempty" xml:"name,attr,omitempty"`
+	Description    string          `json:"description,omitempty" xml:"description,attr,omitempty"`
+	Governance     *DataGovernance `json:"governance,omitempty" xml:"governance,omitempty"`
+	Source         *[]string       `json:"source,omitempty" xml:"source>url,omitempty"`
+	Destination    *[]string       `json:"destination,omitempty" xml:"destination>url,omitempty"`
 }
 
 type DataFlow string
@@ -1296,7 +1301,7 @@ type Service struct {
 	Endpoints            *[]string             `json:"endpoints,omitempty" xml:"endpoints>endpoint,omitempty"`
 	Authenticated        *bool                 `json:"authenticated,omitempty" xml:"authenticated,omitempty"`
 	CrossesTrustBoundary *bool                 `json:"x-trust-boundary,omitempty" xml:"x-trust-boundary,omitempty"`
-	Data                 *[]DataClassification `json:"data,omitempty" xml:"data>classification,omitempty"`
+	Data                 *[]DataClassification `json:"data,omitempty" xml:"data>dataflow,omitempty"`
 	Licenses             *Licenses             `json:"licenses,omitempty" xml:"licenses,omitempty"`
 	ExternalReferences   *[]ExternalReference  `json:"externalReferences,omitempty" xml:"externalReferences>reference,omitempty"`
 	Properties           *[]Property           `json:"properties,omitempty" xml:"properties>property,omitempty"`

cyclonedx_xml.go

@@ -542,6 +542,182 @@ func (ev *Evidence) UnmarshalXML(d *xml.Decoder, _ xml.StartElement) error {
 	return nil
 }
 
+// MarshalXML implements custom XML marshaling for DataClassification to support the v1.6 dataflow format
+func (dc DataClassification) MarshalXML(e *xml.Encoder, start xml.StartElement) error {
+	start.Name.Local = "dataflow"
+
+	// Add name and description as attributes if present
+	if dc.Name != "" {
+		start.Attr = append(start.Attr, xml.Attr{Name: xml.Name{Local: "name"}, Value: dc.Name})
+	}
+	if dc.Description != "" {
+		start.Attr = append(start.Attr, xml.Attr{Name: xml.Name{Local: "description"}, Value: dc.Description})
+	}
+
+	if err := e.EncodeToken(start); err != nil {
+		return err
+	}
+
+	// Encode classification element with flow attribute and text content
+	if dc.Classification != "" || dc.Flow != "" {
+		classStart := xml.StartElement{Name: xml.Name{Local: "classification"}}
+		if dc.Flow != "" {
+			classStart.Attr = append(classStart.Attr, xml.Attr{Name: xml.Name{Local: "flow"}, Value: string(dc.Flow)})
+		}
+		if err := e.EncodeToken(classStart); err != nil {
+			return err
+		}
+		if dc.Classification != "" {
+			if err := e.EncodeToken(xml.CharData(dc.Classification)); err != nil {
+				return err
+			}
+		}
+		if err := e.EncodeToken(xml.EndElement{Name: classStart.Name}); err != nil {
+			return err
+		}
+	}
+
+	// Encode governance
+	if dc.Governance != nil {
+		govStart := xml.StartElement{Name: xml.Name{Local: "governance"}}
+		if err := e.EncodeElement(dc.Governance, govStart); err != nil {
+			return err
+		}
+	}
+
+	// Encode source URLs
+	if dc.Source != nil && len(*dc.Source) > 0 {
+		sourceStart := xml.StartElement{Name: xml.Name{Local: "source"}}
+		if err := e.EncodeToken(sourceStart); err != nil {
+			return err
+		}
+		for _, url := range *dc.Source {
+			urlStart := xml.StartElement{Name: xml.Name{Local: "url"}}
+			if err := e.EncodeElement(url, urlStart); err != nil {
+				return err
+			}
+		}
+		if err := e.EncodeToken(xml.EndElement{Name: sourceStart.Name}); err != nil {
+			return err
+		}
+	}
+
+	// Encode destination URLs
+	if dc.Destination != nil && len(*dc.Destination) > 0 {
+		destStart := xml.StartElement{Name: xml.Name{Local: "destination"}}
+		if err := e.EncodeToken(destStart); err != nil {
+			return err
+		}
+		for _, url := range *dc.Destination {
+			urlStart := xml.StartElement{Name: xml.Name{Local: "url"}}
+			if err := e.EncodeElement(url, urlStart); err != nil {
+				return err
+			}
+		}
+		if err := e.EncodeToken(xml.EndElement{Name: destStart.Name}); err != nil {
+			return err
+		}
+	}
+
+	return e.EncodeToken(xml.EndElement{Name: start.Name})
+}
+
+// UnmarshalXML implements custom XML unmarshaling for DataClassification to support the v1.6 dataflow format
+func (dc *DataClassification) UnmarshalXML(d *xml.Decoder, start xml.StartElement) error {
+	// Parse name and description from attributes
+	for _, attr := range start.Attr {
+		switch attr.Name.Local {
+		case "name":
+			dc.Name = attr.Value
+		case "description":
+			dc.Description = attr.Value
+		}
+	}
+
+	// Parse child elements
+	for {
+		token, err := d.Token()
+		if err != nil {
+			return err
+		}
+
+		switch el := token.(type) {
+		case xml.StartElement:
+			switch el.Name.Local {
+			case "classification":
+				// Parse flow attribute
+				for _, attr := range el.Attr {
+					if attr.Name.Local == "flow" {
+						dc.Flow = DataFlow(attr.Value)
+					}
+				}
+				// Parse classification text
+				var content string
+				if err := d.DecodeElement(&content, &el); err != nil {
+					return err
+				}
+				dc.Classification = content
+
+			case "governance":
+				var gov DataGovernance
+				if err := d.DecodeElement(&gov, &el); err != nil {
+					return err
+				}
+				dc.Governance = &gov
+
+			case "source":
+				var urls []string
+				for {
+					token, err := d.Token()
+					if err != nil {
+						return err
+					}
+					if end, ok := token.(xml.EndElement); ok && end.Name.Local == "source" {
+						break
+					}
+					if urlEl, ok := token.(xml.StartElement); ok && urlEl.Name.Local == "url" {
+						var url string
+						if err := d.DecodeElement(&url, &urlEl); err != nil {
+							return err
+						}
+						urls = append(urls, url)
+					}
+				}
+				if len(urls) > 0 {
+					dc.Source = &urls
+				}
+
+			case "destination":
+				var urls []string
+				for {
+					token, err := d.Token()
+					if err != nil {
+						return err
+					}
+					if end, ok := token.(xml.EndElement); ok && end.Name.Local == "destination" {
+						break
+					}
+					if urlEl, ok := token.(xml.StartElement); ok && urlEl.Name.Local == "url" {
+						var url string
+						if err := d.DecodeElement(&url, &urlEl); err != nil {
+							return err
+						}
+						urls = append(urls, url)
+					}
+				}
+				if len(urls) > 0 {
+					dc.Destination = &urls
+				}
+			}
+
+		case xml.EndElement:
+			if el.Name.Local == "dataflow" {
+				return nil
+			}
+		}
+	}
+}
+
 var xmlNamespaces = map[SpecVersion]string{
 	SpecVersion1_0: "http://cyclonedx.org/schema/bom/1.0",
 	SpecVersion1_1: "http://cyclonedx.org/schema/bom/1.1",

testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-service-data-governance.json

@@ -0,0 +1,66 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "services": [
+    {
+      "bom-ref": "api-service",
+      "name": "Payment API",
+      "version": "1.0.0",
+      "description": "Payment processing service",
+      "data": [
+        {
+          "flow": "inbound",
+          "classification": "PII",
+          "name": "Customer Payment Data",
+          "description": "Credit card and billing information from customers",
+          "governance": {
+            "custodians": [
+              {
+                "organization": {
+                  "name": "Security Team",
+                  "url": [
+                    "https://security.example.com"
+                  ]
+                }
+              }
+            ],
+            "stewards": [
+              {
+                "organization": {
+                  "name": "Data Governance"
+                }
+              }
+            ]
+          },
+          "source": [
+            "https://frontend.example.com",
+            "urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1#web-app"
+          ],
+          "destination": [
+            "https://payment-processor.example.com"
+          ]
+        },
+        {
+          "flow": "outbound",
+          "classification": "public",
+          "name": "Transaction Receipt",
+          "description": "Receipt data sent to customers",
+          "source": [
+            "https://payment-processor.example.com"
+          ],
+          "destination": [
+            "https://email-service.example.com",
+            "https://frontend.example.com"
+          ]
+        },
+        {
+          "flow": "bi-directional",
+          "classification": "confidential"
+        }
+      ]
+    }
+  ]
+}
+

testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-annotation.xml

@@ -76,7 +76,9 @@
           <authenticated>true</authenticated>
           <x-trust-boundary>true</x-trust-boundary>
           <data>
-            <classification flow="bi-directional">pubic</classification>
+            <dataflow>
+              <classification flow="bi-directional">pubic</classification>
+            </dataflow>
           </data>
         </service>
       </annotator>

testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-release-notes.xml

@@ -77,10 +77,18 @@
       <authenticated>true</authenticated>
       <x-trust-boundary>true</x-trust-boundary>
       <data>
-        <classification flow="inbound">PII</classification>
-        <classification flow="outbound">PIFI</classification>
-        <classification flow="bi-directional">pubic</classification>
-        <classification flow="unknown">partner-data</classification>
+        <dataflow>
+          <classification flow="inbound">PII</classification>
+        </dataflow>
+        <dataflow>
+          <classification flow="outbound">PIFI</classification>
+        </dataflow>
+        <dataflow>
+          <classification flow="bi-directional">pubic</classification>
+        </dataflow>
+        <dataflow>
+          <classification flow="unknown">partner-data</classification>
+        </dataflow>
       </data>
       <licenses>
         <license>

testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-service-data-governance.xml

@@ -0,0 +1,52 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.6" serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79" version="1">
+  <services>
+    <service bom-ref="api-service">
+      <name>Payment API</name>
+      <version>1.0.0</version>
+      <description>Payment processing service</description>
+      <data>
+        <dataflow name="Customer Payment Data" description="Credit card and billing information from customers">
+          <classification flow="inbound">PII</classification>
+          <governance>
+            <custodians>
+              <custodian>
+                <organization>
+                  <name>Security Team</name>
+                  <url>https://security.example.com</url>
+                </organization>
+              </custodian>
+            </custodians>
+            <stewards>
+              <steward>
+                <organization>
+                  <name>Data Governance</name>
+                </organization>
+              </steward>
+            </stewards>
+          </governance>
+          <source>
+            <url>https://frontend.example.com</url>
+            <url>urn:cdx:f08a6ccd-4dce-4759-bd84-c626675d60a7/1#web-app</url>
+          </source>
+          <destination>
+            <url>https://payment-processor.example.com</url>
+          </destination>
+        </dataflow>
+        <dataflow name="Transaction Receipt" description="Receipt data sent to customers">
+          <classification flow="outbound">public</classification>
+          <source>
+            <url>https://payment-processor.example.com</url>
+          </source>
+          <destination>
+            <url>https://email-service.example.com</url>
+            <url>https://frontend.example.com</url>
+          </destination>
+        </dataflow>
+        <dataflow>
+          <classification flow="bi-directional">confidential</classification>
+        </dataflow>
+      </data>
+    </service>
+  </services>
+</bom>