feat: support for CycloneDX schema 1.4.2 - adds vulnerability.properties to the schema

Author: madpah

cyclonedx/model/vulnerability.py

@@ -27,7 +27,7 @@
 from sortedcontainers import SortedSet
 
 from ..exception.model import MutuallyExclusivePropertiesException, NoPropertiesProvidedException
-from . import ComparableTuple, OrganizationalContact, OrganizationalEntity, Tool, XsUri
+from . import ComparableTuple, OrganizationalContact, OrganizationalEntity, Property, Tool, XsUri
 from .bom_ref import BomRef
 from .impact_analysis import (
     ImpactAnalysisAffectedStatus,
@@ -788,6 +788,7 @@ def __init__(self, *, bom_ref: Optional[str] = None, id: Optional[str] = None,
                  credits: Optional[VulnerabilityCredits] = None,
                  tools: Optional[Iterable[Tool]] = None, analysis: Optional[VulnerabilityAnalysis] = None,
                  affects_targets: Optional[Iterable[BomTarget]] = None,
+                 properties: Optional[Iterable[Property]] = None,
                  # Deprecated Parameters kept for backwards compatibility
                  source_name: Optional[str] = None, source_url: Optional[str] = None,
                  recommendations: Optional[Iterable[str]] = None) -> None:
@@ -808,6 +809,7 @@ def __init__(self, *, bom_ref: Optional[str] = None, id: Optional[str] = None,
         self.tools = tools or []  # type: ignore
         self.analysis = analysis
         self.affects = affects_targets or []  # type: ignore
+        self.properties = properties or []  # type: ignore
 
         if source_name or source_url:
             warnings.warn('`source_name` and `source_url` are deprecated - use `source`', DeprecationWarning)
@@ -1062,6 +1064,21 @@ def affects(self) -> "SortedSet[BomTarget]":
     def affects(self, affects_targets: Iterable[BomTarget]) -> None:
         self._affects = SortedSet(affects_targets)
 
+    @property
+    def properties(self) -> "SortedSet[Property]":
+        """
+        Provides the ability to document properties in a key/value store. This provides flexibility to include data not
+        officially supported in the standard without having to use additional namespaces or create extensions.
+
+        Return:
+            Set of `Property`
+        """
+        return self._properties
+
+    @properties.setter
+    def properties(self, properties: Iterable[Property]) -> None:
+        self._properties = SortedSet(properties)
+
     def __eq__(self, other: object) -> bool:
         if isinstance(other, Vulnerability):
             return hash(other) == hash(self)
@@ -1079,7 +1096,7 @@ def __hash__(self) -> int:
         return hash((
             self.id, self.source, tuple(self.references), tuple(self.ratings), tuple(self.cwes), self.description,
             self.detail, self.recommendation, tuple(self.advisories), self.created, self.published, self.updated,
-            self.credits, tuple(self.tools), self.analysis, tuple(self.affects)
+            self.credits, tuple(self.tools), self.analysis, tuple(self.affects), tuple(self.properties)
         ))
 
     def __repr__(self) -> str:

cyclonedx/output/xml.py

@@ -688,6 +688,10 @@ def _get_vulnerability_as_xml_element_post_1_4(self, vulnerability: Vulnerabilit
                     for version in target.versions:
                         Xml._add_bom_target_version_range(parent_element=v_target_versions_element, version=version)
 
+        # properties
+        if vulnerability.properties:
+            Xml._add_properties_element(properties=vulnerability.properties, parent_element=vulnerability_element)
+
         return vulnerability_element
 
     @staticmethod

cyclonedx/schema/bom-1.4.xsd

@@ -22,7 +22,7 @@ limitations under the License.
            targetNamespace="http://cyclonedx.org/schema/bom/1.4"
            vc:minVersion="1.0"
            vc:maxVersion="1.1"
-           version="1.4.1">
+           version="1.4.2">
 
     <xs:import namespace="http://cyclonedx.org/schema/spdx" schemaLocation="spdx.xsd"/>
 
@@ -2014,6 +2014,16 @@ limitations under the License.
                     </xs:sequence>
                 </xs:complexType>
             </xs:element>
+            <xs:element name="properties" type="bom:propertiesType" minOccurs="0" maxOccurs="1">
+                <xs:annotation>
+                    <xs:documentation>Provides the ability to document properties in a key/value store.
+                        This provides flexibility to include data not officially supported in the standard
+                        without having to use additional namespaces or create extensions. Property names
+                        of interest to the general public are encouraged to be registered in the
+                        CycloneDX Property Taxonomy - https://github.com/CycloneDX/cyclonedx-property-taxonomy.
+                        Formal registration is OPTIONAL.</xs:documentation>
+                </xs:annotation>
+            </xs:element>
         </xs:sequence>
         <xs:attribute name="bom-ref" type="bom:refType">
             <xs:annotation>