feat: support for CycloneDX schema version 1.4.2

- Provides support for `vulnerability.properties`

Signed-off-by: Paul Horton <[email protected]>

Author: madpah

cyclonedx/model/vulnerability.py

@@ -27,7 +27,7 @@
 from sortedcontainers import SortedSet
 
 from ..exception.model import MutuallyExclusivePropertiesException, NoPropertiesProvidedException
-from . import ComparableTuple, OrganizationalContact, OrganizationalEntity, Tool, XsUri
+from . import ComparableTuple, OrganizationalContact, OrganizationalEntity, Property, Tool, XsUri
 from .bom_ref import BomRef
 from .impact_analysis import (
     ImpactAnalysisAffectedStatus,
@@ -788,6 +788,7 @@ def __init__(self, *, bom_ref: Optional[str] = None, id: Optional[str] = None,
                  credits: Optional[VulnerabilityCredits] = None,
                  tools: Optional[Iterable[Tool]] = None, analysis: Optional[VulnerabilityAnalysis] = None,
                  affects_targets: Optional[Iterable[BomTarget]] = None,
+                 properties: Optional[Iterable[Property]] = None,
                  # Deprecated Parameters kept for backwards compatibility
                  source_name: Optional[str] = None, source_url: Optional[str] = None,
                  recommendations: Optional[Iterable[str]] = None) -> None:
@@ -808,6 +809,7 @@ def __init__(self, *, bom_ref: Optional[str] = None, id: Optional[str] = None,
         self.tools = tools or []  # type: ignore
         self.analysis = analysis
         self.affects = affects_targets or []  # type: ignore
+        self.properties = properties or []  # type: ignore
 
         if source_name or source_url:
             warnings.warn('`source_name` and `source_url` are deprecated - use `source`', DeprecationWarning)
@@ -1062,6 +1064,21 @@ def affects(self) -> "SortedSet[BomTarget]":
     def affects(self, affects_targets: Iterable[BomTarget]) -> None:
         self._affects = SortedSet(affects_targets)
 
+    @property
+    def properties(self) -> "SortedSet[Property]":
+        """
+        Provides the ability to document properties in a key/value store. This provides flexibility to include data not
+        officially supported in the standard without having to use additional namespaces or create extensions.
+
+        Return:
+            Set of `Property`
+        """
+        return self._properties
+
+    @properties.setter
+    def properties(self, properties: Iterable[Property]) -> None:
+        self._properties = SortedSet(properties)
+
     def __eq__(self, other: object) -> bool:
         if isinstance(other, Vulnerability):
             return hash(other) == hash(self)
@@ -1079,7 +1096,7 @@ def __hash__(self) -> int:
         return hash((
             self.id, self.source, tuple(self.references), tuple(self.ratings), tuple(self.cwes), self.description,
             self.detail, self.recommendation, tuple(self.advisories), self.created, self.published, self.updated,
-            self.credits, tuple(self.tools), self.analysis, tuple(self.affects)
+            self.credits, tuple(self.tools), self.analysis, tuple(self.affects), tuple(self.properties)
         ))
 
     def __repr__(self) -> str:

cyclonedx/output/xml.py

@@ -688,6 +688,10 @@ def _get_vulnerability_as_xml_element_post_1_4(self, vulnerability: Vulnerabilit
                     for version in target.versions:
                         Xml._add_bom_target_version_range(parent_element=v_target_versions_element, version=version)
 
+        # properties
+        if vulnerability.properties:
+            Xml._add_properties_element(properties=vulnerability.properties, parent_element=vulnerability_element)
+
         return vulnerability_element
 
     @staticmethod

tests/data.py

@@ -214,7 +214,8 @@ def get_bom_with_component_setuptools_with_vulnerability() -> Bom:
                     version_range='49.0.0 - 54.0.0', status=ImpactAnalysisAffectedStatus.AFFECTED
                 )]
             )
-        ]
+        ],
+        properties=get_properties_1()
     )
     component.add_vulnerability(vulnerability=vulnerability)
     bom.components.add(component)

tests/fixtures/json/1.4/bom_setuptools_with_vulnerabilities.json

@@ -180,6 +180,16 @@
             }
           ]
         }
+      ],
+      "properties": [
+        {
+          "name": "key1",
+          "value": "val1"
+        },
+        {
+          "name": "key2",
+          "value": "val2"
+        }
       ]
     }
   ]

tests/fixtures/xml/1.4/bom_setuptools_with_vulnerabilities.xml

@@ -157,6 +157,10 @@
                     </versions>
                 </target>
             </affects>
+            <properties>
+                <property name="key1">val1</property>
+                <property name="key2">val2</property>
+            </properties>
         </vulnerability>
     </vulnerabilities>
 </bom>

typings/sortedcontainers.pyi

@@ -3,19 +3,16 @@
 # The contents of this file were obtained from 
 #  https://github.com/althonos/python-sortedcontainers/blob/d0a225d7fd0fb4c54532b8798af3cbeebf97e2d5/sortedcontainers/sortedset.pyi
 
-from typing import (
+from typing import (  # Iterator,; Tuple,; Type,
     Any,
     Callable,
     Hashable,
     Iterable,
-#    Iterator,
     List,
     MutableSet,
     Optional,
     Sequence,
     Set,
-#    Tuple,
-#    Type,
     TypeVar,
     Union,
     overload,