Merge pull request #575 from justahero/sebastian/feat/v1_4_squash

Add support for 1.4 to cyclonedx-bom

Author: Shnatsel

.gitignore

@@ -4,8 +4,10 @@
 # SBOM documents
 **/bom.xml
 **/*.cdx.xml
+!cyclonedx-bom/tests/examples/**/*.cdx.xml
 **/bom.json
 **/*.cdx.json
+!cyclonedx-bom/tests/examples/**/*.cdx.json
 
 # Nix Flake
 /.direnv/

Cargo.lock

@@ -332,7 +332,7 @@ impl SbomGenerator {
     }
 
     fn get_licenses(&self, package: &Package) -> Option<Licenses> {
-        let mut licenses = vec![];
+        let mut licenses: Option<LicenseChoice> = None;
 
         if let Some(license) = &package.license {
             let parse_mode = self
@@ -355,7 +355,7 @@ impl SbomGenerator {
             };
 
             match result {
-                Ok(expression) => licenses.push(LicenseChoice::Expression(expression)),
+                Ok(expression) => licenses = Some(LicenseChoice::Expressions(vec![expression])),
                 Err(err) => {
                     let level = match &self.config.license_parser {
                         Some(opts) if opts.accept_named.contains(license) => Level::Info,
@@ -368,17 +368,19 @@ impl SbomGenerator {
                         license,
                         err,
                     );
-                    licenses.push(LicenseChoice::License(License::named_license(license)));
+                    licenses = Some(LicenseChoice::Licenses(vec![License::named_license(
+                        license,
+                    )]));
                 }
             }
         }
 
-        if licenses.is_empty() {
+        if let Some(licenses) = licenses {
+            Some(Licenses(licenses))
+        } else {
             log::trace!("Package {} has no licenses", package.name);
-            return None;
+            None
         }
-
-        Some(Licenses(licenses))
     }
 
     fn create_metadata(&self, package: &Package) -> Result<Metadata, GeneratorError> {

cargo-cyclonedx/src/generator.rs

@@ -0,0 +1,44 @@
+# Contributing
+
+Pull requests are welcome.
+But please read the
+[CycloneDX contributing guidelines](https://github.com/CycloneDX/.github/blob/master/CONTRIBUTING.md)
+first.
+
+## Build
+
+```shell
+cargo +stable build --verbose
+```
+
+## Test
+
+Run the tests:
+
+```shell
+cargo test
+```
+
+## Coding standards
+
+Check for deviations from coding standards:
+
+```shell
+cargo fmt -- --check
+cargo clippy --all-targets
+```
+
+Apply coding standards via:
+
+```shell
+cargo fmt
+```
+
+## Sign off your commits
+
+Please sign off your commits,
+to show that you agree to publish your changes under the current terms and licenses of the project.
+
+```shell
+git commit --signoff ...
+```

cyclonedx-bom/CONTRIBUTING.md

@@ -15,8 +15,9 @@ rust-version.workspace = true
 
 [dependencies]
 base64 = "0.21.2"
-http = "1.0.0"
+fluent-uri = "0.1.4"
 once_cell = "1.18.0"
+ordered-float = { version = "4.1.1", default-features = false }
 packageurl = "0.3.0"
 regex = "1.9.3"
 serde = { version = "1.0.193", features = ["derive"] }

cyclonedx-bom/Cargo.toml

@@ -83,6 +83,14 @@ assert_eq!(
 );
 ```
 
+## Verification and Validation
+
+see [README](./tests/README.md) for details.
+
+## Contributing
+
+see [CONTRIBUTING](./CONTRIBUTING.md) for details.
+
 ## Copyright & License
 
 CycloneDX Rust Cargo is Copyright (c) OWASP Foundation. All Rights Reserved.

cyclonedx-bom/README.md

@@ -24,6 +24,9 @@ pub enum BomError {
 
     #[error("Failed to serialize BOM to XML: {0}")]
     XmlSerializationError(String),
+
+    #[error("Failed to serialize BOM to v1.3: {0}")]
+    BomV13SerializationError(String),
 }
 
 #[derive(Debug, thiserror::Error)]
@@ -34,6 +37,11 @@ pub enum JsonWriteError {
         #[from]
         error: serde_json::Error,
     },
+    #[error("Failed to convert Bom: {error}")]
+    BomError {
+        #[from]
+        error: BomError,
+    },
 }
 
 #[derive(Debug, thiserror::Error)]
@@ -45,6 +53,11 @@ pub enum XmlWriteError {
         error: xml::writer::Error,
         element: String,
     },
+    #[error("Failed to convert Bom: {error}")]
+    BomError {
+        #[from]
+        error: BomError,
+    },
 }
 
 #[derive(Debug, thiserror::Error)]

cyclonedx-bom/src/errors.rs

@@ -18,6 +18,7 @@
 
 use std::{convert::TryFrom, str::FromStr};
 
+use fluent_uri::Uri as Url;
 use packageurl::PackageUrl;
 use thiserror::Error;
 
@@ -74,7 +75,7 @@ impl TryFrom<String> for Uri {
     type Error = UriError;
 
     fn try_from(value: String) -> Result<Self, Self::Error> {
-        match value.parse::<http::Uri>() {
+        match Url::parse(value.as_str()) {
             Ok(_) => Ok(Uri(value)),
             Err(_) => Err(UriError::InvalidUri(
                 "Uri does not conform to RFC 3986".to_string(),
@@ -88,11 +89,11 @@ impl Validate for Uri {
         &self,
         context: ValidationContext,
     ) -> Result<ValidationResult, ValidationError> {
-        match self.0.parse::<http::Uri>() {
+        match Url::parse(&self.0.to_string()) {
             Ok(_) => Ok(ValidationResult::Passed),
             Err(_) => Ok(ValidationResult::Failed {
                 reasons: vec![FailureReason {
-                    message: "Uri does not conform to ISO 8601".to_string(),
+                    message: "Uri does not conform to RFC 3986".to_string(),
                     context,
                 }],
             }),
@@ -169,7 +170,7 @@ mod test {
             validation_result,
             ValidationResult::Failed {
                 reasons: vec![FailureReason {
-                    message: "Uri does not conform to ISO 8601".to_string(),
+                    message: "Uri does not conform to RFC 3986".to_string(),
                     context: ValidationContext::default()
                 }]
             }