Add XSLT to add VEX references to SBOM

ppkarwasz · ppkarwasz · commit 1a6f6a5c7f98 · 2023-11-03T18:57:20.000+01:00
The XSLT adds an external reference of type 'vulnerability-assertion' to all the components in the `org.apache.logging.log4j` group. It also adds a `serialNumber` and converts the SBOM to version 1.5. Part of #1707.
diff --git a/src/tools/add-sbom-references.xslt b/src/tools/add-sbom-references.xslt
@@ -0,0 +1,106 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements. See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache license, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License. You may obtain a copy of the License at
+  ~
+  ~      http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the license for the specific language governing permissions and
+  ~ limitations under the license.
+  -->
+<!--
+  To add external references run
+      java -cp Xalan_bin_distribution_jars org.apache.xalan.xslt.Process \
+        -IN pom.xml \
+        -OUT pom.xml.out \
+        -XSL this.file.xslt \
+        -PARAM sbom.serialNumber e87ab1a5-3d29-48d5-82fa-211b7e913851
+        -PARAM vdr.serialNumber 2496f0fa-91af-48cc-869f-ef1e03c97018
+        -PARAM vdr.url https://logging.apache.org/log4j/vulnerabilities
+  --> 
+<xsl:stylesheet version="1.0"
+                xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+                xmlns="http://cyclonedx.org/schema/bom/1.5"
+                xmlns:xalan="http://xml.apache.org/xalan"
+                xmlns:cdx14="http://cyclonedx.org/schema/bom/1.4"
+                xmlns:cdx15="http://cyclonedx.org/schema/bom/1.5"
+                exclude-result-prefixes="xalan cdx14 cdx15">
+  <xsl:param name="sbom.serialNumber"/>
+  <xsl:param name="vdr.serialNumber"/>
+  <xsl:param name="vdr.url"/>
+  <xsl:output method="xml"
+              version="1.0"
+              encoding="UTF-8"
+              indent="yes"
+              xalan:indent-amount="2"
+              xalan:line-separator="&#10;"/>
+  <!-- Fixes the license formatting -->
+  <xsl:template match="/">
+    <xsl:text>&#10;</xsl:text>
+    <xsl:apply-templates />
+  </xsl:template>
+  <!-- Standard copy template -->
+  <xsl:template match="@*|node()">
+    <xsl:copy>
+      <xsl:apply-templates select="@*" />
+      <xsl:apply-templates />
+    </xsl:copy>
+  </xsl:template>
+  <xsl:template match="cdx14:*">
+    <xsl:element name="{local-name()}" namespace="http://cyclonedx.org/schema/bom/1.5">
+      <xsl:apply-templates select="@*" />
+      <xsl:apply-templates />
+    </xsl:element>
+  </xsl:template>
+  <!-- Main element -->
+  <xsl:template match="cdx14:bom">
+    <bom>
+      <xsl:attribute name="version">
+        <xsl:value-of select="1"/>
+      </xsl:attribute>
+      <xsl:attribute name="serialNumber">
+        <xsl:value-of select="$sbom.serialNumber"/>
+      </xsl:attribute>
+      <xsl:apply-templates select="cdx14:metadata|cdx14:components"/>
+      <externalReferences>
+        <reference>
+          <xsl:attribute name="type">vulnerability-assertion</xsl:attribute>
+          <url>
+            <xsl:text>urn:cdx:</xsl:text>
+            <xsl:value-of select="$vdr.serialNumber"/>
+          </url>
+        </reference>
+        <reference>
+          <xsl:attribute name="type">vulnerability-assertion</xsl:attribute>
+          <url>
+            <xsl:value-of select="$vdr.url"/>
+          </url>
+        </reference>
+      </externalReferences>
+      <xsl:apply-templates select="cdx14:dependencies"/>
+    </bom>
+  </xsl:template>
+  <xsl:template match="cdx14:externalReferences[preceding-sibling::cdx14:group/text() = 'org.apache.logging.log4j']">
+    <xsl:apply-templates/>
+    <reference>
+      <xsl:attribute name="type">vulnerability-assertion</xsl:attribute>
+      <url>
+        <xsl:text>urn:cdx:</xsl:text>
+        <xsl:value-of select="$vdr.serialNumber"/>
+      </url>
+    </reference>
+    <reference>
+      <xsl:attribute name="type">vulnerability-assertion</xsl:attribute>
+      <url>
+        <xsl:value-of select="$vdr.url"/>
+      </url>
+    </reference>
+  </xsl:template>
+</xsl:stylesheet>
