feat: add support for CycloneDX 1.5 (#480)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

go.mod

@@ -7,7 +7,7 @@ require (
 	code.cloudfoundry.org/bytefmt v0.0.0-20230612151507-41ef4d1f67a4
 	cuelang.org/go v0.6.0
 	entgo.io/ent v0.12.3
-	github.com/CycloneDX/cyclonedx-go v0.7.2
+	github.com/CycloneDX/cyclonedx-go v0.8.0
 	github.com/adrg/xdg v0.4.0
 	github.com/aws/aws-sdk-go-v2 v1.21.2
 	github.com/aws/aws-sdk-go-v2/config v1.19.1

go.sum

@@ -108,8 +108,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go v1.2.0 h1:hVeq+yCyUi+
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.0/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
-github.com/CycloneDX/cyclonedx-go v0.7.2 h1:kKQ0t1dPOlugSIYVOMiMtFqeXI2wp/f5DBIdfux8gnQ=
-github.com/CycloneDX/cyclonedx-go v0.7.2/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
+github.com/CycloneDX/cyclonedx-go v0.8.0 h1:FyWVj6x6hoJrui5uRQdYZcSievw3Z32Z88uYzG/0D6M=
+github.com/CycloneDX/cyclonedx-go v0.8.0/go.mod h1:K2bA+324+Og0X84fA8HhN2X066K7Bxz4rpMQ4ZhjtSk=
 github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60=
 github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
 github.com/DataDog/datadog-go v3.2.0+incompatible/go.mod h1:LButxg5PwREeZtORoXG3tL4fMGNddJ+vMq1mwgfaqoQ=

internal/attestation/crafter/materials/cyclonedxjson_test.go

@@ -65,9 +65,11 @@ func TestNewCyclonedxJSONCrafter(t *testing.T) {
 
 func TestCyclonedxJSONCraft(t *testing.T) {
 	testCases := []struct {
-		name     string
-		filePath string
-		wantErr  string
+		name         string
+		filePath     string
+		wantErr      string
+		wantFilename string
+		wantDigest   string
 	}{
 		{
 			name:     "invalid path",
@@ -85,8 +87,16 @@ func TestCyclonedxJSONCraft(t *testing.T) {
 			wantErr:  "unexpected material type",
 		},
 		{
-			name:     "valid artifact type",
-			filePath: "./testdata/sbom.cyclonedx.json",
+			name:         "1.4 version",
+			filePath:     "./testdata/sbom.cyclonedx.json",
+			wantDigest:   "sha256:16159bb881eb4ab7eb5d8afc5350b0feeed1e31c0a268e355e74f9ccbe885e0c",
+			wantFilename: "sbom.cyclonedx.json",
+		},
+		{
+			name:         "1.5 version",
+			filePath:     "./testdata/sbom.cyclonedx-1.5.json",
+			wantDigest:   "sha256:5ca3508f02893b0419b266927f66c7b9dd8b11dbea7faf7cdb9169df8f69d8e3",
+			wantFilename: "sbom.cyclonedx-1.5.json",
 		},
 	}
 
@@ -102,10 +112,7 @@ func TestCyclonedxJSONCraft(t *testing.T) {
 			uploader := mUploader.NewUploader(t)
 			if tc.wantErr == "" {
 				uploader.On("UploadFile", context.TODO(), tc.filePath).
-					Return(&casclient.UpDownStatus{
-						Digest:   "deadbeef",
-						Filename: "sbom.cyclonedx.json",
-					}, nil)
+					Return(&casclient.UpDownStatus{}, nil)
 			}
 
 			backend := &casclient.CASBackend{Uploader: uploader}
@@ -123,9 +130,9 @@ func TestCyclonedxJSONCraft(t *testing.T) {
 			assert.True(got.UploadedToCas)
 
 			// The result includes the digest reference
-			assert.Equal(got.GetArtifact(), &attestationApi.Attestation_Material_Artifact{
-				Id: "test", Digest: "sha256:16159bb881eb4ab7eb5d8afc5350b0feeed1e31c0a268e355e74f9ccbe885e0c", Name: "sbom.cyclonedx.json",
-			})
+			assert.Equal(&attestationApi.Attestation_Material_Artifact{
+				Id: "test", Digest: tc.wantDigest, Name: tc.wantFilename,
+			}, got.GetArtifact())
 		})
 	}
 }