Fixed evidence identity. Updated test cases (#359)

stevespringett · web-flow · commit 63e48c4b05e5 · 2024-01-15T21:43:46.000-06:00
Fixed issue with evidence identity that restricted identity to only a single object. The defect was found in JSON and XML schemas but was correct in protobuf. Updated JSON and XML schemas in a way where they are backward compatible. Updated test cases in v1.6 that support BOTH methods (single object and array of objects) of specifying identity evidence. Closes #272
diff --git a/docgen/json/templates/cyclonedx/tabbed_section.html b/docgen/json/templates/cyclonedx/tabbed_section.html
@@ -11,7 +11,11 @@ <h2 class="handle">
             <a class="nav-link {% if loop.index == 1 -%}active {% endif -%} {{ operator }}-option"
                id="{{ node.html_id }}" data-toggle="tab" href="#tab-pane_{{ node.html_id }}" role="tab"
                onclick="setAnchor('#{{ node.html_id }}')"
-            >{{ node.definition_name or tab_label ~ " " ~ loop.index }}</a>
+            >{{ node.definition_name or tab_label ~ " " ~ loop.index }}
+                {%- if node is deprecated -%}
+                {{ " " }}<span class="badge deprecated-property">Deprecated</span>
+                {%- endif -%}
+            </a>
         </li>
     {%- endfor -%}
 </ul>
diff --git a/schema/bom-1.6.schema.json b/schema/bom-1.6.schema.json
@@ -1982,101 +1982,20 @@
       "additionalProperties": false,
       "properties": {
         "identity": {
-          "type": "object",
-          "description": "Evidence that substantiates the identity of a component.",
-          "required": [ "field" ],
-          "additionalProperties": false,
-          "properties": {
-            "field": {
-              "type": "string",
-              "enum": [
-                "group", "name", "version", "purl", "cpe", "swid", "hash"
-              ],
-              "title": "Field",
-              "description": "The identity field of the component which the evidence describes."
-            },
-            "confidence": {
-              "type": "number",
-              "minimum": 0,
-              "maximum": 1,
-              "title": "Confidence",
-              "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."
-            },
-            "methods": {
+          "description": "Evidence that substantiates the identity of a component. The identify may be an object or an array of identity objects. Support for specifying identify as a single object was introduced in CycloneDX v1.5. Arrays were introduced in v1.6. It is RECOMMENDED that all implementations use arrays, even if only one identity object is specified.",
+          "oneOf" : [
+            {
               "type": "array",
-              "title": "Methods",
-              "description": "The methods used to extract and/or analyze the evidence.",
-              "items": {
-                "type": "object",
-                "required": [
-                  "technique" ,
-                  "confidence"
-                ],
-                "additionalProperties": false,
-                "properties": {
-                  "technique": {
-                    "title": "Technique",
-                    "description": "The technique used in this method of analysis.",
-                    "type": "string",
-                    "enum": [
-                      "source-code-analysis",
-                      "binary-analysis",
-                      "manifest-analysis",
-                      "ast-fingerprint",
-                      "hash-comparison",
-                      "instrumentation",
-                      "dynamic-analysis",
-                      "filename",
-                      "attestation",
-                      "other"
-                    ],
-                    "meta:enum": {
-                      "source-code-analysis": "Examines the source code without executing it.",
-                      "binary-analysis": "Examines a compiled binary through reverse engineering, typically via disassembly or bytecode reversal.",
-                      "manifest-analysis": "Examines a package management system such as those used for building software or installing software.",
-                      "ast-fingerprint": "Examines the Abstract Syntax Tree (AST) of source code or a compiled binary.",
-                      "hash-comparison": "Evaluates the cryptographic hash of a component against a set of pre-computed hashes of identified software.",
-                      "instrumentation": "Examines the call stack of running applications by intercepting and monitoring application logic without the need to modify the application.",
-                      "dynamic-analysis": "Evaluates a running application.",
-                      "filename": "Evaluates file name of a component against a set of known file names of identified software.",
-                      "attestation": "A testimony to the accuracy of the identify of a component made by an individual or entity.",
-                      "other": "Any other technique."
-                    }
-                  },
-                  "confidence": {
-                    "type": "number",
-                    "minimum": 0,
-                    "maximum": 1,
-                    "title": "Confidence",
-                    "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."
-                  },
-                  "value": {
-                    "type": "string",
-                    "title": "Value",
-                    "description": "The value or contents of the evidence."
-                  }
-                }
-              }
+              "title": "Array of Identity Objects",
+              "items": { "$ref": "#/definitions/componentIdentityEvidence" }
             },
-            "tools": {
-              "type": "array",
-              "uniqueItems": true,
-              "items": {
-                "anyOf": [
-                  {
-                    "title": "Ref",
-                    "$ref": "#/definitions/refLinkType"
-                  },
-                  {
-                    "title": "BOM-Link Element",
-                    "$ref": "#/definitions/bomLinkElementType"
-                  }
-                ]
-              },
-              "title": "BOM References",
-              "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."
+            {
+              "title": "A Single Identity Object",
+              "description": "[Deprecated]",
+              "$ref": "#/definitions/componentIdentityEvidence",
+              "deprecated": true
             }
-          }
+          ]
         },
         "occurrences": {
           "type": "array",
@@ -4409,6 +4328,91 @@
         }
       }
     },
+    "componentIdentityEvidence": {
+      "type": "object",
+      "description": "Evidence that substantiates the identity of a component.",
+      "required": [ "field" ],
+      "additionalProperties": false,
+      "properties": {
+        "field": {
+          "type": "string",
+          "enum": [
+            "group", "name", "version", "purl", "cpe", "swid", "hash"
+          ],
+          "title": "Field",
+          "description": "The identity field of the component which the evidence describes."
+        },
+        "confidence": {
+          "type": "number",
+          "minimum": 0,
+          "maximum": 1,
+          "title": "Confidence",
+          "description": "The overall confidence of the evidence from 0 - 1, where 1 is 100% confidence."
+        },
+        "methods": {
+          "type": "array",
+          "title": "Methods",
+          "description": "The methods used to extract and/or analyze the evidence.",
+          "items": {
+            "type": "object",
+            "required": [
+              "technique" ,
+              "confidence"
+            ],
+            "additionalProperties": false,
+            "properties": {
+              "technique": {
+                "title": "Technique",
+                "description": "The technique used in this method of analysis.",
+                "type": "string",
+                "enum": [
+                  "source-code-analysis",
+                  "binary-analysis",
+                  "manifest-analysis",
+                  "ast-fingerprint",
+                  "hash-comparison",
+                  "instrumentation",
+                  "dynamic-analysis",
+                  "filename",
+                  "attestation",
+                  "other"
+                ]
+              },
+              "confidence": {
+                "type": "number",
+                "minimum": 0,
+                "maximum": 1,
+                "title": "Confidence",
+                "description": "The confidence of the evidence from 0 - 1, where 1 is 100% confidence. Confidence is specific to the technique used. Each technique of analysis can have independent confidence."
+              },
+              "value": {
+                "type": "string",
+                "title": "Value",
+                "description": "The value or contents of the evidence."
+              }
+            }
+          }
+        },
+        "tools": {
+          "type": "array",
+          "uniqueItems": true,
+          "items": {
+            "anyOf": [
+              {
+                "title": "Ref",
+                "$ref": "#/definitions/refLinkType"
+              },
+              {
+                "title": "BOM-Link Element",
+                "$ref": "#/definitions/bomLinkElementType"
+              }
+            ]
+          },
+          "title": "BOM References",
+          "description": "The object in the BOM identified by its bom-ref. This is often a component or service, but may be any object type supporting bom-refs. Tools used for analysis should already be defined in the BOM, either in the metadata/tools, components, or formulation."
+        }
+      }
+    },
     "standard": {
       "type": "object",
       "title": "Standard",
diff --git a/schema/bom-1.6.xsd b/schema/bom-1.6.xsd
@@ -2248,9 +2248,12 @@ limitations under the License.
 
     <xs:complexType name="componentEvidenceType">
         <xs:sequence>
-            <xs:element name="identity" minOccurs="0" maxOccurs="1">
+            <xs:element name="identity" minOccurs="0" maxOccurs="unbounded">
                 <xs:annotation>
-                    <xs:documentation>Evidence that substantiates the identity of a component.</xs:documentation>
+                    <xs:documentation>Evidence that substantiates the identity of a component. The identify may be an
+                        object or an array of identity objects. Support for specifying identify as a single object was
+                        introduced in CycloneDX v1.5. "unbounded" was introduced in v1.6. It is RECOMMENDED that all
+                        implementations are aware of "unbounded".</xs:documentation>
                 </xs:annotation>
                 <xs:complexType>
                     <xs:sequence>
diff --git a/tools/src/test/js/json-schema-lint-tests.js b/tools/src/test/js/json-schema-lint-tests.js
@@ -49,6 +49,7 @@ function getAjv(strict) {
         validateFormats: true,
         allowMatchingProperties: true,
         addUsedSchema: false,
+        allowUnionTypes: false,
         keywords: ["meta:enum"],
         schemas: {
             'http://cyclonedx.org/schema/spdx.schema.json': spdxSchema,
diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.json b/tools/src/test/resources/1.6/valid-evidence-1.6.json
@@ -105,6 +105,50 @@
           }
         ]
       }
+    },
+    {
+      "type": "application",
+      "group": "com.example",
+      "name": "example-project",
+      "version": "1.0.0",
+      "purl": "pkg:maven/com.example/example-project@1.0.0",
+      "evidence": {
+        "identity": [
+          {
+            "field": "group",
+            "confidence": 0.1,
+            "methods": [
+              {
+                "technique": "filename",
+                "confidence": 0.1,
+                "value": "example-project-1.0.0.jar"
+              }
+            ]
+          },
+          {
+            "field": "name",
+            "confidence": 0.1,
+            "methods": [
+              {
+                "technique": "filename",
+                "confidence": 0.1,
+                "value": "example-project-1.0.0.jar"
+              }
+            ]
+          },
+          {
+            "field": "version",
+            "confidence": 0.1,
+            "methods": [
+              {
+                "technique": "filename",
+                "confidence": 0.1,
+                "value": "example-project-1.0.0.jar"
+              }
+            ]
+          }
+        ]
+      }
     }
   ]
 }
diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.textproto b/tools/src/test/resources/1.6/valid-evidence-1.6.textproto
diff --git a/tools/src/test/resources/1.6/valid-evidence-1.6.xml b/tools/src/test/resources/1.6/valid-evidence-1.6.xml
