Specification version 1.5 support
paulkoko opened this issue
Are there plans to add support for 1.5?
Hi, any updates on this progress?
(Trivy defaults to 1.5 in its output since Jun 30 - which we are unable to consume currently)
Hey @niclas-g, I really want to get this done but am a bit time constrained with other priorities right now.
If you're willing and able to, you could help by either contributing missing parts in #90, or alternatively test the changes that currently exist in that branch, and let me know of any issues you run into.
If you have an existing code base you could test on with v1.5 BOMs, that'd be super helpful.
When you say you can't consume BOMs generated by Trivy, is it that info is being dropped, or is decoding failing entirely?
I'll be happy to test against our codebase, I'll see if I can put some time towards it this week or next.
Decoding fails entirely; it returns an ErrInvalidSpecVersion here when it discovers that it's an unsupported version.
Ah, I see. This is technically fixed in master already (cyclonedx-go/cyclonedx_json.go, lines 28 to 62 in 83031d6).
For a short-term "solution" I could cut a v0.7.2 release, so that at least decoding works again. Would that help?
@nscuro, that would be great!
@niclas-g Here we go: https://github.com/CycloneDX/cyclonedx-go/releases/tag/v0.7.2
Would still very much appreciate it if you could also test the spec-v1.5 branch with your code base! :)
Thanks @nscuro! I'll have a look at the release shortly and try out the branch against our code base next week.
Ok, now I have had some time to test the spec-v1.5 branch against our codebase and it runs without any problems @nscuro. That said, we are not looking at anything new introduced in the 1.5 version yet. But the branch doesn't break our application so we are happy :) Keep up the good work! 👍
I am concerned about Metadata.Tools, https://github.com/CycloneDX/cyclonedx-go/blob/master/cyclonedx.go#L439
- In v1.4, tools is an array: https://cyclonedx.org/docs/1.4/json/#metadata_tools
- In v1.5, tools is an object: https://cyclonedx.org/docs/1.5/json/#metadata_tools_oneOf_i0_components
It seems like it will not be possible to deserialize both 1.4 and 1.5 SBOMs into the same structure without a custom deserializer.
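The array-versus-object problem raised in the comment above, as an added example that is not cyclonedx-go's own code: a custom UnmarshalJSON that accepts both the v1.4 array form and the v1.5 object form of metadata.tools in one Go type. The Tool and ToolsChoice types and their field names are assumptions made for this example, and the v1.5 services list is left out.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Tool is a minimal stand-in for one tool entry (assumed shape, not the cyclonedx-go type).
type Tool struct{ Name string `json:"name"` }

// ToolsChoice accepts both shapes of metadata.tools; "services" is omitted and the field names are assumptions.
type ToolsChoice struct {
	Legacy     []Tool `json:"-"`                    // v1.4: "tools": [ ... ]
	Components []Tool `json:"components,omitempty"` // v1.5: "tools": { "components": [ ... ] }
}

// UnmarshalJSON dispatches on the first byte: '[' is the v1.4 array, '{' the v1.5 object.
func (t *ToolsChoice) UnmarshalJSON(data []byte) error {
	data = bytes.TrimSpace(data)
	switch {
	case len(data) == 0 || bytes.Equal(data, []byte("null")):
		return nil // absent or null: leave both forms empty
	case data[0] == '[':
		return json.Unmarshal(data, &t.Legacy)
	case data[0] == '{':
		type plain ToolsChoice // method-less copy, so Unmarshal does not re-enter this method
		var p plain
		if err := json.Unmarshal(data, &p); err != nil {
			return err
		}
		t.Components = p.Components
		return nil
	default:
		return fmt.Errorf("metadata.tools: expected array (v1.4) or object (v1.5), got %q", data[0])
	}
}

// ToolNames decodes a metadata.tools value of either shape and lists the tool names.
func ToolNames(tools []byte) ([]string, error) {
	var tc ToolsChoice
	if err := json.Unmarshal(tools, &tc); err != nil {
		return nil, err
	}
	names := []string{}
	for _, tl := range append(tc.Legacy, tc.Components...) { // only one side is ever populated
		names = append(names, tl.Name)
	}
	return names, nil
}
```

Because the decision is made on the JSON value shape rather than on specVersion, a document that claims one version but carries the other form still decodes, which is what you want when consuming output from tools that are mid-migration.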