feat(spec1-5): add support for identity, occurrences, and callstack evidence

Signed-off-by: nscuro <[email protected]>

Author: nscuro

convert.go

@@ -140,6 +140,12 @@ func componentConverter(specVersion SpecVersion) func(*Component) {
 		if specVersion < SpecVersion1_5 {
 			c.ModelCard = nil
 			c.Data = nil
+
+			if c.Evidence != nil {
+				c.Evidence.Identity = nil
+				c.Evidence.Occurrences = nil
+				c.Evidence.Callstack = nil
+			}
 		}
 
 		if !specVersion.supportsComponentType(c.Type) {

cyclonedx.go

@@ -116,6 +116,20 @@ func Bool(value bool) *bool {
 
 type BOMReference string
 
+type Callstack struct {
+	Frames *[]CallstackFrame `json:"frames,omitempty" xml:"frames>frame,omitempty"`
+}
+
+type CallstackFrame struct {
+	Package      string    `json:"package,omitempty" xml:"package,omitempty"`
+	Module       string    `json:"module,omitempty" xml:"module,omitempty"`
+	Function     string    `json:"function,omitempty" xml:"function,omitempty"`
+	Parameters   *[]string `json:"parameters,omitempty" xml:"parameters>parameter,omitempty"`
+	Line         *int      `json:"line,omitempty" xml:"line,omitempty"`
+	Column       *int      `json:"column,omitempty" xml:"column,omitempty"`
+	FullFilename string    `json:"fullFilename,omitempty" xml:"fullFilename,omitempty"`
+}
+
 type ComponentType string
 
 const (
@@ -275,8 +289,56 @@ type Diff struct {
 }
 
 type Evidence struct {
-	Licenses  *Licenses    `json:"licenses,omitempty" xml:"licenses,omitempty"`
-	Copyright *[]Copyright `json:"copyright,omitempty" xml:"copyright>text,omitempty"`
+	Identity    *EvidenceIdentity     `json:"identity,omitempty" xml:"identity,omitempty"`
+	Occurrences *[]EvidenceOccurrence `json:"occurrences,omitempty" xml:"occurrences>occurrence,omitempty"`
+	Callstack   *Callstack            `json:"callstack,omitempty" xml:"callstack,omitempty"`
+	Licenses    *Licenses             `json:"licenses,omitempty" xml:"licenses,omitempty"`
+	Copyright   *[]Copyright          `json:"copyright,omitempty" xml:"copyright>text,omitempty"`
+}
+
+type EvidenceIdentity struct {
+	Field      EvidenceIdentityFieldType `json:"field,omitempty" xml:"field,omitempty"`
+	Confidence *float32                  `json:"confidence,omitempty" xml:"confidence,omitempty"`
+	Methods    *[]EvidenceIdentityMethod `json:"methods,omitempty" xml:"methods>method,omitempty"`
+	Tools      *[]BOMReference           `json:"tools,omitempty" xml:"tools>tool,omitempty"`
+}
+
+type EvidenceIdentityFieldType string
+
+const (
+	EvidenceIdentityFieldTypeCPE     EvidenceIdentityFieldType = "cpe"
+	EvidenceIdentityFieldTypeGroup   EvidenceIdentityFieldType = "group"
+	EvidenceIdentityFieldTypeHash    EvidenceIdentityFieldType = "hash"
+	EvidenceIdentityFieldTypeName    EvidenceIdentityFieldType = "name"
+	EvidenceIdentityFieldTypePURL    EvidenceIdentityFieldType = "purl"
+	EvidenceIdentityFieldTypeSWID    EvidenceIdentityFieldType = "swid"
+	EvidenceIdentityFieldTypeVersion EvidenceIdentityFieldType = "version"
+)
+
+type EvidenceIdentityMethod struct {
+	Technique  EvidenceIdentityTechnique `json:"technique,omitempty" xml:"technique,omitempty"`
+	Confidence *float32                  `json:"confidence,omitempty" xml:"confidence,omitempty"`
+	Value      string                    `json:"value,omitempty" xml:"value,omitempty"`
+}
+
+type EvidenceIdentityTechnique string
+
+const (
+	EvidenceIdentityTechniqueASTFingerprint     EvidenceIdentityTechnique = "ast-fingerprint"
+	EvidenceIdentityTechniqueAttestation        EvidenceIdentityTechnique = "attestation"
+	EvidenceIdentityTechniqueBinaryAnalysis     EvidenceIdentityTechnique = "binary-analysis"
+	EvidenceIdentityTechniqueDynamicAnalysis    EvidenceIdentityTechnique = "dynamic-analysis"
+	EvidenceIdentityTechniqueFilename           EvidenceIdentityTechnique = "filename"
+	EvidenceIdentityTechniqueHashComparison     EvidenceIdentityTechnique = "hash-comparison"
+	EvidenceIdentityTechniqueInstrumentation    EvidenceIdentityTechnique = "instrumentation"
+	EvidenceIdentityTechniqueManifestAnalysis   EvidenceIdentityTechnique = "manifest-analysis"
+	EvidenceIdentityTechniqueOther              EvidenceIdentityTechnique = "other"
+	EvidenceIdentityTechniqueSourceCodeAnalysis EvidenceIdentityTechnique = "source-code-analysis"
+)
+
+type EvidenceOccurrence struct {
+	BOMRef   string `json:"bom-ref,omitempty" xml:"bom-ref,attr,omitempty"`
+	Location string `json:"location,omitempty" xml:"location,omitempty"`
 }
 
 type ExternalReference struct {

testdata/snapshots/cyclonedx-go-TestRoundTripJSON-func1-valid-evidence.json

@@ -19,6 +19,65 @@
       ],
       "purl": "pkg:maven/com.google.code.findbugs/[email protected]",
       "evidence": {
+        "identity": {
+          "field": "purl",
+          "confidence": 1,
+          "methods": [
+            {
+              "technique": "filename",
+              "confidence": 0.1,
+              "value": "findbugs-project-3.0.0.jar"
+            },
+            {
+              "technique": "ast-fingerprint",
+              "confidence": 0.9,
+              "value": "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab"
+            },
+            {
+              "technique": "hash-comparison",
+              "confidence": 0.7,
+              "value": "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf"
+            }
+          ],
+          "tools": [
+            "bom-ref-of-tool-that-performed-analysis"
+          ]
+        },
+        "occurrences": [
+          {
+            "bom-ref": "d6bf237e-4e11-4713-9f62-56d18d5e2079",
+            "location": "/path/to/component"
+          },
+          {
+            "bom-ref": "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175",
+            "location": "/another/path/to/component"
+          }
+        ],
+        "callstack": {
+          "frames": [
+            {
+              "package": "com.apache.logging.log4j.core",
+              "module": "Logger.class",
+              "function": "logMessage",
+              "parameters": [
+                "com.acme.HelloWorld",
+                "Level.INFO",
+                "null",
+                "Hello World"
+              ],
+              "line": 150,
+              "column": 17,
+              "fullFilename": "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class"
+            },
+            {
+              "module": "HelloWorld.class",
+              "function": "main",
+              "line": 20,
+              "column": 12,
+              "fullFilename": "/path/to/HelloWorld.class"
+            }
+          ]
+        },
         "licenses": [
           {
             "license": {

testdata/snapshots/cyclonedx-go-TestRoundTripXML-func1-valid-evidence.xml

@@ -13,6 +13,63 @@
       </licenses>
       <purl>pkg:maven/com.google.code.findbugs/[email protected]</purl>
       <evidence>
+        <identity>
+          <field>purl</field>
+          <confidence>1</confidence>
+          <methods>
+            <method>
+              <technique>filename</technique>
+              <confidence>0.1</confidence>
+              <value>findbugs-project-3.0.0.jar</value>
+            </method>
+            <method>
+              <technique>ast-fingerprint</technique>
+              <confidence>0.9</confidence>
+              <value>61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab</value>
+            </method>
+            <method>
+              <technique>hash-comparison</technique>
+              <confidence>0.7</confidence>
+              <value>7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf</value>
+            </method>
+          </methods>
+          <tools>
+            <tool ref="bom-ref-of-tool-that-performed-analysis"></tool>
+          </tools>
+        </identity>
+        <occurrences>
+          <occurrence bom-ref="d6bf237e-4e11-4713-9f62-56d18d5e2079">
+            <location>/path/to/component</location>
+          </occurrence>
+          <occurrence bom-ref="b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175">
+            <location>/another/path/to/component</location>
+          </occurrence>
+        </occurrences>
+        <callstack>
+          <frames>
+            <frame>
+              <package>com.apache.logging.log4j.core</package>
+              <module>Logger.class</module>
+              <function>logMessage</function>
+              <parameters>
+                <parameter>com.acme.HelloWorld</parameter>
+                <parameter>Level.INFO</parameter>
+                <parameter>null</parameter>
+                <parameter>Hello World</parameter>
+              </parameters>
+              <line>150</line>
+              <column>17</column>
+              <fullFilename>/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class</fullFilename>
+            </frame>
+            <frame>
+              <module>HelloWorld.class</module>
+              <function>main</function>
+              <line>20</line>
+              <column>12</column>
+              <fullFilename>/path/to/HelloWorld.class</fullFilename>
+            </frame>
+          </frames>
+        </callstack>
         <licenses>
           <license>
             <id>Apache-2.0</id>

testdata/valid-evidence.json

@@ -19,6 +19,63 @@
       ],
       "purl": "pkg:maven/com.google.code.findbugs/[email protected]",
       "evidence": {
+        "identity": {
+          "field": "purl",
+          "confidence": 1,
+          "methods": [
+            {
+              "technique": "filename",
+              "confidence": 0.1,
+              "value": "findbugs-project-3.0.0.jar"
+            },
+            {
+              "technique": "ast-fingerprint",
+              "confidence": 0.9,
+              "value": "61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab"
+            },
+            {
+              "technique": "hash-comparison",
+              "confidence": 0.7,
+              "value": "7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf"
+            }
+          ],
+          "tools": [
+            "bom-ref-of-tool-that-performed-analysis"
+          ]
+        },
+        "occurrences": [
+          {
+            "bom-ref": "d6bf237e-4e11-4713-9f62-56d18d5e2079",
+            "location": "/path/to/component"
+          },
+          {
+            "bom-ref": "b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175",
+            "location": "/another/path/to/component"
+          }
+        ],
+        "callstack": {
+          "frames": [
+            {
+
+              "package": "com.apache.logging.log4j.core",
+              "module": "Logger.class",
+              "function": "logMessage",
+              "parameters": [
+                "com.acme.HelloWorld", "Level.INFO", "null", "Hello World"
+              ],
+              "line": 150,
+              "column": 17,
+              "fullFilename": "/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class"
+            },
+            {
+              "module": "HelloWorld.class",
+              "function": "main",
+              "line": 20,
+              "column": 12,
+              "fullFilename": "/path/to/HelloWorld.class"
+            }
+          ]
+        },
         "licenses": [
           {
             "license": {

testdata/valid-evidence.xml

@@ -13,6 +13,63 @@
             </licenses>
             <purl>pkg:maven/com.google.code.findbugs/[email protected]</purl>
             <evidence>
+                <identity>
+                    <field>purl</field>
+                    <confidence>1</confidence>
+                    <methods>
+                        <method>
+                            <technique>filename</technique>
+                            <confidence>0.1</confidence>
+                            <value>findbugs-project-3.0.0.jar</value>
+                        </method>
+                        <method>
+                            <technique>ast-fingerprint</technique>
+                            <confidence>0.9</confidence>
+                            <value>61e4bc08251761c3a73b606b9110a65899cb7d44f3b14c81ebc1e67c98e1d9ab</value>
+                        </method>
+                        <method>
+                            <technique>hash-comparison</technique>
+                            <confidence>0.7</confidence>
+                            <value>7c547a9d67cc7bc315c93b6e2ff8e4b6b41ae5be454ac249655ecb5ca2a85abf</value>
+                        </method>
+                    </methods>
+                    <tools>
+                        <tool ref="bom-ref-of-tool-that-performed-analysis"/>
+                    </tools>
+                </identity>
+                <occurrences>
+                    <occurrence bom-ref="d6bf237e-4e11-4713-9f62-56d18d5e2079">
+                        <location>/path/to/component</location>
+                    </occurrence>
+                    <occurrence bom-ref="b574d5d1-e3cf-4dcd-9ba5-f3507eb1b175">
+                        <location>/another/path/to/component</location>
+                    </occurrence>
+                </occurrences>
+                <callstack>
+                    <frames>
+                        <frame>
+                            <package>com.apache.logging.log4j.core</package>
+                            <module>Logger.class</module>
+                            <function>logMessage</function>
+                            <parameters>
+                                <parameter>com.acme.HelloWorld</parameter>
+                                <parameter>Level.INFO</parameter>
+                                <parameter>null</parameter>
+                                <parameter>Hello World</parameter>
+                            </parameters>
+                            <line>150</line>
+                            <column>17</column>
+                            <fullFilename>/path/to/log4j-core-2.14.0.jar!/org/apache/logging/log4j/core/Logger.class</fullFilename>
+                        </frame>
+                        <frame>
+                            <module>HelloWorld.class</module>
+                            <function>main</function>
+                            <line>20</line>
+                            <column>12</column>
+                            <fullFilename>/path/to/HelloWorld.class</fullFilename>
+                        </frame>
+                    </frames>
+                </callstack>
                 <licenses>
                     <license>
                         <id>Apache-2.0</id>