[FEAT] assert valid CycloneDX xml/json when using "unknown" enum cases #490
Comments
jkowalleck
changed the title
14 tasks
14 tasks
Merged
Merged
jkowalleck
added a commit
that referenced
this issue
Nov 30, 2023
- fixes #490 - BC: Component serialization may throw `cyclonedx.exception.serialization.SerializationOfUnsupportedComponentTypeException` - feat: serialization have own exceptions of `cyclonedx.exception.serialization.*` - tests: lots of (functional) tests related to enums and serialization - misc: bump `py-serializable@^0.15` -> `@^0.16` details & progress: - [x] `DataFlow` - [x] `Encoding` - [x] `HashAlgorithm` - [x] `ExternalReferenceType` convert "unknown" to `other` - [x] `component.ComponentScope` - [x] `component.ComponentType`. > tests done, migrator open Unclear how to proceed. dropping the info is a bad idea here. Best would be to throw an exception and abort the rendering. - [x] `component.PatchClassification` - [x] `impact_analysis.ImpactAnalysisAffectedStatus` - [x] `impact_analysis.ImpactAnalysisJustification` - [x] `impact_analysis.ImpactAnalysisResponse` - [x] `impact_analysis.ImpactAnalysisState` - [x] `issue.IssueClassification` - [x] `vulnerability.VulnerabilityScoreSource` convert "unknown" to `other` - [x] `vulnerability.VulnerabilitySeverity` --------- Signed-off-by: Jan Kowalleck <[email protected]>
|
closes via #492a |
jkowalleck
added a commit
that referenced
this issue
Dec 10, 2023
### Breaking Changes * Removed symbols that were already marked as deprecated (via [#493]) * Removed symbols in `parser.*` ([#489] via [#495]) * Removed `output.LATEST_SUPPORTED_SCHEMA_VERSION` ([#491] via [#494]) * Serialization of unsupported enum values might downgrade/migrate/omit them ([#490] via [#496]) Handling might raise warnings if a data loss occurred due to omitting. The result is a guaranteed valid XML/JSON, since no (enum-)invalid values are rendered. * Serialization of any `model.component.Component` with unsupported `type` raises `exception.serialization.SerializationOfUnsupportedComponentTypeException` ([#490] via [#496]) * Object `model.bom_ref.BomRef`'s property `value` defaults to `Null`, was arbitrary `UUID` ([#504] via [#505]) This change does not affect serialization. All `bom-ref`s are guaranteed to have unique values on rendering. * Removed helpers from public API ([#503] via [#506]) ### Added * Basic support for CycloneDX 1.5 ([#404] via [#488]) * No data models were enhanced nor added, yet. Pull requests to add functionality are welcome. * Existing enumerable got new cases, to reflect features of CycloneDX 1.5 ([#404] via [#488]) * Outputters were enabled to render CycloneDX 1.5 ([#404] via [#488]) ### Tests * Created (regression/unit/integration/functional) tests for CycloneDX 1.5 ([#404] via [#488]) * Created (regression/functional) tests for Enums' handling and completeness ([#490] via [#496]) ### Misc * Bumped dependency `py-serializable@^0.16`, was `@^0.15` (via [#496]) ---- ### API Changes — the details for migration * Added new sub-package `exception.serialization` (via [#496]) * Removed class `models.ComparableTuple` ([#503] via [#506]) * Enum `model.ExternalReferenceType` got new cases, to reflect features for CycloneDX 1.5 ([#404] via [#488]) * Removed function `models.get_now_utc` ([#503] via [#506]) * Removed function `models.sha1sum` ([#503] via [#506]) * Enum `model.component.ComponentType` got new cases, to reflect features for CycloneDX 1.5 ([#404] via [#488]) * Removed `model.component.Component.__init__()`'s deprecated optional kwarg `namespace` (via [#493]) Use kwarg `group` instead. * Removed `model.component.Component.__init__()`'s deprecated optional kwarg `license_str` (via [#493]) Use kwarg `licenses` instead. * Removed deprecated method `model.component.Component.get_namespace()` (via [#493]) * Removed class `models.dependency.DependencyDependencies` ([#503] via [#506]) * Removed `model.vulnerability.Vulnerability.__init__()`'s deprecated optional kwarg `source_name` (via [#493]) Use kwarg `source` instead. * Removed `model.vulnerability.Vulnerability.__init__()`'s deprecated optional kwarg `source_url` (via [#493]) Use kwarg `source` instead. * Removed `model.vulnerability.Vulnerability.__init__()`'s deprecated optional kwarg `recommendations` (via [#493]) Use kwarg `recommendation` instead. * Removed `model.vulnerability.VulnerabilityRating.__init__()`'s deprecated optional kwarg `score_base` (via [#493]) Use kwarg `score` instead. * Enum `model.vulnerability.VulnerabilityScoreSource` got new cases, to reflect features for CycloneDX 1.5 ([#404] via [#488]) * Removed `output.LATEST_SUPPORTED_SCHEMA_VERSION` ([#491] via [#494]) * Removed deprecated function `output.get_instance()` (via [#493]) Use function `output.make_outputter()` instead. * Added new class `output.json.JsonV1Dot5`, to reflect CycloneDX 1.5 ([#404] via [#488]) * Added new item to dict `output.json.BY_SCHEMA_VERSION`, to reflect CycloneDX 1.5 ([#404] via [#488]) * Added new class `output.xml.XmlV1Dot5`, to reflect CycloneDX 1.5 ([#404] via [#488]) * Added new item to dict `output.xml.BY_SCHEMA_VERSION`, to reflect CycloneDX 1.5 ([#404] via [#488]) * Removed class `parser.ParserWarning` ([#489] via [#495]) * Removed class `parser.BaseParser` ([#489] via [#495]) * Enum `schema.SchemaVersion` got new case `V1_5`, to reflect CycloneDX 1.5 ([#404] via [#488]) [#404]: #404 [#488]: #488 [#489]: #489 [#490]: #490 [#491]: #491 [#493]: #493 [#494]: #494 [#495]: #495 [#496]: #496 [#503]: #503 [#504]: #504 [#505]: #505 [#506]: #506 --------- Signed-off-by: Johannes Feichtner <[email protected]> Signed-off-by: Jan Kowalleck <[email protected]> Signed-off-by: semantic-release <semantic-release> Co-authored-by: Johannes Feichtner <[email protected]> Co-authored-by: semantic-release <semantic-release>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Just like children and properties evolve with every CycloneDX version, also the enumeration scopes are expanded.
For example the enum
ExternalReferenceTypehas cases, which are just not available for every version of CycloneDX. "attestation" is not available before cdx1.5, "release-notes" is not available before cdx1.4.All enum cases are available in code, which would allow users of this library to use them,
and for the current implementation: when rendering cdx1.1 an "unknown" value gets rendered, causing an invalid CycloneDX document.
to prevent this, the following feature might help:
the output MUST be valid. the output SHOULD be snapshotted.
to be researched:
@serializable.serializable_enumcan do here.details:
DataFlowEncodingHashAlgorithmExternalReferenceType-- convert "unknown" toothercomponent.ComponentScopecomponent.ComponentType.Unclear how to proceed. dropping the info is a bad idea here.
Best would be to throw an exception and abort the rendering.
component.PatchClassificationimpact_analysis.ImpactAnalysisAffectedStatusimpact_analysis.ImpactAnalysisResponseissue.IssueClassificationvulnerability.VulnerabilityScoreSource-- convert "unknown" toothervulnerability.VulnerabilitySeverityThe text was updated successfully, but these errors were encountered: