Support new tool metadata format in the merge syft sbom script

CycloneDX 1.5 changes the way tools are defined in the metadata section, and marks the 1.4 way as deprecated. Syft has adopted the newer format starting from version 0.99.0. This makes the 'merge_syft_sbom.py' script to fail in case a newer Syft SBOM is used. This patch updates the script so the newer format can be handled. Note that this will make the script fail in case it is used with older versions of Syft. Signed-off-by: Bruno Pimentel <[email protected]>
containerbuildsystem · Jan 25, 2024 · 980af95 · 980af95
1 parent 2b46376
commit 980af95
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 26 deletions.
diff --git a/tests/unit/data/sboms/cachi2.bom.json b/tests/unit/data/sboms/cachi2.bom.json
@@ -215,12 +215,15 @@
         }
     ],
     "metadata": {
-        "tools": [
-            {
-                "vendor": "red hat",
-                "name": "cachi2"
-            }
-        ]
+        "tools": {
+            "components": [
+                {
+                    "type": "application",
+                    "author": "red hat",
+                    "name": "cachi2"
+                }
+            ]
+        }
     },
     "specVersion": "1.4",
     "version": 1

diff --git a/tests/unit/data/sboms/merged.bom.json b/tests/unit/data/sboms/merged.bom.json
@@ -5,17 +5,21 @@
     "version": 1,
     "metadata": {
         "timestamp": "2023-05-03T18:19:41Z",
-        "tools": [
-            {
-                "vendor": "anchore",
-                "name": "syft",
-                "version": "0.47.0"
-            },
-            {
-                "vendor": "red hat",
-                "name": "cachi2"
-            }
-        ],
+        "tools": {
+            "components": [
+                {
+                    "type": "application",
+                    "author": "anchore",
+                    "name": "syft",
+                    "version": "0.100.0"
+                },
+                {
+                    "type": "application",
+                    "author": "red hat",
+                    "name": "cachi2"
+                }
+            ]
+        },
         "component": {
             "bom-ref": "6b8edfe5f2756e0",
             "type": "file",

diff --git a/tests/unit/data/sboms/syft.bom.json b/tests/unit/data/sboms/syft.bom.json
@@ -5,13 +5,16 @@
     "version": 1,
     "metadata": {
         "timestamp": "2023-05-03T18:19:41Z",
-        "tools": [
-            {
-                "vendor": "anchore",
-                "name": "syft",
-                "version": "0.47.0"
-            }
-        ],
+        "tools": {
+            "components": [
+                {
+                    "type": "application",
+                    "author": "anchore",
+                    "name": "syft",
+                    "version": "0.100.0"
+                }
+            ]
+        },
         "component": {
             "bom-ref": "6b8edfe5f2756e0",
             "type": "file",

diff --git a/utils/merge_syft_sbom.py b/utils/merge_syft_sbom.py
@@ -134,8 +134,8 @@ def merge_sboms(cachi2_sbom_path: str, syft_sbom_path: str) -> str:
 
     syft_sbom["components"] = filtered_syft_components + cachi2_sbom["components"]
 
-    syft_sbom.get("metadata", {}).get("tools", []).extend(
-        cachi2_sbom.get("metadata", {}).get("tools", [])
+    syft_sbom.get("metadata", {}).get("tools", {}).get("components", []).extend(
+        cachi2_sbom.get("metadata", {}).get("tools", {}).get("components", [])
     )
 
     return json.dumps(syft_sbom, indent=2)