SBOM with CycloneDx struct (#467)

Author: attiasas

commands/audit/audit.go

@@ -357,7 +357,7 @@ func createJasScansTasks(auditParallelRunner *utils.SecurityParallelRunner, scan
 				Module:                      *module,
 				ConfigProfile:               auditParams.AuditBasicParams.GetConfigProfile(),
 				ScansToPerform:              auditParams.ScansToPerform(),
-				SourceResultsToCompare:      scanner.GetResultsToCompare(utils.GetRelativePath(targetResult.Target, scanResults.GetCommonParentPath())),
+				SourceResultsToCompare:      scanner.GetResultsToCompareByRelativePath(utils.GetRelativePath(targetResult.Target, scanResults.GetCommonParentPath())),
 				SecretsScanType:             secrets.SecretsScannerType,
 				DirectDependencies:          auditParams.DirectDependencies(),
 				ThirdPartyApplicabilityScan: auditParams.thirdPartyApplicabilityScan,

commands/audit/audit_test.go

@@ -2,17 +2,19 @@ package audit
 
 import (
 	"fmt"
-	commonCommands "github.com/jfrog/jfrog-cli-core/v2/common/commands"
-	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
-	configTests "github.com/jfrog/jfrog-cli-security/tests"
-	securityTestUtils "github.com/jfrog/jfrog-cli-security/tests/utils"
-	clientTests "github.com/jfrog/jfrog-client-go/utils/tests"
 	"net/http"
 	"path/filepath"
 	"sort"
 	"strings"
 	"testing"
 
+	"github.com/CycloneDX/cyclonedx-go"
+	commonCommands "github.com/jfrog/jfrog-cli-core/v2/common/commands"
+	"github.com/jfrog/jfrog-cli-core/v2/utils/coreutils"
+	configTests "github.com/jfrog/jfrog-cli-security/tests"
+	securityTestUtils "github.com/jfrog/jfrog-cli-security/tests/utils"
+	clientTests "github.com/jfrog/jfrog-client-go/utils/tests"
+
 	"github.com/stretchr/testify/assert"
 
 	"github.com/jfrog/jfrog-cli-security/tests/validations"
@@ -957,25 +959,30 @@ func TestAudit_DiffScanFlow(t *testing.T) {
 							Target:     tempDirPath,
 							Technology: techutils.Pip,
 						},
-						Sbom: results.Sbom{
-							Components: []results.SbomEntry{
-								{
-									Component: "werkzeug",
-									Version:   "1.0.2",
-									Type:      "Python",
-									XrayType:  "pypi",
-								},
-								{
-									Component: "pyyaml",
-									Version:   "5.2",
-									Type:      "Python",
-									XrayType:  "pypi",
-								},
-								{
-									Component: "wasabi",
-									Version:   "1.1.3",
-									Type:      "Python",
-									XrayType:  "pypi",
+						ScaResults: &results.ScaScanResults{
+							Sbom: &cyclonedx.BOM{
+								Components: &[]cyclonedx.Component{
+									{
+										PackageURL: "pkg:pypi/[email protected]",
+										BOMRef:     "pypi:[email protected]",
+										Name:       "werkzeug",
+										Version:    "1.0.2",
+										Type:       "Python",
+									},
+									{
+										PackageURL: "pkg:pypi/[email protected]",
+										BOMRef:     "pypi:[email protected]",
+										Name:       "pyyaml",
+										Version:    "5.2",
+										Type:       "Python",
+									},
+									{
+										PackageURL: "pkg:pypi/[email protected]",
+										BOMRef:     "pypi:[email protected]",
+										Name:       "wasabi",
+										Version:    "1.1.3",
+										Type:       "Python",
+									},
 								},
 							},
 						},

commands/audit/scarunner.go

@@ -93,7 +93,7 @@ func buildDepTreeAndRunScaScan(auditParallelRunner *utils.SecurityParallelRunner
 				// First scan, no diff to compare
 				log.Debug(fmt.Sprintf("Diff scan - calculated dependencies tree for target %s, skipping scan part", targetResult.Target))
 				continue
-			} else if treeResult, bdtErr = buildinfo.GetDiffDependencyTree(targetResult, results.SearchTargetResultsByPath(utils.GetRelativePath(targetResult.Target, cmdResults.GetCommonParentPath()), auditParams.resultsToCompare), treeResult.FullDepTrees...); bdtErr != nil {
+			} else if treeResult, bdtErr = buildinfo.GetDiffDependencyTree(targetResult, results.SearchTargetResultsByRelativePath(utils.GetRelativePath(targetResult.Target, cmdResults.GetCommonParentPath()), auditParams.resultsToCompare), treeResult.FullDepTrees...); bdtErr != nil {
 				_ = targetResult.AddTargetError(fmt.Errorf("failed to build diff dependency tree in source branch: %s", bdtErr.Error()), auditParams.AllowPartialResults())
 				continue
 			}

commands/scan/scan.go

@@ -53,8 +53,6 @@ const (
 	BypassArchiveLimitsMinXrayVersion = "3.59.0"
 	indexingCommand                   = "graph"
 	fileNotSupportedExitCode          = 3
-	typeJASPackageScanTypeDocker      = "docker"
-	typeJASPackageScanTypeGeneric     = "generic"
 )
 
 type ScanCommand struct {

go.mod

@@ -3,6 +3,7 @@ module github.com/jfrog/jfrog-cli-security
 go 1.24.2
 
 require (
+	github.com/CycloneDX/cyclonedx-go v0.9.2
 	github.com/beevik/etree v1.4.0
 	github.com/go-git/go-git/v5 v5.14.0
 	github.com/google/go-github/v56 v56.0.0
@@ -16,6 +17,7 @@ require (
 	github.com/jfrog/jfrog-client-go v1.54.1
 	github.com/magiconair/properties v1.8.9
 	github.com/owenrumney/go-sarif/v3 v3.1.4
+	github.com/package-url/packageurl-go v0.1.3
 	github.com/stretchr/testify v1.10.0
 	github.com/urfave/cli v1.22.16
 	github.com/virtuald/go-ordered-json v0.0.0-20170621173500-b18e6e673d74
@@ -28,7 +30,6 @@ require (
 require (
 	dario.cat/mergo v1.0.1 // indirect
 	github.com/BurntSushi/toml v1.4.0 // indirect
-	github.com/CycloneDX/cyclonedx-go v0.9.2 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ProtonMail/go-crypto v1.1.6 // indirect
 	github.com/VividCortex/ewma v1.2.0 // indirect

go.sum

@@ -187,6 +187,8 @@ github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
 github.com/owenrumney/go-sarif/v3 v3.1.4 h1:lqx5Cb7162BC+FuAgJZq8A8XXP4XMw7XoAPZl9iqlQs=
 github.com/owenrumney/go-sarif/v3 v3.1.4/go.mod h1:Olt8kHDlC+ruWzRfmgIQUD+2hoAk6A6vT+ljDUbae2s=
+github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs=
+github.com/package-url/packageurl-go v0.1.3/go.mod h1:nKAWB8E6uk1MHqiS/lQb9pYBGH2+mdJ2PJc2s50dQY0=
 github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
 github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
 github.com/pierrec/lz4/v4 v4.1.22 h1:cKFw6uJDK+/gfw5BcDL0JL5aBsAFdsIT18eRtLj7VIU=

jas/common.go

@@ -140,8 +140,8 @@ func getJasEnvVars(serverDetails *config.ServerDetails, validateSecrets bool, di
 	return utils.MergeMaps(utils.ToEnvVarsMap(os.Environ()), amBasicVars, vars), nil
 }
 
-func (js *JasScanner) GetResultsToCompare(target string) (resultsToCompare *results.TargetResults) {
-	return results.SearchTargetResultsByPath(target, js.ResultsToCompare)
+func (js *JasScanner) GetResultsToCompareByRelativePath(relativeTarget string) (resultsToCompare *results.TargetResults) {
+	return results.SearchTargetResultsByRelativePath(relativeTarget, js.ResultsToCompare)
 }
 
 func CreateJFrogAppsConfig(workingDirs []string) (*jfrogappsconfig.JFrogAppsConfig, error) {

jas/common_test.go

@@ -589,7 +589,7 @@ func TestGetResultsToCompare(t *testing.T) {
 	for _, testCase := range testCases {
 		t.Run(testCase.name, func(t *testing.T) {
 			scanner := &JasScanner{ResultsToCompare: testCase.ResultsToCompare}
-			assert.Equal(t, testCase.expectedTarget, scanner.GetResultsToCompare(testCase.target))
+			assert.Equal(t, testCase.expectedTarget, scanner.GetResultsToCompareByRelativePath(testCase.target))
 		})
 	}
 }

sca/bom/buildinfo/buildinfobom.go

@@ -5,12 +5,13 @@ import (
 	"os"
 	"time"
 
+	"github.com/CycloneDX/cyclonedx-go"
 	"github.com/jfrog/gofrog/datastructures"
 	clientutils "github.com/jfrog/jfrog-client-go/utils"
 	"github.com/jfrog/jfrog-client-go/utils/errorutils"
 	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
-	xrayCmdUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
+	xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
 
 	"github.com/jfrog/jfrog-cli-core/v2/utils/config"
 
@@ -35,8 +36,8 @@ import (
 )
 
 type DependencyTreeResult struct {
-	FlatTree     *xrayCmdUtils.GraphNode
-	FullDepTrees []*xrayCmdUtils.GraphNode
+	FlatTree     *xrayUtils.GraphNode
+	FullDepTrees []*xrayUtils.GraphNode
 	DownloadUrls map[string]string
 }
 
@@ -56,7 +57,9 @@ func BuildDependencyTree(scan *results.TargetResults, params technologies.BuildI
 	if treeResult.FlatTree == nil || len(treeResult.FlatTree.Nodes) == 0 {
 		return nil, errorutils.CheckErrorf("no dependencies were found. Please try to build your project and re-run the audit command")
 	}
-	scan.SetSbom(results.DepTreeToSbom(treeResult.FullDepTrees))
+	sbom := cyclonedx.NewBOM()
+	sbom.Components, sbom.Dependencies = results.DepsTreeToSbom(treeResult.FullDepTrees...)
+	scan.SetSbom(sbom)
 	return &treeResult, nil
 }
 
@@ -181,44 +184,47 @@ func SetResolutionRepoInParamsIfExists(params *technologies.BuildInfoBomGenerato
 	return
 }
 
-func createFlatTreeWithTypes(uniqueDeps map[string]*xray.DepTreeNode) *xrayCmdUtils.GraphNode {
-	var uniqueNodes []*xrayCmdUtils.GraphNode
+func createFlatTreeWithTypes(uniqueDeps map[string]*xray.DepTreeNode) *xrayUtils.GraphNode {
+	var uniqueNodes []*xrayUtils.GraphNode
 	for uniqueDep, nodeAttr := range uniqueDeps {
-		node := &xrayCmdUtils.GraphNode{Id: uniqueDep}
+		node := &xrayUtils.GraphNode{Id: uniqueDep}
 		if nodeAttr != nil {
 			node.Types = nodeAttr.Types
 			node.Classifier = nodeAttr.Classifier
 		}
 		uniqueNodes = append(uniqueNodes, node)
 	}
-	return &xrayCmdUtils.GraphNode{Id: "root", Nodes: uniqueNodes}
+	return &xrayUtils.GraphNode{Id: "root", Nodes: uniqueNodes}
 }
 
-func createFlatTree(uniqueDeps []string) *xrayCmdUtils.GraphNode {
-	uniqueNodes := []*xrayCmdUtils.GraphNode{}
+func createFlatTree(uniqueDeps []string) *xrayUtils.GraphNode {
+	uniqueNodes := []*xrayUtils.GraphNode{}
 	for _, uniqueDep := range uniqueDeps {
-		uniqueNodes = append(uniqueNodes, &xrayCmdUtils.GraphNode{Id: uniqueDep})
+		uniqueNodes = append(uniqueNodes, &xrayUtils.GraphNode{Id: uniqueDep})
 	}
-	return &xrayCmdUtils.GraphNode{Id: "root", Nodes: uniqueNodes}
+	return &xrayUtils.GraphNode{Id: "root", Nodes: uniqueNodes}
 }
 
 // Collect dependencies exists in target and not in resultsToCompare
-func GetDiffDependencyTree(scanResults *results.TargetResults, resultsToCompare *results.TargetResults, fullDepTrees ...*xrayCmdUtils.GraphNode) (*DependencyTreeResult, error) {
-	if resultsToCompare == nil {
+func GetDiffDependencyTree(scanResults *results.TargetResults, resultsToCompare *results.TargetResults, fullDepTrees ...*xrayUtils.GraphNode) (*DependencyTreeResult, error) {
+	if resultsToCompare == nil || resultsToCompare.ScaResults == nil || resultsToCompare.ScaResults.Sbom == nil || resultsToCompare.ScaResults.Sbom.Components == nil {
 		return nil, fmt.Errorf("failed to get diff dependency tree: no results to compare")
 	}
+	if scanResults == nil || scanResults.ScaResults == nil || scanResults.ScaResults.Sbom == nil || scanResults.ScaResults.Sbom.Components == nil {
+		return nil, fmt.Errorf("failed to get diff dependency tree: no scan results found for target %s", scanResults.Target)
+	}
 	log.Debug(fmt.Sprintf("Comparing %s SBOM with %s to get diff", scanResults.Target, resultsToCompare.Target))
 	// Compare the dependency trees
 	filterDepsMap := datastructures.MakeSet[string]()
-	for _, component := range resultsToCompare.Sbom.Components {
-		filterDepsMap.Add(techutils.ToXrayComponentId(component.XrayType, component.Component, component.Version))
+	for _, component := range *resultsToCompare.ScaResults.Sbom.Components {
+		filterDepsMap.Add(techutils.PurlToXrayComponentId(component.PackageURL))
 	}
 	addedDepsMap := datastructures.MakeSet[string]()
-	for _, component := range scanResults.Sbom.Components {
-		componentId := techutils.ToXrayComponentId(component.XrayType, component.Component, component.Version)
-		if exists := filterDepsMap.Exists(componentId); !exists {
+	for _, component := range *scanResults.ScaResults.Sbom.Components {
+		id := techutils.PurlToXrayComponentId(component.PackageURL)
+		if exists := filterDepsMap.Exists(id); !exists {
 			// Dependency in scan results but not in results to compare
-			addedDepsMap.Add(componentId)
+			addedDepsMap.Add(id)
 		}
 	}
 	diffDepTree := DependencyTreeResult{

sca/bom/buildinfo/buildinfobom_test.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"testing"
 
+	"github.com/CycloneDX/cyclonedx-go"
 	"github.com/jfrog/jfrog-cli-security/utils/results"
 
 	xrayUtils "github.com/jfrog/jfrog-client-go/xray/services/utils"
@@ -14,28 +15,30 @@ import (
 func TestGetDiffDependencyTree(t *testing.T) {
 	targetResults := &results.TargetResults{
 		ScanTarget: results.ScanTarget{Target: "targetPath"},
-		Sbom: results.Sbom{
-			Components: []results.SbomEntry{
-				{
-					Component: "pip",
-					Version:   "20.3.4",
-					Type:      "Python",
-					XrayType:  "pypi",
-					Direct:    true,
-				},
-				{
-					Component: "pyyaml",
-					Version:   "5.2",
-					Type:      "Python",
-					XrayType:  "pypi",
-					Direct:    true,
-				},
-				{
-					Component: "werkzeug",
-					Version:   "1.0.1",
-					Type:      "Python",
-					XrayType:  "pypi",
-					Direct:    true,
+		ScaResults: &results.ScaScanResults{
+			Sbom: &cyclonedx.BOM{
+				Components: &[]cyclonedx.Component{
+					{
+						BOMRef:     "pypi:[email protected]",
+						PackageURL: "pkg:pypi/[email protected]",
+						Name:       "pip",
+						Version:    "20.3.4",
+						Type:       "library",
+					},
+					{
+						BOMRef:     "pypi:[email protected]",
+						PackageURL: "pkg:pypi/[email protected]",
+						Name:       "pyyaml",
+						Version:    "5.2",
+						Type:       "library",
+					},
+					{
+						BOMRef:     "pypi:[email protected]",
+						PackageURL: "pkg:pypi/[email protected]",
+						Name:       "werkzeug",
+						Version:    "1.0.1",
+						Type:       "library",
+					},
 				},
 			},
 		},
@@ -59,25 +62,30 @@ func TestGetDiffDependencyTree(t *testing.T) {
 			name: "different results",
 			resultsToCompare: &results.TargetResults{
 				ScanTarget: results.ScanTarget{Target: "targetPath"},
-				Sbom: results.Sbom{
-					Components: []results.SbomEntry{
-						{
-							Component: "werkzeug",
-							Version:   "1.0.2",
-							Type:      "Python",
-							XrayType:  "pypi",
-						},
-						{
-							Component: "pyyaml",
-							Version:   "5.2",
-							Type:      "Python",
-							XrayType:  "pypi",
-						},
-						{
-							Component: "wasabi",
-							Version:   "1.1.3",
-							Type:      "Python",
-							XrayType:  "pypi",
+				ScaResults: &results.ScaScanResults{
+					Sbom: &cyclonedx.BOM{
+						Components: &[]cyclonedx.Component{
+							{
+								BOMRef:     "pypi:[email protected]",
+								PackageURL: "pkg:pypi/[email protected]",
+								Name:       "werkzeug",
+								Version:    "1.0.2",
+								Type:       "library",
+							},
+							{
+								BOMRef:     "pypi:[email protected]",
+								PackageURL: "pkg:pypi/[email protected]",
+								Name:       "pyyaml",
+								Version:    "5.2",
+								Type:       "library",
+							},
+							{
+								BOMRef:     "pypi:[email protected]",
+								PackageURL: "pkg:pypi/[email protected]",
+								Name:       "wasabi",
+								Version:    "1.1.3",
+								Type:       "library",
+							},
 						},
 					},
 				},