Initial CDXA support

Signed-off-by: Andrew Leonard <[email protected]>
adoptium · Nov 28, 2024 · fd088a5 · fd088a5
1 parent 755cccc
commit fd088a5
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 19 deletions.
diff --git a/.github/linters/suppressed-java.xml b/.github/linters/suppressed-java.xml
@@ -28,4 +28,5 @@
     <suppress files="." checks="LineLength" />
     <suppress files="." checks="Header" /> <!-- Disabled as we don't use headers in our project for the test files -->
     <suppress files="." checks="FileTabCharacter" /> <!-- Disabled as it generally doesn't matter if tabs are disabled or not -->
-</suppressions>
+    <suppress files="." checks="ParameterNumber" />
+</suppressions>
diff --git a/.github/workflows/testsbom.yml b/.github/workflows/testsbom.yml
@@ -56,8 +56,8 @@ jobs:
         run: |
           curl -L -O https://github.com/CycloneDX/cyclonedx-cli/releases/latest/download/cyclonedx-linux-x64
           chmod +x cyclonedx-linux-x64
-          cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testSBOM.json --fail-on-errors --input-version v1_6
-          cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testSBOM.xml --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testSBOM.json --fail-on-errors --input-version v1_6
+          ./cyclonedx-linux-x64 validate --input-file cyclonedx-lib/build/testSBOM.xml --fail-on-errors --input-version v1_6
 
       - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         name: Collect and Archive TemurinGenSBOM Artifacts

diff --git a/cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java b/cyclonedx-lib/src/temurin/sbom/TemurinGenCDXA.java
@@ -31,7 +31,6 @@
 import org.cyclonedx.model.attestation.affirmation.Affirmation;
 import org.cyclonedx.model.attestation.affirmation.Signatory;
 import org.cyclonedx.model.attestation.Targets;
-import org.cyclonedx.model.Property;
 import org.cyclonedx.parsers.JsonParser;
 import org.cyclonedx.parsers.XmlParser;
 import org.cyclonedx.Version;
@@ -124,8 +123,14 @@ static Bom createCdxa(final String fileName, final String attestingOrgName, fina
                           final String affirmationStmt, final String affirmationWebsite, final boolean thirdParty) {
         // Validate inputs
         boolean validInput = true;
-        if (fileName == null) { System.out.println("--xmlFile|--jsonFile not specified"); validInput = false; }
-        if (attestingOrgName == null) { System.out.println("--attesting-org-name not specified"); validInput = false; }
+        if (fileName == null) {
+            System.out.println("--xmlFile|--jsonFile not specified");
+            validInput = false;
+         }
+        if (attestingOrgName == null) {
+            System.out.println("--attesting-org-name not specified");
+            validInput = false;
+        }
         if (predicate == null) {
             System.out.println("--predicate not specified"); validInput = false;
         } else {
@@ -136,13 +141,31 @@ static Bom createCdxa(final String fileName, final String attestingOrgName, fina
                     break;
                 }
             }
-            if (!validPred) { System.out.println("--predicate " + predicate + " not a valid value"); validInput = false; }
+            if (!validPred) {
+                System.out.println("--predicate " + predicate + " not a valid value");
+                validInput = false;
+            }
+        }
+        if (targetName == null) {
+            System.out.println("--target-name not specified");
+            validInput = false;
+        }
+        if (targetUrl == null) {
+            System.out.println("--target-url not specified");
+            validInput = false;
+        }
+        if (targetHash == null) {
+            System.out.println("--target-sha256-hash not specified");
+            validInput = false;
+        }
+        if (affirmationStmt == null) {
+            System.out.println("--affirmation-stmt not specified");
+            validInput = false;
+        }
+        if (affirmationWebsite == null) {
+            System.out.println("--affirmation-website not specified");
+            validInput = false;
         }
-        if (targetName == null) { System.out.println("--target-name not specified"); validInput = false; }
-        if (targetUrl == null) { System.out.println("--target-url not specified"); validInput = false; }
-        if (targetHash == null) { System.out.println("--target-sha256-hash not specified"); validInput = false; }
-        if (affirmationStmt == null) { System.out.println("--affirmation-stmt not specified"); validInput = false; }
-        if (affirmationWebsite == null) { System.out.println("--affirmation-website not specified"); validInput = false; }
         if (!validInput) return null;
 
         Declarations   declarations = new Declarations();
@@ -154,9 +177,9 @@ static Bom createCdxa(final String fileName, final String attestingOrgName, fina
         Attestation    attestation  = new Attestation();
         AttestationMap attestationMap = new AttestationMap();
 
-        final String TARGET_JDK_BOM_REF  = "target-jdk-1";
-        final String ASSESSOR_BOM_REF    = "assessor-1";
-        final String CLAIM_BOM_REF       = "claim-1";
+        final String targetJdkBomRef  = "target-jdk-1";
+        final String assessorBomRef   = "assessor-1";
+        final String claimBomRef      = "claim-1";
 
         // External reference to the target JDK
         ExternalReference extRef = new ExternalReference();
@@ -170,7 +193,7 @@ static Bom createCdxa(final String fileName, final String attestingOrgName, fina
         targetJDK.setType(Component.Type.APPLICATION);
         targetJDK.setName(targetName);
         targetJDK.addExternalReference(extRef);
-        targetJDK.setBomRef(TARGET_JDK_BOM_REF);
+        targetJDK.setBomRef(targetJdkBomRef);
         List<Component> components = new LinkedList<Component>();
         components.add(targetJDK);
         targets.setComponents(components);
@@ -181,15 +204,15 @@ static Bom createCdxa(final String fileName, final String attestingOrgName, fina
         OrganizationalEntity org = new OrganizationalEntity();
         org.setName(attestingOrgName);
         assessor.setOrganization(org);
-        assessor.setBomRef(ASSESSOR_BOM_REF);
+        assessor.setBomRef(assessorBomRef);
         List<Assessor> assessors = new LinkedList<Assessor>();
         assessors.add(assessor);
         declarations.setAssessors(assessors);
 
         // Claim
         claim.setPredicate(predicate);
         claim.setTarget(targetJDK.getBomRef());
-        claim.setBomRef(CLAIM_BOM_REF);
+        claim.setBomRef(claimBomRef);
         List<Claim> claims = new LinkedList<Claim>();
         claims.add(claim);
         declarations.setClaims(claims);
@@ -221,7 +244,7 @@ static Bom createCdxa(final String fileName, final String attestingOrgName, fina
 
         // Create CDXA Bom
         Bom cdxa = new Bom();
-        cdxa.setSerialNumber("urn:uuid:"+UUID.randomUUID());
+        cdxa.setSerialNumber("urn:uuid:" + UUID.randomUUID());
         cdxa.setDeclarations(declarations);
 
         return cdxa;