From f0d731b4ecc628da6cc5dae98f6bb243ee736369 Mon Sep 17 00:00:00 2001
From: Andrew Leonard
Date: Thu, 10 Oct 2024 14:58:48 +0100
Subject: [PATCH] Upgrade to CycloneDX 1.0.6 spec
Signed-off-by: Andrew Leonard
---
 cyclonedx-lib/build.xml | 14 +++++---
 cyclonedx-lib/sign_src/TemurinSignSBOM.java | 35 +++++++++++++++----
 .../src/temurin/sbom/TemurinGenSBOM.java | 2 +-
 3 files changed, 39 insertions(+), 12 deletions(-)
diff --git a/cyclonedx-lib/build.xml b/cyclonedx-lib/build.xml
index ccb170f0c..ec443c787 100644
--- a/cyclonedx-lib/build.xml
+++ b/cyclonedx-lib/build.xml
@@ -24,10 +24,10 @@ - + - +
@@ -38,6 +38,7 @@ +
@@ -65,7 +66,7 @@ - +
@@ -114,12 +115,17 @@ + + + + + - +
diff --git a/cyclonedx-lib/sign_src/TemurinSignSBOM.java b/cyclonedx-lib/sign_src/TemurinSignSBOM.java
index afe584d10..4f47110cf 100644
--- a/cyclonedx-lib/sign_src/TemurinSignSBOM.java
+++ b/cyclonedx-lib/sign_src/TemurinSignSBOM.java
@@ -1,6 +1,6 @@
 /*
  * ********************************************************************************
- * Copyright (c) 2023 Contributors to the Eclipse Foundation
+ * Copyright (c) 2023,2024 Contributors to the Eclipse Foundation
  *
  * See the NOTICE file(s) with this work for additional
  * information regarding copyright ownership.
@@ -15,11 +15,13 @@
 package temurin.sbom;
-import org.cyclonedx.BomGeneratorFactory;
+import org.cyclonedx.exception.GeneratorException;
+import org.cyclonedx.generators.json.BomJsonGenerator;
 import org.cyclonedx.CycloneDxSchema;
 import org.cyclonedx.generators.json.BomJsonGenerator;
 import org.cyclonedx.model.Bom;
 import org.cyclonedx.parsers.JsonParser;
+import org.cyclonedx.Version;
 import org.webpki.json.JSONAsymKeySigner;
 import org.webpki.json.JSONObjectReader;
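Review bot: The added `+import org.cyclonedx.generators.json.BomJsonGenerator;` duplicates the single-type import that already exists two lines below it, and `import org.cyclonedx.CycloneDxSchema;` appears to lose its only use once `CycloneDxSchema.Version.VERSION_14` is replaced by `Version.VERSION_16` in generateBomJson (the rest of the file is not in view, so confirm with the compiler). javac accepts a duplicated single-type import silently, but Checkstyle/Error Prone flag both, and a leftover import of the old schema class is misleading at the next spec bump. Drop the added BomJsonGenerator line and remove `import org.cyclonedx.CycloneDxSchema;` if nothing else references it.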
@@ -113,7 +115,13 @@ static Bom signSBOM(final String jsonFile, final String pemFile) {
 if (bom == null) {
 return null;
 }
-String sbomDataToSign = generateBomJson(bom);
+String sbomDataToSign;
+try {
+sbomDataToSign = generateBomJson(bom);
+} catch (GeneratorException e) {
+LOGGER.log(Level.SEVERE, "Exception generating BOM", e);
+return null;
+}
 // Read the private key
 KeyPair signingKey = PEMDecoder.getKeyPair(Files.readAllBytes(Paths.get(pemFile)));
@@ -132,15 +140,22 @@ static Bom signSBOM(final String jsonFile, final String pemFile) {
 }
 }
-static String generateBomJson(final Bom bom) {
-BomJsonGenerator bomGen = BomGeneratorFactory.createJson(CycloneDxSchema.Version.VERSION_14, bom);
+static String generateBomJson(final Bom bom) throws GeneratorException {
+BomJsonGenerator bomGen = new BomJsonGenerator(bom, Version.VERSION_16);
 String json = bomGen.toJsonString();
 return json;
 }
 static boolean writeJSONfile(final Bom bom, final String fileName) {
 // Creates testJson.json file
-String json = generateBomJson(bom);
+String json;
+try {
+json = generateBomJson(bom);
+} catch (GeneratorException e) {
+LOGGER.log(Level.SEVERE, "Exception generating BOM", e);
+return false;
+}
+
 try (FileWriter file = new FileWriter(fileName)) {
 file.write(json);
 return true;
@@ -164,7 +179,13 @@ static boolean verifySignature(final String jsonFile, final String publicKeyFile
 try {
 // Read the JSON file to be verified
 Bom bom = readJSONfile(jsonFile);
-String signedSbomData = generateBomJson(bom);
+String signedSbomData;
+try {
+signedSbomData = generateBomJson(bom);
+} catch (GeneratorException e) {
+LOGGER.log(Level.SEVERE, "Exception generating BOM", e);
+return false;
+}
 // Parse JSON
 JSONObjectReader reader = JSONParser.parse(signedSbomData);
diff --git a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java
index d2d1ba896..63abc2f2a 100644
--- a/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java
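Review bot: The new catch in signSBOM logs the fixed text `"Exception generating BOM"` and returns null, and the identical message is repeated verbatim in the writeJSONfile and verifySignature hunks, so a SEVERE log line no longer tells the operator which step or which input file failed. Include the input in the message, e.g. `LOGGER.log(Level.SEVERE, "Exception generating BOM JSON for " + jsonFile, e);`, and do the same at the other two sites (`fileName` in writeJSONfile). signSBOM starts before and continues past this hunk, including the code that reads the private key from pemFile.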
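Review bot: `new BomJsonGenerator(bom, Version.VERSION_16)` pins the serialization to spec 1.6 as a bare literal, and because signSBOM signs and verifySignature verifies exactly the string this method returns (visible in the neighbouring hunks), the pinned version is part of what the signature covers — editing this one token silently changes which existing signatures still verify. Lift it into a documented constant, e.g. `/** Spec version used for serialization; the SBOM signature covers this output, so bumping it invalidates SBOMs signed by earlier builds. */ private static final Version SBOM_SPEC_VERSION = Version.VERSION_16;`, and use that in generateBomJson. The commit subject says "CycloneDX 1.0.6" while the code targets VERSION_16 (spec 1.6); worth correcting so the history matches the code.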
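Review bot: verifySignature calls `generateBomJson(bom)` straight after `Bom bom = readJSONfile(jsonFile);` without the `bom == null` guard that signSBOM applies before the same call, so an unparseable file reaches `new BomJsonGenerator(null, …)` and whatever it throws is not a GeneratorException; whether the enclosing try (which starts before this hunk) catches it cannot be seen here. Add `if (bom == null) { return false; }` before the new try block. Separately, verification re-serializes the parsed BOM with VERSION_16 and checks the signature against that output rather than the file's bytes; an SBOM signed by the previous VERSION_14 build would presumably serialize differently (at minimum its specVersion), so already-published signed SBOMs are likely to stop verifying after this upgrade — worth a comment on verifySignature and a test with a pre-upgrade artifact.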
+++ b/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java
@@ -1,6 +1,6 @@
 /*
  * ********************************************************************************
- * Copyright (c) 2021 Contributors to the Eclipse Foundation
+ * Copyright (c) 2021,2024 Contributors to the Eclipse Foundation
  *
  * See the NOTICE file(s) with this work for additional
  * information regarding copyright ownership.