Add support for recording multiple CPEs in cyclonedx #819
Signed-off-by: Sambhav Kothari <[email protected]>
assert.Equal(t, CPEURI(c2), test.CPEUrl) | ||
assert.Equal(t, CPEURI(c1), test.CPEUrl) | ||
assert.Equal(t, must(NewCPE(CPEURI(c1))), test.WFN) |
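Review bot: the fixture field `CPEUrl` and the function under test `CPEURI` disagree on URL vs URI; pick one name (the CPE specification calls this binding the URI binding, so `CPEURI` is the better candidate) so the test reads consistently. Also, `c2` is only checked in one direction (`assert.Equal(t, CPEURI(c2), test.CPEUrl)`), while `c1` gets the additional round trip `assert.Equal(t, must(NewCPE(CPEURI(c1))), test.WFN)`; adding the same decode round trip for `c2` would make the encoding/decoding coverage symmetric for both inputs.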
This ensures that our URL generation also goes through the same rigorous CPE encoding/decoding tests that our CPE strings go through.
output.Vendor = sanitize(c.Vendor) | ||
output.Product = sanitize(c.Product) | ||
output.Language = sanitize(c.Language) | ||
output.Version = sanitize(c.Version) | ||
output.TargetSW = sanitize(c.TargetSW) | ||
output.Part = sanitize(c.Part) | ||
output.Edition = sanitize(c.Edition) | ||
output.Other = sanitize(c.Other) | ||
output.SWEdition = sanitize(c.SWEdition) | ||
output.TargetHW = sanitize(c.TargetHW) |
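Review bot: of the eleven CPE 2.3 attributes, ten are sanitized in these lines and `Update` does not appear; if it is not sanitized elsewhere in this function, an update value containing special characters would be emitted unescaped while every other field is escaped, so either add `output.Update = sanitize(c.Update)` or note why it is exempt. As a style point, listing the assignments in the specification's attribute order (`Part`, `Vendor`, `Product`, `Version`, `Update`, `Edition`, `Language`, `SWEdition`, `TargetSW`, `TargetHW`, `Other`) makes a missing field easy to spot in review.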
This mimics our custom CPEString logic above to handle special characters in the CPE.
cc: @coderpatros & @stevespringett to validate whether this seems like a reasonable usage of the CycloneDX spec to get around the accurate-CPE-determination limitation that scanning tools face. Detailed reasoning at #818
I think using properties is more appropriate. External references in CycloneDX are typically URIs to other resources. This varies a lot from SPDX, which applies the external reference name to mean potential alternative identifiers. We have a formal property taxonomy as well: https://github.com/CycloneDX/cyclonedx-property-taxonomy We could register
NOTE: The PR should first be reviewed by syft maintainers before any further action is taken -> CycloneDX/cyclonedx-property-taxonomy#8 Thanks for the feedback. I have opened a PR to register a cc: @luhring, @wagoodman, @spiffcs, @kzantow please take a look. My reasoning for choosing
Separately, it looks like there is an SPDX taxonomy in the works as well, which contains the CPE field at CycloneDX/cyclonedx-property-taxonomy#7 and might also be suitable for storing this and other SPDX fields. This might also be useful with reference to #563, #723 and #737
Fixes #818
For the reasoning and logic behind the CPE serialization decision, please take a look at the issue. We still store our most specific CPE in the CycloneDX CPE field, but for all the other CPEs, we store them as external references.
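The two ideas discussed in this thread, escaping special characters when a CPE is serialized (the `sanitize` calls in the review above) and keeping one most-specific CPE in the CycloneDX `cpe` field while recording the remaining candidates elsewhere, as one added, stand-alone example. This is not syft's code and not the code from this PR: the escaping rule follows the CPE 2.3 formatted-string binding (NISTIR 7695 section 6.2), the "most specific" ranking is this example's own rule (count of attributes that are not ANY), the component struct is a hand-written subset of a CycloneDX component rather than the cyclonedx-go library, and the extra CPEs are emitted as properties, as the maintainer comment suggests, under the placeholder property name `example:cpe23`, which is an assumption and not a registered taxonomy entry (the PR as described stores them as external references instead).

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// CPE holds the eleven attributes of a CPE 2.3 well-formed name as plain,
// unescaped strings. An empty attribute stands for the logical value ANY.
type CPE struct {
	Part, Vendor, Product, Version, Update, Edition, Language,
	SWEdition, TargetSW, TargetHW, Other string
}

// attrs returns the attributes in formatted-string order.
func (c CPE) attrs() []string {
	return []string{c.Part, c.Vendor, c.Product, c.Version, c.Update, c.Edition,
		c.Language, c.SWEdition, c.TargetSW, c.TargetHW, c.Other}
}

// sanitize binds one attribute value for the CPE 2.3 formatted string:
// letters, digits, '_', '-' and '.' pass through unescaped, every other
// printable character is quoted with a backslash. A literal '*' or '?' is
// escaped too, because unescaped they are read as wildcards.
func sanitize(v string) string {
	if v == "" {
		return "*" // ANY
	}
	var b strings.Builder
	for _, r := range v {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9',
			r == '_', r == '-', r == '.':
			b.WriteRune(r)
		default:
			b.WriteRune('\\')
			b.WriteRune(r)
		}
	}
	return b.String()
}

// String renders the CPE 2.3 formatted-string binding of the name.
func (c CPE) String() string {
	parts := []string{"cpe:2.3"}
	for _, a := range c.attrs() {
		parts = append(parts, sanitize(a))
	}
	return strings.Join(parts, ":")
}

// specificity is this example's own ranking rule (an assumption, not the
// project's): the number of attributes that carry a concrete value.
func specificity(c CPE) int {
	n := 0
	for _, a := range c.attrs() {
		if a != "" && a != "*" {
			n++
		}
	}
	return n
}

// Component and Property are a hand-written subset of a CycloneDX component.
type Component struct {
	Type       string     `json:"type"`
	Name       string     `json:"name"`
	Version    string     `json:"version,omitempty"`
	CPE        string     `json:"cpe,omitempty"`
	Properties []Property `json:"properties,omitempty"`
}

type Property struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// AdditionalCPEProperty is a placeholder, not a registered taxonomy name.
const AdditionalCPEProperty = "example:cpe23"

// NewComponent puts the most specific CPE into the cpe field and records every
// other candidate as a property, so that no candidate is dropped from the SBOM.
// Candidates with equal specificity keep their input order.
func NewComponent(name, version string, cpes []CPE) Component {
	ranked := append([]CPE(nil), cpes...)
	sort.SliceStable(ranked, func(i, j int) bool {
		return specificity(ranked[i]) > specificity(ranked[j])
	})
	comp := Component{Type: "library", Name: name, Version: version}
	if len(ranked) == 0 {
		return comp
	}
	comp.CPE = ranked[0].String()
	for _, c := range ranked[1:] {
		comp.Properties = append(comp.Properties,
			Property{Name: AdditionalCPEProperty, Value: c.String()})
	}
	return comp
}

func main() {
	// Constructed input: three candidate CPEs for one package, one of which
	// carries a '+' that must be escaped in the formatted string.
	cpes := []CPE{
		{Part: "a", Vendor: "example", Product: "widget"},
		{Part: "a", Vendor: "example", Product: "widget", Version: "1.2.3", TargetSW: "node.js"},
		{Part: "a", Vendor: "example", Product: "widget+plus", Version: "1.2.3"},
	}
	out, _ := json.MarshalIndent(NewComponent("widget", "1.2.3", cpes), "", "  ")
	fmt.Println(string(out))
}
```

Running it prints a component whose `cpe` is the fully qualified candidate (`cpe:2.3:a:example:widget:1.2.3:*:*:*:*:node.js:*:*`) and two `example:cpe23` properties for the rest, with `widget+plus` rendered as `widget\+plus`. A lone `-` value is passed through unescaped because in the formatted string it means NA; if a consumer needs a literal hyphen-only value, that ambiguity has to be handled before this function.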