From 29819b503530f51840352833c631047c85bffc17 Mon Sep 17 00:00:00 2001
From: Jan Koscielniak
Date: Fri, 25 Oct 2024 14:42:59 +0200
Subject: [PATCH] Add externalReferences field to SBOM component

externalReferences of type distribution are now available to be a part of a component SBOM. This specific type is used for recording the download url and can be used to perform gating on the SBOM by tools that consume it.

Docs: https://cyclonedx.org/docs/1.6/json/#components_items_externalReferences

Signed-off-by: Jan Koscielniak
---
 cachi2/core/models/sbom.py | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/cachi2/core/models/sbom.py b/cachi2/core/models/sbom.py
index 3df1ca624..0152513e3 100644
--- a/cachi2/core/models/sbom.py
+++ b/cachi2/core/models/sbom.py
@@ -21,6 +21,13 @@ class Property(pydantic.BaseModel):
     value: str
 
 
+class ExternalReference(pydantic.BaseModel):
+    """An ExternalReference inside an SBOM component."""
+
+    url: str
+    type: Literal["distribution"] = "distribution"
+
+
 FOUND_BY_CACHI2_PROPERTY: Property = Property(name="cachi2:found_by", value="cachi2")
 
 
@@ -35,7 +42,10 @@ class Component(pydantic.BaseModel):
     purl: str
     version: Optional[str] = None
     properties: list[Property] = pydantic.Field(default_factory=list, validate_default=True)
-    type: Literal["library"] = "library"
+    type: Literal["library", "file"] = "library"
+    external_references: Optional[list[ExternalReference]] = pydantic.Field(
+        serialization_alias="externalReferences", default=None
+    )
 
     def key(self) -> str:
         """Uniquely identifies a package.
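Review bot: `ExternalReference.url` is a bare `str`, so an empty or malformed value is accepted and serialized unchanged, which matters because the commit message says downstream tools will gate on this field. A minimal check such as `url: str = pydantic.Field(min_length=1)` rejects the empty case without changing the serialized shape; a stricter URL type is possible but may alter how the value round-trips, so that is a separate decision. The class docstring should also say why `type` is pinned to `"distribution"` rather than the wider CycloneDX enum, e.g. `"""A CycloneDX externalReference on a component; only the "distribution" type (download location) is emitted."""`. The linked spec also allows `hashes` alongside `url`; without them a consumer can only gate on the URL string, not verify what was fetched — worth stating in the docstring if that is the intended scope.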
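Review bot: The widening of `Component.type` from `Literal["library"]` to `Literal["library", "file"]` is not mentioned in the commit message or in the field's surrounding documentation, yet it changes what the model accepts from every caller; a short comment such as `# "file" is accepted for components that point at a downloaded artifact rather than a package` (adjusted to the real intent) and a sentence in the commit message would make the change reviewable. Because `external_references` defaults to `None`, the serialized output will presumably contain `"externalReferences": null` unless the dump uses `exclude_none`; confirm against the call site that produces the SBOM. `Component.key()` begins in this hunk but its body is outside it, so whether two components that differ only in `external_references` still collapse to one key cannot be checked here and should be stated in `key`'s docstring.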