From 8402313ec563e070c22344aa7a0782ebb9c68f77 Mon Sep 17 00:00:00 2001
From: Elias Lundell
Date: Wed, 12 Jun 2024 15:35:00 +0200
Subject: [PATCH 1/7] Sort components, dependencies and dependsOn for cyclonedx bom

---
 entities/buildinfo.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/entities/buildinfo.go b/entities/buildinfo.go
index c2dc31af..170b751f 100644
--- a/entities/buildinfo.go
+++ b/entities/buildinfo.go
@@ -8,6 +8,7 @@ import (
 "regexp"
 "strings"
 "time"
+ "sort"
 
 cdx "github.com/CycloneDX/cyclonedx-go"
 "github.com/jfrog/gofrog/stringutils"
@@ -200,13 +201,24 @@ func (targetBuildInfo *BuildInfo) ToCycloneDxBom() (*cdx.BOM, error) {
 }
 }
 
+ sort.Slice(components, func (i, j int) bool {
+ return components[i].BOMRef < components[j].BOMRef
+ })
+
 // Convert the map of dependencies to CycloneDX dependency objects
 var dependencies []cdx.Dependency
 for compRef, deps := range depMap {
 depsSlice := maps.Keys(deps)
+ sort.Slice(depsSlice, func (i, j int) bool {
+ return depsSlice[i] < depsSlice[j]
+ })
 dependencies = append(dependencies, cdx.Dependency{Ref: compRef, Dependencies: &depsSlice})
 }
 
+ sort.Slice(dependencies, func(i, j int) bool {
+ return dependencies[i].Ref < dependencies[j].Ref
+ })
+
 bom := cdx.NewBOM()
 bom.Components = &components
 bom.Dependencies = &dependencies

From acc87ab051547537ec71c5f95b72aa1aab39962a Mon Sep 17 00:00:00 2001
From: Elias Lundell
Date: Wed, 12 Jun 2024 15:38:58 +0200
Subject: [PATCH 2/7] gofmt

---
 entities/buildinfo.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/entities/buildinfo.go b/entities/buildinfo.go
index 170b751f..6f0144bb 100644
--- a/entities/buildinfo.go
+++ b/entities/buildinfo.go
@@ -6,9 +6,9 @@ import (
 "golang.org/x/exp/maps"
 "golang.org/x/exp/slices"
 "regexp"
+ "sort"
 "strings"
 "time"
- "sort"
 
 cdx "github.com/CycloneDX/cyclonedx-go"
 "github.com/jfrog/gofrog/stringutils"
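Review bot: `sort.Slice(components, ...)` at the top of the ToCycloneDxBom hunk is not a stable sort, so two components that happen to share a BOMRef can still be emitted in either order and the BOM stays nondeterministic for that input, which is the very property this commit is meant to establish (whether duplicate BOMRefs can reach this point depends on the component loop above the hunk, which is outside it); `sort.SliceStable(components, ...)` closes that gap, and the `dependencies` sort is unaffected because its `Ref` values are map keys and therefore unique. The `depsSlice` comparator is a hand-written string `<`; the file already imports `golang.org/x/exp/slices`, so `slices.Sort(depsSlice)` expresses the same thing without a closure and would make the new `sort` import unnecessary. A why-comment above the first sort would tell the next reader what the ordering guarantee is for: `// Sort components, dependencies and each dependsOn list so identical input yields an identical BOM (diffable, reproducible hash/signature).` Patch 4/7 re-applies this same hunk verbatim and the same remarks apply there.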
@@ -201,7 +201,7 @@ func (targetBuildInfo *BuildInfo) ToCycloneDxBom() (*cdx.BOM, error) {
 }
 }
 
- sort.Slice(components, func (i, j int) bool {
+ sort.Slice(components, func(i, j int) bool {
 return components[i].BOMRef < components[j].BOMRef
 })
 
@@ -209,7 +209,7 @@ func (targetBuildInfo *BuildInfo) ToCycloneDxBom() (*cdx.BOM, error) {
 var dependencies []cdx.Dependency
 for compRef, deps := range depMap {
 depsSlice := maps.Keys(deps)
- sort.Slice(depsSlice, func (i, j int) bool {
+ sort.Slice(depsSlice, func(i, j int) bool {
 return depsSlice[i] < depsSlice[j]
 })
 dependencies = append(dependencies, cdx.Dependency{Ref: compRef, Dependencies: &depsSlice})

From d12adf16b7348feab12dc21dc2c15fe8206e54aa Mon Sep 17 00:00:00 2001
From: Elias Lundell
Date: Wed, 12 Jun 2024 17:20:53 +0200
Subject: [PATCH 3/7] make sure cyclonedx bom are sorted

---
 entities/buildinfo_test.go | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/entities/buildinfo_test.go b/entities/buildinfo_test.go
index 8427e5da..76847746 100644
--- a/entities/buildinfo_test.go
+++ b/entities/buildinfo_test.go
@@ -2,6 +2,7 @@ package entities
 
 import (
 "reflect"
+ "sort"
 "testing"
 
 "github.com/stretchr/testify/assert"
@@ -239,3 +240,36 @@ func TestAppend(t *testing.T) {
 assert.NoError(t, err)
 assert.True(t, results)
 }
+
+func TestToCycloneDxBOM(t *testing.T) {
+ dependencyA := Dependency{Id: "dependency-a", Checksum: Checksum{Sha1: "dependency-a-sha"}, RequestedBy: [][]string{{"dependency-c"}}}
+ dependencyB := Dependency{Id: "dependency-b", Checksum: Checksum{Sha1: "dependency-b-sha"}, RequestedBy: [][]string{{"dependency-b"}, {"dependency-c"}}}
+ dependencyC := Dependency{Id: "dependency-c", Checksum: Checksum{Sha1: "dependency-c-sha"}}
+
+ buildInfo := BuildInfo{
+ Modules: []Module{{
+ Id: "module-id1",
+ Dependencies: []Dependency{dependencyC, dependencyB, dependencyA},
+ }},
+ }
+
+ cdxBom, err := buildInfo.ToCycloneDxBom()
+
+ assert.NoError(t, err)
+ componentsIsSorted := sort.SliceIsSorted(*cdxBom.Components, func(i, j int) bool {
+ return (*cdxBom.Components)[i].BOMRef < (*cdxBom.Components)[j].BOMRef
+ })
+ assert.True(t, componentsIsSorted)
+
+ dependenciesIsSorted := sort.SliceIsSorted(*cdxBom.Dependencies, func(i, j int) bool {
+ return (*cdxBom.Dependencies)[i].Ref < (*cdxBom.Dependencies)[j].Ref
+ })
+ assert.True(t, dependenciesIsSorted)
+
+ for _, dep := range *cdxBom.Dependencies {
+ dependsOnIsSorted := sort.SliceIsSorted(*dep.Dependencies, func(i, j int) bool {
+ return (*dep.Dependencies)[i] < (*dep.Dependencies)[j]
+ })
+ assert.True(t, dependsOnIsSorted)
+ }
+}

From 07aa5f14a63f8dcc33f3ecadbfaabe981326c2f4 Mon Sep 17 00:00:00 2001
From: Elias Lundell
Date: Wed, 12 Jun 2024 15:35:00 +0200
Subject: [PATCH 4/7] Sort components, dependencies and dependsOn for cyclonedx bom

---
 entities/buildinfo.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/entities/buildinfo.go b/entities/buildinfo.go
index 6221dde3..e40a5e37 100644
--- a/entities/buildinfo.go
+++ b/entities/buildinfo.go
@@ -8,6 +8,7 @@ import (
 "regexp"
 "strings"
 "time"
+ "sort"
 
 cdx "github.com/CycloneDX/cyclonedx-go"
 "github.com/jfrog/gofrog/stringutils"
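Review bot: TestToCycloneDxBOM only asserts that the three lists are sorted and never pins their contents, so a BOM that dropped or duplicated a component, or that emitted the wrong dependsOn edges, would still pass; comparing the BOMRef list and each `Dependencies` slice against the exact expected values (the three dependency ids in ascending order, plus whatever component the module itself becomes) would make the test check the conversion and not just the ordering. `assert.NoError(t, err)` does not stop the test, so if ToCycloneDxBom ever returns an error the following `*cdxBom.Components` dereference presumably panics instead of failing with a message; `require.NoError(t, err)` from the same testify module is the usual fix. `dependencyB` lists itself in `RequestedBy` — if that self-reference is a typo for `dependency-a` the fixture is weaker than intended, and if it is deliberately exercising a self-cycle a one-line comment saying so would save the next reader the question. Patch 6/7 re-applies this same test verbatim and the same remarks apply there.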
@@ -200,13 +201,24 @@ func (targetBuildInfo *BuildInfo) ToCycloneDxBom() (*cdx.BOM, error) {
 }
 }
 
+ sort.Slice(components, func (i, j int) bool {
+ return components[i].BOMRef < components[j].BOMRef
+ })
+
 // Convert the map of dependencies to CycloneDX dependency objects
 var dependencies []cdx.Dependency
 for compRef, deps := range depMap {
 depsSlice := maps.Keys(deps)
+ sort.Slice(depsSlice, func (i, j int) bool {
+ return depsSlice[i] < depsSlice[j]
+ })
 dependencies = append(dependencies, cdx.Dependency{Ref: compRef, Dependencies: &depsSlice})
 }
 
+ sort.Slice(dependencies, func(i, j int) bool {
+ return dependencies[i].Ref < dependencies[j].Ref
+ })
+
 bom := cdx.NewBOM()
 bom.Components = &components
 bom.Dependencies = &dependencies

From 5a0022c0816fe1da67028286a9d60809efe4d4f3 Mon Sep 17 00:00:00 2001
From: Elias Lundell
Date: Wed, 12 Jun 2024 15:38:58 +0200
Subject: [PATCH 5/7] gofmt

---
 entities/buildinfo.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/entities/buildinfo.go b/entities/buildinfo.go
index e40a5e37..f330ac54 100644
--- a/entities/buildinfo.go
+++ b/entities/buildinfo.go
@@ -6,9 +6,9 @@ import (
 "golang.org/x/exp/maps"
 "golang.org/x/exp/slices"
 "regexp"
+ "sort"
 "strings"
 "time"
- "sort"
 
 cdx "github.com/CycloneDX/cyclonedx-go"
 "github.com/jfrog/gofrog/stringutils"
@@ -201,7 +201,7 @@ func (targetBuildInfo *BuildInfo) ToCycloneDxBom() (*cdx.BOM, error) {
 }
 }
 
- sort.Slice(components, func (i, j int) bool {
+ sort.Slice(components, func(i, j int) bool {
 return components[i].BOMRef < components[j].BOMRef
 })
 
@@ -209,7 +209,7 @@ func (targetBuildInfo *BuildInfo) ToCycloneDxBom() (*cdx.BOM, error) {
 var dependencies []cdx.Dependency
 for compRef, deps := range depMap {
 depsSlice := maps.Keys(deps)
- sort.Slice(depsSlice, func (i, j int) bool {
+ sort.Slice(depsSlice, func(i, j int) bool {
 return depsSlice[i] < depsSlice[j]
 })
 dependencies = append(dependencies, cdx.Dependency{Ref: compRef, Dependencies: &depsSlice})
From e1bb16d5742173cb59ee463312f455f91f296f39 Mon Sep 17 00:00:00 2001
From: Elias Lundell
Date: Wed, 12 Jun 2024 17:20:53 +0200
Subject: [PATCH 6/7] make sure cyclonedx bom are sorted

---
 entities/buildinfo_test.go | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/entities/buildinfo_test.go b/entities/buildinfo_test.go
index 8427e5da..76847746 100644
--- a/entities/buildinfo_test.go
+++ b/entities/buildinfo_test.go
@@ -2,6 +2,7 @@ package entities
 
 import (
 "reflect"
+ "sort"
 "testing"
 
 "github.com/stretchr/testify/assert"
@@ -239,3 +240,36 @@ func TestAppend(t *testing.T) {
 assert.NoError(t, err)
 assert.True(t, results)
 }
+
+func TestToCycloneDxBOM(t *testing.T) {
+ dependencyA := Dependency{Id: "dependency-a", Checksum: Checksum{Sha1: "dependency-a-sha"}, RequestedBy: [][]string{{"dependency-c"}}}
+ dependencyB := Dependency{Id: "dependency-b", Checksum: Checksum{Sha1: "dependency-b-sha"}, RequestedBy: [][]string{{"dependency-b"}, {"dependency-c"}}}
+ dependencyC := Dependency{Id: "dependency-c", Checksum: Checksum{Sha1: "dependency-c-sha"}}
+
+ buildInfo := BuildInfo{
+ Modules: []Module{{
+ Id: "module-id1",
+ Dependencies: []Dependency{dependencyC, dependencyB, dependencyA},
+ }},
+ }
+
+ cdxBom, err := buildInfo.ToCycloneDxBom()
+
+ assert.NoError(t, err)
+ componentsIsSorted := sort.SliceIsSorted(*cdxBom.Components, func(i, j int) bool {
+ return (*cdxBom.Components)[i].BOMRef < (*cdxBom.Components)[j].BOMRef
+ })
+ assert.True(t, componentsIsSorted)
+
+ dependenciesIsSorted := sort.SliceIsSorted(*cdxBom.Dependencies, func(i, j int) bool {
+ return (*cdxBom.Dependencies)[i].Ref < (*cdxBom.Dependencies)[j].Ref
+ })
+ assert.True(t, dependenciesIsSorted)
+
+ for _, dep := range *cdxBom.Dependencies {
+ dependsOnIsSorted := sort.SliceIsSorted(*dep.Dependencies, func(i, j int) bool {
+ return (*dep.Dependencies)[i] < (*dep.Dependencies)[j]
+ })
+ assert.True(t, dependsOnIsSorted)
+ }
+}
From 334562875db7ed67d3c9da9ae1cef45656aa5435 Mon Sep 17 00:00:00 2001
From: Elias Lundell <36220731+LogFlames@users.noreply.github.com>
Date: Mon, 17 Jun 2024 19:21:22 +0200
Subject: [PATCH 7/7] Fix newlined

Accidental newline between functioncall and assert.NoError

---
 entities/buildinfo_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/entities/buildinfo_test.go b/entities/buildinfo_test.go
index 76847746..c14945f4 100644
--- a/entities/buildinfo_test.go
+++ b/entities/buildinfo_test.go
@@ -254,8 +254,8 @@ func TestToCycloneDxBOM(t *testing.T) {
 }
 
 cdxBom, err := buildInfo.ToCycloneDxBom()
-
 assert.NoError(t, err)
+
 componentsIsSorted := sort.SliceIsSorted(*cdxBom.Components, func(i, j int) bool {
 return (*cdxBom.Components)[i].BOMRef < (*cdxBom.Components)[j].BOMRef
 })