fix: support other versions of cyclonedx (#45)

b31ngd3v · web-flow · commit d776d5284a7f · 2023-10-11T08:44:06.000-07:00
diff --git a/src/cve_bin_tool.py b/src/cve_bin_tool.py
@@ -3,6 +3,7 @@
 
 import glob
 import json
+import re
 import subprocess
 import tempfile
 from pathlib import Path
@@ -197,13 +198,17 @@ def sbom_finder(directory):
                         "bomFormat" in json_data
                         and "specVersion" in json_data
                         and json_data["bomFormat"] == "CycloneDX"
-                        and json_data["specVersion"] == "1.3"
                     ):
-                        sboms.append({"file": file, "type": "cyclonedx"})
+                        try:
+                            spec_version = float(json_data["specVersion"])
+                        except Exception:
+                            spec_version = 0
+                        if spec_version >= 1.3 and spec_version <= 1.5:
+                            sboms.append({"file": file, "type": "cyclonedx"})
             elif file.endswith(".xml"):
                 with open(file) as fd:
                     data = fd.read()
-                    if data.find("cyclonedx.org/schema/bom/1.3") != -1:
+                    if re.search(r"cyclonedx\.org\/schema\/bom\/1\.[3-5]", data):
                         sboms.append({"file": file, "type": "cyclonedx"})
                     elif (
                         data.find("standards.iso.org/iso/19770/-2/2015/schema.xsd")
diff --git a/test/sbom/cyclonedx_test.xml b/test/sbom/cyclonedx_test.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.3"
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4"
      serialNumber="urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79"
      version="1">
   <components>
@@ -24,4 +24,4 @@
       <version>2.11.1</version>
     </component>
   </components>
-</bom>
+</bom>
diff --git a/test/sbom/cyclonedx_test2.json b/test/sbom/cyclonedx_test2.json
@@ -1,6 +1,6 @@
 {
   "bomFormat": "CycloneDX",
-  "specVersion": "1.3",
+  "specVersion": "1.5",
   "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
   "version": 1,
   "components": [
@@ -46,4 +46,4 @@
       "description": "On board firmware"
     }
   ]
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"bomFormat": "CycloneDX",`
`3`		`- "specVersion": "1.3",`
	`3`	`+ "specVersion": "1.5",`
`4`	`4`	`"serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",`
`5`	`5`	`"version": 1,`
`6`	`6`	`"components": [`
`@@ -46,4 +46,4 @@`
`46`	`46`	`"description": "On board firmware"`
`47`	`47`	`}`
`48`	`48`	`]`
`49`		`-}`
	`49`	`+}`