Cyclonedx support (guacsec#140)

* cdx support Signed-off-by: Nadgowda, Shripad <[email protected]> * changed node type for image Signed-off-by: Nadgowda, Shripad <[email protected]> * test cases added Signed-off-by: Nadgowda, Shripad <[email protected]> * typos fixed and tests added Signed-off-by: Nadgowda, Shripad <[email protected]> * added copyright notice Signed-off-by: Nadgowda, Shripad <[email protected]> Signed-off-by: pxp928 <[email protected]> Signed-off-by: Nadgowda, Shripad <[email protected]> Signed-off-by: pxp928 <[email protected]>
nguyennp · Oct 12, 2022 · 181efde · 181efde
1 parent 49ed0bb
commit 181efde
Show file tree

Hide file tree

Showing 20 changed files with 21,392 additions and 0 deletions.
diff --git a/go.mod b/go.mod
@@ -101,6 +101,7 @@ require (
 )
 
 require (
+	github.com/CycloneDX/cyclonedx-go v0.7.0
 	github.com/ossf/scorecard/v4 v4.7.0
 	github.com/sigstore/sigstore v1.4.3
 	github.com/spdx/tools-golang v0.3.1-0.20221003161519-fb7fe8874d01

diff --git a/go.sum b/go.sum
@@ -126,6 +126,8 @@ github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBp
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
+github.com/CycloneDX/cyclonedx-go v0.7.0 h1:jNxp8hL7UpcvPDFXjY+Y1ibFtsW+e5zyF9QoSmhK/zg=
+github.com/CycloneDX/cyclonedx-go v0.7.0/go.mod h1:W5Z9w8pTTL+t+yG3PCiFRGlr8PUlE0pGWzKSJbsyXkg=
 github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24/go.mod h1:4UJr5HIiMZrwgkSPdsjy2uOQExX/WEILpIrO9UPGuXs=
 github.com/GoogleCloudPlatform/cloudsql-proxy v1.29.0/go.mod h1:spvB9eLJH9dutlbPSRmHvSXXHOwGRyeXh1jVdquA2G8=
 github.com/Masterminds/goutils v1.1.0/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
@@ -220,6 +222,7 @@ github.com/bombsimon/logrusr/v2 v2.0.1/go.mod h1:ByVAX+vHdLGAfdroiMg6q0zgq2FODY2
 github.com/bombsimon/wsl/v3 v3.3.0/go.mod h1:st10JtZYLE4D5sC7b8xV4zTKZwAQjCH/Hy2Pm1FNZIc=
 github.com/bradleyfalzon/ghinstallation/v2 v2.1.0 h1:5+NghM1Zred9Z078QEZtm28G/kfDfZN/92gkDlLwGVA=
 github.com/bradleyfalzon/ghinstallation/v2 v2.1.0/go.mod h1:Xg3xPRN5Mcq6GDqeUVhFbjEWMb4JHCyWEeeBGEYQoTU=
+github.com/bradleyjkemp/cupaloy/v2 v2.8.0 h1:any4BmKE+jGIaMpnU8YgH/I2LPiLBufr6oMMlVBbn9M=
 github.com/breml/bidichk v0.1.1/go.mod h1:zbfeitpevDUGI7V91Uzzuwrn4Vls8MoBMrwtt78jmso=
 github.com/butuzov/ireturn v0.1.1/go.mod h1:Wh6Zl3IMtTpaIKbmwzqi6olnM9ptYQxxVacMsOEFPoc=
 github.com/caarlos0/env/v6 v6.10.0 h1:lA7sxiGArZ2KkiqpOQNf8ERBRWI+v8MWIH+eGjSN22I=

diff --git a/internal/testing/ingestor/testdata/testdata.go b/internal/testing/ingestor/testdata/testdata.go
@@ -244,6 +244,55 @@ var (
 			ContainedArtifact: rsaPubFile,
 		},
 	}
+
+	// CycloneDX Testdata
+
+	cdxTopLevelPack = assembler.PackageNode{
+		Name:   "gcr.io/distroless/static:nonroot",
+		Digest: []string{"sha256:6ad5b696af3ca05a048bd29bf0f623040462638cb0b29c8d702cbb2805687388"},
+		Purl:   "pkg:oci/static:nonroot?repository_url=gcr.io/distroless",
+		CPEs:   nil,
+	}
+
+	cdxTzdataPack = assembler.PackageNode{
+		Name:   "tzdata",
+		Digest: nil,
+		Purl:   "pkg:deb/debian/tzdata@2021a-1+deb11u6?arch=all&distro=debian-11",
+		CPEs: []string{
+			"cpe:2.3:a:tzdata:tzdata:2021a-1\\+deb11u6:*:*:*:*:*:*:*"},
+	}
+
+	cdxNetbasePack = assembler.PackageNode{
+		Name:   "netbase",
+		Digest: nil,
+		Purl:   "pkg:deb/debian/[email protected]?arch=all&distro=debian-11",
+		CPEs: []string{
+			"cpe:2.3:a:netbase:netbase:6.3:*:*:*:*:*:*:*"},
+	}
+
+	cdxBasefilesPack = assembler.PackageNode{
+		Name:   "base-files",
+		Digest: nil,
+		Purl:   "pkg:deb/debian/[email protected]+deb11u5?arch=amd64&distro=debian-11",
+		CPEs: []string{
+			"cpe:2.3:a:base-files:base-files:11.1\\+deb11u5:*:*:*:*:*:*:*"},
+	}
+
+	CycloneDXNodes = []assembler.GuacNode{cdxTopLevelPack, cdxBasefilesPack, cdxNetbasePack, cdxTzdataPack}
+	CyloneDXEdges  = []assembler.GuacEdge{
+		assembler.DependsOnEdge{
+			PackageNode:       cdxBasefilesPack,
+			PackageDependency: cdxTopLevelPack,
+		},
+		assembler.DependsOnEdge{
+			PackageNode:       cdxNetbasePack,
+			PackageDependency: cdxTopLevelPack,
+		},
+		assembler.DependsOnEdge{
+			PackageNode:       cdxTzdataPack,
+			PackageDependency: cdxTopLevelPack,
+		},
+	}
 )
 
 type mockSigstoreVerifier struct{}

diff --git a/internal/testing/processor/testdata.go b/internal/testing/processor/testdata.go
@@ -39,4 +39,19 @@ var (
 	// Invalid scorecard
 	//go:embed testdata/invalid-scorecard.json
 	ScorecardInvalid []byte
+
+	//go:embed testdata/alpine-cyclonedx.json
+	CycloneDXExampleAlpine []byte
+
+	//go:embed testdata/invalid-cyclonedx.json
+	CycloneDXInvalidExample []byte
+
+	//go:embed testdata/distroless-cyclonedx.json
+	CycloneDXDistrolessExample []byte
+
+	//go:embed testdata/busybox-cyclonedx.json
+	CycloneDXBusyboxExample []byte
+
+	//go:embed testdata/big-mongo-cyclonedx.json
+	CycloneDXBigExample []byte
 )