Add support for CycloneDX 1.5 BOMs

[BoBeR182]

DependencyTrack/dependency-track#2850 lists this project as a dependency.
https://github.com/CycloneDX/cdxgen has support maybe cherrypick commits related to java sections.

[stevespringett]

There are multiple PRs in progress to support 1.5.

[sschuberth]

While writing spec 1.5 SBOMs was added for version 8.0.0 via #316, it seems that the serialized JSON (and XML) do not pass validation as I'm getting

Collection should be empty but contained org.cyclonedx.exception.ParseException: $.metadata.components: is not defined in the schema and the schema does not allow additional properties

for (Kotlin) code

        val metadata = Metadata().apply {
            timestamp = Date()
            toolChoice = ToolInformation().apply {
                components = listOf(
                    Component().apply {
                        type = Component.Type.APPLICATION
                        name = ORT_FULL_NAME
                        version = Environment.ORT_VERSION
                    }
                )
            }
            licenseChoice = LicenseChoice().apply { expression = dataLicense }
        }

[sschuberth]

the serialized JSON (and XML) do not pass validation

@mr-zepol looks like this went unnoticed as the test data still uses the deprecated way to declare tools.

[mr-zepol]

the serialized JSON (and XML) do not pass validation

@mr-zepol looks like this went unnoticed as the test data still uses the deprecated way to declare tools.

This is still valid metadata, the deprecated tool was not removed and from the spec examples ( where those tests were created) they are still valid https://github.com/CycloneDX/specification/blob/master/tools/src/test/resources/1.5/valid-metadata-tool-deprecated-1.5.xml

[mr-zepol]

the test data still uses the deprecated way to declare tools

I will check this and will be back with more info, I am going to try to reproduce it, thanks

[sschuberth]

This is still valid metadata, the deprecated tool was not removed and from the spec examples

Right; what I was trying to say is: If you use the non-deprecated way and declare tools via ToolInformation, tool components get serialized directly under metadata (not nested under tools as required by the spec) which does not pass schema validation, see e.g.

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:1efc6fb4-5b37-4da9-80c9-75a38dec630e",
  "version": 1,
  "metadata": {
    "timestamp": "2023-10-05T05:56:55Z",
    "components": [
      {
        "name": "OSS Review Toolkit",
        "version": "IDE-SNAPSHOT",
        "type": "application"
      }
    ],
    "licenses": [
      {
        "expression": "CC0-1.0"
      }
    ]
  },

[mr-zepol]

This is still valid metadata, the deprecated tool was not removed and from the spec examples

Right; what I was trying to say is: If you use the non-deprecated way and declare tools via ToolInformation, tool components get serialized directly under metadata (not nested under tools as required by the spec) which does not pass schema validation, see e.g.

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:1efc6fb4-5b37-4da9-80c9-75a38dec630e",
  "version": 1,
  "metadata": {
    "timestamp": "2023-10-05T05:56:55Z",
    "components": [
      {
        "name": "OSS Review Toolkit",
        "version": "IDE-SNAPSHOT",
        "type": "application"
      }
    ],
    "licenses": [
      {
        "expression": "CC0-1.0"
      }
    ]
  },

I found the issue, I hope to have a PR soon so it can be merged and have a new release for this, thank you

[sschuberth]

I found the issue, I hope to have a PR soon so it can be merged and have a new release for this

I can confirm that release 8.0.1 fixed the issue, thanks. So I guess this issue can be closed @stevespringett?