feat: support cyclonedx 1.6 (#424)

Signed-off-by: Ruben Romero Montes <[email protected]>

Author: ruromero

pom.xml

@@ -34,7 +34,7 @@
     <!-- Plugins -->
     <quarkus.platform.artifact-id>quarkus-bom</quarkus.platform.artifact-id>
     <quarkus.platform.group-id>io.quarkus.platform</quarkus.platform.group-id>
-    <quarkus.platform.version>3.19.4</quarkus.platform.version>
+    <quarkus.platform.version>3.23.2</quarkus.platform.version>
     <resources-plugin.version>3.3.1</resources-plugin.version>
     <build-helper-maven-plugin.version>3.4.0</build-helper-maven-plugin.version>
     <compiler-plugin.version>3.11.0</compiler-plugin.version>

src/main/java/com/redhat/exhort/integration/backend/sbom/cyclonedx/CycloneDxParser.java

@@ -20,10 +20,8 @@
 
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
-import java.util.List;
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
@@ -89,50 +87,83 @@ private Map<PackageRef, DirectDependency> buildDependencies(
       return buildUnknownDependencies(componentPurls);
     }
 
-    Map<PackageRef, List<PackageRef>> dependencies =
-        bom.getDependencies().stream()
-            .collect(
-                Collectors.toMap(
-                    d -> {
-                      if (componentPurls.get(d.getRef()) == null) {
-                        return rootRef;
-                      }
-                      return componentPurls.get(d.getRef());
-                    },
-                    d -> {
-                      if (d.getDependencies() == null) {
-                        return Collections.emptyList();
-                      }
-                      return d.getDependencies().stream()
-                          .map(dep -> componentPurls.get(dep.getRef()))
-                          .toList();
-                    }));
-    List<PackageRef> directDeps;
+    Map<PackageRef, Set<PackageRef>> dependencies = new HashMap<>();
+    bom.getDependencies()
+        .forEach(
+            d -> {
+              PackageRef ref = componentPurls.getOrDefault(d.getRef(), rootRef);
+              Set<PackageRef> deps = new HashSet<>();
+              if (d.getDependencies() != null) {
+                d.getDependencies()
+                    .forEach(
+                        dep -> {
+                          PackageRef depRef = componentPurls.get(dep.getRef());
+                          if (depRef != null) {
+                            deps.add(depRef);
+                          }
+                        });
+              }
+              dependencies.put(ref, deps);
+            });
+
     addUnknownDependencies(dependencies, componentPurls);
-    if (rootRef != null && dependencies.get(rootRef) != null) {
-      directDeps = dependencies.get(rootRef);
+
+    Set<PackageRef> directDeps;
+    if (rootRef != null && dependencies.containsKey(rootRef)) {
+      directDeps = new HashSet<>(dependencies.get(rootRef));
     } else {
-      directDeps =
-          dependencies.keySet().stream()
-              .filter(depRef -> dependencies.values().stream().noneMatch(d -> d.contains(depRef)))
-              .toList();
+      directDeps = new HashSet<>(dependencies.keySet());
+      dependencies.values().forEach(directDeps::removeAll);
     }
 
-    return directDeps.stream()
-        .map(directRef -> toDirectDependency(directRef, dependencies))
-        .collect(Collectors.toMap(DirectDependency::ref, d -> d));
+    componentPurls.values().stream()
+        .filter(Predicate.not(dependencies::containsKey))
+        .forEach(directDeps::add);
+
+    Map<PackageRef, DirectDependency> result = new HashMap<>();
+    directDeps.forEach(
+        directRef -> {
+          Set<PackageRef> transitiveRefs = new HashSet<>();
+          findTransitiveIterative(directRef, dependencies, transitiveRefs);
+          result.put(
+              directRef,
+              DirectDependency.builder().ref(directRef).transitive(transitiveRefs).build());
+        });
+
+    return result;
   }
 
   private void addUnknownDependencies(
-      Map<PackageRef, List<PackageRef>> dependencies, Map<String, PackageRef> componentPurls) {
+      Map<PackageRef, Set<PackageRef>> dependencies, Map<String, PackageRef> componentPurls) {
     Set<PackageRef> knownDeps = new HashSet<>(dependencies.keySet());
-    dependencies.values().forEach(v -> knownDeps.addAll(v));
+    dependencies.values().forEach(knownDeps::addAll);
     componentPurls.values().stream()
         .filter(Predicate.not(knownDeps::contains))
-        .forEach(d -> dependencies.put(d, Collections.emptyList()));
+        .forEach(d -> dependencies.put(d, new HashSet<>()));
+  }
+
+  private void findTransitiveIterative(
+      PackageRef startRef, Map<PackageRef, Set<PackageRef>> dependencies, Set<PackageRef> acc) {
+    Set<PackageRef> toProcess = new HashSet<>();
+    toProcess.add(startRef);
+
+    while (!toProcess.isEmpty()) {
+      PackageRef current = toProcess.iterator().next();
+      toProcess.remove(current);
+
+      Set<PackageRef> deps = dependencies.get(current);
+      if (deps != null) {
+        deps.stream()
+            .filter(d -> !acc.contains(d))
+            .forEach(
+                d -> {
+                  acc.add(d);
+                  toProcess.add(d);
+                });
+      }
+    }
   }
 
-  // The SBOM generator does not have info about the dependency hierarchy
   private Map<PackageRef, DirectDependency> buildUnknownDependencies(
       Map<String, PackageRef> componentPurls) {
     Map<PackageRef, DirectDependency> deps = new HashMap<>();
@@ -148,29 +179,6 @@ private Map<PackageRef, DirectDependency> buildUnknownDependencies(
     return deps;
   }
 
-  private DirectDependency toDirectDependency(
-      PackageRef directRef, Map<PackageRef, List<PackageRef>> dependencies) {
-    var transitiveRefs = new HashSet<PackageRef>();
-    findTransitive(directRef, dependencies, transitiveRefs);
-    var transitive = new HashSet<>(transitiveRefs.stream().toList());
-    return DirectDependency.builder().ref(directRef).transitive(transitive).build();
-  }
-
-  private void findTransitive(
-      PackageRef ref, Map<PackageRef, List<PackageRef>> dependencies, Set<PackageRef> acc) {
-    var deps = dependencies.get(ref);
-    if (deps == null || deps.isEmpty()) {
-      return;
-    }
-    deps.stream()
-        .filter(d -> !acc.contains(d))
-        .forEach(
-            d -> {
-              acc.add(d);
-              findTransitive(d, dependencies, acc);
-            });
-  }
-
   private Bom parseBom(InputStream input) {
     try {
       JsonNode node = MAPPER.readTree(input);
@@ -196,21 +204,15 @@ private Version parseSchemaVersion(String version) throws ParseException {
     if (version == null) {
       throw new ParseException("Missing CycloneDX Spec Version");
     }
-    switch (version) {
-      case "1.5":
-        return Version.VERSION_15;
-      case "1.4":
-        return Version.VERSION_14;
-      case "1.3":
-        return Version.VERSION_13;
-      case "1.2":
-        return Version.VERSION_12;
-      case "1.1":
-        return Version.VERSION_11;
-      case "1.0":
-        return Version.VERSION_10;
-      default:
-        throw new ParseException("Invalid Spec Version received");
-    }
+    return switch (version) {
+      case "1.6" -> Version.VERSION_16;
+      case "1.5" -> Version.VERSION_15;
+      case "1.4" -> Version.VERSION_14;
+      case "1.3" -> Version.VERSION_13;
+      case "1.2" -> Version.VERSION_12;
+      case "1.1" -> Version.VERSION_11;
+      case "1.0" -> Version.VERSION_10;
+      default -> throw new ParseException("Invalid Spec Version received");
+    };
   }
 }

src/test/java/com/redhat/exhort/integration/backend/sbom/cyclonedx/CycloneDxParserTest.java

@@ -0,0 +1,152 @@
+/*
+ * Copyright 2025 Red Hat, Inc. and/or its affiliates
+ * and other contributors as indicated by the @author tags.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.redhat.exhort.integration.backend.sbom.cyclonedx;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.util.Map;
+import java.util.Set;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+import com.redhat.exhort.api.PackageRef;
+import com.redhat.exhort.config.exception.CycloneDXValidationException;
+import com.redhat.exhort.model.DependencyTree;
+import com.redhat.exhort.model.DirectDependency;
+
+class CycloneDxParserTest {
+
+  private static final String TEST_RESOURCES_PATH = "/cyclonedx/";
+
+  @Test
+  void testParseValidSbom() throws IOException {
+    CycloneDxParser parser = new CycloneDxParser();
+    try (InputStream input =
+        getClass().getResourceAsStream(TEST_RESOURCES_PATH + "valid-1.6.json")) {
+      assertNotNull(input, "Test resource not found");
+
+      DependencyTree tree = parser.buildTree(input);
+      Map<PackageRef, DirectDependency> dependencies = tree.dependencies();
+
+      // Verify direct dependencies
+      PackageRef dep1 = new PackageRef("pkg:maven/com.example/[email protected]");
+      PackageRef dep2 = new PackageRef("pkg:maven/com.example/[email protected]");
+      PackageRef transitive = new PackageRef("pkg:maven/com.example/[email protected]");
+
+      assertTrue(dependencies.containsKey(dep1));
+      assertTrue(dependencies.containsKey(dep2));
+
+      // Verify transitive dependencies
+      DirectDependency dep1Dependency = dependencies.get(dep1);
+      Set<PackageRef> dep1Transitive = dep1Dependency.transitive();
+      assertEquals(1, dep1Transitive.size());
+      assertTrue(dep1Transitive.contains(transitive));
+
+      // Verify dep2 has no transitive dependencies
+      DirectDependency dep2Dependency = dependencies.get(dep2);
+      assertTrue(dep2Dependency.transitive().isEmpty());
+    }
+  }
+
+  @Test
+  void testParseSbomWithUnknownDependencies() throws IOException {
+    CycloneDxParser parser = new CycloneDxParser();
+    try (InputStream input =
+        getClass().getResourceAsStream(TEST_RESOURCES_PATH + "unknown-deps.json")) {
+      assertNotNull(input, "Test resource not found");
+
+      DependencyTree tree = parser.buildTree(input);
+      Map<PackageRef, DirectDependency> dependencies = tree.dependencies();
+
+      PackageRef known = new PackageRef("pkg:maven/com.example/[email protected]");
+      PackageRef unknown = new PackageRef("pkg:maven/com.example/[email protected]");
+
+      // Verify both known and unknown dependencies are present
+      assertTrue(dependencies.containsKey(known));
+      assertTrue(dependencies.containsKey(unknown));
+
+      // Verify unknown dependency has no transitive dependencies
+      DirectDependency unknownDependency = dependencies.get(unknown);
+      assertTrue(unknownDependency.transitive().isEmpty());
+    }
+  }
+
+  @Test
+  void testParseInvalidSbom() throws IOException {
+    CycloneDxParser parser = new CycloneDxParser();
+    try (InputStream input =
+        getClass().getResourceAsStream(TEST_RESOURCES_PATH + "invalid-sbom.json")) {
+      assertNotNull(input, "Test resource not found");
+      var exception =
+          assertThrows(CycloneDXValidationException.class, () -> parser.buildTree(input));
+      assertNotNull(exception.getMessage());
+    }
+  }
+
+  @ParameterizedTest
+  @ValueSource(strings = {"1.0", "1.1", "1.2", "1.3", "1.4", "1.5", "1.6"})
+  void testSupportedVersions(String version) throws IOException {
+    String resourcePath = TEST_RESOURCES_PATH + "empty-sbom.json";
+    CycloneDxParser parser = new CycloneDxParser();
+    try (InputStream input = getClass().getResourceAsStream(resourcePath)) {
+      assertNotNull(input, "Test resource not found");
+
+      // Read the file content and replace the version
+      String content =
+          new String(input.readAllBytes(), StandardCharsets.UTF_8)
+              .replace("\"specVersion\": \"1.6\"", "\"specVersion\": \"" + version + "\"");
+
+      // Create a new input stream with the modified content
+      try (InputStream modifiedInput =
+          new java.io.ByteArrayInputStream(content.getBytes(StandardCharsets.UTF_8))) {
+        DependencyTree tree = parser.buildTree(modifiedInput);
+        assertNotNull(tree);
+        assertTrue(tree.dependencies().isEmpty());
+      }
+    }
+  }
+
+  @Test
+  void testUnsupportedVersion() throws IOException {
+    String resourcePath = TEST_RESOURCES_PATH + "empty-sbom.json";
+    CycloneDxParser parser = new CycloneDxParser();
+    try (InputStream input = getClass().getResourceAsStream(resourcePath)) {
+      assertNotNull(input, "Test resource not found");
+
+      String content =
+          new String(input.readAllBytes(), StandardCharsets.UTF_8)
+              .replace("\"specVersion\" : \"1.6\"", "\"specVersion\": \"2.0\"");
+
+      try (InputStream modifiedInput =
+          new java.io.ByteArrayInputStream(content.getBytes(StandardCharsets.UTF_8))) {
+        CycloneDXValidationException exception =
+            assertThrows(CycloneDXValidationException.class, () -> parser.buildTree(modifiedInput));
+        assertNotNull(exception.getMessage());
+      }
+    }
+  }
+}

src/test/resources/application.properties

@@ -3,4 +3,5 @@ quarkus.log.category."com.github.tomakehurst".level=DEBUG
 telemetry.disabled=true
 api.ossindex.disabled=false
 api.snyk.disabled=false
-quarkus.oidc-client.tpa.enabled=false
+quarkus.oidc-client.tpa.enabled=false
+quarkus.hibernate-orm.persistence-xml.ignore=true

src/test/resources/cyclonedx/empty-sbom.json

@@ -1,6 +1,6 @@
 {
     "bomFormat" : "CycloneDX",
-    "specVersion" : "1.4",
+    "specVersion" : "1.6",
     "serialNumber" : "urn:uuid:21e8d828-b07f-4fd3-bd14-0458f7188d40",
     "version" : 1,
     "metadata" : {

src/test/resources/cyclonedx/unknown-deps.json

@@ -0,0 +1,27 @@
+{
+    "bomFormat": "CycloneDX",
+    "specVersion": "1.6",
+    "version": 1,
+    "components": [
+        {
+            "bom-ref": "pkg:maven/com.example/[email protected]",
+            "type": "library",
+            "name": "known",
+            "version": "1.0.0",
+            "purl": "pkg:maven/com.example/[email protected]"
+        },
+        {
+            "bom-ref": "pkg:maven/com.example/[email protected]",
+            "type": "library",
+            "name": "unknown",
+            "version": "1.0.0",
+            "purl": "pkg:maven/com.example/[email protected]"
+        }
+    ],
+    "dependencies": [
+        {
+            "ref": "pkg:maven/com.example/[email protected]",
+            "dependsOn": []
+        }
+    ]
+}