Merge pull request #22 from CycloneDX/spdx-v2.2

coderpatros · web-flow · commit 0769a9b81d64 · 2020-11-23T00:19:00.000+10:00
Add support for converting to SPDX v2.2
diff --git a/cyclonedx/BomFormat.cs b/cyclonedx/BomFormat.cs
@@ -5,6 +5,8 @@ public enum BomFormat
         Unsupported,
         Xml,
         Json,
-        SpdxTag
+        SpdxTag,
+        SpdxTag_v2_1,
+        SpdxTag_v2_2
     }
 }
diff --git a/cyclonedx/Commands/Convert/ConvertOutputFormat.cs b/cyclonedx/Commands/Convert/ConvertOutputFormat.cs
@@ -5,6 +5,8 @@ public enum ConvertOutputFormat
         autodetect,
         xml,
         json,
-        spdxtag
+        spdxtag,
+        spdxtag_v2_1,
+        spdxtag_v2_2
     }
 }
diff --git a/cyclonedx/SpdxTagSerializer.cs b/cyclonedx/SpdxTagSerializer.cs
@@ -5,14 +5,20 @@
 
 namespace CycloneDX.CLI
 {
+    public enum SpdxVersion
+    {
+        v2_1,
+        v2_2
+    }
+
     public static class SpdxTagSerializer
     {
         public class SpdxSerializationException : Exception
         {
             public SpdxSerializationException(string message) : base(message) {}
         }
 
-        public static string Serialize(CycloneDX.Models.v1_2.Bom bom)
+        public static string Serialize(CycloneDX.Models.v1_2.Bom bom, SpdxVersion version)
         {
             if (bom.Metadata?.Component?.Name == null || bom.Metadata?.Component?.Version == null)
                 throw new SpdxSerializationException("For SPDX output top level component name and version are required in the BOM metadata");
@@ -34,7 +40,11 @@ public static string Serialize(CycloneDX.Models.v1_2.Bom bom)
 
             var sb = new StringBuilder();
             var componentSb = new StringBuilder();
-            sb.AppendLine("SPDXVersion: SPDX-2.1");
+            sb.Append("SPDXVersion: SPDX-");
+            if (version == SpdxVersion.v2_1)
+                sb.Append("2.1");
+            else if (version == SpdxVersion.v2_2)
+                sb.Append("2.2");
             // CC0-1.0 is a requirement when using the SPDX specification
             sb.AppendLine("DataLicense: CC0-1.0");
             sb.AppendLine($"SPDXID: SPDXRef-DOCUMENT");
@@ -81,6 +91,7 @@ public static string Serialize(CycloneDX.Models.v1_2.Bom bom)
                 foreach(var hash in component.Hashes)
                 {
                     string algStr = null;
+
                     switch (hash.Alg)
                     {
                         case CycloneDX.Models.v1_2.Hash.HashAlgorithm.SHA_1:
@@ -89,14 +100,18 @@ public static string Serialize(CycloneDX.Models.v1_2.Bom bom)
                         case CycloneDX.Models.v1_2.Hash.HashAlgorithm.SHA_256:
                             algStr = "SHA256";
                             break;
-                        // following algorithms only supported in v2.2
-                        // case Hash.HashAlgorithm.SHA_384:
-                        //     algStr = "SHA384";
-                        //     break;
-                        // case Hash.HashAlgorithm.SHA_512:
-                        //     algStr = "SHA512";
-                        //     break;
                     }
+                    if (version == SpdxVersion.v2_2)
+                    switch (hash.Alg)
+                    {
+                        case CycloneDX.Models.v1_2.Hash.HashAlgorithm.SHA_384:
+                            algStr = "SHA384";
+                            break;
+                        case CycloneDX.Models.v1_2.Hash.HashAlgorithm.SHA_512:
+                            algStr = "SHA512";
+                            break;
+                    }
+
                     if (algStr != null)
                     {
                         sb.AppendLine($"PackageChecksum: {algStr}: {hash.Content}");
diff --git a/cyclonedx/Utils.cs b/cyclonedx/Utils.cs
@@ -49,7 +49,15 @@ public static string BomSerializer(CycloneDX.Models.v1_2.Bom bom, BomFormat form
             }
             else if (format == BomFormat.SpdxTag)
             {
-                return SpdxTagSerializer.Serialize(bom);
+                return SpdxTagSerializer.Serialize(bom, SpdxVersion.v2_2);
+            }
+            else if (format == BomFormat.SpdxTag_v2_1)
+            {
+                return SpdxTagSerializer.Serialize(bom, SpdxVersion.v2_1);
+            }
+            else if (format == BomFormat.SpdxTag_v2_2)
+            {
+                return SpdxTagSerializer.Serialize(bom, SpdxVersion.v2_2);
             }
             throw new UnsupportedFormatException("Unsupported SBOM file format");
         }

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,8 @@ public enum BomFormat`
`5`	`5`	`Unsupported,`
`6`	`6`	`Xml,`
`7`	`7`	`Json,`
`8`		`- SpdxTag`
	`8`	`+ SpdxTag,`
	`9`	`+ SpdxTag_v2_1,`
	`10`	`+ SpdxTag_v2_2`
`9`	`11`	`}`
`10`	`12`	`}`
Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,8 @@ public enum ConvertOutputFormat`
`5`	`5`	`autodetect,`
`6`	`6`	`xml,`
`7`	`7`	`json,`
`8`		`- spdxtag`
	`8`	`+ spdxtag,`
	`9`	`+ spdxtag_v2_1,`
	`10`	`+ spdxtag_v2_2`
`9`	`11`	`}`
`10`	`12`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,7 +49,15 @@ public static string BomSerializer(CycloneDX.Models.v1_2.Bom bom, BomFormat form`
`49`	`49`	`}`
`50`	`50`	`else if (format == BomFormat.SpdxTag)`
`51`	`51`	`{`
`52`		`- return SpdxTagSerializer.Serialize(bom);`
	`52`	`+ return SpdxTagSerializer.Serialize(bom, SpdxVersion.v2_2);`
	`53`	`+ }`
	`54`	`+ else if (format == BomFormat.SpdxTag_v2_1)`
	`55`	`+ {`
	`56`	`+ return SpdxTagSerializer.Serialize(bom, SpdxVersion.v2_1);`
	`57`	`+ }`
	`58`	`+ else if (format == BomFormat.SpdxTag_v2_2)`
	`59`	`+ {`
	`60`	`+ return SpdxTagSerializer.Serialize(bom, SpdxVersion.v2_2);`
`53`	`61`	`}`
`54`	`62`	`throw new UnsupportedFormatException("Unsupported SBOM file format");`
`55`	`63`	`}`