feat: add support for component's evidences according to spec #810
Conversation
|
Thank you for providing this feature, @OxPirates could you
|
|
@jkowalleck Thank you for your time, Will work on it and submit the changes. |
tests/_data/models.py
Outdated
There was a problem hiding this comment.
the test models you've added are not properly done. please improve them:
- use the enums you've introduced, not arbitrary strings.
- craft a data model that uses all the newly introduced properties and symbols
- craft a new own data model, instead of reusing an existing one! Create an own function called
get_bom_with_component_evidence()- it will be found and used.automatically.
cyclonedx/model/component.py
Outdated
| @serializable.json_name('technique') | ||
| @serializable.xml_sequence(1) | ||
| def technique(self) -> str: | ||
| return ( |
There was a problem hiding this comment.
wait what?
the setter takes care of correct values, how can isinstance(self._technique, AnalysisTechnique) be false?
cyclonedx/model/component.py
Outdated
| @serializable.xml_array(serializable.XmlArraySerializationType.FLAT, 'confidence') | ||
| @serializable.json_name('confidence') | ||
| @serializable.xml_sequence(2) | ||
| def confidence(self) -> float: |
There was a problem hiding this comment.
please use type Decimal , not float
cyclonedx/model/component.py
Outdated
| value: Optional[str] = None, | ||
| ) -> None: | ||
| if isinstance(technique, str): | ||
| try: |
There was a problem hiding this comment.
not needed. the setter should take care of this
cyclonedx/model/component.py
Outdated
| f'Technique must be one of: {", ".join(t.value for t in AnalysisTechnique)}' | ||
| ) | ||
|
|
||
| if not 0 <= confidence <= 1: |
There was a problem hiding this comment.
not needed. the setter shoudl take care of this
cyclonedx/model/component.py
Outdated
| def __comparable_tuple(self) -> _ComparableTuple: | ||
| return _ComparableTuple( | ||
| ( | ||
| # Use technique.value to compare by string value for consistent ordering |
There was a problem hiding this comment.
at what point cane self.technique ne not a AnalysisTechnique?
|
|
||
|
|
||
| @serializable.serializable_class | ||
| class ToolReference: |
There was a problem hiding this comment.
is this needed? is this not the same as BomRef?
There was a problem hiding this comment.
If I use BomRef, XML Validation fails with error ValidationError: It gives output like below
<tools>
<tool>ref0</tool>
<tool>ref1</tool>
</tools>
<string>:87:0:ERROR:SCHEMASV:SCHEMAV_CVC_COMPLEX_TYPE_2_1: Element '{http://cyclonedx.org/schema/bom/1.6}tool': Character content is not allowed, because the content type is empty.
Whereas with current implementation (ToolRefrence), It gives output as
<tools>
<tool ref="ref0"/>
<tool ref="ref1"/>
</tools>
And XML Validation PASS. Please suggest.
cyclonedx/model/component.py
Outdated
| tools: Optional[Iterable[Union[str, BomRef]]] = None, | ||
| ) -> None: | ||
| # Convert string to enum if needed | ||
| if isinstance(field, str): |
There was a problem hiding this comment.
this should be part of the setter, not the init
|
@jkowalleck Thank you for the detailed review. All comments have been addressed except the one regarding ToolReference |
Signed-off-by: Arun <[email protected]>
fixes #737