Merge pull request #68 from macblazer/57-update-output-to-use-specifi…

…cation-v15

Update output to use specification v1.5

CHANGELOG.md

@@ -4,11 +4,18 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## Unreleased
+## [1.3.0]
 
 ### Added
 - Added optional `--shortened-strings` CLI parameter to limit the author, publisher, and purl lengths. ([Issue #65](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/65)) [@macblazer](https://github.com/macblazer).
 
+### Changed
+- Updated to use v1.5 of the CycloneDX specification. ([Issue #57](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/57)) [@macblazer](https://github.com/macblazer)
+- Code cleanup based on [RuboCop](https://rubocop.org/) analysis. ([Issue #45](https://github.com/CycloneDX/cyclonedx-cocoapods/issues/45)) [@macblazer](https://github.com/macblazer).
+
+### Fixed
+- Following the specification to put the `bom-ref` attribute on `component` instead of as a `bomRef` element of `component`. [@macblazer](https://github.com/macblazer).
+
 ## [1.2.0]
 
 ### Added

README.md

@@ -21,7 +21,7 @@ The CycloneDX CocoaPods Gem creates a valid CycloneDX software bill-of-material
 
 ### From Source
 
-First, clone/copy the source code from GitHub.  Then in the source code directory run these ommands:
+First, clone/copy the source code from GitHub.  Then in the source code directory run these commands (substituting the actual version number for `x.x.x`):
 
 ```shell
 gem build cyclonedx-cocoapods.gemspec
@@ -32,7 +32,7 @@ Building from source requires Ruby 2.4.0 or newer.
 
 ## Compatibility
 
-*cyclonedx-cocoapods* aims to produce SBOMs according to the latest CycloneDX specification, which currently is [1.4](https://cyclonedx.org/docs/1.4/).
+*cyclonedx-cocoapods* aims to produce SBOMs according to the latest CycloneDX specification, which currently is [1.5](https://cyclonedx.org/docs/1.5/xml/).
 You can use the [CycloneDX CLI](https://github.com/CycloneDX/cyclonedx-cli#convert-command) to convert between multiple BOM formats or specification versions.
 
 ## Usage

example_bom.xml

@@ -1,12 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1" serialNumber="urn:uuid:a583f369-d5de-481f-95db-e8373467c3b1">
+<bom xmlns="http://cyclonedx.org/schema/bom/1.5" version="1" serialNumber="urn:uuid:7d67e1d1-ebd7-4ae6-8f41-cc045d3542fb">
   <metadata>
-    <timestamp>2022-08-02T16:16:51Z</timestamp>
+    <timestamp>2024-02-08T06:35:59Z</timestamp>
     <tools>
       <tool>
         <vendor>CycloneDX</vendor>
         <name>cyclonedx-cocoapods</name>
-        <version>1.0.0</version>
+        <version>1.3.0</version>
       </tool>
     </tools>
     <component type="application">
@@ -15,7 +15,7 @@
     </component>
   </metadata>
   <components>
-    <component type="library">
+    <component type="library" bom-ref="pkg:cocoapods/[email protected]">
       <author>J.P. Illanes &lt;[email protected]&gt;</author>
       <publisher>J.P. Illanes &lt;[email protected]&gt;</publisher>
       <name>Highlightr</name>
@@ -36,7 +36,7 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library">
+    <component type="library" bom-ref="pkg:cocoapods/[email protected]">
       <author>Krunoslav Zaher &lt;[email protected]&gt;</author>
       <publisher>Krunoslav Zaher &lt;[email protected]&gt;</publisher>
       <name>RxAtomic</name>
@@ -57,7 +57,7 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library">
+    <component type="library" bom-ref="pkg:cocoapods/[email protected]">
       <author>Krunoslav Zaher &lt;[email protected]&gt;</author>
       <publisher>Krunoslav Zaher &lt;[email protected]&gt;</publisher>
       <name>RxCocoa</name>
@@ -80,7 +80,7 @@
         </reference>
       </externalReferences>
     </component>
-    <component type="library">
+    <component type="library" bom-ref="pkg:cocoapods/[email protected]">
       <author>Krunoslav Zaher &lt;[email protected]&gt;</author>
       <publisher>Krunoslav Zaher &lt;[email protected]&gt;</publisher>
       <name>RxSwift</name>
@@ -112,4 +112,14 @@ git diff | grep bug | less          #  linux pipes - programs communicate by sen
       </externalReferences>
     </component>
   </components>
+  <dependencies>
+    <dependency ref="pkg:cocoapods/[email protected]"/>
+    <dependency ref="pkg:cocoapods/[email protected]"/>
+    <dependency ref="pkg:cocoapods/[email protected]">
+      <dependency ref="pkg:cocoapods/[email protected]"/>
+    </dependency>
+    <dependency ref="pkg:cocoapods/[email protected]">
+      <dependency ref="pkg:cocoapods/[email protected]"/>
+    </dependency>
+  </dependencies>
 </bom>

lib/cyclonedx/cocoapods/bom_builder.rb

@@ -105,7 +105,7 @@ def xml_add_homepage(xml)
       end
 
       def add_to_bom(xml, trim_strings_length = 0)
-        xml.component(type: 'library') do
+        xml.component(type: 'library', 'bom-ref': purl) do
           xml_add_author(xml, trim_strings_length)
           xml.name name
           xml.version version.to_s
@@ -125,7 +125,6 @@ def add_to_bom(xml, trim_strings_length = 0)
           else
             xml.purl purl.slice(0, trim_strings_length)
           end
-          xml.bomRef purl
           xml_add_homepage(xml)
         end
       end
@@ -153,7 +152,7 @@ def add_to_bom(xml)
     end
 
     class BOMBuilder
-      NAMESPACE = 'http://cyclonedx.org/schema/bom/1.4'
+      NAMESPACE = 'http://cyclonedx.org/schema/bom/1.5'
 
       attr_reader :component, :pods, :dependencies
 

lib/cyclonedx/cocoapods/pod.rb

@@ -31,15 +31,15 @@ class Pod
       attr_reader :version
       # Anything responding to :source_qualifier
       attr_reader :source
-      # xs:anyURI - https://cyclonedx.org/docs/1.4/xml/#type_externalReference
+      # xs:anyURI - https://cyclonedx.org/docs/1.5/xml/#type_externalReference
       attr_reader :homepage
-      # https://cyclonedx.org/docs/1.4/xml/#type_hashValue (We only use SHA-1 hashes - length == 40)
+      # https://cyclonedx.org/docs/1.5/xml/#type_hashValue (We only use SHA-1 hashes - length == 40)
       attr_reader :checksum
       # xs:normalizedString
       attr_reader :author
       # xs:normalizedString
       attr_reader :description
-      # https://cyclonedx.org/docs/1.4/xml/#type_licenseType
+      # https://cyclonedx.org/docs/1.5/xml/#type_licenseType
       # We don't currently support several licenses or license expressions https://spdx.github.io/spdx-spec/appendix-IV-SPDX-license-expressions/
       attr_reader :license
 

lib/cyclonedx/cocoapods/version.rb

@@ -21,6 +21,6 @@
 
 module CycloneDX
   module CocoaPods
-    VERSION = '1.2.0'
+    VERSION = '1.3.0'
   end
 end

spec/cyclonedx/cocoapods/bom_builder_spec.rb

@@ -320,53 +320,47 @@
     let(:pod_result) do
       <<~XML
         <components>
-          <component type="library">
+          <component type="library" bom-ref="pkg:cocoapods/[email protected]">
             <author>Chewbacca</author>
             <publisher>Chewbacca</publisher>
             <name>Alamofire</name>
             <version>5.6.2</version>
             <purl>pkg:cocoapods/[email protected]</purl>
-            <bomRef>pkg:cocoapods/[email protected]</bomRef>
           </component>
-          <component type="library">
+          <component type="library" bom-ref="pkg:cocoapods/[email protected]">
             <author>Chewbacca</author>
             <publisher>Chewbacca</publisher>
             <name>FirebaseAnalytics</name>
             <version>7.10.0</version>
             <purl>pkg:cocoapods/[email protected]</purl>
-            <bomRef>pkg:cocoapods/[email protected]</bomRef>
           </component>
-          <component type="library">
+          <component type="library" bom-ref="pkg:cocoapods/[email protected]">
             <author>Chewbacca</author>
             <publisher>Chewbacca</publisher>
             <name>MSAL</name>
             <version>1.2.1</version>
             <purl>pkg:cocoapods/[email protected]</purl>
-            <bomRef>pkg:cocoapods/[email protected]</bomRef>
           </component>
-          <component type="library">
+          <component type="library" bom-ref="pkg:cocoapods/[email protected]#app-lib">
             <author>Chewbacca</author>
             <publisher>Chewbacca</publisher>
             <name>MSAL/app-lib</name>
             <version>1.2.1</version>
             <purl>pkg:cocoapods/[email protected]#app-lib</purl>
-            <bomRef>pkg:cocoapods/[email protected]#app-lib</bomRef>
           </component>
-          <component type="library">
+          <component type="library" bom-ref="pkg:cocoapods/[email protected]">
             <author>Chewbacca</author>
             <publisher>Chewbacca</publisher>
             <name>Realm</name>
             <version>5.5.1</version>
             <purl>pkg:cocoapods/[email protected]</purl>
-            <bomRef>pkg:cocoapods/[email protected]</bomRef>
           </component>
-          <component type="library">
+          <component type="library" bom-ref="pkg:cocoapods/[email protected]">
             <author>Chewbacca</author>
             <publisher>Chewbacca</publisher>
             <name>RxSwift</name>
             <version>5.1.2</version>
             <purl>pkg:cocoapods/[email protected]</purl>
-            <bomRef>pkg:cocoapods/[email protected]</bomRef>
           </component>
         </components>
       XML
@@ -375,53 +369,47 @@
     let(:short_pod_results) do
       <<~XML
         <components>
-          <component type="library">
+          <component type="library" bom-ref="pkg:cocoapods/[email protected]">
             <author>Chewba</author>
             <publisher>Chewba</publisher>
             <name>Alamofire</name>
             <version>5.6.2</version>
             <purl>pkg:co</purl>
-            <bomRef>pkg:cocoapods/[email protected]</bomRef>
           </component>
-          <component type="library">
+          <component type="library" bom-ref="pkg:cocoapods/[email protected]">
             <author>Chewba</author>
             <publisher>Chewba</publisher>
             <name>FirebaseAnalytics</name>
             <version>7.10.0</version>
             <purl>pkg:co</purl>
-            <bomRef>pkg:cocoapods/[email protected]</bomRef>
           </component>
-          <component type="library">
+          <component type="library" bom-ref="pkg:cocoapods/[email protected]">
             <author>Chewba</author>
             <publisher>Chewba</publisher>
             <name>MSAL</name>
             <version>1.2.1</version>
             <purl>pkg:co</purl>
-            <bomRef>pkg:cocoapods/[email protected]</bomRef>
           </component>
-          <component type="library">
+          <component type="library" bom-ref="pkg:cocoapods/[email protected]#app-lib">
             <author>Chewba</author>
             <publisher>Chewba</publisher>
             <name>MSAL/app-lib</name>
             <version>1.2.1</version>
             <purl>pkg:co</purl>
-            <bomRef>pkg:cocoapods/[email protected]#app-lib</bomRef>
           </component>
-          <component type="library">
+          <component type="library" bom-ref="pkg:cocoapods/[email protected]">
             <author>Chewba</author>
             <publisher>Chewba</publisher>
             <name>Realm</name>
             <version>5.5.1</version>
             <purl>pkg:co</purl>
-            <bomRef>pkg:cocoapods/[email protected]</bomRef>
           </component>
-          <component type="library">
+          <component type="library" bom-ref="pkg:cocoapods/[email protected]">
             <author>Chewba</author>
             <publisher>Chewba</publisher>
             <name>RxSwift</name>
             <version>5.1.2</version>
             <purl>pkg:co</purl>
-            <bomRef>pkg:cocoapods/[email protected]</bomRef>
           </component>
         </components>
       XML