Merge pull request #780 from DependencyTrack/issue-1333-update-cdx-sc…

…hema-v1.6 Update CDX schema to v1.6
DependencyTrack · Jul 18, 2024 · 202a506 · 202a506
2 parents 7e05c9f + 8b49ca8
commit 202a506
Show file tree

Hide file tree

Showing 11 changed files with 2,262 additions and 733 deletions.
diff --git a/src/main/java/org/dependencytrack/event/kafka/KafkaTopics.java b/src/main/java/org/dependencytrack/event/kafka/KafkaTopics.java
@@ -21,7 +21,7 @@
 import alpine.Config;
 import org.apache.kafka.common.serialization.Serde;
 import org.apache.kafka.common.serialization.Serdes;
-import org.cyclonedx.proto.v1_4.Bom;
+import org.cyclonedx.proto.v1_6.Bom;
 import org.dependencytrack.common.ConfigKey;
 import org.dependencytrack.event.kafka.serialization.KafkaProtobufSerde;
 import org.dependencytrack.proto.mirror.v1.EpssItem;

diff --git a/src/main/java/org/dependencytrack/event/kafka/processor/VulnerabilityMirrorProcessor.java b/src/main/java/org/dependencytrack/event/kafka/processor/VulnerabilityMirrorProcessor.java
@@ -28,9 +28,9 @@
 import io.github.nscuro.versatile.version.VersioningScheme;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.kafka.clients.consumer.ConsumerRecord;
-import org.cyclonedx.proto.v1_4.Bom;
-import org.cyclonedx.proto.v1_4.Component;
-import org.cyclonedx.proto.v1_4.VulnerabilityAffects;
+import org.cyclonedx.proto.v1_6.Bom;
+import org.cyclonedx.proto.v1_6.Component;
+import org.cyclonedx.proto.v1_6.VulnerabilityAffects;
 import org.dependencytrack.event.kafka.processor.api.Processor;
 import org.dependencytrack.model.Vulnerability;
 import org.dependencytrack.model.VulnerableSoftware;

diff --git a/...main/java/org/dependencytrack/event/kafka/processor/VulnerabilityScanResultProcessor.java b/...main/java/org/dependencytrack/event/kafka/processor/VulnerabilityScanResultProcessor.java
@@ -240,7 +240,7 @@ private void processScannerResult(final QueryManager qm, final Component compone
     private Set<Vulnerability> syncVulnerabilities(final QueryManager qm, final ScanKey scanKey, final ScannerResult scannerResult) {
         final var syncedVulns = new HashSet<Vulnerability>();
 
-        for (final org.cyclonedx.proto.v1_4.Vulnerability reportedVuln : scannerResult.getBom().getVulnerabilitiesList()) {
+        for (final org.cyclonedx.proto.v1_6.Vulnerability reportedVuln : scannerResult.getBom().getVulnerabilitiesList()) {
             final Vulnerability vuln;
             try {
                 vuln = ModelConverterCdxToVuln.convert(qm, scannerResult.getBom(), reportedVuln, true);

diff --git a/src/main/java/org/dependencytrack/parser/dependencytrack/ModelConverterCdxToVuln.java b/src/main/java/org/dependencytrack/parser/dependencytrack/ModelConverterCdxToVuln.java
@@ -19,11 +19,11 @@
 package org.dependencytrack.parser.dependencytrack;
 
 import org.apache.commons.lang3.StringUtils;
-import org.cyclonedx.proto.v1_4.Bom;
-import org.cyclonedx.proto.v1_4.ScoreMethod;
-import org.cyclonedx.proto.v1_4.Source;
-import org.cyclonedx.proto.v1_4.VulnerabilityRating;
-import org.cyclonedx.proto.v1_4.VulnerabilityReference;
+import org.cyclonedx.proto.v1_6.Bom;
+import org.cyclonedx.proto.v1_6.ScoreMethod;
+import org.cyclonedx.proto.v1_6.Source;
+import org.cyclonedx.proto.v1_6.VulnerabilityRating;
+import org.cyclonedx.proto.v1_6.VulnerabilityReference;
 import org.dependencytrack.model.AnalyzerIdentity;
 import org.dependencytrack.model.Severity;
 import org.dependencytrack.model.Vulnerability;
@@ -46,17 +46,17 @@
 import java.util.Objects;
 
 import static org.apache.commons.lang3.StringUtils.trimToNull;
-import static org.cyclonedx.proto.v1_4.ScoreMethod.SCORE_METHOD_CVSSV2;
-import static org.cyclonedx.proto.v1_4.ScoreMethod.SCORE_METHOD_CVSSV3;
-import static org.cyclonedx.proto.v1_4.ScoreMethod.SCORE_METHOD_CVSSV31;
-import static org.cyclonedx.proto.v1_4.ScoreMethod.SCORE_METHOD_OWASP;
+import static org.cyclonedx.proto.v1_6.ScoreMethod.SCORE_METHOD_CVSSV2;
+import static org.cyclonedx.proto.v1_6.ScoreMethod.SCORE_METHOD_CVSSV3;
+import static org.cyclonedx.proto.v1_6.ScoreMethod.SCORE_METHOD_CVSSV31;
+import static org.cyclonedx.proto.v1_6.ScoreMethod.SCORE_METHOD_OWASP;
 
 public final class ModelConverterCdxToVuln {
 
     static final String TITLE_PROPERTY_NAME = "dependency-track:vuln:title";
 
     public static Vulnerability convert(final QueryManager qm, final Bom bom,
-                                        final org.cyclonedx.proto.v1_4.Vulnerability cycloneVuln,
+                                        final org.cyclonedx.proto.v1_6.Vulnerability cycloneVuln,
                                         boolean isAliasSyncEnabled) {
         if (cycloneVuln == null) {
             return null;
@@ -209,7 +209,7 @@ public static Vulnerability convert(final QueryManager qm, final Bom bom,
         return vuln;
     }
 
-    private static VulnerabilityAlias convert(final org.cyclonedx.proto.v1_4.Vulnerability cycloneVuln,
+    private static VulnerabilityAlias convert(final org.cyclonedx.proto.v1_6.Vulnerability cycloneVuln,
                                               final VulnerabilityReference cycloneAlias) {
         final var alias = new VulnerabilityAlias();
         switch (cycloneVuln.getSource().getName()) {
@@ -244,7 +244,7 @@ private static VulnerabilityAlias convert(final org.cyclonedx.proto.v1_4.Vulnera
     public static Severity calculateSeverity(Bom bom) {
         if (bom.getVulnerabilitiesCount() > 0
                 && bom.getVulnerabilities(0).getRatingsCount() > 0) {
-            org.cyclonedx.proto.v1_4.Severity severity =
+            org.cyclonedx.proto.v1_6.Severity severity =
                     bom.getVulnerabilities(0).getRatings(0).getSeverity();
             final VulnerabilityRating rating = bom.getVulnerabilities(0).getRatings(0);
             if (rating.hasSeverity()) {

diff --git a/src/main/proto/buf.yaml b/src/main/proto/buf.yaml
@@ -2,4 +2,4 @@ version: v1
 name: github.com/DependencyTrack/hyades-apiserver
 lint:
   ignore:
-  - org/cyclonedx/v1_4/cyclonedx.proto
+  - org/cyclonedx/v1_6/cyclonedx.proto