(fix) syft, fixing cyclone dx version to sbom version 1.4 for syft (#…

…4991) * fixing cyclone dx version to version 1.4 for syft * fixing unit test for kaniko * fixing integration test for cnb
SAP · Jul 22, 2024 · 5809632 · 5809632
1 parent d2285f8
commit 5809632
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 11 deletions.
diff --git a/cmd/kanikoExecute_test.go b/cmd/kanikoExecute_test.go
@@ -360,7 +360,7 @@ func TestRunKanikoExecute(t *testing.T) {
 		assert.Equal(t, "https://index.docker.io", commonPipelineEnvironment.container.registryURL)
 
 		assert.Equal(t, "/tmp/syfttest/syft", execRunner.Calls[2].Exec)
-		assert.Equal(t, []string{"scan", "registry:index.docker.io/myImage:tag", "-o", "cyclonedx-xml=bom-docker-0.xml", "-q"}, execRunner.Calls[2].Params)
+		assert.Equal(t, []string{"scan", "registry:index.docker.io/myImage:tag", "-o", "cyclonedx-xml@1.4=bom-docker-0.xml", "-q"}, execRunner.Calls[2].Params)
 	})
 
 	t.Run("success case - multi image build with root image", func(t *testing.T) {
@@ -518,7 +518,7 @@ func TestRunKanikoExecute(t *testing.T) {
 			found := false
 			for _, expected := range expectedParams {
 				if expected[0] == "scan" {
-					expected = append(expected, fmt.Sprintf("cyclonedx-xml=bom-docker-%d.xml", index-3), "-q")
+					expected = append(expected, fmt.Sprintf("cyclonedx-xml@1.4=bom-docker-%d.xml", index-3), "-q")
 				}
 				if strings.Join(call.Params, " ") == strings.Join(expected, " ") {
 					found = true
@@ -670,7 +670,7 @@ func TestRunKanikoExecute(t *testing.T) {
 			found := false
 			for _, expected := range expectedParams {
 				if expected[0] == "scan" {
-					expected = append(expected, fmt.Sprintf("cyclonedx-xml=bom-docker-%d.xml", index-2), "-q")
+					expected = append(expected, fmt.Sprintf("cyclonedx-xml@1.4=bom-docker-%d.xml", index-2), "-q")
 				}
 				if strings.Join(call.Params, " ") == strings.Join(expected, " ") {
 					found = true

diff --git a/integration/integration_cnb_test.go b/integration/integration_cnb_test.go
@@ -163,7 +163,7 @@ func TestCNBIntegrationZipPath(t *testing.T) {
 		fmt.Sprintf("Saving %s/not-found:0.0.1", registryURL),
 		"*** Images (sha256:",
 		"SUCCESS",
-		"syft scan registry:localhost:5000/not-found:0.0.1 -o cyclonedx-xml=bom-docker-0.xml -q",
+		"syft scan registry:localhost:5000/not-found:0.0.1 -o cyclonedx-xml@1.4=bom-docker-0.xml -q",
 	)
 	container.assertHasFiles(t, "/project/bom-docker-0.xml")
 	container.terminate(t)
@@ -309,9 +309,9 @@ func TestCNBIntegrationMultiImage(t *testing.T) {
 		"Saving localhost:5000/go-app:v1.0.0...",
 		"Using cached buildpack",
 		"Saving localhost:5000/my-app2:latest...",
-		"syft scan registry:localhost:5000/io-buildpacks-my-app:latest -o cyclonedx-xml=bom-docker-0.xml -q",
-		"syft scan registry:localhost:5000/go-app:v1.0.0 -o cyclonedx-xml=bom-docker-1.xml -q",
-		"syft scan registry:localhost:5000/my-app2:latest -o cyclonedx-xml=bom-docker-2.xml -q",
+		"syft scan registry:localhost:5000/io-buildpacks-my-app:latest -o cyclonedx-xml@1.4=bom-docker-0.xml -q",
+		"syft scan registry:localhost:5000/go-app:v1.0.0 -o cyclonedx-xml@1.4=bom-docker-1.xml -q",
+		"syft scan registry:localhost:5000/my-app2:latest -o cyclonedx-xml@1.4=bom-docker-2.xml -q",
 	)
 
 	container.assertHasFiles(t, "/project/bom-docker-0.xml")

diff --git a/pkg/syft/syft.go b/pkg/syft/syft.go
@@ -20,6 +20,8 @@ type SyftScanner struct {
 	additionalArgs []string
 }
 
+const cyclonedxFormatForSyft = "@1.4"
+
 func GenerateSBOM(syftDownloadURL, dockerConfigDir string, execRunner command.ExecRunner, fileUtils piperutils.FileUtils, httpClient piperhttp.Sender, registryURL string, images []string) error {
 	scanner, err := CreateSyftScanner(syftDownloadURL, fileUtils, httpClient)
 	if err != nil {
@@ -64,7 +66,7 @@ func (s *SyftScanner) ScanImages(dockerConfigDir string, execRunner command.Exec
 			return errors.New("syft: image name must not be empty")
 		}
 		// TrimPrefix needed as syft needs containerRegistry name only
-		args := []string{"scan", fmt.Sprintf("registry:%s/%s", strings.TrimPrefix(registryURL, "https://"), image), "-o", fmt.Sprintf("cyclonedx-xml=bom-docker-%v.xml", index), "-q"}
+		args := []string{"scan", fmt.Sprintf("registry:%s/%s", strings.TrimPrefix(registryURL, "https://"), image), "-o", fmt.Sprintf("cyclonedx-xml%s=bom-docker-%v.xml", cyclonedxFormatForSyft, index), "-q"}
 		args = append(args, s.additionalArgs...)
 		err := execRunner.RunExecutable(s.syftFile, args...)
 		if err != nil {

diff --git a/pkg/syft/syft_test.go b/pkg/syft/syft_test.go
@@ -44,17 +44,17 @@ func TestGenerateSBOM(t *testing.T) {
 		assert.Len(t, execMock.Calls, 2)
 		firstCall := execMock.Calls[0]
 		assert.Equal(t, firstCall.Exec, "/tmp/syfttest/syft")
-		assert.Equal(t, firstCall.Params, []string{"scan", "registry:my-registry/image:latest", "-o", "cyclonedx-xml=bom-docker-0.xml", "-q"})
+		assert.Equal(t, firstCall.Params, []string{"scan", "registry:my-registry/image:latest", "-o", "cyclonedx-xml@1.4=bom-docker-0.xml", "-q"})
 
 		secondCall := execMock.Calls[1]
 		assert.Equal(t, secondCall.Exec, "/tmp/syfttest/syft")
-		assert.Equal(t, secondCall.Params, []string{"scan", "registry:my-registry/image:1.2.3", "-o", "cyclonedx-xml=bom-docker-1.xml", "-q"})
+		assert.Equal(t, secondCall.Params, []string{"scan", "registry:my-registry/image:1.2.3", "-o", "cyclonedx-xml@1.4=bom-docker-1.xml", "-q"})
 	})
 
 	t.Run("error case: syft execution failed", func(t *testing.T) {
 		execMock = mock.ExecMockRunner{}
 		execMock.ShouldFailOnCommand = map[string]error{
-			"/tmp/syfttest/syft scan registry:my-registry/image:latest -o cyclonedx-xml=bom-docker-0.xml -q": errors.New("failed"),
+			"/tmp/syfttest/syft scan registry:my-registry/image:latest -o cyclonedx-xml@1.4=bom-docker-0.xml -q": errors.New("failed"),
 		}
 
 		err := syft.GenerateSBOM("http://test-syft-gh-release.com/syft.tar.gz", "", &execMock, &fileMock, client, "https://my-registry", []string{"image:latest"})