diff --git a/src/macaron/dependency_analyzer/cyclonedx_mvn.py b/src/macaron/dependency_analyzer/cyclonedx_mvn.py
index 2e58c8445..a605b0866 100644
--- a/src/macaron/dependency_analyzer/cyclonedx_mvn.py
+++ b/src/macaron/dependency_analyzer/cyclonedx_mvn.py
@@ -69,6 +69,9 @@ def collect_dependencies(self, dir_path: str) -> dict[str, DependencyInfo]:
 # If the expected bom file does not exist, allow other named .json files instead.
 possible_paths = glob.glob(os.path.join(dir_path, "target", "*.json"))
 if possible_paths:
+ if len(possible_paths) > 1:
+ logger.error("Too many JSON SBOM files found. Expected: 1, Found: %s", len(possible_paths))
+ return {}
 top_path = Path(possible_paths[0])
 top_path_altered = True
diff --git a/tests/dependency_analyzer/cyclonedx/resources/target/custom_bom.json b/tests/dependency_analyzer/cyclonedx/resources/target/custom_bom.json
new file mode 100644
index 000000000..7bb4a30c2
--- /dev/null
+++ b/tests/dependency_analyzer/cyclonedx/resources/target/custom_bom.json
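Review bot: The new early return hands back `{}` when more than one `.json` sits in target/, which callers cannot tell apart from a project that simply has no dependencies, and the log line names a count but not the colliding files, so the operator has nothing to act on; consider `logger.error("Too many JSON SBOM files found in %s. Expected: 1, Found: %s", os.path.join(dir_path, "target"), possible_paths)`. The `*.json` glob still accepts any JSON in the build output, so a single stray non-SBOM file is parsed as the SBOM and a second one now aborts resolution outright; filtering candidates to files that actually carry a CycloneDX `bomFormat` before counting them would make both outcomes less surprising. The comment above the glob no longer matches the behaviour and should read something like `# If the expected bom file does not exist, fall back to a single differently named .json file; refuse to guess between several.`. The enclosing method starts before this hunk, so if it has an established failure convention other than an empty dict, the early return should follow it.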
@@ -0,0 +1,116 @@
+{
+ "bomFormat" : "CycloneDX",
+ "specVersion" : "1.4",
+ "serialNumber" : "urn:uuid:53576e41-735f-4da4-9249-7f63234ebd94",
+ "version" : 1,
+ "metadata" : {
+ "timestamp" : "2023-10-23T00:57:55Z",
+ "tools" : [
+ {
+ "vendor" : "OWASP Foundation",
+ "name" : "CycloneDX Maven plugin",
+ "version" : "2.6.2",
+ "hashes" : [
+ {
+ "alg" : "MD5",
+ "content" : "ff29fc50797fce0b33058a6b2b283f64"
+ },
+ {
+ "alg" : "SHA-1",
+ "content" : "597e59ebf21c3b8bfb1faeb622569df324eca956"
+ },
+ {
+ "alg" : "SHA-256",
+ "content" : "3cf9130fcac45a7beb6df2ae9c3fc9c062d1fddd0731d6a302968586f0aa586e"
+ },
+ {
+ "alg" : "SHA-384",
+ "content" : "8111a6788c959305af23daecbc79defd4478c1e274cba65bfe860e09b30cd9fe29822d5d3d3eea608e4926a9418f92e3"
+ },
+ {
+ "alg" : "SHA-512",
+ "content" : "2bea87b7bcd70897bf46a28a806b6064a6708d0a45e884e1ceddc25f97ca7bdf4ed190f30d9a28cc9416b6c66176d518c5876fd25bc06bdcb00d39367215e56e"
+ },
+ {
+ "alg" : "SHA3-256",
+ "content" : "f0f7b771749955e7898665c2fff8f4f2cd734d9cbe4d29883292db772f1be00e"
+ },
+ {
+ "alg" : "SHA3-384",
+ "content" : "a87d4c18bac4d48a46c0b8611ab92934e457fcd55bd4d39dbc9c4e5044d2736d3bda991c43d67b0987eddcf4c88510ff"
+ },
+ {
+ "alg" : "SHA3-512",
+ "content" : "90c38f168600787fc90b7e37e743b386b7296bceb10152190de6e30e0f251da3e01698d1b1e11ad84f207532b5a0743aac105f3c5006ff4607d21f30c9ea779f"
+ }
+ ]
+ }
+ ],
+ "component" : {
+ "group" : "com.example",
+ "name" : "cyclonedx-test",
+ "version" : "1.0-SNAPSHOT",
+ "licenses" : [ ],
+ "purl" : "pkg:maven/com.example/cyclonedx-test@1.0-SNAPSHOT?type=jar",
+ "type" : "library",
+ "bom-ref" : "pkg:maven/com.example/cyclonedx-test@1.0-SNAPSHOT?type=jar"
+ }
+ },
+ "components" : [
+ {
+ "group" : "com.example",
+ "name" : "cyclonedx-test-dep",
+ "version" : "1",
+ "scope" : "optional",
+ "hashes" : [
+ {
+ "alg" : "MD5",
+ "content" : "c7b63da4c25c163825cca671e7899fbe"
+ },
+ {
+ "alg" : "SHA-1",
+ "content" : "5aa25ee1bf1ffd60b76f16fe0a8edd76f870958c"
+ },
+ {
+ "alg" : "SHA-256",
+ "content" : "c38cef49f7676227c1d4cf98e59b96f7a6bf33704d10314d83d682acd2b47d10"
+ },
+ {
+ "alg" : "SHA-384",
+ "content" : "7afa5feaa7d3a4ca4ecba7d4bd1b093e75be2ee2a25eefbc5fd90eb8b9a4712fa1a720265765a28d858fc64412dbed2b"
+ },
+ {
+ "alg" : "SHA-512",
+ "content" : "bf69097c4c0d165e5521a918ee79c1e5e211e9e74410d48042994c4c6cf5788cf4d62129e7c0d7a22294835178398c91c31929ce6861068c71ea14059f6f6e56"
+ },
+ {
+ "alg" : "SHA3-256",
+ "content" : "ba7656644f127c4b10d53c777aee2ed023ac3caf7f420ecb4ca48a909d775a17"
+ },
+ {
+ "alg" : "SHA3-384",
+ "content" : "1244f326a9b0b165b27b0061f1fcdf2580e3b64681cc3f09df3afd9a4526ab5491a20213a8fb9edcc671fbae8b51a010"
+ },
+ {
+ "alg" : "SHA3-512",
+ "content" : "e6020e5b9adbe61f1c53e575ab0c51b9eef7dbea3dbe21f970607002ed0373b322c893433fd429b04acde5eb58e1d9ca356a0ae9b6c485d239174f642082cb7a"
+ }
+ ],
+ "purl" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar",
+ "type" : "library",
+ "bom-ref" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar"
+ }
+ ],
+ "dependencies" : [
+ {
+ "ref" : "pkg:maven/com.example/cyclonedx-test@1.0-SNAPSHOT?type=jar",
+ "dependsOn" : [
+ "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar"
+ ]
+ },
+ {
+ "ref" : "pkg:maven/com.example/cyclonedx-test-dep@1?type=jar",
+ "dependsOn" : [ ]
+ }
+ ]
+}
diff --git a/tests/dependency_analyzer/cyclonedx/test_cyclonedx.py b/tests/dependency_analyzer/cyclonedx/test_cyclonedx.py
index d7baf180e..99793c052 100644
--- a/tests/dependency_analyzer/cyclonedx/test_cyclonedx.py
+++ b/tests/dependency_analyzer/cyclonedx/test_cyclonedx.py
@@ -15,6 +15,7 @@
 get_dep_components,
 get_deps_from_sbom,
 )
+from macaron.dependency_analyzer.cyclonedx_mvn import CycloneDxMaven
 from macaron.dependency_analyzer.dependency_resolver import DependencyInfo
 RESOURCES_DIR = Path(__file__).parent.joinpath("resources")
@@ -106,3 +107,12 @@ def test_multiple_versions(snapshot: dict[str, DependencyInfo]) -> None:
 bom_path = Path(RESOURCES_DIR, "bom_multi_versions.json")
 result = get_deps_from_sbom(bom_path)
 assert snapshot == result
+
+
+def test_custom_sbom_name_with_maven() -> None:
+ """Test reading cyclonedx maven sbom that was created using a custom name."""
+ cyclonedx: CycloneDxMaven = CycloneDxMaven(
+ "", "bom.json", "maven", defaults.get("dependency.resolver", "dep_tool_maven"), "localhost"
+ )
+ deps_resolved = cyclonedx.collect_dependencies(str(RESOURCES_DIR))
+ assert deps_resolved
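Review bot: `assert deps_resolved` on the last line only proves the result is non-empty, not that `custom_bom.json` was the file actually read, so a regression that picked up some other JSON under target/ would still pass; assert on the expected dependency entry, or compare against the `snapshot` fixture the way test_multiple_versions does just above. The test also relies on `resources/target/` holding exactly one JSON file, because the new too-many-files branch in collect_dependencies returns `{}`; any fixture added to that directory later would break this test for an unrelated reason, so a dedicated subdirectory (or copying the fixture into `tmp_path`) would decouple them, and a second test that places two JSON files and asserts an empty result would cover the new branch, which is otherwise untested. `defaults` is used but not imported in this hunk — presumably it comes from an existing import earlier in the file. The `cyclonedx: CycloneDxMaven =` annotation is redundant with the constructor call on the right-hand side.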