complete tests in XML for #155

Signed-off-by: Paul Horton <[email protected]>

Author: madpah

cyclonedx/output/schema.py

@@ -77,6 +77,9 @@ def component_supports_swid(self) -> bool:
     def component_supports_pedigree(self) -> bool:
         return True
 
+    def pedigree_supports_patches(self) -> bool:
+        return True
+
     def component_supports_external_references(self) -> bool:
         return True
 
@@ -184,6 +187,9 @@ def bom_supports_services(self) -> bool:
     def services_supports_properties(self) -> bool:
         return False
 
+    def pedigree_supports_patches(self) -> bool:
+        return False
+
     def services_supports_release_notes(self) -> bool:
         return False
 

cyclonedx/output/xml.py

@@ -267,7 +267,7 @@ def _add_component_element(self, component: Component) -> ElementTree.Element:
                         ))
                     if commit.message:
                         ElementTree.SubElement(commit_element, 'message').text = commit.message
-            if component.pedigree.patches:
+            if self.pedigree_supports_patches() and component.pedigree.patches:
                 patches_element = ElementTree.SubElement(pedigree_element, 'patches')
                 for patch in component.pedigree.patches:
                     patches_element.append(Xml.add_patch_element(patch=patch))

tests/fixtures/xml/1.0/bom_setuptools_complete.xml

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.0" version="1">
+    <components>
+        <component type="library">
+            <name>setuptools</name>
+            <version>50.3.2</version>
+            <cpe>cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:*</cpe>
+            <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+            <modified>false</modified>
+        </component>
+    </components>
+</bom>

tests/fixtures/xml/1.1/bom_setuptools_complete.xml

@@ -0,0 +1,89 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1">
+    <components>
+        <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+            <name>setuptools</name>
+            <version>50.3.2</version>
+            <licenses>
+                <expression>MIT License</expression>
+            </licenses>
+            <cpe>cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:*</cpe>
+            <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+            <pedigree>
+                <ancestors>
+                    <component type="library" bom-ref="ccc8d7ee-4b9c-4750-aee0-a72585152291">
+                        <name>setuptools</name>
+                        <version>50.3.2</version>
+                        <licenses>
+                            <expression>MIT License</expression>
+                        </licenses>
+                        <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+                    </component>
+                    <component type="library" bom-ref="8a3893b3-9923-4adb-a1d3-47456636ba0a">
+                        <name>setuptools</name>
+                        <version />
+                        <licenses>
+                            <expression>MIT License</expression>
+                        </licenses>
+                        <purl>pkg:pypi/setuptools?extension=tar.gz</purl>
+                    </component>
+                </ancestors>
+                <descendants>
+                    <component type="library" bom-ref="28b2d8ce-def0-446f-a221-58dee0b44acc">
+                        <name>setuptools</name>
+                        <version />
+                        <licenses>
+                            <expression>MIT License</expression>
+                        </licenses>
+                        <purl>pkg:pypi/setuptools?extension=tar.gz</purl>
+                    </component>
+                    <component type="library" bom-ref="555ca729-93c6-48f3-956e-bdaa4a2f0bfa">
+                        <name>toml</name>
+                        <version>0.10.2</version>
+                        <hashes>
+                            <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
+                        </hashes>
+                        <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+                        <externalReferences>
+                            <reference type="distribution">
+                                <url>https://cyclonedx.org</url>
+                                <comment>No comment</comment>
+                            </reference>
+                        </externalReferences>
+                    </component>
+                </descendants>
+                <variants>
+                    <component type="library" bom-ref="e7abdcca-5ba2-4f29-b2cf-b1e1ef788e66">
+                        <name>toml</name>
+                        <version>0.10.2</version>
+                        <hashes>
+                            <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
+                        </hashes>
+                        <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+                        <externalReferences>
+                            <reference type="distribution">
+                                <url>https://cyclonedx.org</url>
+                                <comment>No comment</comment>
+                            </reference>
+                        </externalReferences>
+                    </component>
+                    <component type="library" bom-ref="ded1d73e-1fca-4302-b520-f1bc53979958">
+                        <name>setuptools</name>
+                        <version>50.3.2</version>
+                        <licenses>
+                            <expression>MIT License</expression>
+                        </licenses>
+                        <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+                    </component>
+                </variants>
+                <commits>
+                    <commit>
+                        <uid>a-random-uid</uid>
+                        <message>A commit message</message>
+                    </commit>
+                </commits>
+                <notes>Some notes here please</notes>
+            </pedigree>
+        </component>
+    </components>
+</bom>

tests/fixtures/xml/1.2/bom_setuptools_complete.xml

@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.2" version="1">
+    <metadata>
+        <timestamp>2021-09-01T10:50:42.051979+00:00</timestamp>
+        <tools>
+            <tool>
+                <vendor>CycloneDX</vendor>
+                <name>cyclonedx-python-lib</name>
+                <version>VERSION</version>
+            </tool>
+        </tools>
+    </metadata>
+    <components>
+        <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+            <author>Test Author</author>
+            <name>setuptools</name>
+            <version>50.3.2</version>
+            <licenses>
+                <expression>MIT License</expression>
+            </licenses>
+            <cpe>cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:*</cpe>
+            <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+            <swid tagId="swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1" name="Test Application" version="3.4.5">
+                <text content-type="text/xml" encoding="base64">PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==</text>
+            </swid>
+            <pedigree>
+                <ancestors>
+                    <component type="library" bom-ref="ccc8d7ee-4b9c-4750-aee0-a72585152291">
+                        <author>Test Author</author>
+                        <name>setuptools</name>
+                        <version>50.3.2</version>
+                        <licenses>
+                            <expression>MIT License</expression>
+                        </licenses>
+                        <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+                    </component>
+                    <component type="library" bom-ref="8a3893b3-9923-4adb-a1d3-47456636ba0a">
+                        <author>Test Author</author>
+                        <name>setuptools</name>
+                        <version />
+                        <licenses>
+                            <expression>MIT License</expression>
+                        </licenses>
+                        <purl>pkg:pypi/setuptools?extension=tar.gz</purl>
+                    </component>
+                </ancestors>
+                <descendants>
+                    <component type="library" bom-ref="28b2d8ce-def0-446f-a221-58dee0b44acc">
+                        <author>Test Author</author>
+                        <name>setuptools</name>
+                        <version />
+                        <licenses>
+                            <expression>MIT License</expression>
+                        </licenses>
+                        <purl>pkg:pypi/setuptools?extension=tar.gz</purl>
+                    </component>
+                    <component type="library" bom-ref="555ca729-93c6-48f3-956e-bdaa4a2f0bfa">
+                        <name>toml</name>
+                        <version>0.10.2</version>
+                        <hashes>
+                            <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
+                        </hashes>
+                        <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+                        <externalReferences>
+                            <reference type="distribution">
+                                <url>https://cyclonedx.org</url>
+                                <comment>No comment</comment>
+                            </reference>
+                        </externalReferences>
+                    </component>
+                </descendants>
+                <variants>
+                    <component type="library" bom-ref="e7abdcca-5ba2-4f29-b2cf-b1e1ef788e66">
+                        <name>toml</name>
+                        <version>0.10.2</version>
+                        <hashes>
+                            <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
+                        </hashes>
+                        <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+                        <externalReferences>
+                            <reference type="distribution">
+                                <url>https://cyclonedx.org</url>
+                                <comment>No comment</comment>
+                            </reference>
+                        </externalReferences>
+                    </component>
+                    <component type="library" bom-ref="ded1d73e-1fca-4302-b520-f1bc53979958">
+                        <author>Test Author</author>
+                        <name>setuptools</name>
+                        <version>50.3.2</version>
+                        <licenses>
+                            <expression>MIT License</expression>
+                        </licenses>
+                        <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+                    </component>
+                </variants>
+                <commits>
+                    <commit>
+                        <uid>a-random-uid</uid>
+                        <message>A commit message</message>
+                    </commit>
+                </commits>
+                <patches>
+                    <patch type="backport"></patch>
+                </patches>
+                <notes>Some notes here please</notes>
+            </pedigree>
+        </component>
+    </components>
+</bom>

tests/fixtures/xml/1.3/bom_setuptools_complete.xml

@@ -0,0 +1,116 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.3" version="1">
+    <metadata>
+        <timestamp>2021-09-01T10:50:42.051979+00:00</timestamp>
+        <tools>
+            <tool>
+                <vendor>CycloneDX</vendor>
+                <name>cyclonedx-python-lib</name>
+                <version>VERSION</version>
+            </tool>
+        </tools>
+    </metadata>
+    <components>
+        <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+            <author>Test Author</author>
+            <name>setuptools</name>
+            <version>50.3.2</version>
+            <licenses>
+                <expression>MIT License</expression>
+            </licenses>
+            <cpe>cpe:2.3:a:python:setuptools:50.3.2:*:*:*:*:*:*:*</cpe>
+            <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+            <swid tagId="swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1" name="Test Application" version="3.4.5">
+                <text content-type="text/xml" encoding="base64">PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg==</text>
+            </swid>
+            <pedigree>
+                <ancestors>
+                    <component type="library" bom-ref="ccc8d7ee-4b9c-4750-aee0-a72585152291">
+                        <author>Test Author</author>
+                        <name>setuptools</name>
+                        <version>50.3.2</version>
+                        <licenses>
+                            <expression>MIT License</expression>
+                        </licenses>
+                        <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+                    </component>
+                    <component type="library" bom-ref="8a3893b3-9923-4adb-a1d3-47456636ba0a">
+                        <author>Test Author</author>
+                        <name>setuptools</name>
+                        <version />
+                        <licenses>
+                            <expression>MIT License</expression>
+                        </licenses>
+                        <purl>pkg:pypi/setuptools?extension=tar.gz</purl>
+                    </component>
+                </ancestors>
+                <descendants>
+                    <component type="library" bom-ref="28b2d8ce-def0-446f-a221-58dee0b44acc">
+                        <author>Test Author</author>
+                        <name>setuptools</name>
+                        <version />
+                        <licenses>
+                            <expression>MIT License</expression>
+                        </licenses>
+                        <purl>pkg:pypi/setuptools?extension=tar.gz</purl>
+                    </component>
+                    <component type="library" bom-ref="555ca729-93c6-48f3-956e-bdaa4a2f0bfa">
+                        <name>toml</name>
+                        <version>0.10.2</version>
+                        <hashes>
+                            <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
+                        </hashes>
+                        <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+                        <externalReferences>
+                            <reference type="distribution">
+                                <url>https://cyclonedx.org</url>
+                                <comment>No comment</comment>
+                                <hashes>
+                                    <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
+                                </hashes>
+                            </reference>
+                        </externalReferences>
+                    </component>
+                </descendants>
+                <variants>
+                    <component type="library" bom-ref="e7abdcca-5ba2-4f29-b2cf-b1e1ef788e66">
+                        <name>toml</name>
+                        <version>0.10.2</version>
+                        <hashes>
+                            <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
+                        </hashes>
+                        <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+                        <externalReferences>
+                            <reference type="distribution">
+                                <url>https://cyclonedx.org</url>
+                                <comment>No comment</comment>
+                                <hashes>
+                                    <hash alg="SHA-256">806143ae5bfb6a3c6e736a764057db0e6a0e05e338b5630894a5f779cabb4f9b</hash>
+                                </hashes>
+                            </reference>
+                        </externalReferences>
+                    </component>
+                    <component type="library" bom-ref="ded1d73e-1fca-4302-b520-f1bc53979958">
+                        <author>Test Author</author>
+                        <name>setuptools</name>
+                        <version>50.3.2</version>
+                        <licenses>
+                            <expression>MIT License</expression>
+                        </licenses>
+                        <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+                    </component>
+                </variants>
+                <commits>
+                    <commit>
+                        <uid>a-random-uid</uid>
+                        <message>A commit message</message>
+                    </commit>
+                </commits>
+                <patches>
+                    <patch type="backport"></patch>
+                </patches>
+                <notes>Some notes here please</notes>
+            </pedigree>
+        </component>
+    </components>
+</bom>