fix: 1.6 xml validation, add: documentation for 1.6 and testcases (#401)

Signed-off-by: andreas hilti <[email protected]>

README.md

@@ -110,7 +110,7 @@ Options:
   --output-file <output-file>                                  Output BOM filename, will write to stdout if no value provided.
   --input-format <autodetect|csv|json|protobuf|spdxjson|xml>   Specify input file format.
   --output-format <autodetect|csv|json|protobuf|spdxjson|xml>  Specify output file format.
-  --output-version <v1_0|v1_1|v1_2|v1_3|v1_4|v1_5>                  Specify output BOM specification version. (ignored for CSV and SPDX formats)  
+  --output-version <v1_0|v1_1|v1_2|v1_3|v1_4|v1_5|v1_6>        Specify output BOM specification version. (ignored for CSV and SPDX formats)  
 ```
 
 ### Examples
@@ -192,15 +192,15 @@ Usage:
   cyclonedx merge [options]
 
 Options:
-  --input-files <input-files>                      Input BOM filenames (separate filenames with a space).
-  --output-file <output-file>                      Output BOM filename, will write to stdout if no value provided.
-  --input-format <autodetect|json|protobuf|xml>    Specify input file format.
-  --output-format <autodetect|json|protobuf|xml>   Specify output file format.
-  --output-version <v1_0|v1_1|v1_2|v1_3|v1_4|v1_5> Specify output BOM specification version.
-  --hierarchical                                   Perform a hierarchical merge.
-  --group <group>                                  Provide the group of software the merged BOM describes.
-  --name <name>                                    Provide the name of software the merged BOM describes (required for hierarchical merging).
-  --version <version>                              Provide the version of software the merged BOM describes (required for hierarchical merging).
+  --input-files <input-files>                           Input BOM filenames (separate filenames with a space).
+  --output-file <output-file>                           Output BOM filename, will write to stdout if no value provided.
+  --input-format <autodetect|json|protobuf|xml>         Specify input file format.
+  --output-format <autodetect|json|protobuf|xml>        Specify output file format.
+  --output-version <v1_0|v1_1|v1_2|v1_3|v1_4|v1_5|v1_6> Specify output BOM specification version.
+  --hierarchical                                        Perform a hierarchical merge.
+  --group <group>                                       Provide the group of software the merged BOM describes.
+  --name <name>                                         Provide the name of software the merged BOM describes (required for hierarchical merging).
+  --version <version>                                   Provide the version of software the merged BOM describes (required for hierarchical merging).
 ```
 
 Note: To perform a hierarchical merge all BOMs need the subject of the BOM
@@ -261,10 +261,10 @@ Usage:
   cyclonedx validate [options]
 
 Options:
-  --input-file <input-file>                   Input BOM filename, will read from stdin if no value provided.
-  --input-format <autodetect|json|xml>        Specify input file format.
-  --input-version <v1_0|v1_1|v1_2|v1_3|v1_4|v1_5>  Specify input file specification version (defaults to v1.5)
-  --fail-on-errors                            Fail on validation errors (return a non-zero exit code)
+  --input-file <input-file>                             Input BOM filename, will read from stdin if no value provided.
+  --input-format <autodetect|json|xml>                  Specify input file format.
+  --input-version <v1_0|v1_1|v1_2|v1_3|v1_4|v1_5|v1_6>  Specify input file specification version (defaults to v1.6)
+  --fail-on-errors                                      Fail on validation errors (return a non-zero exit code)
 ```
 
 ### Examples

src/cyclonedx/Commands/ValidateCommand.cs

@@ -36,7 +36,7 @@ public static void Configure(RootCommand rootCommand)
             var subCommand = new System.CommandLine.Command("validate", "Validate a BOM");
             subCommand.Add(new Option<string>("--input-file", "Input BOM filename, will read from stdin if no value provided."));
             subCommand.Add(new Option<ValidationBomFormat>("--input-format", "Specify input file format."));
-            subCommand.Add(new Option<SpecificationVersion?>("--input-version", "Specify input file specification version (defaults to v1.5)"));
+            subCommand.Add(new Option<SpecificationVersion?>("--input-version", "Specify input file specification version (defaults to v1.6)"));
             subCommand.Add(new Option<bool>("--fail-on-errors", "Fail on validation errors (return a non-zero exit code)"));
             subCommand.Handler = CommandHandler.Create<ValidateCommandOptions>(Validate);
             rootCommand.Add(subCommand);
@@ -76,7 +76,11 @@ public static async Task<int> Validate(ValidateCommandOptions options)
             }
             else if (options.InputFormat == ValidationBomFormat.xml)
             {
-                validationResult = Xml.Validator.Validate(inputBom, SpecificationVersion.v1_5);
+                validationResult = Xml.Validator.Validate(inputBom, SpecificationVersion.v1_6);
+                if (!validationResult.Valid)
+                {
+                    validationResult = Xml.Validator.Validate(inputBom, SpecificationVersion.v1_5);
+                }
                 if (!validationResult.Valid)
                 {
                     validationResult = Xml.Validator.Validate(inputBom, SpecificationVersion.v1_4);

tests/cyclonedx.tests/ConvertTests.cs

@@ -1,4 +1,4 @@
-// This file is part of CycloneDX CLI Tool
+// This file is part of CycloneDX CLI Tool
 //
 // Licensed under the Apache License, Version 2.0 (the “License”);
 // you may not use this file except in compliance with the License.
@@ -75,6 +75,11 @@ public class ConvertTests
         [InlineData("bom-1.5.json", ConvertFormat.json, "bom.json", ConvertFormat.json, null)]
         [InlineData("bom-1.5.json", ConvertFormat.json, "bom.json", ConvertFormat.json, SpecificationVersion.v1_5)]
 
+        [InlineData("bom-1.6.json", ConvertFormat.autodetect, "bom.json", ConvertFormat.autodetect, null)]
+        [InlineData("bom-1.6.json", ConvertFormat.json, "bom.json", ConvertFormat.autodetect, null)]
+        [InlineData("bom-1.6.json", ConvertFormat.json, "bom.json", ConvertFormat.json, null)]
+        [InlineData("bom-1.6.json", ConvertFormat.json, "bom.json", ConvertFormat.json, SpecificationVersion.v1_6)]
+
         [InlineData("bom.csv", ConvertFormat.autodetect, "bom.csv", ConvertFormat.autodetect, null)]
         [InlineData("bom.csv", ConvertFormat.csv, "bom.csv", ConvertFormat.autodetect, null)]
         [InlineData("bom.csv", ConvertFormat.csv, "bom.csv", ConvertFormat.csv, null)]

tests/cyclonedx.tests/Resources/bom-1.6.json

@@ -0,0 +1,177 @@
+{
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2020-04-13T20:20:39+00:00",
+    "tools": [
+      {
+        "vendor": "Awesome Vendor",
+        "name": "Awesome Tool",
+        "version": "9.1.2",
+        "hashes": [
+          {
+            "alg": "SHA-1",
+            "content": "25ed8e31b995bb927966616df2a42b979a2717f0"
+          },
+          {
+            "alg": "SHA-256",
+            "content": "a74f733635a19aefb1f73e5947cef59cd7440c6952ef0f03d09d974274cbd6df"
+          }
+        ]
+      }
+    ],
+    "authors": [
+      {
+        "name": "Samantha Wright",
+        "email": "[email protected]",
+        "phone": "800-555-1212"
+      }
+    ],
+    "component": {
+      "type": "application",
+      "author": "Acme Super Heros",
+      "name": "Acme Application",
+      "version": "9.1.1",
+      "swid": {
+        "tagId": "swidgen-242eb18a-503e-ca37-393b-cf156ef09691_9.1.1",
+        "name": "Acme Application",
+        "version": "9.1.1",
+        "text": {
+          "contentType": "text/xml",
+          "encoding": "base64",
+          "content": "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0idXRmLTgiID8+CjxTb2Z0d2FyZUlkZW50aXR5IHhtbDpsYW5nPSJFTiIgbmFtZT0iQWNtZSBBcHBsaWNhdGlvbiIgdmVyc2lvbj0iOS4xLjEiIAogdmVyc2lvblNjaGVtZT0ibXVsdGlwYXJ0bnVtZXJpYyIgCiB0YWdJZD0ic3dpZGdlbi1iNTk1MWFjOS00MmMwLWYzODItM2YxZS1iYzdhMmE0NDk3Y2JfOS4xLjEiIAogeG1sbnM9Imh0dHA6Ly9zdGFuZGFyZHMuaXNvLm9yZy9pc28vMTk3NzAvLTIvMjAxNS9zY2hlbWEueHNkIj4gCiB4bWxuczp4c2k9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvWE1MU2NoZW1hLWluc3RhbmNlIiAKIHhzaTpzY2hlbWFMb2NhdGlvbj0iaHR0cDovL3N0YW5kYXJkcy5pc28ub3JnL2lzby8xOTc3MC8tMi8yMDE1LWN1cnJlbnQvc2NoZW1hLnhzZCBzY2hlbWEueHNkIiA+CiAgPE1ldGEgZ2VuZXJhdG9yPSJTV0lEIFRhZyBPbmxpbmUgR2VuZXJhdG9yIHYwLjEiIC8+IAogIDxFbnRpdHkgbmFtZT0iQWNtZSwgSW5jLiIgcmVnaWQ9ImV4YW1wbGUuY29tIiByb2xlPSJ0YWdDcmVhdG9yIiAvPiAKPC9Tb2Z0d2FyZUlkZW50aXR5Pg=="
+        }
+      }
+    },
+    "manufacture": {
+      "name": "Acme, Inc.",
+      "url": [
+        "https://example.com"
+      ],
+      "contact": [
+        {
+          "name": "Acme Professional Services",
+          "email": "[email protected]"
+        }
+      ]
+    },
+    "supplier": {
+      "name": "Acme, Inc.",
+      "url": [
+        "https://example.com"
+      ],
+      "contact": [
+        {
+          "name": "Acme Distribution",
+          "email": "[email protected]"
+        }
+      ]
+    }
+  },
+  "components": [
+    {
+      "bom-ref": "pkg:npm/acme/[email protected]",
+      "type": "library",
+      "publisher": "Acme Inc",
+      "group": "com.acme",
+      "name": "tomcat-catalina",
+      "version": "9.0.14",
+      "hashes": [
+        {
+          "alg": "MD5",
+          "content": "3942447fac867ae5cdb3229b658f4d48"
+        },
+        {
+          "alg": "SHA-1",
+          "content": "e6b1000b94e835ffd37f4c6dcbdad43f4b48a02a"
+        },
+        {
+          "alg": "SHA-256",
+          "content": "f498a8ff2dd007e29c2074f5e4b01a9a01775c3ff3aeaf6906ea503bc5791b7b"
+        },
+        {
+          "alg": "SHA-512",
+          "content": "e8f33e424f3f4ed6db76a482fde1a5298970e442c531729119e37991884bdffab4f9426b7ee11fccd074eeda0634d71697d6f88a460dce0ac8d627a29f7d1282"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0",
+            "text": {
+              "contentType": "text/plain",
+              "encoding": "base64",
+              "content": "License text here"
+            },
+            "url": "https://www.apache.org/licenses/LICENSE-2.0.txt"
+          }
+        }
+      ],
+      "purl": "pkg:npm/acme/[email protected]",
+      "pedigree": {
+        "ancestors": [
+          {
+            "type": "library",
+            "publisher": "Acme Inc",
+            "group": "com.acme",
+            "name": "tomcat-catalina",
+            "version": "9.0.14"
+          },
+          {
+            "type": "library",
+            "publisher": "Acme Inc",
+            "group": "com.acme",
+            "name": "tomcat-catalina",
+            "version": "9.0.14"
+          }
+        ],
+        "commits": [
+          {
+            "uid": "7638417db6d59f3c431d3e1f261cc637155684cd",
+            "url": "https://location/to/7638417db6d59f3c431d3e1f261cc637155684cd",
+            "author": {
+              "timestamp": "2018-11-13T20:20:39+00:00",
+              "name": "me",
+              "email": "[email protected]"
+            }
+          }
+        ]
+      }
+    },
+    {
+      "type": "library",
+      "supplier": {
+        "name": "Example, Inc.",
+        "url": [
+          "https://example.com",
+          "https://example.net"
+        ],
+        "contact": [
+          {
+            "name": "Example Support AMER Distribution",
+            "email": "[email protected]",
+            "phone": "800-555-1212"
+          },
+          {
+            "name": "Example Support APAC",
+            "email": "[email protected]"
+          }
+        ]
+      },
+      "author": "Example Super Heros",
+      "group": "org.example",
+      "name": "mylibrary",
+      "version": "1.0.0"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:npm/acme/[email protected]",
+      "dependsOn": [
+        "pkg:npm/acme/[email protected]"
+      ]
+    }
+  ]
+}

tests/cyclonedx.tests/ValidateTests.cs

@@ -1,4 +1,4 @@
-// This file is part of CycloneDX CLI Tool
+// This file is part of CycloneDX CLI Tool
 //
 // Licensed under the Apache License, Version 2.0 (the “License”);
 // you may not use this file except in compliance with the License.
@@ -47,6 +47,9 @@ public class ValidateTests
         [InlineData("bom-1.5.xml", ValidationBomFormat.autodetect, null, true)]
         [InlineData("bom-1.5.xml", ValidationBomFormat.xml, SpecificationVersion.v1_5, true)]
 
+        [InlineData("bom-1.6.xml", ValidationBomFormat.autodetect, null, true)]
+        [InlineData("bom-1.6.xml", ValidationBomFormat.xml, SpecificationVersion.v1_6, true)]
+
         [InlineData("bom-1.2.json", ValidationBomFormat.autodetect, null, true)]
         [InlineData("bom-1.2.json", ValidationBomFormat.autodetect, SpecificationVersion.v1_3, false)]
 
@@ -64,6 +67,9 @@ public class ValidateTests
 
         [InlineData("bom-1.5.json", ValidationBomFormat.autodetect, null, true)]
         [InlineData("bom-1.5.json", ValidationBomFormat.json, SpecificationVersion.v1_5, true)]
+
+        [InlineData("bom-1.6.json", ValidationBomFormat.autodetect, null, true)]
+        [InlineData("bom-1.6.json", ValidationBomFormat.json, SpecificationVersion.v1_6, true)]
         public async Task Validate(string inputFilename, ValidationBomFormat inputFormat, SpecificationVersion? inputVersion, bool valid)
         {
             var exitCode = await ValidateCommand.Validate(new ValidateCommandOptions