org.cyclonedx.model.Dependency is missing "provides" mapping according to CycloneDX 1.6 spec
Hi,
Looking at the CycloneDX 1.6 spec (https://cyclonedx.org/docs/1.6/json/#dependencies_items_provides), the Dependency object should be able to include a provides array of strings (bom-refs).
The current implementation of org.cyclonedx.model.Dependency is missing such a mapping, so if I parse an SBOM file like:
```json
{
  "version": 1,
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:fbe21a61-ba0f-3008-bc9f-fd4f0ac1aac3",
  "metadata": {
    "component": {
      "name": "bar",
      "purl": "pkg:maven/com.foo/bar@1.0.0?type=jar",
      "type": "library",
      "group": "com.foo",
      "version": "1.0.0"
    },
    "timestamp": "2024-12-05T09:40:16Z"
  },
  "bomFormat": "CycloneDX",
  "components": [
    {
      "name": "bar",
      "purl": "pkg:maven/com.foo/bar@1.0.0?type=jar",
      "bom-ref": "pkg:maven/com.foo/bar@1.0.0?type=jar",
      "type": "library",
      "group": "com.foo",
      "version": "1.0.0"
    },
    {
      "name": "foo",
      "purl": "pkg:maven/com.bar/foo@1.0.0?type=jar",
      "bom-ref": "pkg:maven/com.bar/foo@1.0.0?type=jar",
      "type": "library",
      "group": "com.bar",
      "version": "1.0.0"
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/com.foo/bar@1.0.0?type=jar",
      "provides": [
        "pkg:maven/com.bar/foo@1.0.0?type=jar"
      ]
    }
  ]
}
```
using the org.cyclonedx.parsers.JsonParser.parse(File) method, the org.cyclonedx.model.Bom is returned without any issue, but it is missing the provides array.
Would it be possible to update the org.cyclonedx.model.Dependency mapping according to 1.6 spec?
Thanks!
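The practical risk in a report like this is that a model class with an incomplete mapping drops data silently: the parse succeeds, and the lost `provides` relationship is only noticed if something compares input and output. The following is an added example, not code from cyclonedx-core-java or from the reporter; it is written in Python rather than Java so it runs without the library. It embeds the SBOM from the issue (purls assumed from the name/group/version fields), checks that every `ref`, `dependsOn` and `provides` entry resolves to a declared `bom-ref`, and simulates a parse/serialize round trip through a model that only knows certain keys so the dropped field can be detected.

```python
"""Validate the `dependencies` section of a CycloneDX 1.6 JSON BOM and
detect fields that a lossy parse/serialize round trip silently drops.

Added example, not part of cyclonedx-core-java. The sample BOM below is
constructed from the issue report; purls are assumed from name/group/version.
"""
import json

# Constructed sample: the SBOM from the issue, with purls assumed.
SAMPLE_BOM = json.loads(r"""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "version": 1,
  "components": [
    {"name": "bar", "group": "com.foo", "version": "1.0.0", "type": "library",
     "bom-ref": "pkg:maven/com.foo/bar@1.0.0?type=jar"},
    {"name": "foo", "group": "com.bar", "version": "1.0.0", "type": "library",
     "bom-ref": "pkg:maven/com.bar/foo@1.0.0?type=jar"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/com.foo/bar@1.0.0?type=jar",
     "provides": ["pkg:maven/com.bar/foo@1.0.0?type=jar"]}
  ]
}
""")

# Keys of a dependency entry that hold bom-refs to other components (1.6 spec).
DEPENDENCY_REF_KEYS = ("dependsOn", "provides")


def collect_bom_refs(bom):
    """Return the set of bom-refs declared by the components (and metadata component)."""
    refs = {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    meta_component = bom.get("metadata", {}).get("component", {})
    if "bom-ref" in meta_component:
        refs.add(meta_component["bom-ref"])
    return refs


def check_dependency_refs(bom):
    """Return (dependency_ref, key, dangling_ref) tuples for every reference in
    the dependency graph that does not resolve to a declared bom-ref."""
    declared = collect_bom_refs(bom)
    problems = []
    for dep in bom.get("dependencies", []):
        ref = dep.get("ref")
        if ref not in declared:
            problems.append((ref, "ref", ref))
        for key in DEPENDENCY_REF_KEYS:
            for target in dep.get(key, []):
                if target not in declared:
                    problems.append((ref, key, target))
    return problems


def lossy_roundtrip(bom, known_keys=("ref", "dependsOn")):
    """Simulate a model class whose Dependency mapping only knows `known_keys`:
    everything else in a dependency entry is lost on parse and absent on serialize.
    The default mimics a model without the 1.6 `provides` mapping."""
    out = json.loads(json.dumps(bom))  # deep copy via serialization
    out["dependencies"] = [
        {k: v for k, v in dep.items() if k in known_keys}
        for dep in bom.get("dependencies", [])
    ]
    return out


def dropped_dependency_fields(original, roundtripped):
    """Compare dependency entries before and after a round trip.
    Return {ref: [keys present in the original but missing afterwards]}."""
    after = {d.get("ref"): d for d in roundtripped.get("dependencies", [])}
    missing = {}
    for dep in original.get("dependencies", []):
        ref = dep.get("ref")
        lost = sorted(k for k in dep if k not in after.get(ref, {}))
        if lost:
            missing[ref] = lost
    return missing


if __name__ == "__main__":
    print("dangling refs:", check_dependency_refs(SAMPLE_BOM))
    print("dropped by a model without 'provides':",
          dropped_dependency_fields(SAMPLE_BOM, lossy_roundtrip(SAMPLE_BOM)))
    print("dropped by a model with 'provides':",
          dropped_dependency_fields(
              SAMPLE_BOM, lossy_roundtrip(SAMPLE_BOM, ("ref", "dependsOn", "provides"))))
```

The same round-trip comparison works against a real library: parse the file, serialize the resulting model back to JSON, and feed the original and the output to `dropped_dependency_fields`. A non-empty result means the model is lossy for that document, which is exactly the condition this issue reports.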
Hi, I have opened a PR to add the missing mapping. Would you please be able to take a look at it and let me know what the next steps should be? Thanks!