Open
Description
Hi,
looking at the CycloneDX 1.6 spec (https://cyclonedx.org/docs/1.6/json/#dependencies_items_provides), the Dependency object should be able to include a provides Array of Strings (bom-refs).
The current implementation of org.cyclonedx.model.Dependency is missing such a mapping, therefore if I parse an SBOM file like:
```json
{
  "version": 1,
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:fbe21a61-ba0f-3008-bc9f-fd4f0ac1aac3",
  "metadata": {
    "component": {
      "name": "bar",
      "purl": "pkg:maven/com.foo/bar@1.0.0?type=jar",
      "type": "library",
      "group": "com.foo",
      "version": "1.0.0"
    },
    "timestamp": "2024-12-05T09:40:16Z"
  },
  "bomFormat": "CycloneDX",
  "components": [
    {
      "name": "bar",
      "purl": "pkg:maven/com.foo/bar@1.0.0?type=jar",
      "bom-ref": "pkg:maven/com.foo/bar@1.0.0?type=jar",
      "type": "library",
      "group": "com.foo",
      "version": "1.0.0"
    },
    {
      "name": "foo",
      "purl": "pkg:maven/com.bar/foo@1.0.0?type=jar",
      "bom-ref": "pkg:maven/com.bar/foo@1.0.0?type=jar",
      "type": "library",
      "group": "com.bar",
      "version": "1.0.0"
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/com.foo/bar@1.0.0?type=jar",
      "provides": [
        "pkg:maven/com.bar/foo@1.0.0?type=jar"
      ]
    }
  ]
}
```
using the org.cyclonedx.parsers.JsonParser.parse(File) method, the org.cyclonedx.model.Bom is returned without any issue, but it's missing the provides array.
Would it be possible to update the org.cyclonedx.model.Dependency mapping according to 1.6 spec?
Thanks!
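As an added example (not the reporter's or cyclonedx-core-java's code): a language-agnostic check for lossy SBOM round-trips, which flags the dropped `dependencies[].provides` path this issue describes and also verifies that every `provides` bom-ref resolves to a component. The Java library is not called; `simulate_lossy_roundtrip` is a constructed stand-in for a parser whose model lacks the field.

```python
import json
from typing import Any, List

# SBOM from the issue, trimmed to the parts that matter, embedded as sample input.
ORIGINAL_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "components": [
    {"name": "bar", "type": "library", "group": "com.foo", "version": "1.0.0",
     "bom-ref": "pkg:maven/com.foo/bar@1.0.0?type=jar"},
    {"name": "foo", "type": "library", "group": "com.bar", "version": "1.0.0",
     "bom-ref": "pkg:maven/com.bar/foo@1.0.0?type=jar"}
  ],
  "dependencies": [
    {"ref": "pkg:maven/com.foo/bar@1.0.0?type=jar",
     "provides": ["pkg:maven/com.bar/foo@1.0.0?type=jar"]}
  ]
}
""")

def find_dropped_paths(original: Any, reparsed: Any, path: str = "$") -> List[str]:
    """Paths present in `original` but absent from `reparsed` (lists compared by index)."""
    if isinstance(original, dict):
        if not isinstance(reparsed, dict):
            return [path]
        return [p for k, v in original.items()
                for p in ([f"{path}.{k}"] if k not in reparsed
                          else find_dropped_paths(v, reparsed[k], f"{path}.{k}"))]
    if isinstance(original, list):
        if not isinstance(reparsed, list):
            return [path]
        return [p for i, v in enumerate(original)
                for p in ([f"{path}[{i}]"] if i >= len(reparsed)
                          else find_dropped_paths(v, reparsed[i], f"{path}[{i}]"))]
    return []  # scalars: only presence is checked, values may be normalised

def unresolved_provides(bom: dict) -> List[str]:
    """bom-refs under dependencies[].provides that match no component's bom-ref."""
    known = {c.get("bom-ref") for c in bom.get("components", [])}
    known.add(bom.get("metadata", {}).get("component", {}).get("bom-ref"))
    return [ref for dep in bom.get("dependencies", [])
            for ref in dep.get("provides", []) if ref not in known]

def simulate_lossy_roundtrip(bom: dict) -> dict:
    """Constructed stand-in for a parser whose Dependency model has no `provides` field."""
    out = json.loads(json.dumps(bom))
    for dep in out.get("dependencies", []):
        dep.pop("provides", None)
    return out
```

Feeding the library's actual re-serialized output in place of `simulate_lossy_roundtrip` turns this into a regression check that the `provides` mapping, once added, survives a parse/generate cycle.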