feat(cyclonedx): use evidence.occurrences for file paths instead of FilePath property#10937
feat(cyclonedx): use evidence.occurrences for file paths instead of FilePath property#10937kevglynn wants to merge 1 commit into
Conversation
…ilePath property CycloneDX has a native field for recording where a component was found: evidence.occurrences. Use it in CycloneDX output instead of the proprietary aquasecurity:trivy:FilePath property. The aquasecurity:trivy:FilePath property is still parsed when scanning SBOMs generated by older versions of Trivy. Close aquasecurity#9832 Co-authored-by: Cursor <cursoragent@cursor.com>
|
Hi @knqyf263 @DmitriyLewen — gentle ping when you have a moment. CLA is signed and this is ready for review. The Test and Validate PR Title workflows are still waiting on first-time contributor approval, so CI hasn't run yet on our side. Locally: Happy to adjust anything — especially around backward compat for old Thanks for your time! |
Note on golden file diffsThe large diffs in
No other content was changed. These were regenerated via the patched binary against the same integration fixtures and roundtrip-verified. ( |
|
Hello @kevglynn We're currently busy with other priority tasks. Thanks for your work and your patience. |
Description
CycloneDX has a native field for recording where a component was found:
evidence.occurrences(available since spec 1.5). Trivy currently records this in a proprietaryaquasecurity:trivy:FilePathproperty instead.This PR switches CycloneDX output to
evidence.occurrences:pkg/sbom/io/encode.go: no longer adds theFilePathproperty to component properties (the file path is already carried incore.Component.Files).pkg/sbom/cyclonedx/marshal.go: marshalscore.Component.Filespaths asevidence.occurrences[].location.pkg/sbom/cyclonedx/unmarshal.go: parsesevidence.occurrencesback intocore.Component.Files, so re-scanning a Trivy SBOM preserves file paths.Backward compatibility
pkg/sbom/io/decode.gostill parses theaquasecurity:trivy:FilePathproperty, so SBOMs generated by older versions of Trivy keep working. Existing test fixtures using the old property (testdata/happy/bom.json,testdata/happy/group-in-name.json, fanal SBOM testdata, and thefluentd-multiple-lockfiles-cyclonedx.jsonintegration fixture) are intentionally left unchanged so they keep covering this path.testdata/happy/evidence-occurrences.json) covers the new path.core.PropertyFilePathremains induplicatePropertiesin the SPDX marshaler: when an older SBOM is rescanned,reuseExistingBOM()passes the original components (which still contain the property) directly to the marshaler, so the filter is still needed to prevent a duplicateFilePathannotation in SPDX output.integration/testdata/fluentd-multiple-lockfiles-short.cdx.json.goldenis intentionally not changed: that test scans an old-style SBOM and outputs CycloneDX viareuseExistingBOM(), which passes the original components through unchanged, so the old property is (correctly) preserved in that output.Before
{ "purl": "pkg:conda/openssl@1.1.1q", "properties": [ { "name": "aquasecurity:trivy:FilePath", "value": "miniconda3/envs/testenv/conda-meta/openssl-1.1.1q-h7f8727e_0.json" }, { "name": "aquasecurity:trivy:PkgType", "value": "conda-pkg" } ] }After
{ "purl": "pkg:conda/openssl@1.1.1q", "properties": [ { "name": "aquasecurity:trivy:PkgType", "value": "conda-pkg" } ], "evidence": { "occurrences": [ { "location": "miniconda3/envs/testenv/conda-meta/openssl-1.1.1q-h7f8727e_0.json" } ] } }(Output of
trivy rootfs --format cyclonedxonintegration/testdata/fixtures/repo/conda.)Related issues
component.evidence.occurrences.locationfor filapaths and linenumber #9832Checklist
Made with Cursor