feat: include support for CycloneDX 1.5

README.md

@@ -16,7 +16,7 @@
 </p>
 
 The Genealogos project is a tool that takes output from Nix evaluation tools and produces BOM files.
-Currently, it takes input from [nixtract][nixtract-url] and produces json output compliant with the [CycloneDX][cyclonedx-url] 1.3 or 1.4 specification.<!-- TODO: 1.5 -->
+Currently, it takes input from [nixtract][nixtract] and produces json or xml output compliant with the [CycloneDX][cyclonedx] 1.3, 1.4, or 1.5 specification.
 Output from Genealogos can be used by various other tools to perform further analysis.
 
 Note Nix is mainly just suitable for Software, and so the BOM output by Genealogos is nearly always an SBOM.
@@ -149,8 +149,7 @@ Example:
 curl "http://localhost:8000/api/analyze?installable=nixpkgs%23hello&cyclonedx_version=v1_4"
 ```
 
-<!-- TODO: Add 1.5 support -->
-Currently supported are `[cyclonedx_1.3_json, cyclonedx_1.3_xml, cyclonedx_1.4_json, cyclonedx_1.4_xml]`, with `cyclonedx_1.4_json` being the default.
+Currently supported are `[cyclonedx_1.3_json, cyclonedx_1.3_xml, cyclonedx_1.4_json, cyclonedx_1.4_xml, cyclonedx_1.5_json, cyclonedx_1.5_xml]`, with `cyclonedx_1.5_json` being the default.
 
 #### Jobs
 The jobs based API consists of three endpoints: `/api/jobs/create`, `/api/jobs/status`, and `/api/jobs/result`.

genealogos-api/src/main.rs

@@ -172,20 +172,15 @@ mod tests {
                 };
                 let response_bom: serde_json::Value = serde_json::from_str(response_bom).unwrap();
 
-                // 1.4
-                let mut expected_path_1_4 = input_path.clone();
-                expected_path_1_4.set_extension("1_4.out");
-                // Read expected_path_1_4 to a string
-                let expected_string_1_4 = std::fs::read_to_string(expected_path_1_4).unwrap();
-                let expected_output_1_4: serde_json::Value =
-                    serde_json::from_str(&expected_string_1_4).unwrap();
-
-                // Convert from and to json to remove the pretty printed stuff
-                // let expected_json_1_4: serde_json::Value =
-                //     serde_json::from_str(&expected_output_1_4).unwrap();
-                // let expected_output_1_4 = serde_json::to_string(&expected_json_1_4).unwrap();
-
-                assert_eq!(response_bom, expected_output_1_4);
+                // 1.5
+                let mut expected_path_1_5 = input_path.clone();
+                expected_path_1_5.set_extension("1_5.out");
+                // Read expected_path_1_5 to a string
+                let expected_string_1_5 = std::fs::read_to_string(expected_path_1_5).unwrap();
+                let expected_output_1_5: serde_json::Value =
+                    serde_json::from_str(&expected_string_1_5).unwrap();
+
+                assert_eq!(response_bom, expected_output_1_5);
             }
         }
     }

genealogos-frontend/index.html

@@ -65,6 +65,8 @@ <h1 class="text-center mt-5">Genealogos</h1>
                         <option value="cyclonedx_1.3_xml">CycloneDX 1.3 (XML)</option>
                         <option value="cyclonedx_1.4_json">CycloneDX 1.4 (JSON)</option>
                         <option value="cyclonedx_1.4_xml">CycloneDX 1.4 (XML)</option>
+                        <option value="cyclonedx_1.5_json" selected>CycloneDX 1.5 (JSON)</option>
+                        <option value="cyclonedx_1.5_xml">CycloneDX 1.5 (XML)</option>
                     </select>
                 </div>
                 <div class="d-flex justify-content-between align-items-center">

genealogos/src/args.rs

@@ -55,8 +55,7 @@ impl std::fmt::Display for BackendArg {
 #[derive(Clone, Copy, Debug)]
 #[non_exhaustive]
 pub enum BomArg {
-    /// A subset of the CycloneDX bom format, currently only supporting 1.3 and 1.4, both xml and json output.
-    // TODO: Include 1.5
+    /// A subset of the CycloneDX bom format, currently only supporting 1.3, 1.4, and 1.5, both xml and json output.
     CycloneDX(
         crate::bom::cyclonedx::SpecVersion,
         crate::bom::cyclonedx::FileFormat,

genealogos/src/bom/cyclonedx.rs

@@ -55,15 +55,17 @@ impl FromStr for FileFormat {
 #[non_exhaustive]
 pub enum SpecVersion {
     V1_3,
-    #[default]
     V1_4,
+    #[default]
+    V1_5,
 }
 
 impl Display for SpecVersion {
     fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
         match self {
             SpecVersion::V1_3 => write!(f, "1.3"),
             SpecVersion::V1_4 => write!(f, "1.4"),
+            SpecVersion::V1_5 => write!(f, "1.5"),
         }
     }
 }
@@ -75,6 +77,7 @@ impl FromStr for SpecVersion {
         match s {
             "1.3" => Ok(SpecVersion::V1_3),
             "1.4" => Ok(SpecVersion::V1_4),
+            "1.5" => Ok(SpecVersion::V1_5),
             _ => Err(Error::InvalidCycloneDXVersion(s.to_string())),
         }
     }
@@ -168,6 +171,10 @@ impl super::Bom for CycloneDX {
                 FileFormat::JSON => bom.output_as_json_v1_4(writer)?,
                 FileFormat::XML => bom.output_as_xml_v1_4(writer)?,
             },
+            SpecVersion::V1_5 => match self.file_format {
+                FileFormat::JSON => bom.output_as_json_v1_5(writer)?,
+                FileFormat::XML => bom.output_as_xml_v1_5(writer)?,
+            },
         }
 
         Ok(())
@@ -272,6 +279,8 @@ impl TryFrom<ModelComponent> for Component {
             components: None,
             evidence: None,
             signature: None,
+            model_card: None,
+            data: None,
         })
     }
 }
@@ -295,6 +304,9 @@ impl TryFrom<ModelLicense> for LicenseChoice {
                 license_identifier: LicenseIdentifier::Name(NormalizedString::new(&name)),
                 text: None,
                 url: None,
+                bom_ref: None,
+                licensing: None,
+                properties: None,
             }))
         } else {
             unreachable!("We only construct ModelLicense with at least id or name")