CycloneDX
diff --git a/‎cyclonedx/model/component.py
Lines changed: 713 additions & 32 deletions b/‎cyclonedx/model/component.py
Lines changed: 713 additions & 32 deletions
diff --git a/‎tests/_data/models.py
Lines changed: 85 additions & 0 deletions b/‎tests/_data/models.py
Lines changed: 85 additions & 0 deletions
diff --git a/‎tests/_data/snapshots/get_bom_with_component_evidence-1.0.xml.bin
Lines changed: 11 additions & 0 deletions b/‎tests/_data/snapshots/get_bom_with_component_evidence-1.0.xml.bin
Lines changed: 11 additions & 0 deletions
diff --git a/‎tests/_data/snapshots/get_bom_with_component_evidence-1.1.xml.bin
Lines changed: 15 additions & 0 deletions b/‎tests/_data/snapshots/get_bom_with_component_evidence-1.1.xml.bin
Lines changed: 15 additions & 0 deletions
diff --git a/‎tests/_data/snapshots/get_bom_with_component_evidence-1.2.json.bin
Lines changed: 56 additions & 0 deletions b/‎tests/_data/snapshots/get_bom_with_component_evidence-1.2.json.bin
Lines changed: 56 additions & 0 deletions
diff --git a/‎tests/_data/snapshots/get_bom_with_component_evidence-1.2.xml.bin
Lines changed: 39 additions & 0 deletions b/‎tests/_data/snapshots/get_bom_with_component_evidence-1.2.xml.bin
Lines changed: 39 additions & 0 deletions
diff --git a/‎tests/_data/snapshots/get_bom_with_component_evidence-1.3.json.bin
Lines changed: 73 additions & 0 deletions b/‎tests/_data/snapshots/get_bom_with_component_evidence-1.3.json.bin
Lines changed: 73 additions & 0 deletions
diff --git a/‎tests/_data/snapshots/get_bom_with_component_evidence-1.3.xml.bin
Lines changed: 50 additions & 0 deletions b/‎tests/_data/snapshots/get_bom_with_component_evidence-1.3.xml.bin
Lines changed: 50 additions & 0 deletions
@@ -44,16 +44,23 @@
 from cyclonedx.model.bom import Bom, BomMetaData
 from cyclonedx.model.bom_ref import BomRef
 from cyclonedx.model.component import (
+    AnalysisTechnique,
+    CallStack,
     Commit,
     Component,
     ComponentEvidence,
     ComponentScope,
     ComponentType,
     Diff,
+    Identity,
+    IdentityFieldType,
+    Method,
+    Occurrence,
     OmniborId,
     Patch,
     PatchClassification,
     Pedigree,
+    StackFrame,
     Swhid,
     Swid,
 )
@@ -455,6 +462,35 @@ def get_bom_with_component_setuptools_complete() -> Bom:
     return _make_bom(components=[get_component_setuptools_complete()])
 
 
+def get_bom_with_component_evidence() -> Bom:
+    bom = _make_bom()
+    tool_component = Component(
+        name='product-cbom-generator',
+        type=ComponentType.APPLICATION,
+        bom_ref='cbom:generator'
+    )
+    bom.metadata.tools.components.add(tool_component)
+    bom.metadata.component = Component(
+        name='root-component',
+        type=ComponentType.APPLICATION,
+        licenses=[DisjunctiveLicense(id='MIT')],
+        bom_ref='myApp',
+    )
+    component = Component(
+        name='setuptools', version='50.3.2',
+        bom_ref='pkg:pypi/[email protected]?extension=tar.gz',
+        purl=PackageURL(
+            type='pypi', name='setuptools', version='50.3.2', qualifiers='extension=tar.gz'
+        ),
+        licenses=[DisjunctiveLicense(id='MIT')],
+        author='Test Author'
+    )
+    component.evidence = get_component_evidence_basic(tool=tool_component.bom_ref, bom_ref='ref:setuptools')
+    bom.components.add(component)
+    bom.register_dependency(bom.metadata.component, depends_on=[component])
+    return bom
+
+
 def get_bom_with_component_setuptools_with_vulnerability() -> Bom:
     bom = _make_bom()
     component = get_component_setuptools_simple()
@@ -737,6 +773,55 @@ def get_component_setuptools_complete(include_pedigree: bool = True) -> Componen
     return component
 
 
+def get_component_evidence_basic(tool: BomRef, bom_ref: str) -> ComponentEvidence:
+    """
+    Returns a basic ComponentEvidence object for testing.
+    """
+    return ComponentEvidence(
+        identity=[
+            Identity(
+                field=IdentityFieldType.NAME,
+                confidence=Decimal('0.9'),
+                concluded_value='example-component',
+                methods=[
+                    Method(
+                        technique=AnalysisTechnique.SOURCE_CODE_ANALYSIS,
+                        confidence=Decimal('0.8'), value='analysis-tool'
+                    )
+                ],
+                tools=[tool]
+            )
+        ],
+        occurrences=[
+            Occurrence(
+                location='path/to/file',
+                line=42,
+                offset=16,
+                symbol='exampleSymbol',
+                additional_context='Found in source code',
+                bom_ref=bom_ref,
+            )
+        ],
+        callstack=CallStack(
+            frames=[
+                StackFrame(
+                    package='example.package',
+                    module='example.module',
+                    function='example_function',
+                    parameters=['param1', 'param2'],
+                    line=10,
+                    column=5,
+                    full_filename='path/to/file',
+                )
+            ]
+        ),
+        licenses=[DisjunctiveLicense(id='MIT')],
+        copyright=[
+            Copyright(text='Commercial'), Copyright(text='Commercial 2')
+        ]
+    )
+
+
 def get_component_setuptools_simple(
     bom_ref: Optional[str] = 'pkg:pypi/[email protected]?extension=tar.gz'
 ) -> Component:
 
@@ -0,0 +1,11 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.0" version="1">
+  <components>
+    <component type="library">
+      <name>setuptools</name>
+      <version>50.3.2</version>
+      <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+      <modified>false</modified>
+    </component>
+  </components>
+</bom>
@@ -0,0 +1,15 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.1" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
+  <components>
+    <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+      <name>setuptools</name>
+      <version>50.3.2</version>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+    </component>
+  </components>
+</bom>
@@ -0,0 +1,56 @@
+{
+  "components": [
+    {
+      "author": "Test Author",
+      "bom-ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "setuptools",
+      "purl": "pkg:pypi/[email protected]?extension=tar.gz",
+      "type": "library",
+      "version": "50.3.2"
+    }
+  ],
+  "dependencies": [
+    {
+      "dependsOn": [
+        "pkg:pypi/[email protected]?extension=tar.gz"
+      ],
+      "ref": "myApp"
+    },
+    {
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz"
+    }
+  ],
+  "metadata": {
+    "component": {
+      "bom-ref": "myApp",
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "root-component",
+      "type": "application",
+      "version": ""
+    },
+    "timestamp": "2023-01-07T13:44:32.312678+00:00",
+    "tools": [
+      {
+        "name": "product-cbom-generator"
+      }
+    ]
+  },
+  "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac",
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.2"
+}
@@ -0,0 +1,39 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
+  <metadata>
+    <timestamp>2023-01-07T13:44:32.312678+00:00</timestamp>
+    <tools>
+      <tool>
+        <name>product-cbom-generator</name>
+      </tool>
+    </tools>
+    <component type="application" bom-ref="myApp">
+      <name>root-component</name>
+      <version/>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+    </component>
+  </metadata>
+  <components>
+    <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+      <author>Test Author</author>
+      <name>setuptools</name>
+      <version>50.3.2</version>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+    </component>
+  </components>
+  <dependencies>
+    <dependency ref="myApp">
+      <dependency ref="pkg:pypi/[email protected]?extension=tar.gz"/>
+    </dependency>
+    <dependency ref="pkg:pypi/[email protected]?extension=tar.gz"/>
+  </dependencies>
+</bom>
@@ -0,0 +1,73 @@
+{
+  "components": [
+    {
+      "author": "Test Author",
+      "bom-ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "evidence": {
+        "copyright": [
+          {
+            "text": "Commercial"
+          },
+          {
+            "text": "Commercial 2"
+          }
+        ],
+        "licenses": [
+          {
+            "license": {
+              "id": "MIT"
+            }
+          }
+        ]
+      },
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "setuptools",
+      "purl": "pkg:pypi/[email protected]?extension=tar.gz",
+      "type": "library",
+      "version": "50.3.2"
+    }
+  ],
+  "dependencies": [
+    {
+      "dependsOn": [
+        "pkg:pypi/[email protected]?extension=tar.gz"
+      ],
+      "ref": "myApp"
+    },
+    {
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz"
+    }
+  ],
+  "metadata": {
+    "component": {
+      "bom-ref": "myApp",
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "root-component",
+      "type": "application",
+      "version": ""
+    },
+    "timestamp": "2023-01-07T13:44:32.312678+00:00",
+    "tools": [
+      {
+        "name": "product-cbom-generator"
+      }
+    ]
+  },
+  "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac",
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.3a.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.3"
+}
@@ -0,0 +1,50 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
+  <metadata>
+    <timestamp>2023-01-07T13:44:32.312678+00:00</timestamp>
+    <tools>
+      <tool>
+        <name>product-cbom-generator</name>
+      </tool>
+    </tools>
+    <component type="application" bom-ref="myApp">
+      <name>root-component</name>
+      <version/>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+    </component>
+  </metadata>
+  <components>
+    <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+      <author>Test Author</author>
+      <name>setuptools</name>
+      <version>50.3.2</version>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+      <evidence>
+        <licenses>
+          <license>
+            <id>MIT</id>
+          </license>
+        </licenses>
+        <copyright>
+          <text>Commercial</text>
+          <text>Commercial 2</text>
+        </copyright>
+      </evidence>
+    </component>
+  </components>
+  <dependencies>
+    <dependency ref="myApp">
+      <dependency ref="pkg:pypi/[email protected]?extension=tar.gz"/>
+    </dependency>
+    <dependency ref="pkg:pypi/[email protected]?extension=tar.gz"/>
+  </dependencies>
+</bom>