feat: add support for component's evidences according to spec

Signed-off-by: Arun <[email protected]>

Author: OxPirates

cyclonedx/model/component.py

@@ -44,16 +44,23 @@
 from cyclonedx.model.bom import Bom, BomMetaData
 from cyclonedx.model.bom_ref import BomRef
 from cyclonedx.model.component import (
+    AnalysisTechnique,
+    CallStack,
     Commit,
     Component,
     ComponentEvidence,
     ComponentScope,
     ComponentType,
     Diff,
+    Identity,
+    IdentityFieldType,
+    Method,
+    Occurrence,
     OmniborId,
     Patch,
     PatchClassification,
     Pedigree,
+    StackFrame,
     Swhid,
     Swid,
 )
@@ -455,6 +462,10 @@ def get_bom_with_component_setuptools_complete() -> Bom:
     return _make_bom(components=[get_component_setuptools_complete()])
 
 
+def get_bom_with_component_evidence() -> Bom:
+    return _make_bom(components=[get_component_with_evidence()])
+
+
 def get_bom_with_component_setuptools_with_vulnerability() -> Bom:
     bom = _make_bom()
     component = get_component_setuptools_simple()
@@ -737,6 +748,64 @@ def get_component_setuptools_complete(include_pedigree: bool = True) -> Componen
     return component
 
 
+def get_component_with_evidence(include_pedigree: bool = True) -> Component:
+    component = get_component_setuptools_simple()
+    component.evidence = get_component_evidence_basic()
+    return component
+
+
+def get_component_evidence_basic() -> ComponentEvidence:
+    """
+    Returns a basic ComponentEvidence object for testing.
+    """
+    return ComponentEvidence(
+        identity=[
+            Identity(
+                field=IdentityFieldType.NAME,
+                confidence=Decimal('0.9'),
+                concluded_value='example-component',
+                methods=[
+                    Method(
+                        technique=AnalysisTechnique.SOURCE_CODE_ANALYSIS,
+                        confidence=Decimal('0.8'), value='analysis-tool'
+                    )
+                ],
+                tools=[
+                    BomRef('ref0'),  # BomRef reference
+                    BomRef('ref1')  # BomRef reference
+                ]
+            )
+        ],
+        occurrences=[
+            Occurrence(
+                location='path/to/file',
+                line=42,
+                offset=16,
+                symbol='exampleSymbol',
+                additional_context='Found in source code',
+                bom_ref='BomRef.2392456298152259.7035102660516194',
+            )
+        ],
+        callstack=CallStack(
+            frames=[
+                StackFrame(
+                    package='example.package',
+                    module='example.module',
+                    function='example_function',
+                    parameters=['param1', 'param2'],
+                    line=10,
+                    column=5,
+                    full_filename='path/to/file',
+                )
+            ]
+        ),
+        licenses=[DisjunctiveLicense(id='MIT')],
+        copyright=[
+            Copyright(text='Commercial'), Copyright(text='Commercial 2')
+        ]
+    )
+
+
 def get_component_setuptools_simple(
     bom_ref: Optional[str] = 'pkg:pypi/[email protected]?extension=tar.gz'
 ) -> Component:
@@ -1485,4 +1554,5 @@ def get_bom_for_issue540_duplicate_components() -> Bom:
     get_bom_with_lifecycles,
     get_bom_with_definitions_standards,
     get_bom_with_definitions_and_detailed_standards,
+    get_bom_with_component_evidence,
 }

tests/_data/models.py

@@ -0,0 +1,11 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.0" version="1">
+  <components>
+    <component type="library">
+      <name>setuptools</name>
+      <version>50.3.2</version>
+      <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+      <modified>false</modified>
+    </component>
+  </components>
+</bom>

tests/_data/snapshots/get_bom_with_component_evidence-1.0.xml.bin

@@ -0,0 +1,15 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.1" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
+  <components>
+    <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+      <name>setuptools</name>
+      <version>50.3.2</version>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+    </component>
+  </components>
+</bom>

tests/_data/snapshots/get_bom_with_component_evidence-1.1.xml.bin

@@ -0,0 +1,32 @@
+{
+  "components": [
+    {
+      "author": "Test Author",
+      "bom-ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "setuptools",
+      "purl": "pkg:pypi/[email protected]?extension=tar.gz",
+      "type": "library",
+      "version": "50.3.2"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2023-01-07T13:44:32.312678+00:00"
+  },
+  "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac",
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.2b.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.2"
+}

tests/_data/snapshots/get_bom_with_component_evidence-1.2.json.bin

@@ -0,0 +1,22 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
+  <metadata>
+    <timestamp>2023-01-07T13:44:32.312678+00:00</timestamp>
+  </metadata>
+  <components>
+    <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+      <author>Test Author</author>
+      <name>setuptools</name>
+      <version>50.3.2</version>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+    </component>
+  </components>
+  <dependencies>
+    <dependency ref="pkg:pypi/[email protected]?extension=tar.gz"/>
+  </dependencies>
+</bom>

tests/_data/snapshots/get_bom_with_component_evidence-1.2.xml.bin

@@ -0,0 +1,49 @@
+{
+  "components": [
+    {
+      "author": "Test Author",
+      "bom-ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "evidence": {
+        "copyright": [
+          {
+            "text": "Commercial"
+          },
+          {
+            "text": "Commercial 2"
+          }
+        ],
+        "licenses": [
+          {
+            "license": {
+              "id": "MIT"
+            }
+          }
+        ]
+      },
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "setuptools",
+      "purl": "pkg:pypi/[email protected]?extension=tar.gz",
+      "type": "library",
+      "version": "50.3.2"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2023-01-07T13:44:32.312678+00:00"
+  },
+  "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac",
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.3a.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.3"
+}

tests/_data/snapshots/get_bom_with_component_evidence-1.3.json.bin

@@ -0,0 +1,33 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.3" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
+  <metadata>
+    <timestamp>2023-01-07T13:44:32.312678+00:00</timestamp>
+  </metadata>
+  <components>
+    <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+      <author>Test Author</author>
+      <name>setuptools</name>
+      <version>50.3.2</version>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+      <evidence>
+        <licenses>
+          <license>
+            <id>MIT</id>
+          </license>
+        </licenses>
+        <copyright>
+          <text>Commercial</text>
+          <text>Commercial 2</text>
+        </copyright>
+      </evidence>
+    </component>
+  </components>
+  <dependencies>
+    <dependency ref="pkg:pypi/[email protected]?extension=tar.gz"/>
+  </dependencies>
+</bom>

tests/_data/snapshots/get_bom_with_component_evidence-1.3.xml.bin

@@ -0,0 +1,49 @@
+{
+  "components": [
+    {
+      "author": "Test Author",
+      "bom-ref": "pkg:pypi/[email protected]?extension=tar.gz",
+      "evidence": {
+        "copyright": [
+          {
+            "text": "Commercial"
+          },
+          {
+            "text": "Commercial 2"
+          }
+        ],
+        "licenses": [
+          {
+            "license": {
+              "id": "MIT"
+            }
+          }
+        ]
+      },
+      "licenses": [
+        {
+          "license": {
+            "id": "MIT"
+          }
+        }
+      ],
+      "name": "setuptools",
+      "purl": "pkg:pypi/[email protected]?extension=tar.gz",
+      "type": "library",
+      "version": "50.3.2"
+    }
+  ],
+  "dependencies": [
+    {
+      "ref": "pkg:pypi/[email protected]?extension=tar.gz"
+    }
+  ],
+  "metadata": {
+    "timestamp": "2023-01-07T13:44:32.312678+00:00"
+  },
+  "serialNumber": "urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac",
+  "version": 1,
+  "$schema": "http://cyclonedx.org/schema/bom-1.4.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.4"
+}

tests/_data/snapshots/get_bom_with_component_evidence-1.4.json.bin

@@ -0,0 +1,33 @@
+<?xml version="1.0" ?>
+<bom xmlns="http://cyclonedx.org/schema/bom/1.4" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
+  <metadata>
+    <timestamp>2023-01-07T13:44:32.312678+00:00</timestamp>
+  </metadata>
+  <components>
+    <component type="library" bom-ref="pkg:pypi/[email protected]?extension=tar.gz">
+      <author>Test Author</author>
+      <name>setuptools</name>
+      <version>50.3.2</version>
+      <licenses>
+        <license>
+          <id>MIT</id>
+        </license>
+      </licenses>
+      <purl>pkg:pypi/[email protected]?extension=tar.gz</purl>
+      <evidence>
+        <licenses>
+          <license>
+            <id>MIT</id>
+          </license>
+        </licenses>
+        <copyright>
+          <text>Commercial</text>
+          <text>Commercial 2</text>
+        </copyright>
+      </evidence>
+    </component>
+  </components>
+  <dependencies>
+    <dependency ref="pkg:pypi/[email protected]?extension=tar.gz"/>
+  </dependencies>
+</bom>