feat: add support for lifecycles in BOM metadata

Author: Churro

cyclonedx/model/bom.py

@@ -43,6 +43,7 @@
 from .contact import OrganizationalContact, OrganizationalEntity
 from .dependency import Dependable, Dependency
 from .license import License, LicenseExpression, LicenseRepository
+from .lifecycle import Lifecycle, LifecycleRepository, _LifecycleRepositoryHelper
 from .service import Service
 from .vulnerability import Vulnerability
 
@@ -69,6 +70,7 @@ def __init__(
         properties: Optional[Iterable[Property]] = None,
         timestamp: Optional[datetime] = None,
         manufacturer: Optional[OrganizationalEntity] = None,
+        lifecycles: Optional[Iterable[Lifecycle]] = None,
         # Deprecated as of v1.6
         manufacture: Optional[OrganizationalEntity] = None,
     ) -> None:
@@ -80,6 +82,7 @@ def __init__(
         self.licenses = licenses or []  # type:ignore[assignment]
         self.properties = properties or []  # type:ignore[assignment]
         self.manufacturer = manufacturer
+        self.lifecycles = lifecycles or []  # type:ignore[assignment]
 
         self.manufacture = manufacture
         if manufacture:
@@ -107,16 +110,23 @@ def timestamp(self) -> datetime:
     def timestamp(self, timestamp: datetime) -> None:
         self._timestamp = timestamp
 
-    # @property
-    # ...
-    # @serializable.view(SchemaVersion1Dot5)
-    # @serializable.xml_sequence(2)
-    # def lifecycles(self) -> ...:
-    #    ... # TODO since CDX1.5
-    #
-    # @lifecycles.setter
-    # def lifecycles(self, ...) -> None:
-    #    ... # TODO since CDX1.5
+    @property
+    @serializable.view(SchemaVersion1Dot5)
+    @serializable.view(SchemaVersion1Dot6)
+    @serializable.type_mapping(_LifecycleRepositoryHelper)
+    @serializable.xml_sequence(2)
+    def lifecycles(self) -> LifecycleRepository:
+        """
+        An optional list of BOM lifecycle stages.
+
+        Returns:
+            Set of `Lifecycle`
+        """
+        return self._lifecycles
+
+    @lifecycles.setter
+    def lifecycles(self, lifecycles: Iterable[Lifecycle]) -> None:
+        self._lifecycles = LifecycleRepository(lifecycles)
 
     @property
     @serializable.xml_array(serializable.XmlArraySerializationType.NESTED, 'tool')
@@ -292,7 +302,7 @@ def __eq__(self, other: object) -> bool:
     def __hash__(self) -> int:
         return hash((
             tuple(self.authors), self.component, tuple(self.licenses), self.manufacture, tuple(self.properties),
-            self.supplier, self.timestamp, tuple(self.tools), self.manufacturer,
+            self.supplier, self.timestamp, tuple(self.tools), tuple(self.lifecycles), self.manufacturer
         ))
 
     def __repr__(self) -> str:

cyclonedx/model/lifecycle.py

@@ -0,0 +1,240 @@
+# This file is part of CycloneDX Python Library
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) OWASP Foundation. All Rights Reserved.
+
+"""
+    This set of classes represents the lifecycles types in the CycloneDX standard.
+
+.. note::
+    Introduced in CycloneDX v1.5
+
+.. note::
+    See the CycloneDX Schema for lifecycles: https://cyclonedx.org/docs/1.5/#metadata_lifecycles
+"""
+
+from enum import Enum
+from json import loads as json_loads
+from typing import TYPE_CHECKING, Any, Dict, List, Optional, Type, Union
+from xml.etree.ElementTree import Element  # nosec B405
+
+import serializable
+from serializable.helpers import BaseHelper
+from sortedcontainers import SortedSet
+
+from .._internal.compare import ComparableTuple as _ComparableTuple
+from ..exception.serialization import CycloneDxDeserializationException
+
+if TYPE_CHECKING:  # pragma: no cover
+    from serializable import ViewType
+
+
+@serializable.serializable_enum
+class Phase(str, Enum):
+    DESIGN = 'design'
+    PREBUILD = 'pre-build'
+    BUILD = 'build'
+    POSTBUILD = 'post-build'
+    OPERATIONS = 'operations'
+    DISCOVERY = 'discovery'
+    DECOMISSION = 'decommission'
+
+
+@serializable.serializable_class
+class PredefinedPhase:
+    """
+    Object that defines pre-defined phases in the product lifecycle.
+
+    .. note::
+        See the CycloneDX Schema definition: https://cyclonedx.org/docs/1.5/#metadata_lifecycles
+    """
+
+    def __init__(self, phase: Phase) -> None:
+        self._phase = phase
+
+    @property
+    def phase(self) -> Phase:
+        return self._phase
+
+    @phase.setter
+    def phase(self, phase: Phase) -> None:
+        self._phase = phase
+
+    def __hash__(self) -> int:
+        return hash(self._phase)
+
+    def __eq__(self, other: object) -> bool:
+        if isinstance(other, PredefinedPhase):
+            return hash(other) == hash(self)
+        return False
+
+    def __lt__(self, other: Any) -> bool:
+        if isinstance(other, PredefinedPhase):
+            return self._phase < other._phase
+        if isinstance(other, CustomPhase):
+            return True  # put PredefinedPhase before any CustomPhase
+        return NotImplemented
+
+    def __repr__(self) -> str:
+        return f'<PredefinedPhase name={self._phase}>'
+
+
+@serializable.serializable_class
+class CustomPhase:
+    def __init__(self, name: str, description: Optional[str] = None) -> None:
+        self._name = name
+        self._description = description
+
+    @property
+    @serializable.xml_sequence(1)
+    @serializable.xml_string(serializable.XmlStringSerializationType.NORMALIZED_STRING)
+    def name(self) -> str:
+        """
+        Name of the lifecycle phase.
+
+        Returns:
+             `str`
+        """
+        return self._name
+
+    @name.setter
+    def name(self, name: str) -> None:
+        self._name = name
+
+    @property
+    @serializable.xml_sequence(2)
+    @serializable.xml_string(serializable.XmlStringSerializationType.NORMALIZED_STRING)
+    def description(self) -> Optional[str]:
+        """
+        Description of the lifecycle phase.
+
+        Returns:
+             `str`
+        """
+        return self._description
+
+    @description.setter
+    def description(self, description: Optional[str]) -> None:
+        self._description = description
+
+    def __hash__(self) -> int:
+        return hash((self._name, self._description))
+
+    def __eq__(self, other: object) -> bool:
+        if isinstance(other, CustomPhase):
+            return hash(other) == hash(self)
+        return False
+
+    def __lt__(self, other: Any) -> bool:
+        if isinstance(other, CustomPhase):
+            return _ComparableTuple((self._name, self._description)) < _ComparableTuple(
+                (other._name, other._description)
+            )
+        if isinstance(other, PredefinedPhase):
+            return False  # put CustomPhase after any PredefinedPhase
+        return NotImplemented
+
+    def __repr__(self) -> str:
+        return f'<CustomPhase name={self._name}>'
+
+
+Lifecycle = Union[PredefinedPhase, CustomPhase]
+"""TypeAlias for a union of supported lifecycle models.
+
+- :class:`PredefinedPhase`
+- :class:`CustomPhase`
+"""
+
+if TYPE_CHECKING:  # pragma: no cover
+    # workaround for https://github.com/python/mypy/issues/5264
+    # this code path is taken when static code analysis or documentation tools runs through.
+    class LifecycleRepository(SortedSet[Lifecycle]):
+        """Collection of :class:`Lifecycle`.
+
+        This is a `set`, not a `list`.  Order MUST NOT matter here.
+        """
+
+else:
+
+    class LifecycleRepository(SortedSet):
+        """Collection of :class:`Lifecycle`.
+
+        This is a `set`, not a `list`.  Order MUST NOT matter here.
+        """
+
+
+class _LifecycleRepositoryHelper(BaseHelper):
+    @classmethod
+    def json_normalize(cls, o: LifecycleRepository, *,
+                       view: Optional[Type['ViewType']],
+                       **__: Any) -> Any:
+        if len(o) == 0:
+            return None
+
+        return [json_loads(li.as_json(  # type:ignore[union-attr]
+            view_=view)) for li in o]
+
+    @classmethod
+    def json_denormalize(cls, o: List[Dict[str, Any]],
+                         **__: Any) -> LifecycleRepository:
+        repo = LifecycleRepository()
+        for li in o:
+            if 'phase' in li:
+                repo.add(PredefinedPhase.from_json(li))  # type:ignore[attr-defined]
+            elif 'name' in li:
+                repo.add(CustomPhase.from_json(li))  # type:ignore[attr-defined]
+            else:
+                raise CycloneDxDeserializationException(f'unexpected: {li!r}')
+
+        return repo
+
+    @classmethod
+    def xml_normalize(cls, o: LifecycleRepository, *,
+                      element_name: str,
+                      view: Optional[Type['ViewType']],
+                      xmlns: Optional[str],
+                      **__: Any) -> Optional[Element]:
+        if len(o) == 0:
+            return None
+
+        elem = Element(element_name)
+        for li in o:
+            elem.append(li.as_xml(  # type:ignore[union-attr]
+                view_=view, as_string=False, element_name='lifecycle', xmlns=xmlns))
+
+        return elem
+
+    @classmethod
+    def xml_denormalize(cls, o: Element,
+                        default_ns: Optional[str],
+                        **__: Any) -> LifecycleRepository:
+        repo = LifecycleRepository()
+
+        for li in o:
+            tag = li.tag if default_ns is None else li.tag.replace(f'{{{default_ns}}}', '')
+
+            if tag == 'lifecycle':
+                stages = list(li)
+
+                predefined_phase = next((el for el in stages if 'phase' in el.tag), None)
+                custom_phase = next((el for el in stages if 'name' in el.tag), None)
+                if predefined_phase is not None:
+                    repo.add(PredefinedPhase.from_xml(li, default_ns))  # type:ignore[attr-defined]
+                elif custom_phase is not None:
+                    repo.add(CustomPhase.from_xml(li, default_ns))  # type:ignore[attr-defined]
+            else:
+                raise CycloneDxDeserializationException(f'unexpected: {li!r}')
+
+        return repo

tests/_data/models.py

@@ -87,6 +87,7 @@
 )
 from cyclonedx.model.issue import IssueClassification, IssueType, IssueTypeSource
 from cyclonedx.model.license import DisjunctiveLicense, License, LicenseAcknowledgement, LicenseExpression
+from cyclonedx.model.lifecycle import CustomPhase, Phase, PredefinedPhase
 from cyclonedx.model.release_note import ReleaseNotes
 from cyclonedx.model.service import Service
 from cyclonedx.model.vulnerability import (
@@ -533,6 +534,7 @@ def get_bom_just_complete_metadata() -> Bom:
             content='VGVzdCBjb250ZW50IC0gdGhpcyBpcyBub3QgdGhlIEFwYWNoZSAyLjAgbGljZW5zZSE='
         )
     )]
+    bom.metadata.lifecycles = [PredefinedPhase(Phase.BUILD)]
     bom.metadata.properties = get_properties_1()
     return bom
 
@@ -1122,6 +1124,20 @@ def get_bom_for_issue_630_empty_property() -> Bom:
         )
     })
 
+
+def get_bom_with_lifecycles() -> Bom:
+    return _make_bom(
+        metadata=BomMetaData(
+            lifecycles=[
+                PredefinedPhase(Phase.BUILD),
+                PredefinedPhase(Phase.POSTBUILD),
+                CustomPhase(name='platform-integration-testing',
+                            description='Integration testing specific to the runtime platform'),
+            ],
+            component=Component(name='app', type=ComponentType.APPLICATION, bom_ref='my-app'),
+        ),
+    )
+
 # ---
 
 
@@ -1162,4 +1178,5 @@ def get_bom_for_issue_630_empty_property() -> Bom:
     get_bom_for_issue_598_multiple_components_with_purl_qualifiers,
     get_bom_with_component_setuptools_with_v16_fields,
     get_bom_for_issue_630_empty_property,
+    get_bom_with_lifecycles,
 }

tests/_data/snapshots/get_bom_just_complete_metadata-1.5.json.bin

@@ -350,6 +350,11 @@
         }
       }
     ],
+    "lifecycles": [
+      {
+        "phase": "build"
+      }
+    ],
     "manufacture": {
       "contact": [
         {

tests/_data/snapshots/get_bom_just_complete_metadata-1.5.xml.bin

@@ -2,6 +2,11 @@
 <bom xmlns="http://cyclonedx.org/schema/bom/1.5" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
   <metadata>
     <timestamp>2023-01-07T13:44:32.312678+00:00</timestamp>
+    <lifecycles>
+      <lifecycle>
+        <phase>build</phase>
+      </lifecycle>
+    </lifecycles>
     <tools>
       <tool>
         <vendor>CycloneDX</vendor>

tests/_data/snapshots/get_bom_just_complete_metadata-1.6.json.bin

@@ -380,6 +380,11 @@
         }
       }
     ],
+    "lifecycles": [
+      {
+        "phase": "build"
+      }
+    ],
     "manufacture": {
       "address": {
         "country": "GB",

tests/_data/snapshots/get_bom_just_complete_metadata-1.6.xml.bin

@@ -2,6 +2,11 @@
 <bom xmlns="http://cyclonedx.org/schema/bom/1.6" serialNumber="urn:uuid:1441d33a-e0fc-45b5-af3b-61ee52a88bac" version="1">
   <metadata>
     <timestamp>2023-01-07T13:44:32.312678+00:00</timestamp>
+    <lifecycles>
+      <lifecycle>
+        <phase>build</phase>
+      </lifecycle>
+    </lifecycles>
     <tools>
       <tool>
         <vendor>CycloneDX</vendor>