87 changes: 45 additions & 42 deletions 5.0/tools/cyclonedx.py
Expand Up @@ -38,7 +38,7 @@
class CycloneDX:
bom = {}
bom['bomFormat'] = "CycloneDX"
bom['specVersion'] = "1.6"
bom['specVersion'] = "1.7"
bom['serialNumber'] = "urn:uuid:" + str(uuid.uuid4())
bom['version'] = 1
bom['metadata'] = {}
Expand All @@ -51,20 +51,20 @@ class CycloneDX:
bom['metadata']['supplier'] = {}
bom['metadata']['supplier']['name'] = "OWASP Foundation"
bom['metadata']['supplier']['url'] = [ "https://owasp.org" ]
bom['declarations'] = {}
bom['declarations']['standards'] = []
bom['declarations']['standards'].append({})
bom['definitions'] = {}
bom['definitions']['standards'] = []
bom['definitions']['standards'].append({})

def __init__(self, asvs_json_in):
self.asvs = asvs_json_in
asvs = json.loads(asvs_json_in)
bom_ref = asvs["ShortName"] + "-" + asvs["Version"]
self.bom['declarations']['standards'][0]['bom-ref'] = bom_ref
self.bom['declarations']['standards'][0]['name'] = \
self.bom['definitions']['standards'][0]['bom-ref'] = bom_ref
self.bom['definitions']['standards'][0]['name'] = \
asvs["Name"].replace('Project', '') + "(" + asvs["ShortName"] + ")"
self.bom['declarations']['standards'][0]['version'] = asvs["Version"]
self.bom['declarations']['standards'][0]['description'] = asvs["Description"]
self.bom['declarations']['standards'][0]['owner'] = asvs["Name"]
self.bom['definitions']['standards'][0]['version'] = asvs["Version"]
self.bom['definitions']['standards'][0]['description'] = asvs["Description"]
self.bom['definitions']['standards'][0]['owner'] = asvs["Name"]

requirements = []
l1_requirements = []
Expand All @@ -89,41 +89,44 @@ def __init__(self, asvs_json_in):
elif asvs_requirement['L'] == "3":
l3_requirements.append(requirement['bom-ref'])

self.bom['declarations']['standards'][0]['requirements'] = requirements
self.bom['definitions']['standards'][0]['requirements'] = requirements

self.bom['declarations']['standards'][0]['levels'] = []
self.bom['declarations']['standards'][0]['levels'].append({})
self.bom['declarations']['standards'][0]['levels'][0] = {}
self.bom['declarations']['standards'][0]['levels'][0]['bom-ref'] = "level-1"
self.bom['declarations']['standards'][0]['levels'][0]['identifier'] = "Level 1"
self.bom['declarations']['standards'][0]['levels'][0]['description'] = "This level contains the minimum requirements to consider when securing an application and represents a critical starting point."
self.bom['declarations']['standards'][0]['levels'][0]['requirements'] = l1_requirements
self.bom['declarations']['standards'][0]['levels'].append({})
self.bom['declarations']['standards'][0]['levels'][1] = {}
self.bom['declarations']['standards'][0]['levels'][1]['bom-ref'] = "level-2"
self.bom['declarations']['standards'][0]['levels'][1]['identifier'] = "Level 2"
self.bom['declarations']['standards'][0]['levels'][1]['description'] = "ASVS Level 2 requirements generally relate to either less common attacks or more complicated protections against common attacks. They may still be a first layer of defense, or they may require certain preconditions for the attack to be successful."
self.bom['declarations']['standards'][0]['levels'][1]['requirements'] = l2_requirements
self.bom['declarations']['standards'][0]['levels'].append({})
self.bom['declarations']['standards'][0]['levels'][2] = {}
self.bom['declarations']['standards'][0]['levels'][2]['bom-ref'] = "level-3"
self.bom['declarations']['standards'][0]['levels'][2]['identifier'] = "Level 3"
self.bom['declarations']['standards'][0]['levels'][2]['description'] = "ASVS Level 3 should be the goal for applications looking to demonstrate the highest levels of security and requirements in this section are generally either defense-in-depth mechanisms or other useful but hard-to-implement controls."
self.bom['declarations']['standards'][0]['levels'][2]['requirements'] = l3_requirements
self.bom['definitions']['standards'][0]['levels'] = []
self.bom['definitions']['standards'][0]['levels'].append({})
self.bom['definitions']['standards'][0]['levels'][0] = {}
self.bom['definitions']['standards'][0]['levels'][0]['bom-ref'] = "level-1"
self.bom['definitions']['standards'][0]['levels'][0]['identifier'] = "Level 1"
self.bom['definitions']['standards'][0]['levels'][0]['title'] = "Level 1"
self.bom['definitions']['standards'][0]['levels'][0]['description'] = "This level contains the minimum requirements to consider when securing an application and represents a critical starting point."
self.bom['definitions']['standards'][0]['levels'][0]['requirements'] = l1_requirements
self.bom['definitions']['standards'][0]['levels'].append({})
self.bom['definitions']['standards'][0]['levels'][1] = {}
self.bom['definitions']['standards'][0]['levels'][1]['bom-ref'] = "level-2"
self.bom['definitions']['standards'][0]['levels'][1]['identifier'] = "Level 2"
self.bom['definitions']['standards'][0]['levels'][1]['title'] = "Level 2"
self.bom['definitions']['standards'][0]['levels'][1]['description'] = "ASVS Level 2 requirements generally relate to either less common attacks or more complicated protections against common attacks. They may still be a first layer of defense, or they may require certain preconditions for the attack to be successful."
self.bom['definitions']['standards'][0]['levels'][1]['requirements'] = l2_requirements
self.bom['definitions']['standards'][0]['levels'].append({})
self.bom['definitions']['standards'][0]['levels'][2] = {}
self.bom['definitions']['standards'][0]['levels'][2]['bom-ref'] = "level-3"
self.bom['definitions']['standards'][0]['levels'][2]['identifier'] = "Level 3"
self.bom['definitions']['standards'][0]['levels'][2]['title'] = "Level 3"
self.bom['definitions']['standards'][0]['levels'][2]['description'] = "ASVS Level 3 should be the goal for applications looking to demonstrate the highest levels of security and requirements in this section are generally either defense-in-depth mechanisms or other useful but hard-to-implement controls."
self.bom['definitions']['standards'][0]['levels'][2]['requirements'] = l3_requirements

self.bom['declarations']['standards'][0]['externalReferences'] = []
self.bom['declarations']['standards'][0]['externalReferences'].append({})
self.bom['declarations']['standards'][0]['externalReferences'][0]['type'] = 'website'
self.bom['declarations']['standards'][0]['externalReferences'][0]['url'] = 'https://owasp.org/asvs'
self.bom['declarations']['standards'][0]['externalReferences'].append({})
self.bom['declarations']['standards'][0]['externalReferences'][1]['type'] = 'vcs'
self.bom['declarations']['standards'][0]['externalReferences'][1]['url'] = 'https://github.com/OWASP/ASVS'
self.bom['declarations']['standards'][0]['externalReferences'].append({})
self.bom['declarations']['standards'][0]['externalReferences'][2]['type'] = 'issue-tracker'
self.bom['declarations']['standards'][0]['externalReferences'][2]['url'] = 'https://github.com/OWASP/ASVS/issues'
self.bom['declarations']['standards'][0]['externalReferences'].append({})
self.bom['declarations']['standards'][0]['externalReferences'][3]['type'] = 'social'
self.bom['declarations']['standards'][0]['externalReferences'][3]['url'] = 'https://twitter.com/OWASP_ASVS'
self.bom['definitions']['standards'][0]['externalReferences'] = []
self.bom['definitions']['standards'][0]['externalReferences'].append({})
self.bom['definitions']['standards'][0]['externalReferences'][0]['type'] = 'website'
self.bom['definitions']['standards'][0]['externalReferences'][0]['url'] = 'https://owasp.org/asvs'
self.bom['definitions']['standards'][0]['externalReferences'].append({})
self.bom['definitions']['standards'][0]['externalReferences'][1]['type'] = 'vcs'
self.bom['definitions']['standards'][0]['externalReferences'][1]['url'] = 'https://github.com/OWASP/ASVS'
self.bom['definitions']['standards'][0]['externalReferences'].append({})
self.bom['definitions']['standards'][0]['externalReferences'][2]['type'] = 'issue-tracker'
self.bom['definitions']['standards'][0]['externalReferences'][2]['url'] = 'https://github.com/OWASP/ASVS/issues'
self.bom['definitions']['standards'][0]['externalReferences'].append({})
self.bom['definitions']['standards'][0]['externalReferences'][3]['type'] = 'social'
self.bom['definitions']['standards'][0]['externalReferences'][3]['url'] = 'https://twitter.com/OWASP_ASVS'

def convert_requirement(self, asvs_requirement, parent):
requirement = {}
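Review bot: The new `bom['definitions'] = {}` and `bom['definitions']['standards'].append({})` lines live in the class body, so the dict that `__init__` fills through `self.bom['definitions']['standards'][0][...]` is a single object shared by every CycloneDX instance, and `serialNumber` is drawn from `uuid.uuid4()` once at import time rather than once per BOM. Two instances built in the same process would overwrite each other's standard definition and emit the same `urn:uuid:` serial number, which CycloneDX intends to be unique per document; the rename from `declarations` to `definitions` carries that behaviour over unchanged. Building the dict inside `__init__` and binding `standard = self.bom['definitions']['standards'][0]` once would fix both and also remove the repeated subscript chain in the levels and externalReferences blocks. `__init__` continues past the last hunk, and the metadata/supplier lines between the first two hunks are collapsed on this page, so the metadata part of the constructor is not shown here.
```python
class CycloneDX:
    def __init__(self, asvs_json_in):
        self.asvs = asvs_json_in
        asvs = json.loads(asvs_json_in)
        # Built per instance: a class-level dict is shared by every object
        # and would fix the serialNumber at import time.
        self.bom = {
            'bomFormat': "CycloneDX",
            'specVersion': "1.7",
            'serialNumber': "urn:uuid:" + str(uuid.uuid4()),
            'version': 1,
            'metadata': {},
            'definitions': {'standards': [{}]},
        }
        # … unchanged: metadata/supplier population (collapsed on this page) …
        standard = self.bom['definitions']['standards'][0]
        standard['bom-ref'] = asvs["ShortName"] + "-" + asvs["Version"]
        standard['name'] = \
            asvs["Name"].replace('Project', '') + "(" + asvs["ShortName"] + ")"
        standard['version'] = asvs["Version"]
        standard['description'] = asvs["Description"]
        standard['owner'] = asvs["Name"]
        # … unchanged: requirement conversion, levels and externalReferences, written against `standard` …
```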