All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.cyclonedx.BomParser Maven / Gradle / Ivy

Go to download

The CycloneDX core module provides a model representation of the BOM along with utilities to assist in creating, parsing, and validating BOMs.

There is a newer version: 10.1.0
Show newest version
/*
 * This file is part of CycloneDX Core (Java).
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * SPDX-License-Identifier: Apache-2.0
 * Copyright (c) Steve Springett. All Rights Reserved.
 */
package org.cyclonedx;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.XStreamException;
import com.thoughtworks.xstream.converters.enums.EnumToStringConverter;
import com.thoughtworks.xstream.io.xml.QNameMap;
import com.thoughtworks.xstream.io.xml.StaxDriver;
import com.thoughtworks.xstream.mapper.CannotResolveClassException;
import com.thoughtworks.xstream.mapper.MapperWrapper;
import org.cyclonedx.converters.HashConverter;
import org.cyclonedx.converters.LicenseTextConverter;
import org.cyclonedx.exception.ParseException;
import org.cyclonedx.model.Bom;
import org.cyclonedx.model.Commit;
import org.cyclonedx.model.Component;
import org.cyclonedx.model.ExternalReference;
import org.cyclonedx.model.Hash;
import org.cyclonedx.model.License;
import org.cyclonedx.model.LicenseChoice;
import org.cyclonedx.model.Pedigree;
import org.cyclonedx.model.ext.dependencyGraph.Dependency;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
import org.xml.sax.ErrorHandler;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.SAXParseException;
import javax.xml.namespace.QName;
import javax.xml.transform.Source;
import javax.xml.transform.stream.StreamSource;
import javax.xml.validation.Schema;
import javax.xml.validation.Validator;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathExpression;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.Reader;
import java.lang.reflect.Field;
import java.net.URL;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;

/**
 * BomParser is responsible for validating and parsing CycloneDX bill-of-material
 * documents and returning a high-level {@link Bom} object with all its components.
 * @since 1.1.0
 */
@SuppressWarnings("unused")
public class BomParser extends CycloneDxSchema {

    /**
     * Parses a CycloneDX BOM.
     *
     * @param file the BOM
     * @return an Bom object
     * @throws ParseException when errors are encountered
     * @since 1.1.0
     */
    public Bom parse(File file) throws ParseException {
        try {
            final String schemaVersion = identifySchemaVersion(
                    extractAllNamespaceDeclarations(new InputSource(new FileInputStream(file))));
            final XStream xstream = mapDefaultObjectModel(createXStream());
            final Bom bom = (Bom) xstream.fromXML(file);
            return injectSchemaVersion(bom, schemaVersion);
        } catch (XStreamException | XPathExpressionException | FileNotFoundException e) {
            throw new ParseException(e);
        }
    }

    /**
     * Parses a CycloneDX BOM.
     *
     * @param bomBytes the BOM
     * @return an Bom object
     * @throws ParseException when errors are encountered
     * @since 1.1.0
     */
    public Bom parse(byte[] bomBytes) throws ParseException {
        try {
            final String schemaVersion = identifySchemaVersion(
                    extractAllNamespaceDeclarations(new InputSource(new ByteArrayInputStream(bomBytes))));
            final XStream xstream = mapDefaultObjectModel(createXStream());
            final Bom bom = (Bom)xstream.fromXML(new ByteArrayInputStream(bomBytes));
            return injectSchemaVersion(bom, schemaVersion);
        } catch (XStreamException | XPathExpressionException e) {
            throw new ParseException(e);
        }
    }

    /**
     * Parses a CycloneDX BOM.
     *
     * @param url to the BOM
     * @return an Bom object
     * @throws ParseException when errors are encountered
     * @since 2.0.0
     */
    public Bom parse(URL url) throws ParseException {
        try {
            final String schemaVersion = identifySchemaVersion(
                    extractAllNamespaceDeclarations(new InputSource(url.openStream())));
            final XStream xstream = mapDefaultObjectModel(createXStream());
            final Bom bom = (Bom) xstream.fromXML(url);
            return injectSchemaVersion(bom, schemaVersion);
        } catch (XStreamException | XPathExpressionException | IOException e) {
            throw new ParseException(e);
        }
    }

    /**
     * Parses a CycloneDX BOM.
     *
     * @param reader a Reader object
     * @return an Bom object
     * @throws ParseException when errors are encountered
     * @since 2.0.0
     */
    public Bom parse(Reader reader) throws ParseException {
        try {
            XStream xstream = mapDefaultObjectModel(createXStream());
            return (Bom) xstream.fromXML(reader);
        } catch (XStreamException e) {
            throw new ParseException(e);
        }
    }

    /**
     * Uses reflection to set the schemaVersion field inside a Bom instance.
     * The schemaVersion is 'not user serviceable' so no methods for setting
     * it are provided, other than the constructor, which xstream does not
     * use.
     * @param bom the Bom to set the schemaVersion for
     * @param schemaVersion the value of the schema version
     * @return the updated Bom
     * @since 2.5.0
     */
    private Bom injectSchemaVersion(Bom bom, String schemaVersion) {
        try {
            final Field field = Bom.class.getDeclaredField("schemaVersion");
            field.setAccessible(true);
            field.set(bom, schemaVersion);
        } catch (NoSuchFieldException | IllegalAccessException e) {
            // throw it away
        }
        return bom;
    }

    /**
     * Verifies a CycloneDX BoM conforms to the latest version of the specification
     * through XML validation.
     * @param file the CycloneDX BoM file to validate
     * @return a List of SAXParseExceptions. If the size of the list is 0, validation was successful
     * @since 1.1.0
     */
    public List validate(File file) {
        return validate(file, CycloneDxSchema.Version.VERSION_11);
    }

    /**
     * Verifies a CycloneDX BoM conforms to the specification through XML validation.
     * @param file the CycloneDX BoM file to validate
     * @param schemaVersion the schema version to validate against
     * @return a List of SAXParseExceptions. If the size of the list is 0, validation was successful
     * @since 2.0.0
     */
    public List validate(File file, CycloneDxSchema.Version schemaVersion) {
        final Source xmlFile = new StreamSource(file);
        final List exceptions = new LinkedList<>();
        try {
            final Schema schema = getXmlSchema(schemaVersion);
            final Validator validator = schema.newValidator();
            validator.setErrorHandler(new ErrorHandler() {
                @Override
                public void warning(SAXParseException exception) {
                    exceptions.add(exception);
                }
                @Override
                public void fatalError(SAXParseException exception) {
                    exceptions.add(exception);
                }
                @Override
                public void error(SAXParseException exception) {
                    exceptions.add(exception);
                }
            });
            validator.validate(xmlFile);
        } catch (IOException | SAXException e) {
            // throw it away
        }
        return exceptions;
    }

    /**
     * Verifies a CycloneDX BoM conforms to the latest version of the specification
     * through XML validation.
     * @param file the CycloneDX BoM file to validate
     * @return true is the file is a valid BoM, false if not
     * @since 1.1.0
     */
    public boolean isValid(File file) {
        return validate(file).isEmpty();
    }

    /**
     * Verifies a CycloneDX BoM conforms to the specification through XML validation.
     * @param file the CycloneDX BoM file to validate
     * @param schemaVersion the schema version to validate against
     * @return true is the file is a valid BoM, false if not
     * @since 2.0.0
     */
    public boolean isValid(File file, CycloneDxSchema.Version schemaVersion) {
        return validate(file, schemaVersion).isEmpty();
    }

    private String identifySchemaVersion(final NodeList nodeList) {
        for (int i=0; i getComponentTypeMapping() {
        Map map = new HashMap<>();
        map.put(Component.Type.APPLICATION.getTypeName(), Component.Type.APPLICATION);
        map.put(Component.Type.FRAMEWORK.getTypeName(), Component.Type.FRAMEWORK);
        map.put(Component.Type.LIBRARY.getTypeName(), Component.Type.LIBRARY);
        map.put(Component.Type.OPERATING_SYSTEM.getTypeName(), Component.Type.OPERATING_SYSTEM);
        map.put(Component.Type.DEVICE.getTypeName(), Component.Type.DEVICE);
        map.put(Component.Type.FILE.getTypeName(), Component.Type.FILE);
        return map;
    }

    private Map getComponentScopeMapping() {
        Map map = new HashMap<>();
        map.put(Component.Scope.REQUIRED.getScopeName(), Component.Scope.REQUIRED);
        map.put(Component.Scope.EXCLUDED.getScopeName(), Component.Scope.EXCLUDED);
        map.put(Component.Scope.OPTIONAL.getScopeName(), Component.Scope.OPTIONAL);
        return map;
    }

    private Map getExternalReferenceTypeMapping() {
        Map map = new HashMap<>();
        map.put(ExternalReference.Type.VCS.getTypeName(), ExternalReference.Type.VCS);
        map.put(ExternalReference.Type.ISSUE_TRACKER.getTypeName(), ExternalReference.Type.ISSUE_TRACKER);
        map.put(ExternalReference.Type.WEBSITE.getTypeName(), ExternalReference.Type.WEBSITE);
        map.put(ExternalReference.Type.ADVISORIES.getTypeName(), ExternalReference.Type.ADVISORIES);
        map.put(ExternalReference.Type.BOM.getTypeName(), ExternalReference.Type.BOM);
        map.put(ExternalReference.Type.MAILING_LIST.getTypeName(), ExternalReference.Type.MAILING_LIST);
        map.put(ExternalReference.Type.SOCIAL.getTypeName(), ExternalReference.Type.SOCIAL);
        map.put(ExternalReference.Type.CHAT.getTypeName(), ExternalReference.Type.CHAT);
        map.put(ExternalReference.Type.DOCUMENTATION.getTypeName(), ExternalReference.Type.DOCUMENTATION);
        map.put(ExternalReference.Type.SUPPORT.getTypeName(), ExternalReference.Type.SUPPORT);
        map.put(ExternalReference.Type.DISTRIBUTION.getTypeName(), ExternalReference.Type.DISTRIBUTION);
        map.put(ExternalReference.Type.LICENSE.getTypeName(), ExternalReference.Type.LICENSE);
        map.put(ExternalReference.Type.BUILD_META.getTypeName(), ExternalReference.Type.BUILD_META);
        map.put(ExternalReference.Type.BUILD_SYSTEM.getTypeName(), ExternalReference.Type.BUILD_SYSTEM);
        map.put(ExternalReference.Type.OTHER.getTypeName(), ExternalReference.Type.OTHER);
        return map;
    }

    private XStream createXStream() {
        QName qname = new QName(CycloneDxSchema.NS_BOM_LATEST);
        QNameMap nsm = new QNameMap();
        nsm.registerMapping(qname, Bom.class);
        nsm.setDefaultNamespace(CycloneDxSchema.NS_BOM_LATEST);
        XStream xstream = new XStream(new StaxDriver(nsm)) {
            @Override
            protected MapperWrapper wrapMapper(MapperWrapper next) {
                return new MapperWrapper(next) {
                    @Override
                    public boolean shouldSerializeMember(Class definedIn, String fieldName) {
                        try {
                            return definedIn != Object.class || realClass(fieldName) != null;
                        } catch(CannotResolveClassException e) {
                            return false;
                        }
                    }
                    @Override
                    public Class realClass(String elementName) {
                        try {
                            return super.realClass(elementName);
                        } catch(CannotResolveClassException e) {
                            return null;
                        }
                    }
                };
            }
        };
        XStream.setupDefaultSecurity(xstream);
        xstream.allowTypesByWildcard(new String[] {
                "org.cyclonedx.model.**", "org.cyclonedx.model.ext.dependencyGraph.**"
        });
        return xstream;
    }

    private XStream mapDefaultObjectModel(XStream xstream) {
        xstream.alias("bom", Bom.class);
        xstream.aliasAttribute(Bom.class, "version", "version");
        xstream.aliasAttribute(Bom.class, "serialNumber", "serialNumber");

        xstream.alias("component", Component.class);
        xstream.aliasAttribute(Component.class, "type", "type");
        xstream.aliasAttribute(Component.class, "bomRef", "bom-ref");
        xstream.aliasAttribute(Component.class, "scope", "scope");
        xstream.registerConverter(new EnumToStringConverter<>(Component.Type.class, getComponentTypeMapping()));
        xstream.registerConverter(new EnumToStringConverter<>(Component.Scope.class, getComponentScopeMapping()));

        xstream.alias("hash", Hash.class);
        xstream.registerConverter(new HashConverter());

        xstream.alias("commit", Commit.class);

        xstream.alias("reference", ExternalReference.class);
        xstream.aliasAttribute(ExternalReference.class, "type", "type");
        xstream.registerConverter(new EnumToStringConverter<>(ExternalReference.Type.class, getExternalReferenceTypeMapping()));

        xstream.aliasField("licenses", Component.class, "licenseChoice");
        xstream.alias("license", License.class);
        xstream.addImplicitCollection(LicenseChoice.class, "licenses");
        xstream.registerConverter(new LicenseTextConverter());
        xstream.aliasField("text", License.class, "licenseText");

        xstream.alias("pedigree", Pedigree.class);

        xstream.addImplicitCollection(Dependency.class, "dependencies");
        xstream.alias("dependency", Dependency.class);
        xstream.aliasAttribute(Dependency.class, "ref", "ref");

        return xstream;
    }
}




© 2015 - 2025 Weber Informatics LLC | Privacy Policy