feat(cdx): Update to CycloneDX 1.6

heubeck · heubeck · commit 285c6c3485c5 · 2024-07-11T20:53:35.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,7 +11,7 @@ env:
   CDXGEN_VERSION: '10.8.1'
   CDXGEN_PLUGINS_VERSION: '1.6.2'
   GRYPE_VERSION: 'v0.79.2'
-  SBOMQS_VERSION: 'v0.1.5'
+  SBOMQS_VERSION: 'v0.1.6'
   DEPSCAN_VERSION: 'v5.4.2'
   NYDUS_VERSION: '2.2.5'
   SWIFT_VERSION: '5.10.1'
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -12,7 +12,7 @@ on:
 env:
   CDXGEN_PLUGINS_VERSION: '1.6.2'
   GRYPE_VERSION: 'v0.79.2'
-  SBOMQS_VERSION: 'v0.1.5'
+  SBOMQS_VERSION: 'v0.1.6'
   DEPSCAN_VERSION: 'v5.4.2'
   NYDUS_VERSION: '2.2.5'
   java_version: '21'
diff --git a/src/main/java/com/mediamarktsaturn/technolinator/sbom/CdxgenClient.java b/src/main/java/com/mediamarktsaturn/technolinator/sbom/CdxgenClient.java
@@ -147,7 +147,7 @@ public CdxgenClient() {
      * * --project-name %s # name of main component of the SBOM, defaulting to the repository name
      * * --no-validate # disable cdxgen validation as we try to process everything
      */
-    private static final String CDXGEN_CMD_FMT = "cdxgen --spec-version 1.5 -o %s%s%s%s%s%s --project-name %s --no-validate";
+    private static final String CDXGEN_CMD_FMT = "cdxgen --spec-version 1.6 -o %s%s%s%s%s%s --project-name %s --no-validate";
 
     public record SbomCreationCommand(
         Path repoDir,
diff --git a/src/main/java/com/mediamarktsaturn/technolinator/sbom/DependencyTrackClient.java b/src/main/java/com/mediamarktsaturn/technolinator/sbom/DependencyTrackClient.java
@@ -50,7 +50,7 @@ public DependencyTrackClient(
      */
     public Uni<Result<Project>> uploadSBOM(RepositoryDetails repoDetails, Bom sbom, String projectName, Project parentProject, Optional<String> commitSha) {
         var projectVersion = repoDetails.version();
-        var sbomBase64 = Base64.getEncoder().encodeToString(new BomJsonGenerator(sbom, Version.VERSION_15).toJsonString().getBytes(StandardCharsets.UTF_8));
+        var sbomBase64 = Base64.getEncoder().encodeToString(new BomJsonGenerator(sbom, Version.VERSION_16).toJsonString().getBytes(StandardCharsets.UTF_8));
         var payload = new JsonObject(Map.of(
             "projectName", projectName,
             "projectVersion", projectVersion,
diff --git a/src/test/java/com/mediamarktsaturn/technolinator/handler/PushHandlingTest.java b/src/test/java/com/mediamarktsaturn/technolinator/handler/PushHandlingTest.java
@@ -19,7 +19,6 @@
 import org.kohsuke.github.GHEventPayload;
 import org.kohsuke.github.GitHub;
 import org.mockito.ArgumentCaptor;
-import org.testcontainers.shaded.org.hamcrest.CoreMatchers;
 
 import java.io.IOException;
 import java.util.Optional;
