improve SPDX and CycloneDX JSON SBOM format detection
joshdabosh committed Aug 8, 2024
1 parent e2893d4 commit a5c4e5c
Showing 2 changed files with 15 additions and 4 deletions.
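--- a/attestation/product/product.go
+++ b/attestation/product/product.go
@@ -243,15 +243,25 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 return subjects
 }
 
+func IsSPDXJson(buf []byte) bool {
+header := buf[:500]
+return bytes.Contains(header, []byte(`"spdxVersion":"SPDX-`)) || bytes.Contains(header, []byte(`"spdxVersion": "SPDX-`))
+}
+
+func IsCycloneDXJson(buf []byte) bool {
+header := buf[:500]
+return bytes.Contains(header, []byte(`"bomFormat":"CycloneDX"`)) || bytes.Contains(header, []byte(`"bomFormat": "CycloneDX"`))
+}
+
 func getFileContentType(fileName string) (string, error) {
 // Add SPDX JSON detector
 mimetype.Lookup("application/json").Extend(func(buf []byte, limit uint32) bool {
-return bytes.HasPrefix(buf, []byte(`{"spdxVersion":"SPDX-`))
+return IsSPDXJson(buf)
 }, "application/spdx+json", ".spdx.json")
 
 // Add CycloneDx JSON detector
 mimetype.Lookup("application/json").Extend(func(buf []byte, limit uint32) bool {
-return bytes.HasPrefix(buf, []byte(`{"$schema":"http://cyclonedx.org/schema/bom-`))
+return IsCycloneDXJson(buf)
 }, "application/vnd.cyclonedx+json", ".cdx.json")
 
 // Add CycloneDx XML detector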
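Review bot: `header := buf[:500]` in both IsSPDXJson and IsCycloneDXJson panics with a slice-bounds error whenever the input is shorter than 500 bytes, and both call sites can deliver such input — the mimetype Extend callbacks receive a buffer no larger than the file, and UnmarshalJSON in attestation/sbom/sbom.go passes the raw payload straight through. Cap the window instead of assuming it, e.g. `header := buf` followed by `if len(buf) > 500 { header = buf[:500] }` (or `buf[:min(500, len(buf))]` if the module's Go version provides the builtin). The Extend callbacks also receive a `limit` argument that the hard-coded 500 silently ignores; if the fixed window is intentional, each exported helper should say so, e.g. `// IsSPDXJson reports whether the first 500 bytes of buf contain an SPDX JSON "spdxVersion" key.` Note too that the removed checks required the key at offset zero, whereas Contains matches anywhere in the window, so any JSON document that merely embeds the key early is now classified as an SBOM — reasonable for a heuristic, but worth stating in the doc comment so callers do not treat the result as validation.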
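--- a/attestation/sbom/sbom.go
+++ b/attestation/sbom/sbom.go
@@ -25,6 +25,7 @@ import (
 
 "github.com/CycloneDX/cyclonedx-go"
 "github.com/in-toto/go-witness/attestation"
+"github.com/in-toto/go-witness/attestation/product"
 "github.com/in-toto/go-witness/cryptoutil"
 "github.com/in-toto/go-witness/log"
 "github.com/in-toto/go-witness/registry"
@@ -129,9 +130,9 @@ func (a *SBOMAttestor) MarshalJSON() ([]byte, error) {
 }
 
 func (a *SBOMAttestor) UnmarshalJSON(data []byte) error {
-if bytes.HasPrefix(data, []byte(`{"spdxVersion":"SPDX-`)) {
+if product.IsSPDXJson(data) {
 a.predicateType = SPDXPredicateType
-} else if bytes.HasPrefix(data, []byte(`{"$schema":"http://cyclonedx.org/schema/bom-`)) {
+} else if product.IsCycloneDXJson(data) {
 a.predicateType = CycloneDxPredicateType
 } else {
 log.Warn("Unknown sbom predicate type")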
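Review bot: The new `product.IsSPDXJson(data)` / `product.IsCycloneDXJson(data)` calls make the sbom attestor depend on the product attestor package only to borrow two byte-sniffing helpers, which is an unusual direction of coupling between sibling attestors; product.go's own import list is not visible here, so whether this risks an import cycle cannot be confirmed from the hunk. The helpers have no dependence on product attestor state, so a small format-detection package (or a file under attestation/sbom) that both packages import would keep the dependency graph one-directional. UnmarshalJSON continues past the end of the hunk.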
