From a5c4e5c5e235f8ee37d577b966af8724513b0014 Mon Sep 17 00:00:00 2001
From: Joshua Wang
Date: Thu, 8 Aug 2024 15:12:52 -0700
Subject: [PATCH] improve SPDX and CycloneDX JSON SBOM format detection

---
 attestation/product/product.go | 14 ++++++++++++--
 attestation/sbom/sbom.go | 5 +++--
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/attestation/product/product.go b/attestation/product/product.go
index 8c9d6c34..d8614786 100644
--- a/attestation/product/product.go
+++ b/attestation/product/product.go
@@ -243,15 +243,25 @@ func (a *Attestor) Subjects() map[string]cryptoutil.DigestSet {
 	return subjects
 }
 
+func IsSPDXJson(buf []byte) bool {
+	header := buf[:500]
+	return bytes.Contains(header, []byte(`"spdxVersion":"SPDX-`)) || bytes.Contains(header, []byte(`"spdxVersion": "SPDX-`))
+}
+
+func IsCycloneDXJson(buf []byte) bool {
+	header := buf[:500]
+	return bytes.Contains(header, []byte(`"bomFormat":"CycloneDX"`)) || bytes.Contains(header, []byte(`"bomFormat": "CycloneDX"`))
+}
+
 func getFileContentType(fileName string) (string, error) {
 	// Add SPDX JSON detector
 	mimetype.Lookup("application/json").Extend(func(buf []byte, limit uint32) bool {
-		return bytes.HasPrefix(buf, []byte(`{"spdxVersion":"SPDX-`))
+		return IsSPDXJson(buf)
 	}, "application/spdx+json", ".spdx.json")
 
 	// Add CycloneDx JSON detector
 	mimetype.Lookup("application/json").Extend(func(buf []byte, limit uint32) bool {
-		return bytes.HasPrefix(buf, []byte(`{"$schema":"http://cyclonedx.org/schema/bom-`))
+		return IsCycloneDXJson(buf)
 	}, "application/vnd.cyclonedx+json", ".cdx.json")
 
 	// Add CycloneDx XML detector
diff --git a/attestation/sbom/sbom.go b/attestation/sbom/sbom.go
index 8da439f0..3732e119 100644
--- a/attestation/sbom/sbom.go
+++ b/attestation/sbom/sbom.go
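Review bot: `header := buf[:500]` in both IsSPDXJson and IsCycloneDXJson panics with an index-out-of-range when the input slice has fewer than 500 bytes of capacity; the mimetype detector may well hand over a shorter buffer for a small file, and sbom.go's UnmarshalJSON (second file in this patch) passes the whole attestation payload straight in, so a short or malformed document crashes the caller instead of simply returning false. Clamp the window before slicing: `header := buf; if len(header) > 500 { header = header[:500] }` (or `buf[:min(len(buf), 500)]` if the module already targets Go 1.21+). Both functions are exported and lack the doc comment Go expects, e.g. `// IsSPDXJson reports whether the first 500 bytes of buf contain an SPDX JSON "spdxVersion" marker; it is a byte-level heuristic, not a parse.` Worth stating in that comment that the match moved from HasPrefix at offset 0 to Contains anywhere in the window, so the marker is now also accepted when it appears inside a nested value or string.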
@@ -25,6 +25,7 @@ import (
 	"github.com/CycloneDX/cyclonedx-go"
 	"github.com/in-toto/go-witness/attestation"
+	"github.com/in-toto/go-witness/attestation/product"
 	"github.com/in-toto/go-witness/cryptoutil"
 	"github.com/in-toto/go-witness/log"
 	"github.com/in-toto/go-witness/registry"
@@ -129,9 +130,9 @@ func (a *SBOMAttestor) MarshalJSON() ([]byte, error) {
 }
 
 func (a *SBOMAttestor) UnmarshalJSON(data []byte) error {
-	if bytes.HasPrefix(data, []byte(`{"spdxVersion":"SPDX-`)) {
+	if product.IsSPDXJson(data) {
 		a.predicateType = SPDXPredicateType
-	} else if bytes.HasPrefix(data, []byte(`{"$schema":"http://cyclonedx.org/schema/bom-`)) {
+	} else if product.IsCycloneDXJson(data) {
 		a.predicateType = CycloneDxPredicateType
 	} else {
 		log.Warn("Unknown sbom predicate type")
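Review bot: The two sniffs in UnmarshalJSON are no longer mutually exclusive once they are substring matches over the leading bytes, so a payload whose header window carries both a `"spdxVersion"` and a `"bomFormat":"CycloneDX"` marker is silently classified as SPDX because that branch is tested first. If that precedence is intended, record it where the chain starts: `// Heuristic sniff over the leading bytes; SPDX wins when both markers are present.` Otherwise consider evaluating both helpers and treating a double match as the unknown case so the log.Warn branch surfaces it. UnmarshalJSON continues past the end of the hunk.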