Fix/metadata import overrides (#1041)

* fix: metadata import respects --set-name/version/type overrides (#817)

- ReadMetaDataFromFile now accepts IFileSystem for testability
- Metadata import now only copies Metadata section, preserving BOM spec version
- SetMetadataComponentIfNecessary now accepts explicit override values
- RunOptions.setType now defaults to Null (not Application) to distinguish
  'user explicitly set' from default
- Enable 3 previously-skipped tests for setName/setVersion/setType overrides

* docs: add bom-metadata reference and update README metadata section

* feat: use project file <Version> in BOM metadata when --set-version not provided (#954)

* docs: update bom-metadata reference with project file version source

* feat: check AssemblyVersion/ProjectVersion/PackageVersion as version fallbacks (#1006)

---------

Co-authored-by: construct agent <agent@construct.local>

Author: mtsfoni

CycloneDX.Tests/CycloneDX.Tests.csproj

@@ -141,6 +141,9 @@
     <None Update="FunctionalTests\TestcaseFiles\Issue-758.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>
+    <None Update="FunctionalTests\TestcaseFiles\metadata.xml">
+      <CopyToOutputDirectory>Always</CopyToOutputDirectory>
+    </None>
     <None Update="FunctionalTests\TestcaseFiles\ProjectReferenceWithPackageReferenceWithTransitivePackage.json">
       <CopyToOutputDirectory>Always</CopyToOutputDirectory>
     </None>

CycloneDX.Tests/FunctionalTests/FunctionalTestHelper.cs

@@ -133,7 +133,7 @@ public static async Task<Bom> Test(RunOptions options, INugetServiceFactory nuge
             return runner.LastGeneratedBom;
         }
 
-        private const string CsprojContents =
+        public const string CsprojContents =
         "<Project Sdk=\"Microsoft.NET.Sdk\">\n\n  " +
             "<PropertyGroup>\n    " +
                 "<OutputType>Exe</OutputType>\n    " +

CycloneDX.Tests/FunctionalTests/MetaData.cs

@@ -0,0 +1,133 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.IO.Abstractions.TestingHelpers;
+using System.Linq;
+using System.Threading.Tasks;
+using CycloneDX.Models;
+using Xunit;
+
+namespace CycloneDX.Tests.FunctionalTests
+{
+    public class MetaData
+    {
+        private MockFileSystem getMockFS()
+        {
+            return new MockFileSystem(new Dictionary<string, MockFileData>
+            {
+                { MockUnixSupport.Path("c:/ProjectPath/obj/project.assets.json"),
+                        new MockFileData(
+                            File.ReadAllText(Path.Combine("FunctionalTests", "TestcaseFiles", "SimpleNET6.0Library.json"))) },
+                { MockUnixSupport.Path("c:/ProjectPath/Project.csproj"), new MockFileData(FunctionalTestHelper.CsprojContents) },
+                { MockUnixSupport.Path("c:/ProjectPath/metadata.xml"),
+                     new MockFileData(
+                            File.ReadAllText(Path.Combine("FunctionalTests", "TestcaseFiles", "metadata.xml"))) }
+            });
+        }
+
+        [Fact]
+        public async Task ImportedMetaDataAreInBomOutput()
+        {
+            var options = new RunOptions
+            {
+                importMetadataPath = MockUnixSupport.Path("c:/ProjectPath/metadata.xml")
+            };
+
+            var bom = await FunctionalTestHelper.Test(options, getMockFS());
+
+            Assert.Equal("CycloneDX", bom.Metadata.Component.Name);
+            Assert.Equal("1.3.0", bom.Metadata.Component.Version);
+            Assert.Equal(Component.Classification.Application, bom.Metadata.Component.Type);
+            Assert.False(string.IsNullOrEmpty(bom.Metadata.Component.Description));
+            Assert.Equal("Apache License 2.0", bom.Metadata.Component.Licenses.First().License.Name);
+            Assert.Equal("Apache-2.0", bom.Metadata.Component.Licenses.First().License.Id);
+            Assert.Equal("pkg:nuget/CycloneDX@1.3.0", bom.Metadata.Component.Purl);
+        }
+
+        [Fact]
+        public async Task IfNoMetadataIsImportedTimestampIsSetAutomatically()
+        {
+            var options = new RunOptions
+            {             
+            };
+
+            var bom = await FunctionalTestHelper.Test(options, getMockFS());
+            Assert.True(bom.Metadata.Timestamp.Value > DateTime.UtcNow.AddMinutes(-10));
+        }
+
+        [Fact]
+        public async Task IfMetadataWithoutTimestampIsImportedTimestampStillGetsSet()
+        {
+            var options = new RunOptions
+            {
+                importMetadataPath = MockUnixSupport.Path("c:/ProjectPath/metadata.xml")
+            };
+
+            var bom = await FunctionalTestHelper.Test(options, getMockFS());
+            Assert.True(bom.Metadata.Timestamp.Value > DateTime.UtcNow.AddMinutes(-10));
+        }
+
+        [Fact]
+        public async Task SetVersionOverwritesVersionWhenMetadataAreProvided()
+        {
+            var options = new RunOptions
+            {
+                importMetadataPath = MockUnixSupport.Path("c:/ProjectPath/metadata.xml"),
+                setVersion = "3.0.4"
+                
+            };
+
+            var bom = await FunctionalTestHelper.Test(options, getMockFS());
+
+            Assert.Equal("CycloneDX", bom.Metadata.Component.Name);
+            Assert.Equal("3.0.4", bom.Metadata.Component.Version);
+            Assert.Equal(Component.Classification.Application, bom.Metadata.Component.Type);
+            Assert.False(string.IsNullOrEmpty(bom.Metadata.Component.Description));
+            Assert.Equal("Apache License 2.0", bom.Metadata.Component.Licenses.First().License.Name);
+            Assert.Equal("Apache-2.0", bom.Metadata.Component.Licenses.First().License.Id);
+            Assert.Equal("pkg:nuget/CycloneDX@1.3.0", bom.Metadata.Component.Purl);
+        }
+
+        [Fact]
+        public async Task SetNameOverwritesNameWhenMetadataAreProvided()
+        {
+            var options = new RunOptions
+            {
+                importMetadataPath = MockUnixSupport.Path("c:/ProjectPath/metadata.xml"),
+                setName = "Foo"
+
+            };
+
+            var bom = await FunctionalTestHelper.Test(options, getMockFS());
+
+            Assert.Equal("Foo", bom.Metadata.Component.Name);
+            Assert.Equal("1.3.0", bom.Metadata.Component.Version);
+            Assert.Equal(Component.Classification.Application, bom.Metadata.Component.Type);
+            Assert.False(string.IsNullOrEmpty(bom.Metadata.Component.Description));
+            Assert.Equal("Apache License 2.0", bom.Metadata.Component.Licenses.First().License.Name);
+            Assert.Equal("Apache-2.0", bom.Metadata.Component.Licenses.First().License.Id);
+            Assert.Equal("pkg:nuget/CycloneDX@1.3.0", bom.Metadata.Component.Purl);
+        }
+
+        [Fact]
+        public async Task SetTypeOverwritesTypeWhenMetadataAreProvided()
+        {
+            var options = new RunOptions
+            {
+                importMetadataPath = MockUnixSupport.Path("c:/ProjectPath/metadata.xml"),
+                setType = Component.Classification.Container
+
+            };
+
+            var bom = await FunctionalTestHelper.Test(options, getMockFS());
+
+            Assert.Equal("CycloneDX", bom.Metadata.Component.Name);
+            Assert.Equal("1.3.0", bom.Metadata.Component.Version);
+            Assert.Equal(Component.Classification.Container, bom.Metadata.Component.Type);
+            Assert.False(string.IsNullOrEmpty(bom.Metadata.Component.Description));
+            Assert.Equal("Apache License 2.0", bom.Metadata.Component.Licenses.First().License.Name);
+            Assert.Equal("Apache-2.0", bom.Metadata.Component.Licenses.First().License.Id);
+            Assert.Equal("pkg:nuget/CycloneDX@1.3.0", bom.Metadata.Component.Purl);
+        }
+    }
+}

CycloneDX.Tests/FunctionalTests/ProjectVersionMetadataTest.cs

@@ -0,0 +1,110 @@
+// This file is part of CycloneDX Tool for .NET
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+// Copyright (c) OWASP Foundation. All Rights Reserved.
+
+using System.Collections.Generic;
+using System.IO.Abstractions.TestingHelpers;
+using System.Threading.Tasks;
+using CycloneDX.Models;
+using Xunit;
+using XFS = System.IO.Abstractions.TestingHelpers.MockUnixSupport;
+
+namespace CycloneDX.Tests.FunctionalTests
+{
+    public class ProjectVersionMetadataTest
+    {
+        [Fact]
+        public async Task BomMetadataVersion_ShouldMatchProjectVersion()
+        {
+            var csproj = "<Project Sdk=\"Microsoft.NET.Sdk\">\n" +
+                        "  <PropertyGroup>\n" +
+                        "    <OutputType>Exe</OutputType>\n" +
+                        "    <Version>2.1.3</Version>\n" +
+                        "  </PropertyGroup>\n" +
+                        "</Project>\n";
+
+            var mockFileSystem = new MockFileSystem(new Dictionary<string, MockFileData>
+            {
+                { XFS.Path("c:/ProjectPath/Project.csproj"), new MockFileData(csproj) },
+                { XFS.Path("c:/ProjectPath/obj/project.assets.json"), new MockFileData("{}") }
+            });
+
+            var options = new RunOptions
+            {
+                SolutionOrProjectFile = XFS.Path("c:/ProjectPath/Project.csproj"),
+                outputDirectory = XFS.Path("c:/ProjectPath/"),
+                disablePackageRestore = true
+            };
+
+            var bom = await FunctionalTestHelper.Test(options, mockFileSystem);
+            Assert.Equal("2.1.3", bom.Metadata.Component.Version);
+        }
+
+        [Fact]
+        public async Task BomMetadataVersion_SetVersionFlagOverridesProjectVersion()
+        {
+            var csproj = "<Project Sdk=\"Microsoft.NET.Sdk\">\n" +
+                        "  <PropertyGroup>\n" +
+                        "    <OutputType>Exe</OutputType>\n" +
+                        "    <Version>2.1.3</Version>\n" +
+                        "  </PropertyGroup>\n" +
+                        "</Project>\n";
+
+            var mockFileSystem = new MockFileSystem(new Dictionary<string, MockFileData>
+            {
+                { XFS.Path("c:/ProjectPath/Project.csproj"), new MockFileData(csproj) },
+                { XFS.Path("c:/ProjectPath/obj/project.assets.json"), new MockFileData("{}") }
+            });
+
+            var options = new RunOptions
+            {
+                SolutionOrProjectFile = XFS.Path("c:/ProjectPath/Project.csproj"),
+                outputDirectory = XFS.Path("c:/ProjectPath/"),
+                disablePackageRestore = true,
+                setVersion = "9.9.9"
+            };
+
+            var bom = await FunctionalTestHelper.Test(options, mockFileSystem);
+            Assert.Equal("9.9.9", bom.Metadata.Component.Version);
+        }
+
+        [Fact]
+        public async Task BomMetadataVersion_DefaultsTo000WhenNoVersionInProjectFile()
+        {
+            var csproj = "<Project Sdk=\"Microsoft.NET.Sdk\">\n" +
+                        "  <PropertyGroup>\n" +
+                        "    <OutputType>Exe</OutputType>\n" +
+                        "  </PropertyGroup>\n" +
+                        "</Project>\n";
+
+            var mockFileSystem = new MockFileSystem(new Dictionary<string, MockFileData>
+            {
+                { XFS.Path("c:/ProjectPath/Project.csproj"), new MockFileData(csproj) },
+                { XFS.Path("c:/ProjectPath/obj/project.assets.json"), new MockFileData("{}") }
+            });
+
+            var options = new RunOptions
+            {
+                SolutionOrProjectFile = XFS.Path("c:/ProjectPath/Project.csproj"),
+                outputDirectory = XFS.Path("c:/ProjectPath/"),
+                disablePackageRestore = true
+            };
+
+            var bom = await FunctionalTestHelper.Test(options, mockFileSystem);
+            Assert.Equal("0.0.0", bom.Metadata.Component.Version);
+        }
+    }
+}

CycloneDX.Tests/FunctionalTests/TestcaseFiles/metadata.xml

@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" serialNumber="urn:uuid:087d0712-f591-4995-ba76-03f1c5c48884" version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
+  <metadata>
+    <component type="application" bom-ref="pkg:nuget/CycloneDX@1.3.0">
+      <name>CycloneDX</name>
+      <version>1.3.0</version>
+      <description>
+        <![CDATA[The [CycloneDX module](https://github.com/CycloneDX/cyclonedx-dotnet) for .NET creates a valid CycloneDX bill-of-material document containing an aggregate of all project dependencies. CycloneDX is a lightweight BOM specification that is easily created, human readable, and simple to parse.]]>
+      </description>
+      <licenses>
+        <license>
+          <name>Apache License 2.0</name>
+          <id>Apache-2.0</id>
+        </license>
+      </licenses>
+      <purl>pkg:nuget/CycloneDX@1.3.0</purl>
+    </component>
+  </metadata>
+</bom>

CycloneDX.Tests/ProgramTests.cs

@@ -18,6 +18,7 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
+using System.IO.Abstractions;
 using System.IO.Abstractions.TestingHelpers;
 using System.Threading.Tasks;
 using CycloneDX.Interfaces;
@@ -237,7 +238,7 @@ public void CheckMetaDataTemplate()
         {
             var bom = new Bom();
             string resourcePath = Path.Join(AppContext.BaseDirectory, "Resources", "metadata");
-            bom = Runner.ReadMetaDataFromFile(bom, Path.Join(resourcePath, "cycloneDX-metadata-template.xml"));
+            bom = Runner.ReadMetaDataFromFile(bom, Path.Join(resourcePath, "cycloneDX-metadata-template.xml"), new FileSystem());
             Assert.NotNull(bom.Metadata);
             Assert.Matches("CycloneDX", bom.Metadata.Component.Name);
             Assert.NotEmpty(bom.Metadata.Tools.Tools);