Merge pull request #544 from jeremylong/fix/avoid-deprecated-tools

fix: avoid using deprecated tools section

Author: skhokhlov

build.gradle.kts

@@ -38,6 +38,7 @@ dependencies {
 
 tasks.withType<Test> {
     useJUnitPlatform()
+    maxParallelForks = (Runtime.getRuntime().availableProcessors() / 2).coerceAtLeast(1)
 }
 
 tasks.withType<JavaCompile>().configureEach {

src/main/java/org/cyclonedx/gradle/SbomBuilder.java

@@ -50,6 +50,7 @@
 import org.cyclonedx.model.Metadata;
 import org.cyclonedx.model.Property;
 import org.cyclonedx.model.Tool;
+import org.cyclonedx.model.metadata.ToolInformation;
 import org.cyclonedx.util.BomUtils;
 import org.gradle.api.logging.Logger;
 
@@ -72,7 +73,7 @@ class SbomBuilder {
 
     SbomBuilder(final Logger logger, final CycloneDxTask task) {
         this.logger = logger;
-        this.version = CycloneDxUtils.DEFAULT_SCHEMA_VERSION;
+        this.version = CycloneDxUtils.schemaVersion(task.getSchemaVersion().get());
         this.artifactHashes = new HashMap<>();
         this.mavenHelper = new MavenHelper(logger, task.getIncludeLicenseText().get());
         this.task = task;
@@ -125,11 +126,23 @@ private Metadata buildMetadata(final SbomComponent parentComponent) {
 
         final Properties pluginProperties = readPluginProperties();
         if (!pluginProperties.isEmpty()) {
-            final Tool tool = new Tool();
-            tool.setVendor(pluginProperties.getProperty("vendor"));
-            tool.setName(pluginProperties.getProperty("name"));
-            tool.setVersion(pluginProperties.getProperty("version"));
-            metadata.addTool(tool);
+            // if schema version is 1.5 or higher use tools instead of tool
+            if (version.compareTo(Version.VERSION_15) >= 0) {
+                final Component component = new Component();
+                component.setType(Component.Type.APPLICATION);
+                component.setAuthor(pluginProperties.getProperty("vendor"));
+                component.setName(pluginProperties.getProperty("name"));
+                component.setVersion(pluginProperties.getProperty("version"));
+                final ToolInformation tool = new ToolInformation();
+                tool.setComponents(Collections.singletonList(component));
+                metadata.setToolChoice(tool);
+            } else {
+                final Tool tool = new Tool();
+                tool.setVendor(pluginProperties.getProperty("vendor"));
+                tool.setName(pluginProperties.getProperty("name"));
+                tool.setVersion(pluginProperties.getProperty("version"));
+                metadata.addTool(tool);
+            }
         }
 
         return metadata;

src/test/groovy/org/cyclonedx/gradle/PluginConfigurationSpec.groovy

@@ -4,6 +4,7 @@ import com.fasterxml.jackson.databind.ObjectMapper
 import org.cyclonedx.gradle.utils.CycloneDxUtils
 import org.cyclonedx.model.Bom
 import org.cyclonedx.model.Component
+import org.cyclonedx.model.Tool
 import org.gradle.testkit.runner.GradleRunner
 import org.gradle.testkit.runner.TaskOutcome
 import spock.lang.Specification
@@ -619,4 +620,76 @@ class PluginConfigurationSpec extends Specification {
         File jsonBom = new File(testDir, "build/reports/bom.json")
         assert !jsonBom.text.contains("\"id\" : \"Apache-2.0\"")
     }
+
+    def "should not use depecrated tool section if schema is 1.5 or higher"() {
+        given:
+        File testDir = TestUtils.createFromString("""
+            plugins {
+                id 'org.cyclonedx.bom'
+                id 'java'
+            }
+            repositories {
+                mavenCentral()
+            }
+            group = 'com.example'
+            version = '1.0.0'
+            cyclonedxBom {
+                schemaVersion = "1.6"
+            }
+            dependencies {
+                implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version:'2.15.0'
+            }""", "rootProject.name = 'hello-world'")
+
+        when:
+        def result = GradleRunner.create()
+            .withProjectDir(testDir)
+            .withArguments("cyclonedxBom", "--configuration-cache")
+            .withPluginClasspath()
+            .build()
+
+        then:
+        result.task(":cyclonedxBom").outcome == TaskOutcome.SUCCESS
+        File jsonBom = new File(testDir, "build/reports/bom.json")
+        Bom bom = new ObjectMapper().readValue(jsonBom, Bom.class)
+        assert bom.getMetadata().getToolChoice().getComponents().size() == 1
+        Component cycloneDxTool = bom.getMetadata().getToolChoice().getComponents().get(0)
+        assert cycloneDxTool.getName() == "cyclonedx-gradle-plugin"
+        assert cycloneDxTool.getAuthor() == "CycloneDX"
+    }
+
+    def "should use legacy tools section if schema is below 1.5"() {
+        given:
+        File testDir = TestUtils.createFromString("""
+            plugins {
+                id 'org.cyclonedx.bom'
+                id 'java'
+            }
+            repositories {
+                mavenCentral()
+            }
+            group = 'com.example'
+            version = '1.0.0'
+            cyclonedxBom {
+                schemaVersion = "1.4"
+            }
+            dependencies {
+                implementation group: 'org.apache.logging.log4j', name: 'log4j-core', version:'2.15.0'
+            }""", "rootProject.name = 'hello-world'")
+
+        when:
+        def result = GradleRunner.create()
+            .withProjectDir(testDir)
+            .withArguments("cyclonedxBom", "--configuration-cache")
+            .withPluginClasspath()
+            .build()
+
+        then:
+        result.task(":cyclonedxBom").outcome == TaskOutcome.SUCCESS
+        File jsonBom = new File(testDir, "build/reports/bom.json")
+        Bom bom = new ObjectMapper().readValue(jsonBom, Bom.class)
+        assert bom.getMetadata().getTools().size() == 1
+        Tool tool = bom.getMetadata().getTools().get(0);
+        assert tool.getName() == "cyclonedx-gradle-plugin"
+        assert tool.getVendor() == "CycloneDX"
+    }
 }