feat: Add CycloneDX 1.7 support (#2815)

Bump cyclonedx-go to v0.11.0 and add support for spec 1.7 in output
format

- [x] TODO: Update osv-scalibr dependency to a version that contains the
cyclonedx-go update

Resolves: #2787
Related PR:
[osv-scalibr#2117](google/osv-scalibr#2117)

Author: Ly-Joey

cmd/osv-scanner/scan/source/__snapshots__/command_test.snap

@@ -50,6 +50,44 @@ Loaded filter from: <rootdir>/testdata/locks-many/osv-scanner-test.toml
 
 ---
 
+[TestCommand/Empty_cyclonedx_1.6_output - 1]
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "components": [],
+  "vulnerabilities": []
+}
+
+---
+
+[TestCommand/Empty_cyclonedx_1.6_output - 2]
+Scanning dir ./testdata/locks-many/composer.lock
+Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package
+Loaded filter from: <rootdir>/testdata/locks-many/osv-scanner-test.toml
+
+---
+
+[TestCommand/Empty_cyclonedx_1.7_output - 1]
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "version": 1,
+  "components": [],
+  "vulnerabilities": []
+}
+
+---
+
+[TestCommand/Empty_cyclonedx_1.7_output - 2]
+Scanning dir ./testdata/locks-many/composer.lock
+Scanned <rootdir>/testdata/locks-many/composer.lock file and found 1 package
+Loaded filter from: <rootdir>/testdata/locks-many/osv-scanner-test.toml
+
+---
+
 [TestCommand/Empty_gh-annotations_output - 1]
 
 ---
@@ -785,6 +823,194 @@ Scanned <rootdir>/testdata/locks-insecure/osv-scanner-custom.json file and found
 
 ---
 
+[TestCommand/cyclonedx_1.6_output - 1]
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.6",
+  "version": 1,
+  "components": [
+    {
+      "bom-ref": "pkg:composer/league/flysystem@1.0.8",
+      "type": "library",
+      "name": "league/flysystem",
+      "version": "1.0.8",
+      "licenses": [],
+      "purl": "pkg:composer/league/flysystem@1.0.8"
+    },
+    {
+      "bom-ref": "pkg:golang/stdlib@1.99.9",
+      "type": "library",
+      "name": "stdlib",
+      "version": "1.99.9",
+      "licenses": [],
+      "purl": "pkg:golang/stdlib@1.99.9"
+    },
+    {
+      "bom-ref": "pkg:golang/toolchain@1.99.9",
+      "type": "library",
+      "name": "toolchain",
+      "version": "1.99.9",
+      "licenses": [],
+      "purl": "pkg:golang/toolchain@1.99.9"
+    },
+    {
+      "bom-ref": "pkg:npm/has-flag@4.0.0",
+      "type": "library",
+      "name": "has-flag",
+      "version": "4.0.0",
+      "licenses": [],
+      "purl": "pkg:npm/has-flag@4.0.0"
+    },
+    {
+      "bom-ref": "pkg:npm/wrappy@1.0.2",
+      "type": "library",
+      "name": "wrappy",
+      "version": "1.0.2",
+      "licenses": [],
+      "purl": "pkg:npm/wrappy@1.0.2"
+    }
+  ],
+  "vulnerabilities": [
+    {
+      "id": "GHSA-9f46-5r25-5wfm",
+      "references": [
+        {
+          "id": "CVE-2021-32708",
+          "source": {}
+        }
+      ],
+      "ratings": [
+        {
+          "method": "CVSSv3",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "description": "Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem",
+      "detail": "### Impact\n\nThe whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely.\n\nThe conditions: \n\n- A user is allowed to supply the path or filename of an uploaded file.\n- The supplied path or filename is not checked against unicode chars.\n- The supplied pathname checked against an extension deny-list, not an allow-list.\n- The supplied path or filename contains a unicode whitespace char in the extension.\n- The uploaded file is stored in a directory that allows PHP code to be executed.\n\nGiven these conditions are met a user can upload and execute arbitrary code on the system under attack.\n\n### Patches\n\nThe unicode whitespace removal has been replaced with a rejection (exception).\n\nThe library has been patched in:\n- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32\n- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74\n\n### Workarounds\n\nFor 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.\n",
+      "advisories": [
+        {
+          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32708"
+        }
+      ],
+      "published": "2021-06-29T03:13:28Z",
+      "updated": "2026-03-13T22:01:08Z",
+      "credits": {
+        "organizations": []
+      },
+      "affects": [
+        {
+          "ref": "pkg:composer/league/flysystem"
+        }
+      ]
+    }
+  ]
+}
+
+---
+
+[TestCommand/cyclonedx_1.6_output - 2]
+Scanning dir ./testdata/locks-insecure
+Scanned <rootdir>/testdata/locks-insecure/bun.lock file and found 2 packages
+Scanned <rootdir>/testdata/locks-insecure/composer.lock file and found 1 package
+Scanned <rootdir>/testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages
+
+---
+
+[TestCommand/cyclonedx_1.7_output - 1]
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.7.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.7",
+  "version": 1,
+  "components": [
+    {
+      "bom-ref": "pkg:composer/league/flysystem@1.0.8",
+      "type": "library",
+      "name": "league/flysystem",
+      "version": "1.0.8",
+      "licenses": [],
+      "purl": "pkg:composer/league/flysystem@1.0.8"
+    },
+    {
+      "bom-ref": "pkg:golang/stdlib@1.99.9",
+      "type": "library",
+      "name": "stdlib",
+      "version": "1.99.9",
+      "licenses": [],
+      "purl": "pkg:golang/stdlib@1.99.9"
+    },
+    {
+      "bom-ref": "pkg:golang/toolchain@1.99.9",
+      "type": "library",
+      "name": "toolchain",
+      "version": "1.99.9",
+      "licenses": [],
+      "purl": "pkg:golang/toolchain@1.99.9"
+    },
+    {
+      "bom-ref": "pkg:npm/has-flag@4.0.0",
+      "type": "library",
+      "name": "has-flag",
+      "version": "4.0.0",
+      "licenses": [],
+      "purl": "pkg:npm/has-flag@4.0.0"
+    },
+    {
+      "bom-ref": "pkg:npm/wrappy@1.0.2",
+      "type": "library",
+      "name": "wrappy",
+      "version": "1.0.2",
+      "licenses": [],
+      "purl": "pkg:npm/wrappy@1.0.2"
+    }
+  ],
+  "vulnerabilities": [
+    {
+      "id": "GHSA-9f46-5r25-5wfm",
+      "references": [
+        {
+          "id": "CVE-2021-32708",
+          "source": {}
+        }
+      ],
+      "ratings": [
+        {
+          "method": "CVSSv3",
+          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "description": "Time-of-check Time-of-use (TOCTOU) Race Condition in league/flysystem",
+      "detail": "### Impact\n\nThe whitespace normalisation using in 1.x and 2.x removes any unicode whitespace. Under certain specific conditions this could potentially allow a malicious user to execute code remotely.\n\nThe conditions: \n\n- A user is allowed to supply the path or filename of an uploaded file.\n- The supplied path or filename is not checked against unicode chars.\n- The supplied pathname checked against an extension deny-list, not an allow-list.\n- The supplied path or filename contains a unicode whitespace char in the extension.\n- The uploaded file is stored in a directory that allows PHP code to be executed.\n\nGiven these conditions are met a user can upload and execute arbitrary code on the system under attack.\n\n### Patches\n\nThe unicode whitespace removal has been replaced with a rejection (exception).\n\nThe library has been patched in:\n- 1.x: https://github.com/thephpleague/flysystem/commit/f3ad69181b8afed2c9edf7be5a2918144ff4ea32\n- 2.x: https://github.com/thephpleague/flysystem/commit/a3c694de9f7e844b76f9d1b61296ebf6e8d89d74\n\n### Workarounds\n\nFor 1.x users, upgrade to 1.1.4. For 2.x users, upgrade to 2.1.1.\n",
+      "advisories": [
+        {
+          "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32708"
+        }
+      ],
+      "published": "2021-06-29T03:13:28Z",
+      "updated": "2026-03-13T22:01:08Z",
+      "credits": {
+        "organizations": []
+      },
+      "affects": [
+        {
+          "ref": "pkg:composer/league/flysystem"
+        }
+      ]
+    }
+  ]
+}
+
+---
+
+[TestCommand/cyclonedx_1.7_output - 2]
+Scanning dir ./testdata/locks-insecure
+Scanned <rootdir>/testdata/locks-insecure/bun.lock file and found 2 packages
+Scanned <rootdir>/testdata/locks-insecure/composer.lock file and found 1 package
+Scanned <rootdir>/testdata/locks-insecure/osv-scanner-custom.json file and found 2 packages
+
+---
+
 [TestCommand/exclude_with_exact_directory_name - 1]
 Scanning dir ./testdata/locks-one-with-nested
 Scanned <rootdir>/testdata/locks-one-with-nested/nested/composer.lock file and found 1 package
@@ -1237,7 +1463,7 @@ OPTIONS:
    --data-source string                                                             source to fetch package information from; value can be: deps.dev, native (default: "deps.dev")
    --maven-registry string                                                          URL of the default registry to fetch Maven metadata
    --config string                                                                  set/override config file
-   --format string, -f string                                                       sets the output format; value can be: table, html, vertical, json, markdown, sarif, gh-annotations, cyclonedx-1-4, cyclonedx-1-5, spdx-2-3 (default: "table")
+   --format string, -f string                                                       sets the output format; value can be: table, html, vertical, json, markdown, sarif, gh-annotations, cyclonedx-1-4, cyclonedx-1-5, cyclonedx-1-6, cyclonedx-1-7, spdx-2-3 (default: "table")
    --serve                                                                          output as HTML result and serve it locally
    --port string                                                                    port number to use when serving HTML report (default: 8000)
    --output string                                                                  [DEPRECATED] (Use "--output-file" instead) saves the result to the given file path
@@ -1633,7 +1859,7 @@ Total 1 package affected by 1 known vulnerability (0 Critical, 1 High, 0 Medium,
 ---
 
 [TestCommand/output_format:_unsupported - 2]
-unsupported output format "unknown" - must be one of: table, html, vertical, json, markdown, sarif, gh-annotations, cyclonedx-1-4, cyclonedx-1-5, spdx-2-3
+unsupported output format "unknown" - must be one of: table, html, vertical, json, markdown, sarif, gh-annotations, cyclonedx-1-4, cyclonedx-1-5, cyclonedx-1-6, cyclonedx-1-7, spdx-2-3
 
 ---
 

cmd/osv-scanner/scan/source/command_test.go

@@ -251,6 +251,28 @@ func TestCommand(t *testing.T) {
 			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--format", "cyclonedx-1-5", "--all-packages", "./testdata/locks-insecure"},
 			Exit: 1,
 		},
+		// output format: cyclonedx 1.6
+		{
+			Name: "Empty_cyclonedx_1.6_output",
+			Args: []string{"", "source", "--format", "cyclonedx-1-6", "./testdata/locks-many/composer.lock"},
+			Exit: 0,
+		},
+		{
+			Name: "cyclonedx_1.6_output",
+			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--format", "cyclonedx-1-6", "--all-packages", "./testdata/locks-insecure"},
+			Exit: 1,
+		},
+		// output format: cyclonedx 1.7
+		{
+			Name: "Empty_cyclonedx_1.7_output",
+			Args: []string{"", "source", "--format", "cyclonedx-1-7", "./testdata/locks-many/composer.lock"},
+			Exit: 0,
+		},
+		{
+			Name: "cyclonedx_1.7_output",
+			Args: []string{"", "source", "--config=./testdata/osv-scanner-empty-config.toml", "--format", "cyclonedx-1-7", "--all-packages", "./testdata/locks-insecure"},
+			Exit: 1,
+		},
 		// output format: spdx 2.3
 		{
 			Name: "Empty_spdx_2.3_output",