This is an automated email from the ASF dual-hosted git repository.

asf-gitbox-commits pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/ant-antlibs-cyclonedx.git

commit 477e65fa3d4b562d4a1798e96f36b2a65246193a
Author: Stefan Bodewig <[email protected]>
AuthorDate: Thu Jun 4 15:29:02 2026 +0200

    add bom-type externalreferences when sbomLink is used
---
 changes.xml                                      |  6 +++
 src/main/org/apache/ant/cyclonedx/Component.java | 11 ++++++
 src/tests/antunit/component-test.xml             | 47 ++++++++++++++++++++++++
 3 files changed, 64 insertions(+)

diff --git a/changes.xml b/changes.xml
index 9c19b08..eebc431 100644
--- a/changes.xml
+++ b/changes.xml
@@ -46,6 +46,12 @@
       A new type "propertyset" can be used to group properties and
       reuse common sets of properties for multiple components.
     </action>
+    <action type="add">
+      When using sbomLink for a component, the link is an URL and the
+      component-elemen doesn't define a "bom"-type external reference
+      itself a "bom" externalreference with the URL as value is added
+      to the component.
+    </action>
   </release>
 
   <release version="0.1" date="2026-06-03" description="initial release">
diff --git a/src/main/org/apache/ant/cyclonedx/Component.java 
b/src/main/org/apache/ant/cyclonedx/Component.java
index 0387135..74f5fad 100644
--- a/src/main/org/apache/ant/cyclonedx/Component.java
+++ b/src/main/org/apache/ant/cyclonedx/Component.java
@@ -524,6 +524,17 @@ public class Component extends DataType {
             }
             List<org.cyclonedx.model.Dependency> allDependencies = 
bom.getDependencies();
             fillFromBomLink(real, allDependencies);
+            if (!externalReferences.stream()
+                .anyMatch(e -> 
e.getType().equals(org.cyclonedx.model.ExternalReference.Type.BOM))) {
+                Resource sbom = sbomLink.iterator().next();
+                URLProvider up = sbom.as(URLProvider.class);
+                if (up != null) {
+                    ExternalReference e = new ExternalReference();
+                    e.setUrl(up.getURL().toExternalForm());
+                    
e.setType(org.cyclonedx.model.ExternalReference.Type.BOM.name());
+                    addConfiguredExternalReference(e);
+                }
+            }
 
             if (!areDependenciesUnknown() && !dependencies.isEmpty()) {
                 List<org.cyclonedx.model.Component> additionalComponents = 
bom.getComponents();
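Review bot: The `up != null` guard only establishes that the sbomLink resource exposes a URLProvider, not that it is the remote URL changes.xml describes; if Ant's FileResource also implements URLProvider (I believe it does), a locally referenced SBOM would be published as a `file:` external reference carrying an absolute build-host path, which leaks local layout into the BOM and is unusable by consumers. A scheme check before adding the reference keeps the change to what the changelog promises, e.g. `URL url = up.getURL(); if (!"file".equalsIgnoreCase(url.getProtocol())) { ... }`, or skipping resources that also implement `FileProvider`. Separately, `e.getType().equals(...)` in the anyMatch predicate throws if a configured externalReference has no type set, so prefer `org.cyclonedx.model.ExternalReference.Type.BOM.equals(e.getType())` — this assumes getType() returns the enum rather than the String that setType receives a few lines later, which the hunk does not show — and `noneMatch` reads better than `!...anyMatch`. The enclosing method starts and ends outside the hunk.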
diff --git a/src/tests/antunit/component-test.xml 
b/src/tests/antunit/component-test.xml
index bc03687..ba1ca13 100644
--- a/src/tests/antunit/component-test.xml
+++ b/src/tests/antunit/component-test.xml
@@ -933,6 +933,53 @@
         value='&lt;hash alg="SHA-256"&gt;${ant.file.sha256}&lt;/hash&gt;'/>
   </target>
 
+  <target name="testSbomLinkAddsBomExternalLink" 
depends="createMaximalComponentData">
+    <cdx:componentbom
+        bomName="merged"
+        outputdirectory="${output}"
+        format="xml"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <component>
+        <sbomLink>
+          <url 
url="https://repo1.maven.org/maven2/org/apache/ant/ant-cyclonedx/0.1/ant-cyclonedx-0.1-cyclonedx.json"/>
+        </sbomLink>
+      </component>
+    </cdx:componentbom>
+    <xmlproperty file="${output}/merged.xml"/>
+    <au:assertPropertyEquals
+        xmlns:au="antlib:org.apache.ant.antunit"
+        name="bom.metadata.component.externalReferences.reference(type)"
+        
value="license,mailing-list,security-contact,vcs,build-system,issue-tracker,website,distribution,source-distribution,bom"/>
+    <au:assertPropertyEquals
+        xmlns:au="antlib:org.apache.ant.antunit"
+        name="bom.metadata.component.externalReferences.reference.url"
+        
value="https://www.apache.org/licenses/LICENSE-2.0.txt,https://ant.apache.org/mail.html,https://www.apache.org/security/,https://gitbox.apache.org/repos/asf/ant-antlibs-cyclonedx.git,https://ci-builds.apache.org/job/Ant/job/CycloneDX%20Antlib/,https://bz.apache.org/bugzilla/buglist.cgi?component=CycloneDX%20Antlib&amp;product=Ant,https://ant.apache.org/antlibs/cyclonedx/,https://ant.apache.org/antlibs/bindownload.cgi,https://ant.apache.org/antlibs/srcdownload.cgi,https://repo1.ma
 [...]
+  </target>
+
+  <target name="testSbomLinkAddsDoesntOverrideExistingBomExternalLink" 
depends="createMaximalComponentData">
+    <cdx:componentbom
+        bomName="merged"
+        outputdirectory="${output}"
+        format="xml"
+        xmlns:cdx="antlib:org.apache.ant.cyclonedx">
+      <component>
+        <sbomLink>
+          <url 
url="https://repo1.maven.org/maven2/org/apache/ant/ant-cyclonedx/0.1/ant-cyclonedx-0.1-cyclonedx.json"/>
+        </sbomLink>
+        <externalReference type="bom" url="https://example.org/"/>
+      </component>
+    </cdx:componentbom>
+    <xmlproperty file="${output}/merged.xml"/>
+    <au:assertPropertyEquals
+        xmlns:au="antlib:org.apache.ant.antunit"
+        name="bom.metadata.component.externalReferences.reference(type)"
+        value="bom"/>
+    <au:assertPropertyEquals
+        xmlns:au="antlib:org.apache.ant.antunit"
+        name="bom.metadata.component.externalReferences.reference.url"
+        value="https://example.org/"/>
+  </target>
+
   <target
       name="testSbomLinkDoesNotUseLinkedManufacturerIfSupplierIsManufacturer"
       depends="createMaximalComponentData">
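Review bot: Both new targets exercise sbomLink only through a `<url>` resource, so nothing pins what happens when sbomLink points at a local file; if a file-based sbomLink is supported, a third target using a `<file>` resource that asserts whether a `bom` reference is or is not emitted would document the intended behaviour either way. A small style point: the target name `testSbomLinkAddsDoesntOverrideExistingBomExternalLink` reads oddly; `testSbomLinkDoesNotOverrideExistingBomExternalLink` matches the neighbouring target names.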
