Merge pull request #339 from nscuro/issue-338

Fix XML deserialization of legacy `Tool`s
CycloneDX · Oct 18, 2023 · 50ed005 · 50ed005
2 parents c72eb8b + 3c56d87
commit 50ed005
Show file tree

Hide file tree

Showing 7 changed files with 98 additions and 2 deletions.
diff --git a/src/main/java/org/cyclonedx/util/deserializer/MetadataDeserializer.java b/src/main/java/org/cyclonedx/util/deserializer/MetadataDeserializer.java
@@ -105,8 +105,19 @@ public Metadata deserialize(JsonParser jsonParser, DeserializationContext ctxt)
         metadata.setTools(tools);
       }
       else if (toolsNode.has("tool")) {
-        Tool tool = mapper.convertValue(toolsNode.get("tool"), Tool.class);
-        metadata.setTools(Collections.singletonList(tool));
+        final JsonNode toolNode = toolsNode.get("tool");
+        // When deserializing XML BOMs, and multiple tools are provided, Jackson's internal
+        // representation looks like this:
+        //   {"tool": [{"name": "foo"}, {"name": "bar"}]}
+        // If only a single tool is provided, it looks like this:
+        //   {"tool": {"name": "foo"}}
+        if (toolNode.isArray()) {
+          List<Tool> tools = mapper.convertValue(toolsNode.get("tool"), new TypeReference<List<Tool>>() { });
+          metadata.setTools(tools);
+        } else {
+          Tool tool = mapper.convertValue(toolsNode.get("tool"), Tool.class);
+          metadata.setTools(Collections.singletonList(tool));
+        }
       }
       else {
         ToolInformation toolInformation = new ToolInformation();

diff --git a/src/test/java/org/cyclonedx/parsers/JsonParserTest.java b/src/test/java/org/cyclonedx/parsers/JsonParserTest.java
@@ -185,4 +185,17 @@ public void testParsedObjects15Bom_validTools() throws Exception {
         assertCommonBomProperties(bom, Version.VERSION_15);
         assertMetadata_validTools(bom.getMetadata());
     }
+
+    @Test
+    public void testIssue338RegressionWithSingleTool() throws Exception {
+        final Bom bom = getJsonBom("regression/issue338-single-tool.json");
+        assertEquals("acme-tool-a", bom.getMetadata().getTools().get(0).getName());
+    }
+
+    @Test
+    public void testIssue338RegressionWithMultipleTools() throws Exception {
+        final Bom bom = getJsonBom("regression/issue338-multiple-tools.json");
+        assertEquals("acme-tool-a", bom.getMetadata().getTools().get(0).getName());
+        assertEquals("acme-tool-b", bom.getMetadata().getTools().get(1).getName());
+    }
 }
diff --git a/src/test/java/org/cyclonedx/parsers/XmlParserTest.java b/src/test/java/org/cyclonedx/parsers/XmlParserTest.java
@@ -341,4 +341,17 @@ public void testParsedObjects14Bom_WithVulnsExtension() throws Exception {
         assertEquals(1, bom.getVersion());
         assertNull(bom.getVulnerabilities());
     }
+
+    @Test
+    public void testIssue338RegressionWithSingleTool() throws Exception {
+        final Bom bom = getXmlBom("regression/issue338-single-tool.xml");
+        assertEquals("acme-tool-a", bom.getMetadata().getTools().get(0).getName());
+    }
+
+    @Test
+    public void testIssue338RegressionWithMultipleTools() throws Exception {
+        final Bom bom = getXmlBom("regression/issue338-multiple-tools.xml");
+        assertEquals("acme-tool-a", bom.getMetadata().getTools().get(0).getName());
+        assertEquals("acme-tool-b", bom.getMetadata().getTools().get(1).getName());
+    }
 }
diff --git a/src/test/resources/regression/issue338-multiple-tools.json b/src/test/resources/regression/issue338-multiple-tools.json
@@ -0,0 +1,16 @@
+{
+  "bomFormat" : "CycloneDX",
+  "specVersion" : "1.4",
+  "serialNumber": "urn:uuid:1624fa6f-aebe-4dba-8ead-f2c876c9b832",
+  "version" : 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "acme-tool-a"
+      },
+      {
+        "name": "acme-tool-b"
+      }
+    ]
+  }
+}
diff --git a/src/test/resources/regression/issue338-multiple-tools.xml b/src/test/resources/regression/issue338-multiple-tools.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+     serialNumber="urn:uuid:1624fa6f-aebe-4dba-8ead-f2c876c9b832" version="1"
+     xmlns="http://cyclonedx.org/schema/bom/1.4">
+    <metadata>
+        <tools>
+            <tool>
+                <name>acme-tool-a</name>
+                <version>1.0.0</version>
+            </tool>
+            <tool>
+                <name>acme-tool-b</name>
+                <version>2.0.0</version>
+            </tool>
+        </tools>
+    </metadata>
+</bom>
diff --git a/src/test/resources/regression/issue338-single-tool.json b/src/test/resources/regression/issue338-single-tool.json
@@ -0,0 +1,13 @@
+{
+  "bomFormat" : "CycloneDX",
+  "specVersion" : "1.4",
+  "serialNumber": "urn:uuid:1624fa6f-aebe-4dba-8ead-f2c876c9b832",
+  "version" : 1,
+  "metadata": {
+    "tools": [
+      {
+        "name": "acme-tool-a"
+      }
+    ]
+  }
+}
diff --git a/src/test/resources/regression/issue338-single-tool.xml b/src/test/resources/regression/issue338-single-tool.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<bom xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
+     serialNumber="urn:uuid:1624fa6f-aebe-4dba-8ead-f2c876c9b832" version="1"
+     xmlns="http://cyclonedx.org/schema/bom/1.4">
+    <metadata>
+        <tools>
+            <tool>
+                <name>acme-tool-a</name>
+                <version>1.0.0</version>
+            </tool>
+        </tools>
+    </metadata>
+</bom>