deps: Update cyclonedx-core-java to version 8.0.1

renovate[bot] · sschuberth · commit 68e8e1fc37f4 · 2023-10-17T08:57:50.000+02:00
This deprecates the `Tool` class in favor of `ToolInformation`, see [1]. [1]: CycloneDX/cyclonedx-core-java#316
diff --git a/gradle/libs.versions.toml b/gradle/libs.versions.toml
@@ -16,7 +16,7 @@ asciidoctorjPdf = "2.3.9"
 clikt = "4.2.1"
 commonsCompress = "1.24.0"
 cvssCalculator = "1.4.2"
-cyclonedx = "7.3.2"
+cyclonedx = "8.0.1"
 diffUtils = "4.12"
 diskLruCache = "2.0.2"
 exposed = "0.44.0"
diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-with-findings.json b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-with-findings.json
@@ -1,16 +1,19 @@
 {
   "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
   "serialNumber": "urn:uuid:01234567-0123-0123-0123-01234567",
   "version": 1,
   "metadata": {
     "timestamp": "1970-01-01T00:00:00Z",
-    "tools": [
-      {
-        "name": "OSS Review Toolkit",
-        "version": "deadbeef"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "name": "OSS Review Toolkit",
+          "version": "deadbeef",
+          "type": "application"
+        }
+      ]
+    },
     "licenses": [
       {
         "expression": "CC0-1.0"
diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-without-findings.json b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result-without-findings.json
@@ -1,16 +1,19 @@
 {
   "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
   "serialNumber": "urn:uuid:01234567-0123-0123-0123-01234567",
   "version": 1,
   "metadata": {
     "timestamp": "1970-01-01T00:00:00Z",
-    "tools": [
-      {
-        "name": "OSS Review Toolkit",
-        "version": "deadbeef"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "name": "OSS Review Toolkit",
+          "version": "deadbeef",
+          "type": "application"
+        }
+      ]
+    },
     "licenses": [
       {
         "expression": "CC0-1.0"
diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.json
@@ -1,16 +1,19 @@
 {
   "bomFormat": "CycloneDX",
-  "specVersion": "1.4",
+  "specVersion": "1.5",
   "serialNumber": "urn:uuid:01234567-0123-0123-0123-01234567",
   "version": 1,
   "metadata": {
     "timestamp": "1970-01-01T00:00:00Z",
-    "tools": [
-      {
-        "name": "OSS Review Toolkit",
-        "version": "deadbeef"
-      }
-    ],
+    "tools": {
+      "components": [
+        {
+          "name": "OSS Review Toolkit",
+          "version": "deadbeef",
+          "type": "application"
+        }
+      ]
+    },
     "licenses": [
       {
         "expression": "CC0-1.0"
diff --git a/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml b/plugins/reporters/cyclonedx/src/funTest/assets/cyclonedx-reporter-expected-result.xml
@@ -1,12 +1,14 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<bom serialNumber="urn:uuid:01234567-0123-0123-0123-01234567" version="1" xmlns="http://cyclonedx.org/schema/bom/1.4">
+<bom serialNumber="urn:uuid:01234567-0123-0123-0123-01234567" version="1" xmlns="http://cyclonedx.org/schema/bom/1.5">
   <metadata>
     <timestamp>1970-01-01T00:00:00Z</timestamp>
     <tools>
-      <tool>
-        <name>OSS Review Toolkit</name>
-        <version>deadbeef</version>
-      </tool>
+      <components>
+        <component type="application">
+          <name>OSS Review Toolkit</name>
+          <version>deadbeef</version>
+        </component>
+      </components>
     </tools>
     <licenses>
       <expression>CC0-1.0</expression>
diff --git a/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt b/plugins/reporters/cyclonedx/src/main/kotlin/CycloneDxReporter.kt
@@ -36,7 +36,7 @@ import org.cyclonedx.model.Hash
 import org.cyclonedx.model.License
 import org.cyclonedx.model.LicenseChoice
 import org.cyclonedx.model.Metadata
-import org.cyclonedx.model.Tool
+import org.cyclonedx.model.metadata.ToolInformation
 
 import org.ossreviewtoolkit.model.FileFormat
 import org.ossreviewtoolkit.model.LicenseSource
@@ -66,7 +66,7 @@ import org.ossreviewtoolkit.utils.spdx.SpdxLicense
  */
 class CycloneDxReporter : Reporter {
     companion object {
-        val DEFAULT_SCHEMA_VERSION = CycloneDxSchema.Version.VERSION_14
+        val DEFAULT_SCHEMA_VERSION = CycloneDxSchema.Version.VERSION_15
         val DEFAULT_DATA_LICENSE = SpdxLicense.CC0_1_0
 
         const val REPORT_BASE_FILENAME = "bom.cyclonedx"
@@ -155,12 +155,15 @@ class CycloneDxReporter : Reporter {
 
         val metadata = Metadata().apply {
             timestamp = Date()
-            tools = listOf(
-                Tool().apply {
-                    name = ORT_FULL_NAME
-                    version = Environment.ORT_VERSION
-                }
-            )
+            toolChoice = ToolInformation().apply {
+                components = listOf(
+                    Component().apply {
+                        type = Component.Type.APPLICATION
+                        name = ORT_FULL_NAME
+                        version = Environment.ORT_VERSION
+                    }
+                )
+            }
             licenseChoice = LicenseChoice().apply { expression = dataLicense }
         }
 
