SBOM ingestion

[barv-jfrog]

• The pull request is targeting the dev branch.
• The code has been validated to compile successfully by running go vet ./....
• The code has been formatted properly using go fmt ./....
• All static analysis checks passed.
• All tests have passed. If this feature is not already covered by the tests, new tests have been added.
• All changes are detailed at the description. if not already covered at JFrog Documentation, new documentation have been added.

---

Depends on:
jfrog/jfrog-client-go#961
jfrog/jfrog-cli-core#1193

---

Description: new command jf-sbom enrich, the point is to take an XML/JSON file which contains an SBOM of a package in CycloneDX format and enrich it with vulnerabilities which xray finds.

Usage:
jf sbom-enrich <file.xml/file.json>
Output:
the file.xml/file.json with an additional vulnerabilities section.

For example:

And the output is the file with an additional section (provided here is an image with the extra section)

This is only part of the output, the output is the file that was put as input but with an additional section.

[github-actions]

CLA Assistant Lite bot All contributors have signed the CLA ✍️ ✅

[barv-jfrog]

I have read the CLA Document and I hereby sign the CLA

[attiasas]

Check out my comments. Make sure the Clinet PR is approved by ecosystem team

[attiasas]

Suggested change

	type EnrichJson struct {
	Vulnerability []struct {
	BomRef string `json:"bom-ref,"`
	Id string `json:"id"`
	} `json:"vulnerabilities"`
	}
	type EnrichBom struct {
	Vulnerabilities []Vulnerability `json:"vulnerabilities xml:"Vulnerabilities"`
	}

Use the struc already defined. you can combine and define xml and json tags at the same object...
Also move it to format

[barv-jfrog]

I know I can combine but XML is a bit different in structure than JSON, must separate.

[barv-jfrog]

moved to format

[attiasas]

Suggested change

	type Bom struct {
	Vulnerabilities struct {
	Vulnerability []struct {
	BomRef string `xml:"bom-ref,attr"`
	Id string `xml:"id"`
	} `xml:"vulnerability"`
	} `xml:"vulnerabilities"`
	}

remove duplicated

[barv-jfrog]

its not duplicated

[attiasas]

Suggested change

	func testVulns(t *testing.T, vulns []struct {
	BomRef string
	Id string
	}) {
	for _, vuln := range vulns {
	assert.NotEqual(t, vuln.BomRef, nil)
	assert.NotEqual(t, vuln.Id, nil)
	}
	}
	func testVulns(t *testing.T, vulns Vulnerabilities) {
	for _, vuln := range vulns {
	assert.NotEqual(t, vuln.BomRef, nil)
	assert.NotEqual(t, vuln.Id, nil)
	}
	}

Use the structs from the formats that you added. you dont need anonymus structs

[barv-jfrog]

I want the testVulns function to receive both xml and json structs. I only care about specific fields in this so I used annonymous structs to make this function generic. whats wrong with that ?

[github-actions]

---

🐸 JFrog Frogbot