Description
CycloneDX 1.6 has deprecated the component.author in favor of component.authors, but this is handled somewhat inconsistently and incorrectly when outputting earlier versions.
When specifying the authors for a component, but not specifying an author, this is dropped. I suppose this is somewhat expected since it's going from a list to a single value, but there could be some logic to, say, take the first name as the author.
Secondly, when specifying the authors for a component within the metadata.tools, it is still output in 1.5. Is there something else I should be doing here?
Is the guidance here to set both author and authors.name for maximum compatibility? Or something else?
Using version v0.9.0 of this library, here's an example program:
```go
package main

import (
	"os"

	"github.com/CycloneDX/cyclonedx-go"
)

func main() {
	bom := cyclonedx.BOM{
		Metadata: &cyclonedx.Metadata{
			Timestamp:  "",
			Lifecycles: nil,
			Tools: &cyclonedx.ToolsChoice{
				// tool component: authors only, no author
				Components: &[]cyclonedx.Component{
					{
						Authors: &[]cyclonedx.OrganizationalContact{
							{
								Name: "some-author-1",
							},
						},
					},
				},
			},
		},
		// top-level component: authors only, no author
		Components: &[]cyclonedx.Component{
			{
				Authors: &[]cyclonedx.OrganizationalContact{
					{
						Name: "some-author-2",
					},
				},
			},
		},
	}
	enc := cyclonedx.NewBOMEncoder(os.Stdout, cyclonedx.BOMFileFormatJSON)
	enc.SetPretty(true)
	enc.SetEscapeHTML(false)
	// encode to the previous spec version, which predates component.authors
	_ = enc.EncodeVersion(&bom, cyclonedx.SpecVersion1_5)
}
```

outputs:
```json
{
  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
  "bomFormat": "",
  "specVersion": "1.5",
  "version": 0,
  "metadata": {
    "tools": {
      "components": [
        {
          "type": "",
          "authors": [
            {
              "name": "some-author-1"
            }
          ],
          "name": ""
        }
      ]
    }
  },
  "components": [
    {
      "type": "application",
      "name": ""
    }
  ]
}
```
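As an added example, not from the issue report and not part of cyclonedx-go, here is the "set both" strategy the report asks about, done as a pre-encoding pass over the BOM rather than as a change to the encoder: fill the deprecated `Author` string from `Authors` wherever components occur, and optionally clear `Authors` so nothing 1.6-only is left for a pre-1.6 encoder to emit (the tool-component leak shown above). The types are trimmed stand-ins whose field names and JSON tags are assumed to mirror cyclonedx-go's `BOM`, `Metadata`, `ToolsChoice`, `Component` and `OrganizationalContact`, so the program runs with only the standard library; `metadata.component` is left out of the stand-in and would get the same per-component step. Joining all names with ", " goes beyond the report's "take the first name" suggestion, since the pre-1.6 `author` field is a free-form string.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Trimmed stand-ins for the cyclonedx-go types (assumption: field names and JSON tags mirror
// the library's; with the real library, delete this block and import "github.com/CycloneDX/cyclonedx-go").
type (
	OrganizationalContact struct {
		Name string `json:"name,omitempty"`
	}
	Component struct {
		Name       string                   `json:"name"`
		Author     string                   `json:"author,omitempty"`  // pre-1.6 field
		Authors    *[]OrganizationalContact `json:"authors,omitempty"` // added in 1.6
		Components *[]Component             `json:"components,omitempty"`
	}
	ToolsChoice struct {
		Components *[]Component `json:"components,omitempty"`
	}
	Metadata struct {
		Tools *ToolsChoice `json:"tools,omitempty"`
	}
	BOM struct {
		Metadata   *Metadata    `json:"metadata,omitempty"`
		Components *[]Component `json:"components,omitempty"`
	}
)

// authorString flattens an authors list into the free-form pre-1.6 author string:
// non-empty names joined with ", " (emails and phones are lost in the downgrade).
func authorString(contacts []OrganizationalContact) string {
	var names []string
	for _, c := range contacts {
		if n := strings.TrimSpace(c.Name); n != "" {
			names = append(names, n)
		}
	}
	return strings.Join(names, ", ")
}

// fillList sets Author from Authors on every component in the list whose Author is empty,
// clears Authors when dropAuthors is set, and recurses into nested components.
// It returns how many components received a new Author value.
func fillList(list *[]Component, dropAuthors bool) (n int) {
	if list == nil {
		return 0
	}
	for i := range *list {
		c := &(*list)[i]
		if c.Authors != nil {
			if s := authorString(*c.Authors); c.Author == "" && s != "" {
				c.Author, n = s, n+1
			}
			if dropAuthors {
				c.Authors = nil // nothing 1.6-only left for the encoder to leak
			}
		}
		n += fillList(c.Components, dropAuthors)
	}
	return n
}

// FillAuthorsForDowngrade walks metadata.tools.components and the top-level components (with
// their nested components) and populates the deprecated Author field, so an encoder targeting a
// pre-1.6 spec that drops Authors still emits an author. With dropAuthors set it also removes the
// Authors lists, which the issue shows leaking into 1.5 output for tool components.
func FillAuthorsForDowngrade(bom *BOM, dropAuthors bool) int {
	n := fillList(bom.Components, dropAuthors)
	if bom.Metadata != nil && bom.Metadata.Tools != nil {
		n += fillList(bom.Metadata.Tools.Components, dropAuthors)
	}
	return n
}

func sampleBOM() *BOM { // constructed input modelled on the issue report, plus a nested component
	return &BOM{
		Metadata: &Metadata{Tools: &ToolsChoice{Components: &[]Component{
			{Name: "some-tool", Authors: &[]OrganizationalContact{{Name: "some-author-1"}}}}}},
		Components: &[]Component{{Name: "some-lib",
			Authors: &[]OrganizationalContact{{Name: "some-author-2"}, {Name: "some-author-3"}},
			Components: &[]Component{{Name: "nested-lib", Author: "kept-as-is",
				Authors: &[]OrganizationalContact{{Name: "ignored"}}}}}},
	}
}

func main() {
	bom := sampleBOM()
	fmt.Println("filled author on", FillAuthorsForDowngrade(bom, true), "components")
	out, _ := json.MarshalIndent(bom, "", "  ") // stands in for EncodeVersion(&bom, SpecVersion1_5)
	fmt.Println(string(out))
}
```

Call `FillAuthorsForDowngrade(&bom, true)` immediately before `EncodeVersion(&bom, cyclonedx.SpecVersion1_5)`; for a 1.6 target leave both fields populated, or run the pass on a copy, since it is destructive. A non-empty `Author` is never overwritten, and emails or phone numbers in `authors` have no place in the `author` string, so the downgrade is lossy wherever it is done.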