File: modelling.rst

.. # Licensed under the Apache License, Version 2.0 (the "License");
   # you may not use this file except in compliance with the License.
   # You may obtain a copy of the License at
   #
   #     http://www.apache.org/licenses/LICENSE-2.0
   #
   # Unless required by applicable law or agreed to in writing, software
   # distributed under the License is distributed on an "AS IS" BASIS,
   # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   # See the License for the specific language governing permissions and
   # limitations under the License.
   #
   # SPDX-License-Identifier: Apache-2.0

Modelling
=========

You can create a BOM Model either manually, using the methods available
directly on the :py:class:`cyclonedx.model.bom.Bom` class,
or by deserializing a JSON/XML document via :py:meth:`cyclonedx.model.bom.Bom.from_json`/:py:meth:`cyclonedx.model.bom.Bom.from_xml`.

Vulnerabilities are supported by the Model as of version 0.3.0.

    **Note:** Known vulnerabilities associated with Components can be sourced from various data sources, but this library
    will not source them for you. Perhaps look at `Jake`_ if you're interested in this.

Example BOM created programmatically
------------------------------------

.. note::

    It is recommended that you have a good understanding of the `CycloneDX Schema`_ before attempting to create a BOM
    programmatically with this library.


For the most up-to-date in-depth examples, look at our `Unit Tests`_.

Example BOM created from existing CycloneDX BOM
-----------------------------------------------

.. note::

    Supported from version 4.0.0 of this library.

Deserializing from a CycloneDX JSON BOM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Each model class in this library that is serializable provides a magic ``from_json()`` method.

See the example below to read and deserialize a JSON CycloneDX document. Note that reading the file and loading it as
JSON is the programmer's responsibility.

.. code-block:: python

    import json
    from cyclonedx.model.bom import Bom

    with open('/path/to/my/cyclonedx.json') as input_json:
        deserialized_bom = Bom.from_json(data=json.loads(input_json.read()))


Deserializing from a CycloneDX XML BOM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Each model class in this library that is serializable provides a magic ``from_xml()`` method.

See the example below to read and deserialize an XML CycloneDX document. Note that reading the file and parsing it as
XML is the programmer's responsibility. Be careful to avoid the XML vulnerabilities documented `here`_. It is
recommended that you use a library such as ``defusedxml`` instead of the native ``xml.etree.ElementTree``.

.. code-block:: python

    from typing import cast
    from xml.etree import ElementTree
    from cyclonedx.model.bom import Bom

    # Reading and parsing the file is the caller's job; for untrusted input,
    # prefer ``defusedxml`` over the stdlib parser used here.
    with open('/path/to/my/cyclonedx.xml') as input_xml:
        deserialized_bom = cast(Bom, Bom.from_xml(data=ElementTree.fromstring(input_xml.read())))
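
The XML caveat above calls for a guard in front of ``Bom.from_xml``. The following is an added example, not code from
this library's docs, that does it with the standard library alone (for environments where ``defusedxml`` is not
installed): a first expat pass refuses any DOCTYPE or entity declaration, and only then is the document parsed with
ElementTree. ``safe_fromstring``, ``rejects``, ``UnsafeXMLError`` and the two sample documents are names and data
constructed here.

```python
import xml.parsers.expat as expat
from xml.etree import ElementTree

class UnsafeXMLError(ValueError):
    """Raised for XML constructs a CycloneDX BOM never needs (name chosen here)."""

def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat StartDoctypeDeclHandler: refuse any DOCTYPE, internal subset or not.
    raise UnsafeXMLError(f"DOCTYPE declaration rejected: {name}")

def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    # expat EntityDeclHandler: entity definitions are what expansion and
    # external-entity attacks are built on, so none are accepted.
    raise UnsafeXMLError(f"entity declaration rejected: {name}")

def safe_fromstring(data: bytes) -> ElementTree.Element:
    """Scan ``data`` with a bare expat parser, then parse it with ElementTree.

    The scan aborts before any entity is expanded or any external resource
    is referenced, so the second (normal) parse only ever sees plain markup.
    """
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    scanner.EntityDeclHandler = _reject_entity
    scanner.Parse(data, True)  # raises UnsafeXMLError, or ExpatError if malformed
    return ElementTree.fromstring(data)

def rejects(data: bytes) -> bool:
    """True if ``safe_fromstring`` refuses ``data`` (malformed XML still raises)."""
    try:
        safe_fromstring(data)
    except UnsafeXMLError:
        return True
    return False

# Constructed samples: a minimal well-formed BOM, and the same document with a
# DOCTYPE that defines an entity, which the guard must refuse.
BENIGN_BOM = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
              b'<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1">\n'
              b'  <components><component type="library">\n'
              b'    <name>example-lib</name><version>1.2.3</version>\n'
              b'  </component></components>\n</bom>')
DOCTYPE_BOM = b'<!DOCTYPE bom [<!ENTITY x "x">]>\n' + BENIGN_BOM.split(b"\n", 1)[1]

if __name__ == "__main__":
    root = safe_fromstring(BENIGN_BOM)  # ready to hand to Bom.from_xml(data=root)
    print(root.tag, "parsed; DOCTYPE sample rejected:", rejects(DOCTYPE_BOM))
```

The returned ``Element`` is what ``Bom.from_xml(data=...)`` expects, so the guard slots in where ``ElementTree.fromstring`` is called above.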




.. _CycloneDX Python: https://github.com/CycloneDX/cyclonedx-python
.. _Jake: https://pypi.org/project/jake
.. _CycloneDX Schema: https://cyclonedx.org/docs/latest
.. _Unit Tests: https://github.com/CycloneDX/cyclonedx-python-lib/tree/main/tests
.. _here: https://docs.python.org/3/library/xml.html#xml-vulnerabilities