Fixes #1353

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
CycloneDX · Dec 26, 2024 · e995c54 · e995c54
1 parent f306859
commit e995c54
Show file tree

Hide file tree

Showing 2 changed files with 41 additions and 31 deletions.
diff --git a/.github/workflows/repotests.yml b/.github/workflows/repotests.yml
@@ -262,6 +262,11 @@ jobs:
           repository: 'quarkusio/quarkus-quickstarts'
           path: 'repotests/quarkus-quickstarts'
           ref: '3.17.3'
+      - uses: actions/checkout@v4
+        with:
+          repository: 'aws-solutions/iot-device-simulator'
+          path: 'repotests/iot-device-simulator'
+          ref: 'v3.0.9'
       - uses: dtolnay/rust-toolchain@stable
       - name: setup sdkman
         run: |
@@ -310,6 +315,11 @@ jobs:
           bin/cdxgen.js -p -r -t quarkus repotests/quarkus-quickstarts -o bomresults/bom-quarkus-quickstarts-quarkus.json --no-recurse
           bin/cdxgen.js -p -r -t quarkus repotests/quarkus-quickstarts -o bomresults/bom-quarkus-quickstarts-quarkus.json --no-recurse --spec-version 1.5
         shell: bash
+      - name: repotests iot-device-simulator
+        run: |
+          bin/cdxgen.js -p -t js -o bomresults/bom-iot.json --evidence repotests/iot-device-simulator
+          bin/cdxgen.js -p -t js -o bomresults/bom-iot15.json --evidence repotests/iot-device-simulator --spec-version 1.5
+        shell: bash
       - name: repotests evidence
         run: |
           bin/cdxgen.js -p -t js --no-recurse -o bomresults/bom.json --evidence .

diff --git a/lib/cli/index.js b/lib/cli/index.js
@@ -905,37 +905,6 @@ function addComponent(
       delete component.swhid;
     }
     processHashes(pkg, component);
-    // Retain evidence
-    if (
-      options.specVersion >= 1.5 &&
-      pkg.evidence &&
-      Object.keys(pkg.evidence).length
-    ) {
-      component.evidence = pkg.evidence;
-      // Convert evidence.identity section to an array for 1.6 and above
-      if (
-        options.specVersion >= 1.6 &&
-        pkg.evidence &&
-        pkg.evidence.identity &&
-        !Array.isArray(pkg.evidence.identity)
-      ) {
-        // Automatically add concludedValue
-        if (pkg.evidence.identity?.methods?.length === 1) {
-          pkg.evidence.identity.concludedValue =
-            pkg.evidence.identity.methods[0].value;
-        }
-        component.evidence.identity = [pkg.evidence.identity];
-      }
-      // Convert evidence.identity section to an object for 1.5
-      if (
-        options.specVersion === 1.5 &&
-        pkg.evidence &&
-        pkg.evidence.identity &&
-        Array.isArray(pkg.evidence.identity)
-      ) {
-        component.evidence.identity = pkg.evidence.identity[0];
-      }
-    }
     // Upgrade authors section
     if (options.specVersion >= 1.6 && component.author) {
       const authorsList = [];
@@ -983,6 +952,37 @@ function addComponent(
         component = mergedComponents[0];
       }
     }
+    // Retain evidence
+    if (
+      options.specVersion >= 1.5 &&
+      pkg.evidence &&
+      Object.keys(pkg.evidence).length
+    ) {
+      component.evidence = pkg.evidence;
+      // Convert evidence.identity section to an array for 1.6 and above
+      if (
+        options.specVersion >= 1.6 &&
+        pkg.evidence &&
+        pkg.evidence.identity &&
+        !Array.isArray(pkg.evidence.identity)
+      ) {
+        // Automatically add concludedValue
+        if (pkg.evidence.identity?.methods?.length === 1) {
+          pkg.evidence.identity.concludedValue =
+            pkg.evidence.identity.methods[0].value;
+        }
+        component.evidence.identity = [pkg.evidence.identity];
+      }
+      // Convert evidence.identity section to an object for 1.5
+      if (
+        options.specVersion === 1.5 &&
+        pkg.evidence &&
+        pkg.evidence.identity &&
+        Array.isArray(pkg.evidence.identity)
+      ) {
+        component.evidence.identity = pkg.evidence.identity[0];
+      }
+    }
     compMap[component.purl] = component;
   }
   if (pkg.dependencies) {