Add support for CycloneDX XML inputs #1136 (#1137)

Signed-off-by: tdruez <tdruez@nexb.com>

Author: tdruez

CHANGELOG.rst

@@ -1,6 +1,12 @@
 Changelog
 =========
 
+v34.2.0 (unreleased)
+--------------------
+
+- Add support for CycloneDX XML inputs.
+  https://github.com/nexB/scancode.io/issues/1136
+
 v34.1.0 (2024-03-27)
 --------------------
 

scanpipe/pipes/cyclonedx.py

@@ -32,6 +32,7 @@
 from cyclonedx.schema import SchemaVersion
 from cyclonedx.validation import ValidationError
 from cyclonedx.validation.json import JsonStrictValidator
+from defusedxml import ElementTree as SafeElementTree
 from packageurl import PackageURL
 
 
@@ -121,10 +122,18 @@ def validate_document(document):
 
 def is_cyclonedx_bom(input_location):
     """Return True if the file at `input_location` is a CycloneDX BOM."""
-    with suppress(Exception):
-        data = json.loads(Path(input_location).read_text())
-        if data.get("bomFormat") == "CycloneDX":
-            return True
+    if str(input_location).endswith(".json"):
+        with suppress(Exception):
+            data = json.loads(Path(input_location).read_text())
+            if data.get("bomFormat") == "CycloneDX":
+                return True
+
+    elif str(input_location).endswith(".xml"):
+        with suppress(Exception):
+            et = SafeElementTree.parse(input_location)
+            if "cyclonedx" in et.getroot().tag:
+                return True
+
     return False
 
 
@@ -164,11 +173,6 @@ def cyclonedx_component_to_package_data(cdx_component):
     }
 
 
-def get_bom(cyclonedx_document):
-    """Return CycloneDX BOM object."""
-    return Bom.from_json(data=cyclonedx_document)
-
-
 def get_components(bom):
     """Return list of components from CycloneDX BOM."""
     return list(bom._get_all_components())
@@ -177,13 +181,23 @@ def get_components(bom):
 def resolve_cyclonedx_packages(input_location):
     """Resolve the packages from the `input_location` CycloneDX document file."""
     input_path = Path(input_location)
-    cyclonedx_document = json.loads(input_path.read_text())
+    document_data = input_path.read_text()
 
-    if errors := validate_document(cyclonedx_document):
-        error_msg = f'CycloneDX document "{input_path.name}" is not valid:\n{errors}'
-        raise ValueError(error_msg)
+    if str(input_location).endswith(".xml"):
+        cyclonedx_document = SafeElementTree.fromstring(document_data)
+        cyclonedx_bom = Bom.from_xml(cyclonedx_document)
 
-    cyclonedx_bom = get_bom(cyclonedx_document)
-    components = get_components(cyclonedx_bom)
+    elif str(input_location).endswith(".json"):
+        cyclonedx_document = json.loads(document_data)
+        if errors := validate_document(cyclonedx_document):
+            error_msg = (
+                f'CycloneDX document "{input_path.name}" is not valid:\n{errors}'
+            )
+            raise ValueError(error_msg)
+        cyclonedx_bom = Bom.from_json(data=cyclonedx_document)
+
+    else:
+        return []
 
+    components = get_components(cyclonedx_bom)
     return [cyclonedx_component_to_package_data(component) for component in components]

scanpipe/pipes/resolve.py

@@ -264,17 +264,17 @@ def get_default_package_type(input_location):
         if handler.is_datafile(input_location):
             return handler.default_package_type
 
-        if input_location.endswith((".spdx", ".spdx.json")):
-            return "spdx"
+    if input_location.endswith((".spdx", ".spdx.json")):
+        return "spdx"
 
-        if input_location.endswith((".bom.json", ".cdx.json")):
-            return "cyclonedx"
+    if input_location.endswith(("bom.json", ".cdx.json", "bom.xml", ".cdx.xml")):
+        return "cyclonedx"
 
-        if input_location.endswith(".json"):
-            if cyclonedx.is_cyclonedx_bom(input_location):
-                return "cyclonedx"
-            if spdx.is_spdx_document(input_location):
-                return "spdx"
+    if input_location.endswith((".json", ".xml")):
+        if cyclonedx.is_cyclonedx_bom(input_location):
+            return "cyclonedx"
+        if spdx.is_spdx_document(input_location):
+            return "spdx"
 
 
 # Mapping between `default_package_type` its related resolver functions