fix: handle identity field as dict or array in ComponentEvidence deserialization

qkaiser · qkaiser · commit 7d3e6f656654 · 2025-10-20T11:46:20.000+02:00
The identity field in ComponentEvidence can be either a single object (dict)
in CycloneDX 1.5 or a single object/array of objects in CycloneDX 1.6.
The previous implementation failed when deserializing a single object format,
throwing 'str' object has no attribute 'items' error.

Added _IdentitySetSerializationHelper to properly handle both formats:
- json_normalize: serializes Identity objects as list while preserving view context
- json_deserialize: handles both dict (single) and list (array) formats

Also updated _ComponentEvidenceSerializationHelper.json_denormalize to normalize
single dict format to array before deserialization for consistency.

Fixes deserialization of CycloneDX 1.5 and 1.6 SBOMs with component evidence.

Signed-off-by: Quentin Kaiser &lt;quentin.kaiser@onekey.com&gt;
diff --git a/cyclonedx/model/component_evidence.py b/cyclonedx/model/component_evidence.py
@@ -185,6 +185,24 @@ def xml_denormalize(cls, o: 'XmlElement', *,
         return [BomRef(value=t.get('ref')) for t in o]
 
 
+class _IdentitySetSerializationHelper(serializable.helpers.BaseHelper):
+    """  THIS CLASS IS NON-PUBLIC API  """
+
+    @classmethod
+    def json_normalize(cls, o: Iterable['Identity'], *,
+                       view: Optional[type[serializable.ViewType]],
+                       **__: Any) -> list[dict[str, Any]]:
+        # Serialize identity as a list of dicts, preserving the view context
+        return [json_loads(item.as_json(view)) for item in o]  # type: ignore[attr-defined]
+
+    @classmethod
+    def json_deserialize(cls, o: Union[dict[str, Any], list[dict[str, Any]]]) -> list['Identity']:
+        # Handle identity field which can be a dict (CycloneDX 1.5) or list of dicts (CycloneDX 1.6)
+        if isinstance(o, dict):
+            return [Identity.from_json(o)]  # type: ignore[attr-defined]
+        return [Identity.from_json(item) for item in o]  # type: ignore[attr-defined]
+
+
 @serializable.serializable_class(ignore_unknown_during_deserialization=True)
 class Identity:
     """
@@ -654,6 +672,7 @@ def __init__(
     @property
     @serializable.view(SchemaVersion1Dot5)
     @serializable.view(SchemaVersion1Dot6)
+    @serializable.type_mapping(_IdentitySetSerializationHelper)
     @serializable.xml_sequence(1)
     @serializable.xml_array(serializable.XmlArraySerializationType.FLAT, 'identity')
     def identity(self) -> 'SortedSet[Identity]':
@@ -768,6 +787,10 @@ def json_normalize(cls, o: ComponentEvidence, *,
 
     @classmethod
     def json_denormalize(cls, o: dict[str, Any], **__: Any) -> Any:
+        # Handle identity field which can be a dict (CycloneDX 1.5) or list of dicts (CycloneDX 1.6)
+        # Before passing to ComponentEvidence.from_json, ensure it's always a list
+        if 'identity' in o and isinstance(o['identity'], dict):
+            o = {**o, 'identity': [o['identity']]}
         return ComponentEvidence.from_json(o)  # type:ignore[attr-defined]
 
     @classmethod
diff --git a/tests/test_model_component_evidence.py b/tests/test_model_component_evidence.py
@@ -201,6 +201,143 @@ def test_not_same_1(self) -> None:
         self.assertNotEqual(hash(ce_1), hash(ce_2))
         self.assertFalse(ce_1 == ce_2)
 
+    def test_identity_deserialization_single_dict_format(self) -> None:
+        """Test deserialization of identity field as a single dict (CycloneDX 1.5 format)"""
+        # This is the format that was failing before the fix
+        json_data = {
+            'identity': {
+                'field': 'name',
+                'confidence': 1.0,
+                'concludedValue': 'test-component'
+            }
+        }
+        ce = ComponentEvidence.from_json(json_data)  # type: ignore[attr-defined]
+        self.assertEqual(len(ce.identity), 1)
+        identity = list(ce.identity)[0]
+        self.assertEqual(identity.field, IdentityField.NAME)
+        self.assertEqual(identity.confidence, Decimal('1.0'))
+        self.assertEqual(identity.concluded_value, 'test-component')
+
+    def test_identity_deserialization_array_format(self) -> None:
+        """Test deserialization of identity field as an array (CycloneDX 1.6 format)"""
+        json_data = {
+            'identity': [
+                {
+                    'field': 'name',
+                    'confidence': 1.0,
+                    'concludedValue': 'test-component'
+                },
+                {
+                    'field': 'version',
+                    'confidence': 0.8,
+                    'concludedValue': '1.0.0'
+                }
+            ]
+        }
+        ce = ComponentEvidence.from_json(json_data)  # type: ignore[attr-defined]
+        self.assertEqual(len(ce.identity), 2)
+
+        # Check that both identities are present
+        identities = sorted(ce.identity, key=lambda x: x.field.value)
+        self.assertEqual(identities[0].field, IdentityField.NAME)
+        self.assertEqual(identities[0].concluded_value, 'test-component')
+        self.assertEqual(identities[1].field, IdentityField.VERSION)
+        self.assertEqual(identities[1].concluded_value, '1.0.0')
+
+    def test_identity_dict_format_converts_to_array_internally(self) -> None:
+        """Test that single dict identity format is converted to array format internally"""
+        # When deserializing a single dict, it should be normalized to array format
+        # before being passed to ComponentEvidence
+        json_data_dict = {
+            'identity': {
+                'field': 'name',
+                'confidence': 1.0,
+                'concludedValue': 'test-component'
+            }
+        }
+
+        json_data_array = {
+            'identity': [
+                {
+                    'field': 'name',
+                    'confidence': 1.0,
+                    'concludedValue': 'test-component'
+                }
+            ]
+        }
+
+        # Both formats should produce the same result
+        ce_from_dict = ComponentEvidence.from_json(json_data_dict)  # type: ignore[attr-defined]
+        ce_from_array = ComponentEvidence.from_json(json_data_array)  # type: ignore[attr-defined]
+
+        self.assertEqual(len(ce_from_dict.identity), 1)
+        self.assertEqual(len(ce_from_array.identity), 1)
+
+        # The identity objects should be equivalent
+        identity_dict = list(ce_from_dict.identity)[0]
+        identity_array = list(ce_from_array.identity)[0]
+        self.assertEqual(identity_dict.field, identity_array.field)
+        self.assertEqual(identity_dict.confidence, identity_array.confidence)
+        self.assertEqual(identity_dict.concluded_value, identity_array.concluded_value)
+
+    def test_identity_dict_with_multiple_methods(self) -> None:
+        """Test deserialization of single identity dict with multiple methods"""
+        json_data = {
+            'identity': {
+                'field': 'purl',
+                'confidence': 0.95,
+                'concludedValue': 'pkg:npm/example@1.0.0',
+                'methods': [
+                    {
+                        'technique': 'source-code-analysis',
+                        'confidence': 0.9,
+                        'value': 'Found in package.json'
+                    },
+                    {
+                        'technique': 'binary-analysis',
+                        'confidence': 0.85,
+                        'value': 'Found in binary metadata'
+                    }
+                ]
+            }
+        }
+        ce = ComponentEvidence.from_json(json_data)  # type: ignore[attr-defined]
+        self.assertEqual(len(ce.identity), 1)
+        identity = list(ce.identity)[0]
+        self.assertEqual(identity.field, IdentityField.PURL)
+        self.assertEqual(len(identity.methods), 2)
+
+        # Verify methods are properly deserialized
+        methods = sorted(identity.methods, key=lambda m: m.technique.value)
+        self.assertEqual(methods[0].technique, AnalysisTechnique.BINARY_ANALYSIS)
+        self.assertEqual(methods[0].confidence, Decimal('0.85'))
+        self.assertEqual(methods[1].technique, AnalysisTechnique.SOURCE_CODE_ANALYSIS)
+        self.assertEqual(methods[1].confidence, Decimal('0.9'))
+
+    def test_identity_deserialization_dict_with_methods(self) -> None:
+        """Test deserialization of single identity dict with methods"""
+        json_data = {
+            'identity': {
+                'field': 'name',
+                'confidence': 0.95,
+                'concludedValue': 'test-lib',
+                'methods': [
+                    {
+                        'technique': 'source-code-analysis',
+                        'confidence': 0.9,
+                        'value': 'Found in metadata'
+                    }
+                ]
+            }
+        }
+        ce = ComponentEvidence.from_json(json_data)  # type: ignore[attr-defined]
+        self.assertEqual(len(ce.identity), 1)
+        identity = list(ce.identity)[0]
+        self.assertEqual(len(identity.methods), 1)
+        method = list(identity.methods)[0]
+        self.assertEqual(method.technique, AnalysisTechnique.SOURCE_CODE_ANALYSIS)
+        self.assertEqual(method.confidence, Decimal('0.9'))
+
 
 class TestModelCallStackFrame(TestCase):
 
