diff --git a/cdxev/initialize_sbom.py b/cdxev/initialize_sbom.py
index 9e05b4ec..24bbcec1 100644
--- a/cdxev/initialize_sbom.py
+++ b/cdxev/initialize_sbom.py
@@ -1,6 +1,7 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 import json
+from uuid import uuid4
 from datetime import datetime
 from typing import Any, Union
@@ -67,10 +68,7 @@ def initialize_sbom(
 type=ExternalReferenceType.WEBSITE,
 )
- bom_ref = BomRef(
- "An optional identifier which can be used "
- "to reference the component elsewhere in the SBOM."
- )
+ bom_ref = BomRef(str(uuid4()))
 metadata_component = Component(
 name=software_name,
diff --git a/tests/integration/test_integration.py b/tests/integration/test_integration.py
index 85477a2a..460c9331 100644
--- a/tests/integration/test_integration.py
+++ b/tests/integration/test_integration.py
@@ -3,6 +3,7 @@
 import json
 import os
 import re
+from uuid import UUID
 from collections.abc import Callable
 from itertools import chain
 from pathlib import Path
@@ -299,6 +300,15 @@ def test(
 # Verify that command completed successfully
 assert exit_code == Status.OK
+ # Verify bom ref is a valid UUID
+ assert UUID(actual["metadata"]["component"]["bom-ref"])
+
+ # Remove randomly generated bom ref for the comparison
+ actual["dependencies"][0].pop("ref")
+ actual["metadata"]["component"].pop("bom-ref")
+ expected["metadata"]["component"].pop("bom-ref")
+ expected["dependencies"][0].pop("ref")
+
 # Verify that output matches what is expected
 assert actual == expected
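Review bot: `bom_ref = BomRef(str(uuid4()))` makes every run of initialize_sbom emit a different metadata component bom-ref (and, judging by the test hunks, a different dependency ref), so two generations from identical inputs no longer compare equal; that costs reproducibility when the SBOM is signed, diffed against a baseline, or regenerated in CI. Consider letting the caller supply the identifier through an optional keyword parameter on initialize_sbom that defaults to `None` and falls back to `str(uuid4())`, so deterministic builds stay possible while the default remains collision-free. A one-line comment on the new line would also help, e.g. `# bom-ref only has to be unique within this document; a random UUID avoids clashing with real component refs`. initialize_sbom's signature and the rest of its body lie outside the hunk.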
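Review bot: `assert UUID(actual["metadata"]["component"]["bom-ref"])` can never fail as an assertion, because a UUID object is always truthy and a malformed value surfaces as a ValueError from the constructor rather than an AssertionError, so the check's intent reads wrong; and the dependency `ref` is popped without ever being compared to the component's bom-ref, so an SBOM whose dependency graph points at a non-existent ref would still pass (presumably the two are meant to be the same identifier). Capture the value once and check both: `bom_ref = actual["metadata"]["component"].pop("bom-ref")`, `assert UUID(bom_ref).version == 4`, `assert actual["dependencies"][0].pop("ref") == bom_ref`. The identical block is duplicated in the test_no_arguments hunk below and should get the same change, or be factored into a small helper shared by both tests. Both test bodies begin outside their hunks.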
@@ -318,6 +328,15 @@ def test_no_arguments(
 # Verify that command completed successfully
 assert exit_code == Status.OK
+ # Verify bom ref is a valid UUID
+ assert UUID(actual["metadata"]["component"]["bom-ref"])
+
+ # Remove randomly generated bom ref for the comparison
+ actual["dependencies"][0].pop("ref")
+ actual["metadata"]["component"].pop("bom-ref")
+ expected["metadata"]["component"].pop("bom-ref")
+ expected["dependencies"][0].pop("ref")
+
 # Verify that output matches what is expected
 assert actual == expected