sap-jenkins-library/pkg/whitesource/testdata/sbom.golden

<?xml version="1.0" encoding="UTF-8"?>
<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <metadata>
    <component bom-ref="pkg:maven/com.sap/myproduct@1.3.4" type="library">
      <group>com.sap</group>
      <name>myproduct</name>
      <version>1.3.4</version>
      <purl>pkg:maven/com.sap/myproduct@1.3.4</purl>
    </component>
    <properties>
      <property name="internal:ws-product-identifier">productToken-123</property>
      <property name="internal:ws-project-identifier">projectToken-567</property>
    </properties>
  </metadata>
  <components>
    <component bom-ref="pkg:maven/apache-commons/commons-lang@2.4.30" type="library">
      <author>apache-commons</author>
      <name>commons-lang</name>
      <version>2.4.30</version>
      <hashes>
        <hash alg="SHA-1"></hash>
      </hashes>
      <purl>pkg:maven/apache-commons/commons-lang@2.4.30</purl>
    </component>
    <component bom-ref="pkg:maven/apache-commons/commons-lang@3.15" type="library">
      <author>apache-commons</author>
      <name>commons-lang</name>
      <version>3.15</version>
      <hashes>
        <hash alg="SHA-1"></hash>
      </hashes>
      <purl>pkg:maven/apache-commons/commons-lang@3.15</purl>
    </component>
    <component bom-ref="pkg:maven/apache-logging/log4j@1.14" type="library">
      <author>apache-logging</author>
      <name>log4j</name>
      <version>1.14</version>
      <hashes>
        <hash alg="SHA-1"></hash>
      </hashes>
      <purl>pkg:maven/apache-logging/log4j@1.14</purl>
    </component>
    <component bom-ref="pkg:maven/apache-logging/log4j@3.25" type="library">
      <author>apache-logging</author>
      <name>log4j</name>
      <version>3.25</version>
      <hashes>
        <hash alg="SHA-1"></hash>
      </hashes>
      <purl>pkg:maven/apache-logging/log4j@3.25</purl>
    </component>
  </components>
  <dependencies>
    <dependency ref="pkg:maven/apache-logging/log4j@1.14">
      <dependency ref="pkg:maven/apache-commons/commons-lang@2.4.30"></dependency>
    </dependency>
    <dependency ref="pkg:maven/apache-logging/log4j@3.25">
      <dependency ref="pkg:maven/apache-commons/commons-lang@3.15"></dependency>
    </dependency>
    <dependency ref="pkg:maven/com.sap/myproduct@1.3.4">
      <dependency ref="pkg:maven/apache-logging/log4j@1.14"></dependency>
      <dependency ref="pkg:maven/apache-logging/log4j@3.25"></dependency>
    </dependency>
  </dependencies>
  <vulnerabilities>
    <vulnerability bom-ref="pkg:maven/apache-logging/log4j@1.14">
      <id>CVE-2022-001</id>
      <source></source>
      <references></references>
      <ratings>
        <rating>
          <score>7</score>
          <severity>high</severity>
          <method>CVSSv3</method>
        </rating>
        <rating>
          <score>6</score>
          <severity>medium</severity>
          <method>CVSSv2</method>
        </rating>
      </ratings>
      <advisories></advisories>
      <published>01.01.2022</published>
      <tools>
        <tool>
          <vendor>Mend</vendor>
          <name>Mend Unified Agent</name>
          <version>3.3.3</version>
          <externalReferences>
            <reference type="build-meta">
              <url>https://www.mend.io/</url>
            </reference>
          </externalReferences>
        </tool>
      </tools>
      <affects>
        <target>
          <ref>pkg:maven/apache-logging/log4j@1.14</ref>
          <versions>
            <version>
              <version>1.14</version>
              <status></status>
            </version>
          </versions>
        </target>
      </affects>
    </vulnerability>
    <vulnerability bom-ref="pkg:maven/apache-commons/commons-lang@2.4.30">
      <id>CVE-2022-002</id>
      <source></source>
      <references></references>
      <ratings>
        <rating>
          <score>8</score>
          <severity>high</severity>
          <method>CVSSv3</method>
        </rating>
        <rating>
          <score>0</score>
          <severity>none</severity>
          <method>CVSSv2</method>
        </rating>
      </ratings>
      <advisories></advisories>
      <published>02.01.2022</published>
      <tools>
        <tool>
          <vendor>Mend</vendor>
          <name>Mend Unified Agent</name>
          <version>3.3.3</version>
          <externalReferences>
            <reference type="build-meta">
              <url>https://www.mend.io/</url>
            </reference>
          </externalReferences>
        </tool>
      </tools>
      <affects>
        <target>
          <ref>pkg:maven/apache-commons/commons-lang@2.4.30</ref>
          <versions>
            <version>
              <version>2.4.30</version>
              <status></status>
            </version>
          </versions>
        </target>
      </affects>
    </vulnerability>
    <vulnerability bom-ref="pkg:maven/apache-logging/log4j@3.25">
      <id>CVE-2022-003</id>
      <source></source>
      <references></references>
      <ratings>
        <rating>
          <score>0</score>
          <severity>none</severity>
          <method>CVSSv3</method>
        </rating>
        <rating>
          <score>6</score>
          <severity>medium</severity>
          <method>CVSSv2</method>
        </rating>
      </ratings>
      <advisories></advisories>
      <published>03.01.2022</published>
      <tools>
        <tool>
          <vendor>Mend</vendor>
          <name>Mend Unified Agent</name>
          <version>3.3.3</version>
          <externalReferences>
            <reference type="build-meta">
              <url>https://www.mend.io/</url>
            </reference>
          </externalReferences>
        </tool>
      </tools>
      <affects>
        <target>
          <ref>pkg:maven/apache-logging/log4j@3.25</ref>
          <versions>
            <version>
              <version>3.25</version>
              <status></status>
            </version>
          </versions>
        </target>
      </affects>
    </vulnerability>
  </vulnerabilities>
</bom>