Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for CycloneDX 1.5 BOMs #317

Closed
BoBeR182 opened this issue Jul 13, 2023 · 8 comments
Closed

Add support for CycloneDX 1.5 BOMs #317

BoBeR182 opened this issue Jul 13, 2023 · 8 comments

Comments

@BoBeR182
Copy link

DependencyTrack/dependency-track#2850 lists this project as a dependency.
https://github.com/CycloneDX/cdxgen has support maybe cherrypick commits related to java sections.

@stevespringett
Copy link
Member

There are multiple PRs in progress to support 1.5.

@sschuberth
Copy link
Contributor

While writing spec 1.5 SBOMs was added for version 8.0.0 via #316, it seems that the serialized JSON (and XML) do not pass validation as I'm getting

Collection should be empty but contained org.cyclonedx.exception.ParseException: $.metadata.components: is not defined in the schema and the schema does not allow additional properties

for (Kotlin) code

        val metadata = Metadata().apply {
            timestamp = Date()
            toolChoice = ToolInformation().apply {
                components = listOf(
                    Component().apply {
                        type = Component.Type.APPLICATION
                        name = ORT_FULL_NAME
                        version = Environment.ORT_VERSION
                    }
                )
            }
            licenseChoice = LicenseChoice().apply { expression = dataLicense }
        }

@sschuberth
Copy link
Contributor

the serialized JSON (and XML) do not pass validation

@mr-zepol looks like this went unnoticed as the test data still uses the deprecated way to declare tools.

@mr-zepol
Copy link
Contributor

mr-zepol commented Oct 4, 2023

the serialized JSON (and XML) do not pass validation

@mr-zepol looks like this went unnoticed as the test data still uses the deprecated way to declare tools.

This is still valid metadata, the deprecated tool was not removed and from the spec examples ( where those tests were created) they are still valid https://github.com/CycloneDX/specification/blob/master/tools/src/test/resources/1.5/valid-metadata-tool-deprecated-1.5.xml

@mr-zepol
Copy link
Contributor

mr-zepol commented Oct 4, 2023

the test data still uses the deprecated way to declare tools

I will check this and will be back with more info, I am going to try to reproduce it, thanks

@sschuberth
Copy link
Contributor

sschuberth commented Oct 5, 2023

This is still valid metadata, the deprecated tool was not removed and from the spec examples

Right; what I was trying to say is: If you use the non-deprecated way and declare tools via ToolInformation, tool components get serialized directly under metadata (not nested under tools as required by the spec) which does not pass schema validation, see e.g.

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:1efc6fb4-5b37-4da9-80c9-75a38dec630e",
  "version": 1,
  "metadata": {
    "timestamp": "2023-10-05T05:56:55Z",
    "components": [
      {
        "name": "OSS Review Toolkit",
        "version": "IDE-SNAPSHOT",
        "type": "application"
      }
    ],
    "licenses": [
      {
        "expression": "CC0-1.0"
      }
    ]
  },

@mr-zepol
Copy link
Contributor

mr-zepol commented Oct 6, 2023

This is still valid metadata, the deprecated tool was not removed and from the spec examples

Right; what I was trying to say is: If you use the non-deprecated way and declare tools via ToolInformation, tool components get serialized directly under metadata (not nested under tools as required by the spec) which does not pass schema validation, see e.g.

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "serialNumber": "urn:uuid:1efc6fb4-5b37-4da9-80c9-75a38dec630e",
  "version": 1,
  "metadata": {
    "timestamp": "2023-10-05T05:56:55Z",
    "components": [
      {
        "name": "OSS Review Toolkit",
        "version": "IDE-SNAPSHOT",
        "type": "application"
      }
    ],
    "licenses": [
      {
        "expression": "CC0-1.0"
      }
    ]
  },

I found the issue, I hope to have a PR soon so it can be merged and have a new release for this, thank you

@sschuberth
Copy link
Contributor

I found the issue, I hope to have a PR soon so it can be merged and have a new release for this

I can confirm that release 8.0.1 fixed the issue, thanks. So I guess this issue can be closed @stevespringett?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants