
JSON output does not guarantee component.version value #248

Closed
dmuse89 opened this issue Jan 27, 2022 · 2 comments · Fixed by #247
@dmuse89

dmuse89 commented Jan 27, 2022

I was using the JSON output of this tool as an input for another tool. I implemented a validation function in Python for my other tool in order to ensure its correctness before processing the file, which can be seen as follows:

```python
import json

import jsonschema
import pkg_resources


def validate_bom(filename):
    """Validate a CycloneDX JSON BoM against the schema bundled with the cyclonedx package."""
    with open(filename, "r") as fh:
        bom = json.load(fh)
    # Pick the schema that matches the BoM's declared specVersion (e.g. "1.3").
    spec_version = bom.get("specVersion", None)
    schema_path = pkg_resources.resource_filename(
        "cyclonedx", f"schema/bom-{spec_version}.schema.json"
    )
    with open(schema_path, "r") as fh:
        bom_schema = json.load(fh)
    # Raises jsonschema.exceptions.ValidationError if the BoM is non-compliant.
    jsonschema.validate(instance=bom, schema=bom_schema)
    return True
```

In this case I created a BoM using schema v1.3 and noticed that there was a version value missing from the component within the optional metadata property, which was throwing an error as invalid.

In the schema file bom-1.3.schema.json, the optional metadata section allows for components to be listed and references the component in the #/definitions/component section, where a version is required. In this case, there was no version associated with the component found in the metadata section.

The output is therefore non-compliant with the v1.3 schema standard, and the output should be verified to ensure that it is compliant before being returned to the user.

@dmuse89 dmuse89 changed the title Output does not guarantee Version in Metadata for Component JSON output does not guarantee metadata[component][version] value Jan 27, 2022
@jkowalleck jkowalleck changed the title JSON output does not guarantee metadata[component][version] value JSON output does not guarantee metadata.component.version value Jan 27, 2022
@jkowalleck jkowalleck changed the title JSON output does not guarantee metadata.component.version value JSON output does not guarantee component.version value Jan 27, 2022
@jkowalleck
Member

According to the spec's JSON schema v1.3, component.version is required and must be a string.
see https://github.com/CycloneDX/specification/blob/c710388b96501867c6e3119fca4fbea139711d56/schema/bom-1.3.schema.json#L231
see https://github.com/CycloneDX/specification/blob/c710388b96501867c6e3119fca4fbea139711d56/schema/bom-1.3.xsd#L266

Therefore the described behavior is clearly a bug.
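To make the requirement above concrete, here is an added example (not code from the cyclonedx-node-module project or from either commenter) that walks every component in a 1.3 JSON BoM, reports the ones whose `version` is missing or not a string (the case the jsonschema validation in the report rejects), and normalizes them so the output passes the schema's "version is required" rule. Mapping an absent version to the empty string is this example's assumption; the page only says the fix "normalizes empty component.version".

```javascript
// Added example: guarantee a string `version` on every component of a
// CycloneDX 1.3 JSON BoM (metadata.component, components[], nested components).

// Yield components in document order: metadata.component first, then components[],
// descending into nested `components` arrays.
function* iterComponents(bom) {
  function* walk(c) {
    yield c;
    for (const sub of c.components || []) yield* walk(sub);
  }
  if (bom.metadata && bom.metadata.component) yield* walk(bom.metadata.component);
  for (const c of bom.components || []) yield* walk(c);
}

// Check that mirrors the schema rule from #/definitions/component:
// `version` must be present and must be a string. Returns offending names.
function findMissingVersions(bom) {
  const bad = [];
  for (const c of iterComponents(bom)) {
    if (typeof c.version !== 'string') bad.push(c.name || '<unnamed>');
  }
  return bad;
}

// Normalization step (assumption: absent/null -> "", other scalars -> String()).
// Run this before serializing so the emitted JSON validates against bom-1.3.
function normalizeVersions(bom) {
  for (const c of iterComponents(bom)) {
    if (c.version === undefined || c.version === null) c.version = '';
    else if (typeof c.version !== 'string') c.version = String(c.version);
  }
  return bom;
}

// Constructed sample BoM: metadata.component has no version (the reported case),
// a nested component has none either, and one version is a number, not a string.
const sampleBom = {
  bomFormat: 'CycloneDX',
  specVersion: '1.3',
  metadata: { component: { type: 'application', name: 'my-app' } },
  components: [
    { type: 'library', name: 'left-pad', version: '1.3.0',
      components: [{ type: 'library', name: 'nested-dep' }] },
    { type: 'library', name: 'lodash', version: 4 },
  ],
};
```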

@jkowalleck jkowalleck added the bug label Jan 27, 2022
jkowalleck added a commit that referenced this issue Jan 28, 2022
fixes #246
fixes #248
part of #233
part of #220

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck added a commit that referenced this issue Jan 28, 2022
fixes #246
fixes #248
part of #233
part of #220

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck added a commit that referenced this issue Jan 28, 2022
detect component.author - fixes #246
normalize empty component.version - fixes #248
add JSDoc - #220
use private properties - #233

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck added a commit that referenced this issue Jan 29, 2022
detect component.author - fixes #246
normalize empty component.version - fixes #248
add JSDoc - #220
use private properties - #233

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
@jkowalleck
Member

jkowalleck commented Jan 29, 2022

thanks for the report.
@dmuse89 could you review #247 ? this should fix the issue

jkowalleck added a commit that referenced this issue Feb 2, 2022
…ormalize optional `version` (#247)

* Changed
  * Private/protected properties of Component models are no longer directly accessible. ([#233] via [#247])  
    Access via public getter/setter.
* Fixed
  * Normalization guarantees `component.version`. ([#248] via [#247])
  * Component's constructor may detect & set `author` based on package info. ([#246] via [#247])
* Added
  * JSDoc for Component model. ([#220] via [#247])

[#220]: #220
[#233]: #233
[#246]: #246
[#247]: #247
[#248]: #248

---

* Component rework

detect component.author - fixes #246
normalize empty component.version - fixes #248
add JSDoc - #220
use private properties - #233

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

* use `@babel/eslint-parser`

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

* update locked dependencies and lockfile format

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

* CT/CI generates jsdoc & play with jsdoc

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

* wrote history

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

* slacked components getter usage internally

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>

* fixed JSDoc `object` annotation

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>