[BUG] Remote URLs and packages without versions raise an exception

[mostafa]

I tried to run cyclonedx-bom on a requirements file (a test fixture and also a private repository of mine) and found that when the version is empty, the library raises an error. The error was introduced after I replaced the requirements parser in CycloneDX/cyclonedx-python#327, and the affected line is:

cyclonedx-python-lib/cyclonedx/output/json.py

Line 154 in 9fce6bf

if self.component_version_optional() and bom_json[base_key][i]['version'] == "":

According to the specification, the version field is not required/enforced.

$ cyclonedx-bom -r -i tests/fixtures/requirements-local-and-remote-packages.txt --format json
Traceback (most recent call last):
  File "/somewhere/.pyenv/versions/3.9.6/bin/cyclonedx-bom", line 8, in <module>
    sys.exit(main())
  File "/somewhere/.pyenv/versions/3.9.6/lib/python3.9/site-packages/cyclonedx_py/client.py", line 260, in main
    CycloneDxCmd(args).execute()
  File "/somewhere/.pyenv/versions/3.9.6/lib/python3.9/site-packages/cyclonedx_py/client.py", line 122, in execute
    output.output_to_file(filename=output_filename, allow_overwrite=self._arguments.output_file_overwrite)
  File "/somewhere/.pyenv/versions/3.9.6/lib/python3.9/site-packages/cyclonedx/output/__init__.py", line 102, in output_to_file
    f_out.write(self.output_as_string().encode('utf-8'))
  File "/somewhere/.pyenv/versions/3.9.6/lib/python3.9/site-packages/cyclonedx/output/json.py", line 117, in output_as_string
    self.generate()
  File "/somewhere/.pyenv/versions/3.9.6/lib/python3.9/site-packages/cyclonedx/output/json.py", line 67, in generate
    bom_json = json.loads(self._specialise_output_for_schema_version(bom_json=bom_json))
  File "/somewhere/.pyenv/versions/3.9.6/lib/python3.9/site-packages/cyclonedx/output/json.py", line 96, in _specialise_output_for_schema_version
    bom_json = self._recurse_specialise_component(bom_json=bom_json)
  File "/somewhere/.pyenv/versions/3.9.6/lib/python3.9/site-packages/cyclonedx/output/json.py", line 147, in _recurse_specialise_component
    if self.component_version_optional() and bom_json[base_key][i]['version'] == "":
KeyError: 'version'

@madpah @jkowalleck WDYT?

[madpah]

Hey @mostafa - thanks for the report.

Version is now optional according to CycloneDX 1.4 - and looks like this has exposed a bug in the library.

Will get a fix raised :-)

[madpah]

@mostafa - will leave this open for a bit to allow you to validate the fix that has been released.

[madpah]

@mostafa - have you had chance to validate this fix yet?

[mostafa]

@madpah Works like a charm! 👌 I think you can close the issue.

[madpah]

Awesome - thanks for confirming @mostafa.